written 6.8 years ago, modified 2.8 years ago
Subject: Digital Forensics
Topic: Initial response and forensic duplication
Difficulty: Medium
written 6.7 years ago
A live response is typically used for two purposes: to gather volatile evidence before a system is shut down for imaging, and as a ‘first look’ at a system to determine whether it requires additional attention.
In large enterprise investigations, you may find that most of your investigation is accomplished through performing live response. Many investigations involve several dozen computer systems, and most organizations lack the personnel or time to examine a significant number of forensic disk images.
One significant reason to collect hard drive images rather than rely on live response (LR) is that the entire operating environment is preserved. Rarely do you know all of the questions that need to be answered at a single point in time, and repeating the LR every time a new data source is needed is a very disjointed means of collection.
Furthermore, it is possible that the evidence that was once present on a system is overwritten or deleted by the time the question is asked.
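The answer above describes why volatile evidence is collected before a system is shut down and why a one-off live response is hard to repeat later. The script below is an added example of what such a collection looks like on a Linux host; it is not part of the original answer or of any named tool. It assumes a POSIX shell with GNU coreutils (`sha256sum`), treats `ss`, `lsmod` and the like as optional, collects artifacts in order of volatility (most volatile first), writes each command's output to its own file, and records a SHA-256 manifest so that anything collected can later be shown to be unaltered. The file names and the choice of commands are the example's own.

```shell
#!/bin/sh
# Added example: minimal Linux live-response collector (not from the original page).
# Collects volatile data most-volatile-first, one file per command, then writes
# a SHA-256 manifest of every artifact so later analysis can prove integrity.
# Assumptions: POSIX sh, GNU coreutils; ss/lsmod/uptime are optional and are
# skipped (with a note in the output file) if absent on the host.

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.sha256"
    : > "$manifest"

    # Context first: when collection started, on which host, as which user.
    printf 'collection_start=%s\nhost=%s\ncollector_uid=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$(id -u)" \
        > "$outdir/00_context.txt"

    # Order matters: most volatile first. Each entry is "file|command".
    # A tool that is missing is recorded as missing, not treated as fatal,
    # because the collector must finish even on a minimal or damaged host.
    for entry in \
        "01_uptime.txt|uptime" \
        "02_processes.txt|ps -eo pid,ppid,uid,etime,args" \
        "03_network.txt|ss -tunap" \
        "04_logged_in.txt|who" \
        "05_mounts.txt|mount" \
        "06_kernel.txt|uname -a" \
        "07_loaded_modules.txt|lsmod"
    do
        file="${entry%%|*}"
        cmd="${entry#*|}"
        tool="${cmd%% *}"
        if command -v "$tool" >/dev/null 2>&1; then
            # $cmd is intentionally unquoted so the shell splits it into arguments.
            # A non-zero exit is recorded in the artifact rather than aborting.
            $cmd > "$outdir/$file" 2>&1 \
                || printf 'command exited with status %s\n' "$?" >> "$outdir/$file"
        else
            printf 'tool not available on this host: %s\n' "$tool" > "$outdir/$file"
        fi
    done

    # Hash every artifact (including 00_context.txt) into the manifest.
    (cd "$outdir" && for f in [0-9]*.txt; do sha256sum "$f"; done) > "$manifest"
    return 0
}

# Re-check the artifacts against the manifest; non-zero if anything changed.
verify_manifest() {
    (cd "$1" && sha256sum -c --quiet manifest.sha256)
}

# Stand-alone usage: collect into ./lr-<host>-<timestamp> and verify once.
if [ "${LR_RUN_MAIN:-0}" = "1" ]; then
    dest="./lr-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    collect_volatile "$dest" && verify_manifest "$dest" && echo "collected: $dest"
fi
```

Run it as `LR_RUN_MAIN=1 sh collect.sh` on the host under investigation, ideally from read-only media with its own copies of the binaries, and copy the output directory off the host before shutting it down for imaging. Keeping a manifest rather than a single combined log is what lets a later question be answered from the original capture instead of from a repeated, and by then different, live response.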