Fundamentals of Digital Forensics

Volatile information is information that is lost when a system is shut down or loses power. Volatile information generally exists in physical memory, or RAM, and consists of information about processes, network connections, open files, clipboard, and similar. This information describes the state of the system at a given time.

When performing a live-data forensics analysis, one of the first things researchers should collect is the contents of RAM. By collecting this information first, the impact of their data collection on the RAM content is minimised, however this capture may cause system instability or even lead to a Blue Screen of Death (BSoD), leading several authors to indicate that this procedures should be performed after the collection of other volatile information, being prioritised according to each situation.

Some of the specific types of volatile information that should be collected:

·       RAM memory

·       System date and time

·       Network information

·       Logged in users

·       Open files

·       Network connections

·       Information about running processes

·       Mapping between processes and ports

·       Network status

·       Clipboard content

·       Information about services and drivers

·       History of executed commands

·       Mapped drives

·       Shares

·       Passwords and cryptographic keys

 

Of these, it is necessary to identify for each specific case, which information is more volatile and will be more important to obtain first. Here a possible sequence of information in order of volatility (Figure 31).

Figure 31 – Possible sequence of information in order of volatility