Live Investigation Acquisition

Sometimes you need to acquire data from a live system. Live acquisition is the right choice in these situations:

• The system can't be turned off. In this case all data retrieval has to be done while the system is running.

• You believe there may be evidence in RAM. The contents of random access memory are lost when the system is powered off (at least generally speaking).

• You have opted for live forensics (because of evidence in RAM or other arguments against pulling the plug).

Remember that everything you do on a live system leaves traces on the system itself unless it is done carefully, and some of those changes simply can't be avoided: you alter the system's state, and therefore the evidence (for example, launching the program that takes the RAM image overwrites part of memory).

Checklist

• Use only trusted tools. Never use native commands; use only trusted binaries written to a CD/DVD, and put that toolkit first in your PATH. Statically linked binaries also avoid the target's (possibly trojaned) libraries, but no userland toolkit can see past a kernel-level rootkit.

• Retrieve data. Begin with the most

• Copy /proc/kcore. You'll have a memory dump to
  Note that /proc/kcore is an ELF image of the kernel's view of memory: on 64-bit kernels it spans the whole kernel virtual address range, far more than physical RAM, and many distributions restrict or omit it, so a dedicated physical-RAM acquisition tool (LiME, for example) is the usual alternative today.

• Copy all of /proc. The /proc filesystem holds a ton of information about the state of the system at both the hardware and software level (running processes, open files, network sockets, loaded modules).

• Pay attention to any crypto filesystem that is mounted. You can't do anything sillier than unmounting a crypto filesystem: once it is unmounted the key is gone and the data is unreadable. Copy everything before unmounting it, or even better, make a forensic image of it while it is still mounted. You won't have another opportunity.

• Run chkrootkit or rkhunter (Rootkit Hunter). The system might already be compromised. Run them from the trusted toolkit, and keep in mind that a kernel rootkit can hide from both.

• Investigate network traffic. It's better with an external probe (a tap or span port on the target's link). You may find traffic that is not visible at the system level if a rootkit is present.
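The checklist above as a script, added here as an example and not code from the original page. It assumes a toolkit directory and an evidence mount (/mnt/cdrom/bin and /mnt/evidence, both assumptions, overridable through the environment), and it only performs the acquisition when run as root with --run; the mount-check and trusted-tool helpers run anywhere on constructed input.

```shell
#!/bin/sh
# Live-acquisition helpers, added here as an example; this is not code from the
# original page. Assumed paths (not in the page): the trusted toolkit is mounted
# read-only at /mnt/cdrom/bin and evidence goes to a removable drive at
# /mnt/evidence, never to the target's own disks.
TRUSTED_BIN=${TRUSTED_BIN:-/mnt/cdrom/bin}
EVIDENCE=${EVIDENCE:-/mnt/evidence}

# Put the trusted toolkit first in PATH so dd, tar, ps and the rest resolve there
# rather than to possibly trojaned binaries on the target. Statically linked
# binaries avoid the target's libraries as well; none of this helps against a
# kernel-level rootkit, which is why the checklist also wants an external probe.
use_trusted_tools() {
    PATH="$TRUSTED_BIN:$PATH"; export PATH
}

# Return 0 if NAME would run from the trusted toolkit, 1 if a system copy would.
tool_is_trusted() {
    case "$(command -v "$1")" in
        "$TRUSTED_BIN"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Flag mounts backed by an encrypting filesystem or by a device-mapper device.
# Reads /proc/mounts-style lines on stdin, prints "mountpoint fstype device".
# A /dev/mapper device may be plain LVM rather than dm-crypt; confirm with
# "dmsetup table" (look for a "crypt" target). Either way, image the mount
# while it is still mounted and the key is still loaded.
find_crypto_mounts() {
    awk '$3 ~ /^(ecryptfs|encfs|cryfs|gocryptfs|fuse\.(encfs|cryfs|gocryptfs))$/ ||
         $1 ~ /^\/dev\/mapper\// { print $2, $3, $1 }'
}

# Acquisition in order of volatility: memory, then process and socket state,
# then /proc, then the checks. Runs only as root and only when asked to.
acquire_live() {
    mkdir -p "$EVIDENCE"
    # Memory first. /proc/kcore is an ELF image of the kernel's view of memory.
    # Caveat: on 64-bit kernels it spans the whole kernel virtual address range,
    # far more than physical RAM, and many distributions restrict or omit it,
    # so a physical-RAM dumper such as LiME is the usual alternative today.
    dd if=/proc/kcore of="$EVIDENCE/kcore.img" bs=1M 2> "$EVIDENCE/kcore.dd.log"
    # Process and socket state, which is gone at power-off.
    ps -ef > "$EVIDENCE/ps.txt"
    ss -anp > "$EVIDENCE/ss.txt" 2>/dev/null || netstat -anp > "$EVIDENCE/netstat.txt"
    # /proc. Copying the whole tree blindly is risky (kcore and pagemap are huge,
    # kmsg blocks, mem is unreadable), so take the system-wide files plus the
    # per-process entries that matter; processes that exit mid-copy are reported
    # in the log and tar carries on.
    ( cd /proc && tar cf "$EVIDENCE/proc.tar" cpuinfo meminfo mounts modules \
        version cmdline uptime net [0-9]*/status [0-9]*/cmdline [0-9]*/maps \
        [0-9]*/exe 2> "$EVIDENCE/proc.tar.log" )
    # Encrypted mounts, listed so they are imaged before anything is unmounted.
    find_crypto_mounts < /proc/mounts > "$EVIDENCE/crypto_mounts.txt"
    # Rootkit checks, run from the toolkit, output kept with the evidence.
    chkrootkit > "$EVIDENCE/chkrootkit.txt" 2>&1
    rkhunter --check --skip-keypress > "$EVIDENCE/rkhunter.txt" 2>&1
}

if [ "${1:-}" = "--run" ] && [ "$(id -u)" = 0 ]; then
    use_trusted_tools
    tool_is_trusted dd || { echo "dd would run from the target, not the toolkit" >&2; exit 1; }
    acquire_live
fi
```

The tool_is_trusted check is the one to get in the habit of: a trusted CD does nothing if the shell still resolves "dd" to /bin/dd on the target. The crypto-mount check matches filesystem types that are encrypting by nature and anything under /dev/mapper, because dm-crypt volumes are not distinguishable from LVM volumes in /proc/mounts alone.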

Post Mortem Acquisition (case 1)

This is the fastest way to make a forensic image. You can use the tool you prefer ("dd," "sdd," "dcfldd"). There are even some GUIs built on these tools for offline acquisition, but you'll want to steer clear of them.

• Take apart the hard disks.

• Connect each disk to the forensic workstation through a write blocker and image it.

• Verify the image file against the original media.


Connect each hard disk to the forensic workstation and begin the imaging process with your preferred tool. Write-block the original media before connecting it to the workstation: if possible, spend some money on read-only (write-blocking) USB/FireWire/IDE/SCSI/SATA interfaces. A software read-only mount is not a substitute; the kernel may still write to the disk (a journal replay, for instance) the moment it sees it. If you don't use a write blocker, you will eventually make a mistake, once again... believe us!

Run md5sum or sha1sum (or both, if you don't want to argue about "message digest collisions" in court) on the image file and on the original media to verify that the forensic copy matches the original. Both MD5 and SHA-1 now have practical collision attacks, so record a SHA-256 digest (sha256sum) as well.

Post Mortem Acquisition (case 2)

There are many cases in which you can't take the target system apart. It might, for example, have an unusual RAID controller on board that you're not sure you can reproduce in software in the lab. In that case it is always safer to copy the virtual disk presented by the RAID controller, so the best way to proceed is to boot the target into a safe environment and generate a forensic image onto a local drive or over the network.

• Boot the target system with Helix Knoppix.

• Boot the forensic workstation to receive the network copy.

• Perform the forensic image through the network.

• Verify the image file against the original media.


Helix Knoppix is a very useful tool in these situations. When it boots, it preserves the system state: Helix works only in RAM, doesn't touch any partition (not even swap), and uses a forensics-aware mount command (read-only, so nothing on the target's disks changes).

Connect the forensic workstation directly to the target system with a cable, with no other hosts on the link. Configure the network on both systems.

On the target system, run:

    dd if=[dev-to-copy] bs=2048 | nc [ip-workstation] [port]

On the forensic workstation, run:

    nc -l -p [port] > image_file.img

Start the listener on the workstation first. A few caveats: bs=2048 works but is slow, so a larger block size (bs=64k) is usual, and conv=noerror,sync keeps dd going past unreadable sectors while keeping the offsets in the image aligned with the original; the stream is neither encrypted nor authenticated, which is why the direct cable matters; and netcat builds differ: OpenBSD netcat listens with "nc -l [port]" (no -p), and some builds need -q 0 (traditional netcat) or -N (OpenBSD netcat) to close the connection when dd reaches the end of the device.

Use md5sum or sha1sum on the image file (on the workstation) and on the original media (on the target, from the live CD) and compare the digests to verify that the image matches the original.
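The imaging and verification steps shared by both post-mortem cases, added here as an example; this is not code from the original page. SRC and IMG are placeholder names of my own, and demo runs the whole sequence on a constructed sample file rather than a real disk.

```shell
#!/bin/sh
# Imaging and verification for both post-mortem cases, added here as an example;
# not code from the original page. SRC and IMG are placeholder names: SRC is the
# write-blocked original device (or the constructed sample used by demo), IMG the
# image file on the forensic workstation.

# Image SRC into IMG. conv=noerror,sync keeps dd going past unreadable sectors and
# pads each failed read with zeros, so later offsets still line up with the
# original. dd's summary (records in/out, errors) goes to a log kept with the case.
# Caveat: sync pads the final partial block too, so bs must divide the media size;
# any block size does for a real disk, but a plain file may get a padded tail.
image_device() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=64k conv=noerror,sync 2> "$img.dd.log"
}

# Digest original and image with md5 and sha1 (the page's choice) and sha256,
# since both older algorithms have practical collision attacks. Prints all six
# digests for the notes and returns 0 only if every pair matches. A mismatch
# together with a nonzero error count in the dd log is expected, not a failed
# acquisition: the zero-filled sectors are the difference.
verify_image() {
    src=$1; img=$2; ok=0
    for algo in md5sum sha1sum sha256sum; do
        s=$($algo < "$src" | cut -d' ' -f1)
        i=$($algo < "$img" | cut -d' ' -f1)
        printf '%-9s original=%s\n%-9s image   =%s\n' "$algo" "$s" "$algo" "$i"
        [ "$s" = "$i" ] || ok=1
    done
    return $ok
}

# Stand-alone demo on a constructed 1 MiB sample "device" (a file of random
# bytes, a multiple of bs), not a real disk.
demo() {
    tmp=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$tmp/src.bin"
    image_device "$tmp/src.bin" "$tmp/src.img"
    verify_image "$tmp/src.bin" "$tmp/src.img"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

For case 2 the same dd options go in front of the nc pipe on the target; the target then runs the digests directly against the device from the live CD, the workstation runs them against image_file.img, and the two sets are compared by hand, since verify_image assumes both files are reachable from one machine.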
