When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases are covered and no vital evidence is lost. A live analysis conducted in the correct manner will yield the results you are looking for in your investigation. It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for you to perform a RAM capture in the proper manner with as little intrusion as possible.
The first order of business should be the volatile data, that is, collecting the RAM. ADF has simplified the process and will expeditiously and efficiently collect the volatile data first. Once the RAM collection has completed and been saved to the Collection Key, you can go right on to scanning the drives, partitions, or attached devices for relevant and actionable evidence. This will allow you to make critical on-scene decisions.
As with any tool used for live analysis, ADF will access files on the target computer while scanning; it does so without modifying their timestamps. However, it should be expected that running ADF software on a live system will leave traces related to the insertion of both the Collection Key and the Authentication Key and to the execution of the application. (See Technical Specifications, Sect. 3.)
When returning to the forensic lab, or within your mobile lab, RAM dumps can be analyzed with the appropriate software (e.g. Volatility).
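The check a practitioner wants between the on-scene capture and the lab analysis, as an added example that is not ADF's code: hash the RAM dump as soon as it is saved to the Collection Key, record a manifest alongside it, and re-verify the dump before loading it into Volatility so any alteration in transit is caught. The dump and manifest file names, host name and examiner value are constructed placeholders.

```python
"""Record and later verify the integrity of a RAM capture before analysis."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB dump never has to fit in memory


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(dump_path, manifest_path, host, examiner, tool="RAM capture"):
    """Write an acquisition record next to the dump on the collection media."""
    manifest = {
        "host": host, "examiner": examiner, "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "dump": os.path.basename(dump_path),
        "size_bytes": os.path.getsize(dump_path),
        "sha256": sha256_of_file(dump_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_dump(dump_path, manifest_path):
    """True only if size and SHA-256 still match what was recorded on scene."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return (os.path.getsize(dump_path) == manifest["size_bytes"]
            and sha256_of_file(dump_path) == manifest["sha256"])


def demo():
    """Constructed stand-in for a dump; returns (verified intact, verified after tamper)."""
    d = tempfile.mkdtemp()
    dump, manifest = os.path.join(d, "host01.raw"), os.path.join(d, "host01.json")
    with open(dump, "wb") as f:
        f.write(b"\x00" * 4096 + bytes(range(256)) * 8)  # constructed sample bytes
    write_manifest(dump, manifest, host="host01", examiner="examiner-placeholder")
    intact = verify_dump(dump, manifest)
    with open(dump, "r+b") as f:
        f.seek(4096)
        f.write(b"XX")  # simulate two bytes altered after acquisition
    return intact, verify_dump(dump, manifest)
```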
The Collection Key will serve several purposes while on scene:
- RAM Collection – First option when executing the application
- Scanning and collection of relevant data
- Imaging of drive and attached devices
- Analysis on scene or back at the lab
These options are independent of each other and do not all need to be run on every computer. The tool can be used to conduct just one task. As always with ADF’s flexible licensing you can collect RAM, scan for information and evidence, or image many computers simultaneously.