<<< The ON/OFF Switch, cont. | Index | Collecting and Preserving Digital Evidence >>> |
Sometimes it's a difficult decision...
Capturing RAM into an evidence image file is needed when dealing with systems that have large memory (gigabytes of RAM) and where data in memory may be important to the investigation.
Sometimes entire documents are produced in memory but never saved to a file or printed.
Computer intrusion cases require capturing information about active processes and network connections, which exists only in RAM and is lost at power-off.
Capturing active network connections is also important in traditional investigations, such as a missing person case.
System utilities like netstat and fport will create a report of those connections; you must document the date/time of such a report along with the MD5 value of the actual command output. Because MD5 collisions can be constructed, it is common practice to record a SHA-256 value alongside the MD5.
Remember that every tool you run on the live system changes its memory, so take the RAM image first and run such utilities from trusted copies (for example, a prepared response CD or USB stick) rather than the binaries on the suspect system.
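As an added example (not code from the course material), the following POSIX shell script does what the bullet above describes for a tool such as netstat: it stores the tool's output as an evidence file, writes the UTC date/time, the exact command and both the MD5 and SHA-256 digests to a log, refuses to overwrite an existing evidence file, and can re-verify the file later. The evidence directory, the examiner variable and the use of md5sum/sha256sum with an openssl fallback are assumptions of this example, not something the course specifies.

```shell
#!/bin/sh
# Added example, not from the course slides: capture the output of a live
# volatile-state tool (netstat, fport, ...) as an evidence file and record
# UTC date/time, the exact command and MD5 + SHA-256 digests in a log.
# Hypothetical assumptions: evidence is written under $EVIDENCE_DIR, the
# examiner's name comes from $EXAMINER, and md5sum/sha256sum (or openssl as
# a fallback) are available on the trusted response media.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"
EXAMINER="${EXAMINER:-unknown examiner}"

# Print only the hex digest of file $2 using algorithm $1 (md5 or sha256).
hash_file() {
    alg="$1"; file="$2"
    if command -v "${alg}sum" >/dev/null 2>&1; then
        "${alg}sum" "$file" | cut -d' ' -f1
    else
        openssl dgst "-$alg" "$file" | awk '{print $NF}'
    fi
}

# capture_volatile LABEL COMMAND [ARGS...]
# Runs COMMAND, stores its stdout as $EVIDENCE_DIR/LABEL.txt, appends a
# provenance record to $EVIDENCE_DIR/LABEL.log and prints the MD5 digest.
# Refuses to overwrite an existing evidence file so nothing is clobbered.
capture_volatile() {
    label="$1"; shift
    out="$EVIDENCE_DIR/$label.txt"
    log="$EVIDENCE_DIR/$label.log"
    mkdir -p "$EVIDENCE_DIR"
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing evidence file $out" >&2
        return 1
    fi
    started=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    rc=0
    # stderr goes to the log, not the evidence file, so a failing tool is
    # documented rather than mixed into the data that gets hashed.
    "$@" >"$out" 2>>"$log" || rc=$?
    finished=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    md5=$(hash_file md5 "$out")
    sha256=$(hash_file sha256 "$out")
    {
        echo "label:     $label"
        echo "command:   $*"
        echo "host:      $(uname -n 2>/dev/null || echo unknown)"
        echo "examiner:  $EXAMINER"
        echo "started:   $started"
        echo "finished:  $finished"
        echo "exit code: $rc"
        echo "output:    $out"
        echo "md5:       $md5"
        echo "sha256:    $sha256"
    } >>"$log"
    # Read-only as a guard against accidental edits of the evidence file.
    chmod 0444 "$out"
    echo "$md5"
}

# verify_capture LABEL
# Recomputes the SHA-256 of a captured file and compares it with the value
# recorded in its log; returns non-zero if the file changed since capture.
verify_capture() {
    label="$1"
    out="$EVIDENCE_DIR/$label.txt"
    log="$EVIDENCE_DIR/$label.log"
    recorded=$(awk '/^sha256:/ {print $2}' "$log")
    current=$(hash_file sha256 "$out")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Typical live-response use. Only runs when invoked with --run so the
# functions can be sourced and tested without touching the target system.
if [ "${1:-}" = "--run" ]; then
    capture_volatile netstat_an netstat -an
    verify_capture netstat_an && echo "netstat_an verified"
fi
```

The log is the document you would later attach to the examiner's notes: it ties the command, the host, the start and finish times and both digests to one labelled evidence file, and verify_capture lets anyone re-check that file against the recorded value before relying on it.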