Traditionally, forensic analysts would capture everything. Going on site for a collection meant using forensic software and hardware to create exact physical images of computer media. The best-case evidence has always been a complete drive image; however, there are problems with this approach. Hard drive sizes keep increasing and drive prices keep falling, while the tools used to capture these drive images are not keeping pace. Sure, you can still capture physical images, but the process can take many hours or even days to complete. Making physical images requires shutting down the machine hosting the drive or drives and connecting them to the forensic hardware and software. Increasingly, even small businesses employ some form of RAID array. RAID imaging brings in another set of issues to deal with, and RAID arrays can be terabytes in size. Many times, court orders or agreements between the parties to collect evidence are specific in requiring that the collection be done after business hours and in a manner that does not interrupt the targeted company’s ability to conduct business. Faced with these realities, methods of collection must shift.
Today’s collections require a targeted approach, and the implementation of “live forensics” is the new way of working. Live forensics permits capture of RAM from the computer in question. RAM has been found to contain valuable evidentiary data, such as the Windows Registry of the running machine. Collecting from a running machine permits capture of the responsive data rather than gigabytes of data that are not needed for your investigation, which translates into a collection that takes much less time than a traditional physical image. Targeted collections also reduce the amount of private information collected, as only relevant data is captured.
There are a few tools out there which permit this type of collection. They range in ability, and prices run from hundreds of dollars at the low end to six figures at the top of the scale. Many are proprietary. In looking at what was available and affordable for our purposes, we came across Matt Shannon and his product, F-Response. In testing and in real-world usage, in our opinion, there is no better tool on the market for your hard-earned dollar. F-Response permits access to machines via network cable and presents their storage media to your local machine. You can then use whatever forensic tools you wish for searching and logical evidence capture. Two F-Response dongles, a gigabit switch and two network cables are all you require.
Given that we sell F-Response in Canada, this may be seen as a shameless plug. The reality is, if we didn’t believe in it and didn’t use it, we wouldn’t sell it or endorse it. This is a great product which will enable you to conduct live targeted collections across a variety of platforms, efficiently and at a very reasonable cost.
Digital Forensics – Sometimes Everything is Too Much « EFS e-Forensic Services Inc.