Computers are exposed to cyber-attacks of many kinds every day. Computer forensic procedures can recover vital information that can be used to prosecute an intruder who compromises a computer or network.
The main goal of computer forensics is to identify, collect, preserve and analyze data while maintaining its integrity and an unbroken chain of custody, so that it can be used effectively as evidence in a legal case.
TYPES OF DATA EXTRACTION METHODS
Persistent data are data stored on a local hard drive or another storage medium that survive when the computer is turned off. In a "live analysis" the examiner extracts information from the hard drive while the system is still running; otherwise the drive is imaged bit for bit and the copy is analyzed, with a hash of the image recorded at acquisition and re-checked afterwards to prove that the evidence has not been altered. Another technique, "deleted file analysis", recovers data from a drive after deletion: most operating systems do not physically erase the data but only remove its entry from the drive's allocation table (or equivalent file system metadata), so the content remains in unallocated space until it is overwritten.
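As an added example (not code from the original page), the following Python script models the "deleted file analysis" idea above on a constructed toy disk image: a JSON allocation table in the first 512 bytes followed by the file data, a "delete" that only removes the table entry, and a signature carver that recovers the file content anyway. Hashing the image at acquisition and again after analysis shows the examination was read-only. The image layout, file names and PNG/JPEG-like payloads are all constructed for the example; only the header/footer signatures are real.

```python
import hashlib
import json

# Constructed sample files (not real images): minimal PNG-like and JPEG-like payloads
# that carry only the header and footer signatures a carver looks for.
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
JPEG_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20 + b"\xff\xd9"

TABLE_SIZE = 512  # toy "allocation table": JSON {name: [offset, length]} padded to 512 bytes

# Real-world header/footer signatures for PNG and JPEG used by the carver.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def _encode_table(table):
    return json.dumps(table).encode().ljust(TABLE_SIZE, b"\x00")


def _decode_table(image):
    return json.loads(image[:TABLE_SIZE].rstrip(b"\x00"))


def build_image(files):
    """Build a toy disk image: allocation table first, file contents after it."""
    table, data = {}, bytearray()
    for name, content in files.items():
        table[name] = [TABLE_SIZE + len(data), len(content)]
        data += content
    return _encode_table(table) + bytes(data)


def delete_file(image, name):
    """'Delete' a file the way most file systems do: drop the table entry, leave the data."""
    table = _decode_table(image)
    del table[name]
    return _encode_table(table) + image[TABLE_SIZE:]


def list_files(image):
    """What a normal directory listing shows: only names still present in the table."""
    return sorted(_decode_table(image))


def carve(image):
    """Recover files by header/footer signature, ignoring the allocation table entirely.
    Returns (kind, offset, content) tuples; content survives deletion until overwritten."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def sha256(blob):
    """Integrity hash: record it at acquisition and re-check it after every analysis step."""
    return hashlib.sha256(blob).hexdigest()


def demo():
    image = build_image({"photo.png": PNG_FILE, "scan.jpg": JPEG_FILE})
    acquired_hash = sha256(image)
    wiped = delete_file(image, "photo.png")          # the PNG is "deleted"
    assert list_files(wiped) == ["scan.jpg"]          # the listing no longer shows it
    recovered = carve(wiped)                          # carving still finds both files
    assert sha256(image) == acquired_hash             # original evidence untouched
    return [(kind, off, len(content)) for kind, off, content in recovered]


if __name__ == "__main__":
    print(demo())
```

Real carvers (for example foremost or scalpel) work the same way on a raw image, but must also cope with fragmented files and with footers that never arrive; the toy format here keeps every file contiguous so the point about the allocation table stays visible.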
Volatile data are data held in memory or in transit that are lost when the computer loses power or is turned off. Volatile data reside in CPU registers, caches and random access memory (RAM), and hold a wealth of information: running processes, open files and registry handles, network connections, passwords and cryptographic keys, the plaintext of content that is encrypted on disk, hidden data, and so on. Worms and rootkits written to run solely in memory leave nothing on disk and can be found only there.
Because volatile data are ephemeral, volatile data analysis is a very time-sensitive task: the data can be captured or monitored only while the computer is running, and every action taken on the live system, including the capture itself, changes the contents of memory. Volatile data should therefore be collected first, in order of volatility, before the disk is imaged.
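As an added example (not code from the original page), the following Python script performs the first triage steps an examiner runs over a captured memory image: extracting printable strings, grepping for credential patterns, and scanning for high-entropy windows that are candidates for cryptographic key material. The "dump" it analyzes is constructed inline (zero filler with a credential string, a process name and a 32-byte key stand-in at known offsets); the offsets, strings and the 4.5 bits/byte threshold are assumptions for the example, not values from a real capture.

```python
import math
import re

# Constructed "memory dump" (not a real capture): 4 KiB of zero filler with a
# credential string, a process name and a 32-byte key stand-in at known offsets.
DUMP_SIZE = 4096
CRED = b"login: admin\npassword: hunter2\n"   # constructed credential text
PROC = b"svchost.exe\x00"                      # constructed process-name string
KEY = bytes(range(0x80, 0xA0))                 # 32 distinct non-printable bytes standing in for key material
KEY_OFFSET = 1024


def build_dump():
    dump = bytearray(DUMP_SIZE)
    dump[256:256 + len(CRED)] = CRED
    dump[KEY_OFFSET:KEY_OFFSET + len(KEY)] = KEY
    dump[2048:2048 + len(PROC)] = PROC
    return bytes(dump)


def shannon_entropy(block):
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniformly random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_strings(dump, min_len=6):
    """Equivalent of the `strings` tool: runs of printable ASCII, the first pass of any memory triage."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, dump)


def find_high_entropy(dump, window=32, step=16, threshold=4.5):
    """Flag windows whose entropy is far above text or code: candidate keys or packed payloads.
    Text and executable code stay well under 4.5 bits/byte; raw key material sits near the maximum."""
    hits = []
    for off in range(0, len(dump) - window + 1, step):
        e = shannon_entropy(dump[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def grep(dump, pattern):
    """Offsets of every match of a byte regex, e.g. rb'password' or an IP-address pattern."""
    return [m.start() for m in re.finditer(pattern, dump)]


def triage(dump):
    """One pass that bundles the three checks an examiner would run before deeper analysis."""
    return {
        "strings": find_strings(dump),
        "credentials": grep(dump, rb"password:\s*\S+"),
        "key_candidates": find_high_entropy(dump),
    }


if __name__ == "__main__":
    for name, result in triage(build_dump()).items():
        print(name, result)
```

On a real capture the entropy scan produces false positives from compressed or encrypted pages, so candidates are confirmed by trying them against the on-disk ciphertext or by recognizing a key schedule; the scan is a way to shortlist, not a proof. None of this is possible once the machine has been powered off, which is why the capture must come first.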
The Digital Investigations security team has the know-how, experience and tools to capture and extract data in either a persistent or a volatile state.