When I first began dabbling in digital forensics, the year was 1999. At the time it was little more than tepid curiosity for me. It wasn’t but a couple of months before I was thrust into my first “investigation”. The matter turned out to be a non-issue but it sure had us worried. Looking back on my procedure, I still had a lot to learn about digital investigations.
Here we are in 2020 and the practice of digital forensics continues to change with the advances in technology. For example, we used to think that live analysis of a system was taboo. The first rule of thumb was to turn it off and write-block everything before you attempted any discovery. Changes in technology have necessitated a shift in thinking about live acquisitions during a forensic examination. Let’s look at a few of the scenarios that offer highly compelling arguments for live acquisition.
Standardization of Localized Encryption
Years ago it would have been rare to find a desktop with any sort of local drive or file encryption. Today, however, full drive or volume encryption is commonplace on nearly any laptop or mobile device. The device to be analyzed may be unencrypted while booted and logged in, but it will revert to an encrypted state once the system is rebooted or locked. Encryption is the bane of every digital investigator’s existence. Sure, you can get around some of it, but the time and frustration it adds to your investigation are a reality. Governments and law enforcement continue to lobby for restricted backdoor access to defeat encryption. While it would certainly make digital forensics simpler, it’s a bad idea for many reasons.
Use of Volatile Memory for Malware Applications
We used to tweak and tune our machines to scrape together an additional 2 or 3 megabytes of RAM to get an application to run. Attackers typically had to rely on placing some part of their payload on a physical disk to ensure a high rate of success. Today a PC comes with 8, 12 or even 16 gigabytes of RAM, and we have plenty to spare. Attackers have become adept at building small but powerful tools that are completely memory-resident. Shutting down a system may eliminate any evidence that once existed only in memory.
Advent of Flash Storage as System’s Primary Storage
Many devices now use “blade”-style solid state drives (SSDs) in place of hard drives. These blade drives use a myriad of connectors, some of which are proprietary. In many cases, you can’t just pull a drive out and stick it in a duplicator. Some of the drives require connectors with special firmware or controllers that live on the motherboard. Booting to a forensic image on a USB stick may not allow the controller firmware to load correctly, and the drive will not be recognized. Mobile devices use flash storage soldered directly to the motherboard, making this process even more difficult. Sometimes a live acquisition is the only way to get the data.
As you can see, shutting a system down prior to acquisition could cause significant loss of evidence. Our first goal in digital forensics is to preserve evidence. Proving what is not present is every bit as important as proving what is present.
Rob Lee of SANS once gave a presentation to the ISSA chapter in Des Moines. He explained it well: when an EMT shows up at a shooting and the victim is still alive, they don’t worry about contaminating the crime scene while trying to save a life. Their footprints and the residual evidence they leave behind can be identified and explained in the bigger picture. Likewise, the traces left by our “prodding and poking” of a live system can be tracked and explained once the full forensic detail is laid out.
So, the next time you prepare for an investigation, think about this. Would you have a better overall picture of that system’s current state by doing a live analysis and explaining away your tracks, or by shutting it down and doing a more conventional acquisition? And so, my dear Watson… what’s your answer?
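The EMT analogy only holds if the examiner's own footprints can later be separated from the suspect's activity. The following is an added example, not code from the original post or from Pratum: a small, hash-chained acquisition log that records each live-triage step in order of volatility (memory first, disk copy last), fingerprints every artifact produced, and lets a reviewer ask which timeline events fall inside the examiner's activity window. The case id, examiner name, hostname and artifact bytes are constructed placeholders, and no real acquisition tool is invoked.

```python
import hashlib
import json
from datetime import datetime, timezone, timedelta
from typing import Optional

# Added example; case ids, hostnames and artifact contents below are constructed
# placeholders, not data from any real investigation.

GENESIS = "0" * 64  # prev_hash of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hash_entry(entry: dict) -> str:
    # Canonical JSON of every field except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class AcquisitionLog:
    """Tamper-evident record of each action the examiner takes on a live system.

    Every entry stores the SHA-256 of the artifact it produced and the hash of the
    previous entry, so a reviewer can both explain the examiner's footprints and
    detect any later edit to the record itself.
    """

    def __init__(self, case_id: str, examiner: str, host: str):
        self.case_id, self.examiner, self.host = case_id, examiner, host
        self.entries: list = []

    def record(self, action: str, artifact: bytes, note: str = "",
               when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp_utc": (when or datetime.now(timezone.utc)).isoformat(),
            "case_id": self.case_id, "examiner": self.examiner, "host": self.host,
            "action": action, "note": note,
            "artifact_sha256": sha256_hex(artifact), "artifact_bytes": len(artifact),
            "prev_hash": prev,
        }
        entry["entry_hash"] = _hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and correctly chained to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def window(self):
        """Earliest and latest recorded examiner action (both timezone-aware)."""
        first = datetime.fromisoformat(self.entries[0]["timestamp_utc"])
        last = datetime.fromisoformat(self.entries[-1]["timestamp_utc"])
        return first, last


def classify_events(log: AcquisitionLog, events):
    """Split timeline events found during the later dead-disk analysis into those
    inside the examiner's activity window (candidate examiner footprints, to be
    reconciled against the log) and those outside it (cannot be examiner-induced)."""
    first, last = log.window()
    inside, outside = [], []
    for ts, description in events:
        (inside if first <= ts <= last else outside).append(description)
    return inside, outside


def run_live_triage(start: datetime) -> AcquisitionLog:
    """Order-of-volatility triage using constructed stand-in artifacts."""
    log = AcquisitionLog("CASE-0001", "examiner.a", "LAPTOP-EXAMPLE")
    steps = [
        ("memory_capture", b"<constructed RAM image>", "full physical memory first"),
        ("process_list", b"pid=4312 name=svc_example\n", "includes memory-only processes"),
        ("network_connections", b"10.0.0.5:49211 -> 203.0.113.7:443 ESTABLISHED\n", "live sockets"),
        ("volume_encryption_state", b"C: encrypted=yes locked=no\n", "readable only while unlocked"),
        ("logical_disk_copy", b"<constructed logical copy>", "last, after volatile data is secured"),
    ]
    for i, (action, artifact, note) in enumerate(steps):
        log.record(action, artifact, note, when=start + timedelta(minutes=i))
    return log


if __name__ == "__main__":
    t0 = datetime(2020, 3, 1, 14, 0, tzinfo=timezone.utc)
    triage = run_live_triage(t0)
    print("log intact:", triage.verify())
    found = [(t0 - timedelta(hours=3), "svc_example first executed"),
             (t0 + timedelta(minutes=2), "prefetch entry for netstat")]
    print("examiner window:", *classify_events(triage, found))
```

Each entry is hashed over its own content plus the previous entry's hash, so reordering, deleting or editing any step after the fact breaks `verify()`. The `classify_events` split is deliberately coarse: it only tells the reviewer which events could be examiner-induced, and the log's per-step notes and artifact hashes are what actually explain them.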
For more information on our digital forensics services, reach out to a Pratum representative today!