Collecting Data

Kävrestad, Joakim

doi:10.1007/978-3-030-38954-3_11

Collecting Data

Joakim Kävrestad²

Chapter
First Online: 20 May 2020

2399 Accesses

Abstract

The common and best practice for conducting a forensic examination is to create a bit-by-bit copy of the storage device that you are set to examine and then analyze the copy. Working in this manner ensures that the actual storage device is not contaminated and can even provide performance benefits. This chapter begins with a description of how to create this bit-by-bit copy, called disk image, using the tool FTK imager on a running or turned off computer. The chapter then describes how to collect volatile data including taking a memory dump and extracting registry hives from a Windows computer during a live examination. At times, you find a computer that is turned on and you are not able to extract any data from the computer because it is logged out or likewise. In those cases, it is possible to extract information from memory using invasive techniques. This chapter introduces two such techniques, DMA attack and cold boot attack. At the end of the chapter, some constraints and considerations relating to collecting video from surveillance equipment are presented.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 44.99; Price excludes VAT (USA)

Softcover Book: USD 59.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

References

Amari K (2009) Techniques and tools for recovering and analyzing data from volatile memory. SANS Institute InfoSec Reading Room
Google Scholar
Break & Enter (2017) Inception. Available online http://www.breaknenter.org/projects/inception/. Fetched June 03, 2017
ForensicsWiki (2017) Forensic File Formats. Available online http://www.forensicswiki.org/wiki/Category:Forensics_File_Formats. Fetched June 03, 2017
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA et al (2009) Lest we remember: cold-boot attacks on encryption keys. Commun ACM 52(5):91–98
Article Google Scholar
Witherden F (2010) Memory forensics over the IEEE 1394 interface. Available online https://freddie.witherden.org/pages/ieee-1394-forensics/revisions/c1c615827b7647933e5a3d00668d6183.pdf. Fetched June 03, 2017

Download references

Author information

Authors and Affiliations

School of Informatics, University of Skövde, Skövde, Sweden
Joakim Kävrestad

Authors

Joakim Kävrestad
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Kävrestad, J. (2020). Collecting Data. In: Fundamentals of Digital Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-38954-3_11

Download citation

DOI: https://doi.org/10.1007/978-3-030-38954-3_11
Published: 20 May 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38953-6
Online ISBN: 978-3-030-38954-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics