Abstract
The common and best practice for conducting a forensic examination is to create a bit-by-bit copy of the storage device that you are set to examine and then analyze the copy. Working in this manner ensures that the actual storage device is not contaminated and can even provide performance benefits. This chapter begins with a description of how to create this bit-by-bit copy, called disk image, using the tool FTK imager on a running or turned off computer. The chapter then describes how to collect volatile data including taking a memory dump and extracting registry hives from a Windows computer during a live examination. At times, you find a computer that is turned on and you are not able to extract any data from the computer because it is logged out or likewise. In those cases, it is possible to extract information from memory using invasive techniques. This chapter introduces two such techniques, DMA attack and cold boot attack. At the end of the chapter, some constraints and considerations relating to collecting video from surveillance equipment are presented.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Amari K (2009) Techniques and tools for recovering and analyzing data from volatile memory. SANS Institute InfoSec Reading Room
Break & Enter (2017) Inception. Available online http://www.breaknenter.org/projects/inception/. Fetched June 03, 2017
ForensicsWiki (2017) Forensic File Formats. Available online http://www.forensicswiki.org/wiki/Category:Forensics_File_Formats. Fetched June 03, 2017
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA et al (2009) Lest we remember: cold-boot attacks on encryption keys. Commun ACM 52(5):91–98
Witherden F (2010) Memory forensics over the IEEE 1394 interface. Available online https://freddie.witherden.org/pages/ieee-1394-forensics/revisions/c1c615827b7647933e5a3d00668d6183.pdf. Fetched June 03, 2017
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kävrestad, J. (2020). Collecting Data. In: Fundamentals of Digital Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-38954-3_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-38954-3_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38953-6
Online ISBN: 978-3-030-38954-3
eBook Packages: Computer ScienceComputer Science (R0)