Archive for the ‘Digital forensics’ Category

Kludge remote running local

Sunday, January 13th, 2013

Kludge is a remote information gathering script that can be used in cases requiring a triage phase. If there are situations where network connectivity is not an option, this version can be used instead. Note that in order to run the tool you need all components downloaded from here.

RAM dumps and volatile memory treasures

Wednesday, August 15th, 2012

Our interview on scienceomega on our recent paper on volatile memory analysis:

http://www.scienceomega.com/article/528/pulling-the-plug-on-ram-loophole

ACPO Guide and volatile memory capture

Monday, June 13th, 2011

ACPO’s Good Practice Guide for Computer-Based Electronic Evidence has always been an excellent resource for supporting the digital forensics process. In the recently revised version emphasis is given on the handling of live data, strengthening the paradigm of “not pulling the plug”. As mentioned on p.18 of the document:

“Memory also often contains useful information such as decrypted applications (useful if a machine has encryption software installed) or passwords and any code that has not been saved to disk etc.
If the power to the device is removed, such artefacts will be lost. If captured before removing the power, an investigator may have a wealth of information from the machine’s volatile state,…”

We thought that it would be worthwhile reminding ourselves that a powered device is not necessarily a turned on device; In our recent research we established that even if a desktop computer is switched off but connected to mains, the contents of RAM are present and can be retrieved.

Therefore it is recommended that volatile memory is captured even if the computer is switched off at the time of the seizure.


Copyright © 2017 Information Security and Incident Response Research Unit. All Rights Reserved.
No computers were harmed in the 0.268 seconds it took to produce this page.

Designed/Developed by Lloyd Armbrust & hot, fresh, coffee.