The Importance of Volatile Data Capture in Digital Forensics

Introduction

Volatile data refers to information that exists only while a system is running: the contents of RAM (physical memory), the state of running processes and services, loaded drivers, and active network connections. It is transient by nature; it is lost, or at least altered, when the system is powered off or restarted, and it keeps changing while the system is up, so even the act of collecting it modifies the system being examined (the collection tool's own process appears in the process list, and the insertion of the collection media is itself logged). A practitioner therefore collects the most volatile artifacts first and documents the tool's footprint.

WetStone Technologies' USB-Live Acquisition and Triage Tool (US-LATT) is designed to capture volatile data from a live system during an investigation, gathering evidence in the order dictated by its volatility. The types of evidence it collects fall into three categories:

1.  Highly Volatile

These types of evidence are unlikely to be recoverable after the system is powered down. Examples include physical memory, running processes, running services, screen shots, active network sessions, operational drivers, system information, and mounted encrypted volumes.

  • Physical Memory: Provides the opportunity to examine and carve potential passwords, recent messages, partial documents, malicious processes, web history, financial data, phone numbers, contact information, etc.
  • Running Processes: Provides the investigator or auditor with a record of the processes that were running on the target computer at the time of the acquisition. This information can provide clues about what the suspect or victim was doing most recently.
  • Running Services: Furnishes insight into the system services that were running or stopped. For example – was the antivirus active, was the firewall running, was there a VPN in operation?
  • Screenshots: Gives information about the most recent user activity, images, videos, messages, documents, and open web pages.
  • Active Network Sessions: Affords insight into the connections to inside or outside services. These could be NAS devices, cloud infrastructures, accomplices, or compromised services.
  • Operational Drivers: The set of loaded drivers shows which classes of peripherals were attached to the system at acquisition time, for example cameras, GPS receivers, USB storage devices, and flash memory cards, any of which could be valuable to the investigation or audit.
  • System Information: Provides hostname, IP and MAC addresses, and other general system details that tie the acquired evidence to this specific computer or device.
  • Mounted Encrypted Volumes: Access to information that may be vital for the investigation, yet only available while file systems are mounted and unlocked.

2.  Moderately Volatile

These types of evidence are usually recoverable after shutdown, but the postmortem process can be complex, slow, or less accurate than a live capture. Examples include user events (login, shutdown), security events, registry entries, recent images, recent multimedia, recent documents, actively inserted devices, recently inserted devices, web history, and email history.

  • User Events (Login, Shutdown): Provides information about when the system was used and when users logged in and logged out. Gives investigators evidence that can be used when questioning users.
  • Security Events: Provides auditors and compliance officers with information about possible security violations, unsuccessful login attempts, and changes to important security settings that could affect operations.
  • Registry Entries: Delivers a wealth of information about Windows systems, security settings, application settings, and even user activities.
  • Recent Images, Recent Multimedia, and Recent Documents: Offers a glimpse at the most recent images, multimedia, and documents viewed and modified by users.
  • Actively Inserted Devices and Recently Inserted Devices: Provides quick access to information about inserted USB and other memory devices.
  • Web History: Gives investigators insight into the most recent browsing habits of users.
  • Email History: Gives investigators access to email history and address books in use by users.

3.  Possibly Volatile or Time-Sensitive

These types of evidence are most likely recoverable using postmortem procedures, but the recovery may be delayed. Examples include files and documents, drive images, directory structure, and installed applications.

  • Files and Documents: Certain files by type or content may provide immediate evidence to investigators or auditors. These files may have vital data related to the investigation or contain company proprietary data.
  • Drive Images: In some cases, a direct image of a logical volume may be essential either to preserve evidence or to acquire evidence that would be lost during shutdown or that is only available in a live environment; a mounted encrypted volume, for instance, can be imaged in plaintext only while it is unlocked.
  • Directory Structure: Taking a snapshot of a directory structure may provide information about user activities and tendencies.
  • Installed Applications: Can provide a glimpse into the tendencies and sophistication of the user.
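The three categories above are, in effect, an order of volatility (the same principle RFC 3227 describes): a live collection should run the highly volatile collectors first and the time-sensitive ones last, time-stamp and hash every artifact as it is captured, and keep going when an individual collector fails. The following Python script is an added example written for this article; it is not US-LATT code and does not reproduce the tool's collectors. The collector names, the tier constants, and the sample artifacts in the `__main__` block are assumptions made for illustration.

```python
"""Order-of-volatility live collection runner (illustrative example, not US-LATT code)."""
import hashlib
import json
import platform
import socket
import subprocess
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Tuple

# Tiers mirror the three categories in the article: a lower number is collected first.
HIGHLY_VOLATILE = 1
MODERATELY_VOLATILE = 2
TIME_SENSITIVE = 3


@dataclass
class Collector:
    name: str
    tier: int
    run: Callable[[], bytes]  # returns the raw bytes of one artifact


@dataclass
class Record:
    """One line of the acquisition manifest (chain-of-custody metadata)."""
    name: str
    tier: int
    started: float
    finished: float
    sha256: str
    size: int
    error: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_in_order(collectors: List[Collector],
                     clock: Callable[[], float] = time.time
                     ) -> Tuple[List[Record], Dict[str, bytes]]:
    """Run collectors most-volatile-first; hash and time-stamp each artifact.

    sorted() is stable, so collectors in the same tier keep the order the
    operator listed them. A collector that raises is recorded with its error
    and the run continues: on a live system, stopping would lose the rest.
    """
    records: List[Record] = []
    artifacts: Dict[str, bytes] = {}
    for c in sorted(collectors, key=lambda col: col.tier):
        started = clock()
        try:
            data = c.run()
            artifacts[c.name] = data
            records.append(Record(c.name, c.tier, started, clock(),
                                  sha256_hex(data), len(data)))
        except Exception as exc:  # any failure is evidence too; log it, do not abort
            records.append(Record(c.name, c.tier, started, clock(), "", 0, repr(exc)))
    return records, artifacts


def to_manifest(records: List[Record]) -> str:
    """Serialise the manifest as JSON so it can be stored beside the artifacts."""
    return json.dumps([asdict(r) for r in records], indent=2)


def verify(records: List[Record], artifacts: Dict[str, bytes]) -> List[str]:
    """Return the names of artifacts whose bytes no longer match the manifest."""
    return [r.name for r in records
            if not r.error and sha256_hex(artifacts.get(r.name, b"")) != r.sha256]


def process_list() -> bytes:
    """Assumed cross-platform process listing via the OS's own tool."""
    cmd = ["tasklist"] if platform.system() == "Windows" else ["ps", "-ef"]
    return subprocess.run(cmd, capture_output=True, check=True, timeout=30).stdout


def system_info() -> bytes:
    return f"{socket.gethostname()} {platform.platform()}".encode()


if __name__ == "__main__":
    # Listed deliberately out of order; the runner re-sorts by tier.
    plan = [
        Collector("installed_apps", TIME_SENSITIVE, lambda: b"<constructed sample>"),
        Collector("system_info", HIGHLY_VOLATILE, system_info),
        Collector("running_processes", HIGHLY_VOLATILE, process_list),
        Collector("web_history", MODERATELY_VOLATILE, lambda: b"<constructed sample>"),
    ]
    recs, arts = collect_in_order(plan)
    print(to_manifest(recs))
    print("tampered:", verify(recs, arts))
```

Two design points matter here. The manifest records a start and finish time per artifact, because on a live system two artifacts captured a minute apart describe two different machine states, and a defence expert will ask which came first. And `verify` is deliberately separate from collection, so the same manifest can be re-checked against the stored artifacts at any later point in the custody chain.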

Conclusion

Volatile data capture is a crucial component of digital forensics. Given the transient nature of volatile data, swift and strategic action is required to prevent the loss of valuable evidence. Tools such as US-LATT from WetStone Technologies play a significant role in this process, enabling investigators to capture a wide spectrum of data in various states of volatility. This includes highly volatile data like running processes and active network sessions, moderately volatile data such as user events and web history, and even possibly volatile or time-sensitive data like drive images and installed applications. The ability to capture such a broad range of data enhances the scope and depth of an investigation, providing a more comprehensive understanding of a user’s activities and tendencies.