Live Forensics

• Involves analyzing a system or network that is up and running
• DFIR (Shorthand)
• Often happen in corporate environment
• Malware analysis
• Security. Cyber security is often important within live forensics

What we are looking at

• Data breaches
• Hackers - Intrusion to your network
• Data Breach

What we are collecting

• Live data
  • Router and Firewall logs
  • Running Processes
  • Volatile Data including RAM
  • Network Traffic
• Often done on scene

Tools we use in live forensics

• Network Capture
  • Wireshark
• Live Forensic Boot Discs
  • Sift
  • CAINE
• Memory Ferensic Tools
• Live Imaging
  • FTK Imager
  • EnCase Imager
  • dd

---

Dead Box Forensics

• Also referred to as "Post Mortem" Analysis
• Done after the incident
• Usually in a lab - not in the field or on scene
• Looking for artifacts to find out what happened
• System has typically be shut down
• Hard drive or other media is what we are looking at
  • SD Card
  • Optical Drives
  • USB Drives
• Seizure: how the device was taken, understanding the person who is collecting the data may not understand the scientific process
• The proper way to seize a device relys on numerous factors
  • State of the system
  • OS of the system
  • Tools available on the scene
  • Skill of the person seizing the system

[10, 22, 9, 4]