2.2 Computer Forensics
foremost, data can reside either in a storage medium locally (e.g., DRAM, a
BIOS chip, or an HDD), in log files on a remote machine, or on the network.
On a Windows machine, data on disk is divided into logical areas of storage
called volumes, where each volume is formatted with a specific file system
(NTFS, FAT, ISO 9660, etc.). These volumes in turn store files, which can be
binary files that adhere to some context-specific format (e.g., registry hives,
page files, crash dumps, etc.), text-based documents, or executables. At each
branch in the tree, a set of checks can be performed to locate and examine
anomalies.
Classifying Forensic Techniques: Second Method
Another way to classify tactics is by their chronological appearance in the
prototypical forensic investigation. The nature of such an investigation is
guided by two ideas:
■ The "order of volatility."
■ Locard's exchange principle.
The basic "order of volatility" spelled out by RFC 3227 (Guidelines for
Evidence Collection and Archiving) is based on the degree to which data persists
on a system. In particular, see Section 2.1 of this RFC: "When collecting
evidence you should proceed from the volatile to the less volatile."
During the act of collecting data, an investigator normally seeks to heed
Locard's exchange principle, which states that "every contact leaves a trace."
In other words, an investigator understands that the very act of collecting data
can disturb the crime scene. So he goes to great lengths to limit the footprint
he leaves behind and also to distinguish between artifacts that he has created
and the ones that the attacker has left behind.
Given these two central tenets, a forensic investigation will usually begin
with a live response (see Figure 2.2).
Live Response
Keeping Locard's exchange principle in mind, the investigator knows that
every tool he executes will increase the size of his footprint on the targeted
system. In an effort to get a relatively clear snapshot of the system before he
muddies the water, live response often begins with the investigator dumping
the memory of the entire system en masse.
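The two tenets above translate directly into how a live-response run should be
organized: collect in RFC 3227 order (memory before disk), and record exactly
what the investigator did and when, so that artifacts created by the
investigation can later be told apart from those the attacker left behind. The
following is an added illustration, not code from the book or from any
particular forensic tool. The collection steps and the bytes they "collect" are
constructed stand-ins for real collectors (a memory dumper, an ARP-table dump, a
disk imager), and the fake clock exists only so the run is reproducible offline.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# RFC 3227, section 2.1: most volatile first. Lower rank is collected first.
VOLATILITY_RANK = {
    "registers_cache": 0,
    "routing_arp_process_kernel_memory": 1,
    "temporary_filesystems": 2,
    "disk": 3,
    "remote_logging_monitoring": 4,
    "physical_configuration_topology": 5,
    "archival_media": 6,
}


@dataclass
class CollectionStep:
    name: str
    category: str                 # key into VOLATILITY_RANK
    collector: Callable[[], bytes]  # hypothetical collector; returns raw evidence bytes


@dataclass
class ManifestEntry:
    step: str
    started: float
    finished: float
    output_sha256: str
    output_size: int


class LiveResponseSession:
    """Runs collection steps in order of volatility and keeps a footprint manifest."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self.manifest: List[ManifestEntry] = []

    @staticmethod
    def order_by_volatility(steps: List[CollectionStep]) -> List[CollectionStep]:
        # sorted() is stable, so steps of equal volatility keep their given order.
        return sorted(steps, key=lambda s: VOLATILITY_RANK[s.category])

    def run(self, steps: List[CollectionStep]) -> List[ManifestEntry]:
        for step in self.order_by_volatility(steps):
            started = self._clock()
            data = step.collector()
            finished = self._clock()
            # Hash the output immediately so later tampering with the copy is detectable.
            self.manifest.append(ManifestEntry(
                step=step.name,
                started=started,
                finished=finished,
                output_sha256=hashlib.sha256(data).hexdigest(),
                output_size=len(data),
            ))
        return self.manifest

    def investigator_window(self) -> Optional[Tuple[float, float]]:
        """Time span during which the investigator was touching the system."""
        if not self.manifest:
            return None
        return (self.manifest[0].started, self.manifest[-1].finished)

    def created_by_investigator(self, timestamp: float) -> bool:
        """Locard check: does an artifact's timestamp fall inside our own footprint?"""
        window = self.investigator_window()
        if window is None:
            return False
        low, high = window
        return low <= timestamp <= high


def demo_session() -> LiveResponseSession:
    """Constructed run: steps given out of order, fake clock ticking 100, 101, ..."""
    ticks = iter(range(100, 200))
    session = LiveResponseSession(clock=lambda: float(next(ticks)))
    steps = [
        CollectionStep("disk_image", "disk", lambda: b"constructed disk image bytes"),
        CollectionStep("memory_dump", "routing_arp_process_kernel_memory", lambda: b"constructed RAM dump"),
        CollectionStep("arp_cache", "routing_arp_process_kernel_memory", lambda: b"constructed arp table"),
    ]
    session.run(steps)
    return session


if __name__ == "__main__":
    s = demo_session()
    for entry in s.manifest:
        print(f"{entry.step:12s} {entry.started:.0f}-{entry.finished:.0f} sha256={entry.output_sha256[:16]}...")
    print("investigator window:", s.investigator_window())
```

The manifest is the investigator's own alibi: any file or registry timestamp
that falls inside the recorded window is a candidate for having been created by
the response itself, while anything outside it cannot be. In a real engagement
the manifest would also record the hash of each tool binary executed, for the
same reason.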