There may be times when a computer cannot be removed from the network for analysis, either because taking it offline would disrupt network operations or because no suitable replacement unit is available. At other times the only evidence of an incident may be the data currently held in memory. These situations call for what is known as the live incident response process.
Live response collects the system data needed to confirm whether an incident occurred. The data collected during a live response falls into two main sets:
Volatile data
Volatile data exists only in memory and is lost when the system is powered off. The volatile data gathered during live response includes current network connections, running processes and open files. The second set is non-volatile data.
Non-volatile data
Non-volatile data collected during live response, such as the system logs, can be gathered in an easily readable format rather than in the customary binary files. This data would still be available from a regular forensic duplication, but it is harder to extract in a readable form once the computer has been shut down.
The live data is collected by running a series of commands. Each command produces output that would normally go to the console. That output should be saved for later analysis and transmitted to the forensic workstation rather than written to the local hard drive. The forensic workstation should be an isolated machine that the investigator considers trusted. Keeping the output off the local drive avoids overwriting evidence there (including unallocated space) should a forensic duplication be wanted later. There are several methods of transferring the data to the forensic workstation.
The first method uses netcat, often called the 'Swiss army knife' of networking. Netcat simply creates TCP (Transmission Control Protocol) channels; it can carry UDP as well. It can run in listening mode, like a telnet server, or in connection mode, like a telnet client.
A variant of netcat named cryptcat can be used in most cases, because it encrypts the data sent across the TCP channel. Cryptcat uses the same command-line switches as netcat while adding confidentiality and authentication. Any bits an intruder alters in transit will not decrypt correctly, so tampering shows up on the forensic workstation as corrupted output instead of passing unnoticed.
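The transfer just described, together with the series of collection commands it carries, as an added example that is not part of the original article: a POSIX shell script that runs each collection command, wraps its output in markers carrying the UTC time of collection and a SHA-256 of the body, and streams the whole stream to a netcat (or cryptcat) listener on the forensic workstation, so nothing touches the suspect host's disk. The script is written for a Unix-like suspect host so that it runs as shown; the Windows equivalents noted in the comments follow the same pattern. The workstation address 10.0.0.5, port 4444, the shared secret and the exact command list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): stream live-response
# output straight to a trusted forensic workstation over netcat so
# nothing is written to the suspect host's disk.
#
# Forensic workstation side (netcat in listening mode), started first:
#   nc -l -p 4444 > live_response.txt        # some nc builds: nc -l 4444
# With cryptcat the switches are the same and the channel is encrypted:
#   cryptcat -k SharedSecret -l -p 4444 > live_response.txt
# Suspect host side (netcat in connection mode):
#   sh live_response.sh send 10.0.0.5 4444
#   (or: collect_live | cryptcat -k SharedSecret 10.0.0.5 4444)
# The address, port and secret are illustrative assumptions.

# SHA-256 of stdin using whichever tool the host offers.
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha256 | sed 's/.*= //'
    else cat >/dev/null; echo unavailable
    fi
}

# record NAME CMD [ARGS...]: run one collection command and wrap its
# output in BEGIN/END markers carrying the UTC time of collection and a
# hash of the body, so each item can be verified on the workstation.
# A command missing on this host is recorded as such rather than skipped.
record() {
    name=$1; shift
    printf '=== BEGIN %s | %s ===\n' "$name" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if command -v "$1" >/dev/null 2>&1; then
        body=$("$@" 2>&1 || true)
    else
        body="(command not available on this host: $1)"
    fi
    printf '%s\n' "$body"
    printf '=== END %s | sha256=%s ===\n' "$name" "$(printf '%s\n' "$body" | hash_stdin)"
}

# The series of commands. System date/time comes first because every
# other timestamp is read relative to it and it is the item most easily
# forgotten. Windows equivalents (assumed mapping): date /t and time /t,
# PsLoggedOn, netstat -an, route print, tasklist.
collect_live() {
    record date_time           date -u
    record logged_on_users     who
    record network_connections netstat -an
    record routing_table       netstat -rn
    record running_processes   ps -ef
}

case "${1:-}" in
    send)    collect_live | nc "$2" "$3" ;;   # to the listening workstation
    dry-run) collect_live ;;                  # print locally for inspection
esac
```

On the workstation, recompute the SHA-256 of each body between its BEGIN and END markers and compare it with the value in the END line; a mismatch means the item was altered after collection. Start the listener before running the script on the suspect host, since netcat in connection mode exits immediately if nothing is listening.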
Live response has a further advantage: it allows you to observe intruders and track their movements in real time without their knowledge. There are tools that report which users are currently logged on to the system or accessing its resource shares, and in what capacity.
Vital data from live response: The easiest information to collect and understand is the system date and time. It can also be the most important to an investigation, since every other timestamp gathered is interpreted relative to it, yet it is easily missed.
Current network connections: It is entirely possible to execute the live response process while intruders are connected to the server; their connections, and any open (listening) ports, are easily detected.
Routing: Live response makes it easy to detect the attacker's movements and discern his or her intentions. Compromised servers are often used to redirect traffic, the benefit to the attacker being that the redirected traffic bypasses security devices such as a firewall. Examining the routing table shows where data is actually being routed.
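To show what the collected connection data looks like once it is on the forensic workstation, the following is an added example that is not part of the original article. It triages a `netstat -an` listing in the format Windows prints it: listening TCP ports, bound UDP ports, and established connections, with foreign addresses outside an assumed internal prefix flagged as external, plus a check of the listening ports against a baseline of ports the server is expected to have open. The sample listing, the internal prefix 192.168., the baseline and the port 4444 listener are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): triage a Windows-style
# "netstat -an" listing collected during live response.

# Constructed sample, in the layout Windows netstat -an prints.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:51234     ESTABLISHED
  TCP    192.168.1.10:49213     203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
EOF
)

# triage_netstat [INTERNAL_PREFIX]: read a netstat -an listing on stdin
# and print one line per item of interest. Established connections whose
# foreign address does not start with the internal prefix are tagged
# EXTERNAL. The last-colon split also handles IPv6 forms like [::]:135.
triage_netstat() {
    internal=${1:-192.168.}   # assumed internal address prefix
    awk -v internal="$internal" '
        $1 == "TCP" && $4 == "LISTENING" {
            p = $2; sub(/.*:/, "", p)
            print "LISTEN tcp/" p
        }
        $1 == "TCP" && $4 == "ESTABLISHED" {
            tag = (index($3, internal) == 1) ? "internal" : "EXTERNAL"
            print "ESTABLISHED " $2 " -> " $3 " " tag
        }
        $1 == "UDP" {
            p = $2; sub(/.*:/, "", p)
            print "UDP-BOUND udp/" p
        }'
}

# unexpected_listeners "PORT PORT ...": report listening TCP ports that are
# not in the space-separated baseline of ports this server should expose.
unexpected_listeners() {
    baseline=" $1 "
    triage_netstat | while read -r kind rest; do
        case "$kind" in LISTEN) ;; *) continue ;; esac
        p=${rest#tcp/}
        case "$baseline" in
            *" $p "*) ;;
            *) echo "unexpected listener tcp/$p" ;;
        esac
    done
}

# Usage with the constructed sample; the baseline is an assumption.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | triage_netstat 192.168.
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "135 139 445 3389"
fi
```

Run against the sample, the triage reports four listeners, one external established connection to 203.0.113.7:443, and tcp/4444 as the only listener missing from the baseline; on a real case the baseline comes from the server's build documentation, and every external connection is cross-checked against the routing table collected in the same run.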
The Windows live response process can be invaluable to the computer forensic investigator, as it easily facilitates collection of the vital data required in many investigations in which a computer is involved.