Semester 3 / ECTS Credits: 5 ECTS
Course Description:
This class lays down the foundation of live data capture and analysis, with RAM analysis treated as one of the most valuable live data evidence types. Traditionally, most forensic standard operating procedures have led us to “pull the plug” on a running machine to preserve the evidence. In the past few years this procedure has slowly transitioned into an “if it’s running, it depends” methodology. This “it depends” approach has been taken from the mobile forensics world, where a “turn it off” procedure has been impossible for quite some time: for forensic investigators to get any data, they must turn on the device and therefore change the original evidence. In today’s world everything is constantly running, so we actually cannot just pull the plug on most computers and IT equipment; we must capture data in its live form. Imaging a live machine and obtaining a copy of data from a live system has not been the problem; analysing what has been obtained, especially memory, is. This class goes through some of the methodology for obtaining live data but focuses on memory analysis with the Volatility framework.
The class combines theory and concepts with hands-on exercises to build comprehensive knowledge and practical skills in the topics covered.
Learning Outcomes:
- Identify and recognize different live data sources
- Work on a live system
- Explain how RAM works and the available RAM imaging options
- Evaluate RAM analysis tools
- Work with the Volatility framework
- Identify regular processes in working memory
- Analyze the contents of working memory for the presence of malicious files
- Combine storage and analysis tools to produce a forensic report
- Self-evaluate procedures for storing data from computer memory
- Create reports on the digital forensic investigation of working memory
Course content lectures:
- Introduction to live system review
- Traditional forensics vs. forensics of working memory
- Working with a powered-off or powered-on computer
- Live analysis methods
- Working with encrypted disks
- Data collection
- RAM overview and imaging
- Random access memory imaging
- RAM analysis
- Volatility framework
- Basic usage of the Volatility framework
- Volatile data differences in variable data operations
- Documenting collected evidence and steps taken during the investigation
- Creating reports on the digital forensic investigation process