Time
8 hours 6 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

This lesson covers volatile data considerations. The decision to shut down a system is made on a case-by-case basis, and the collection of volatile data itself requires changes to the system that could overwrite more valuable data. An investigator's work may also be hindered by inactivity features such as power schemes, screen savers and hibernation. It is also important to remember that while a system has active connections, the investigator does not have total control of it. If it is necessary to terminate a connection, first determine whether it is wired or wireless, because each is terminated differently.
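The following POSIX shell triage helper is an added example, not material from the lesson, and puts the three concerns above into practice: it collects the most volatile artefacts first, writes a timestamped log of every action the collector itself takes (so the changes that collection introduces can later be separated from suspect activity), and classifies each network interface as wired or wireless before any cable is pulled. The function names and evidence-file layout are this example's own; `ss`, `ip`, `ps` and `who` are assumed to be the standard Linux tools, and a step whose tool is absent is logged as skipped rather than failing the run.

```shell
#!/bin/sh
# Added example (not from the lesson): volatile-data triage helper.
# Tool names (ss, ip, ps, who) are standard Linux utilities; the function
# names, evidence layout and sysfs-based classifier are this example's own.

# Interface metadata source; overridable so the classifier can be exercised
# against a constructed sysfs tree instead of the live /sys.
SYS_NET="${SYS_NET:-/sys/class/net}"

# Every action the collector takes changes the live system (a new process,
# new files, page-cache churn). Record each one with a UTC timestamp so the
# examiner can tell collector footprint apart from suspect activity.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVD/collector_actions.log"
}

# classify_iface NAME [SYSROOT] -> wired | wireless | loopback | unknown
# Consult this before pulling a cable: a host with a wireless interface may
# fail over to Wi-Fi the moment the wired link drops. type 772 is loopback.
classify_iface() {
    name="$1"; root="${2:-$SYS_NET}"
    if [ ! -d "$root/$name" ]; then
        echo unknown; return
    fi
    if [ -d "$root/$name/wireless" ] || [ -d "$root/$name/phy80211" ]; then
        echo wireless
    elif [ "$(cat "$root/$name/type" 2>/dev/null)" = "772" ]; then
        echo loopback
    else
        echo wired
    fi
}

# list_ifaces [SYSROOT] -> "name class" per interface
list_ifaces() {
    root="${1:-$SYS_NET}"
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        n=$(basename "$d")
        printf '%s %s\n' "$n" "$(classify_iface "$n" "$root")"
    done
}

# extract_peers: read `ss -tn state established` output on stdin and emit the
# remote Address:Port of each established TCP session. These are the parties
# that currently share control of the box with the investigator.
extract_peers() {
    awk 'NR > 1 && NF >= 4 { print $4 }'
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print "sha256="$1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print "sha256="$1}'
    else echo "sha256=unavailable"; fi
}

# run_step LABEL CMD...: run one collection command, save its output, hash it,
# and log the action. $EVD should be external media, never the suspect disk.
run_step() {
    label="$1"; shift
    out="$EVD/$label.txt"
    if command -v "$1" >/dev/null 2>&1; then
        log_action "START $label: $*"
        "$@" > "$out" 2>&1 || log_action "WARN $label exited non-zero"
        log_action "END $label -> $out $(hash_file "$out")"
    else
        log_action "SKIP $label: $1 not present"
    fi
}

# collect_volatile EVIDENCE_DIR: most volatile first (sessions, processes),
# then interface and routing state, then logged-on users. Returns 0 on success.
collect_volatile() {
    EVD="$1"; mkdir -p "$EVD"
    log_action "collector started on $(hostname 2>/dev/null || echo unknown-host)"
    run_step 01_tcp_established ss -tnp state established
    run_step 02_all_sockets     ss -tunap
    run_step 03_processes       ps -eo pid,ppid,user,etime,args
    run_step 04_addresses       ip -o addr
    run_step 05_routes          ip route
    list_ifaces > "$EVD/06_iface_classes.txt"
    log_action "END 06_iface_classes -> $EVD/06_iface_classes.txt $(hash_file "$EVD/06_iface_classes.txt")"
    run_step 07_logged_on       who -a
    if [ -f "$EVD/01_tcp_established.txt" ]; then
        extract_peers < "$EVD/01_tcp_established.txt" > "$EVD/08_remote_peers.txt"
    fi
    log_action "collector finished"
    [ -s "$EVD/collector_actions.log" ]
}

# Usage: sh collect.sh collect /media/evidence   (no action when sourced)
case "${1:-}" in
    collect) collect_volatile "${2:-./evidence}" ;;
esac
```

Read `08_remote_peers.txt` and `06_iface_classes.txt` before deciding whether to terminate anything: the first shows who else currently holds a session on the host (and whether remote storage is in play), the second shows whether unplugging the Ethernet cable will simply hand the host over to a wireless link.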

Video Transcription

00:04
Some volatile data considerations. The decision to shut down the system should be made on a case-by-case basis. Obviously, if you've got destructive activity occurring on a system, and it is rapidly changing and the environment is essentially untenable, and you're not going to be able to shut down
00:23
or stop that process,
00:25
shutting down the system may be your only option.
00:28
Therefore, the decision to forego the collection of volatile data
00:32
depends on if it is reasonably expected to support the investigation.
00:37
So we talked about that earlier, that a long time may have progressed from the time you became aware of the incident till
00:46
now. It may not be good
00:48
practice to collect that volatile data because it is essentially useless, or you've lost control of that system. Two or three or four users have logged on.
00:59
And then again, we also hinted that some of the processes that we are going to demonstrate do require some changes to the system. So collecting volatile data does require more extensive changes to the system, and that can
01:18
overwrite other, more valuable data.
01:19
So all of those types of considerations have to be thought of before collecting the data and/or shutting off the system and forgoing the collection of that.
01:34
Another problem that you may encounter when trying to preserve evidence is inactivity.
01:42
Inactivity functions can limit
01:46
access that you have to a particular computer system.
01:51
And then
01:52
you may have different sources of inactivity, such as a power scheme
01:57
that will essentially activate itself to reduce power consumption to a device or an entire system.
02:04
You also have your screen saver, which will essentially lock the computer after a certain period of time, if they have that screen saver that locks when the computer
02:19
is essentially left alone. Some screen savers won't lock, but some might require a password upon waking up. And then hibernation will simply cause RAM to be written to the hard drive, and then the contents can be restored on power-up. It may require a password.
02:37
So
02:38
one of the first things to consider when you come to a scene and you find a computer with a blank screen is to
02:46
ensure the monitor is powered on.
02:47
If nothing appears on the screen, depress the left shift key. Now, depressing that left shift key is
02:54
important because that is the only key that can't really be hot-keyed
03:00
to create some other process. So if you have a very technically savvy computer user and they've set up something on their system so that when you push any other key but that left shift key,
03:14
CCleaner or BleachBit is going to run and start wiping everything on that system.
03:20
To wake that system up, simply press that left shift key, and the system should wake itself up.
03:28
The other thing that we can do to prevent inactivity functions
03:34
is to insert a mouse jiggler into the system. And what a mouse jiggler is: it's essentially a
03:44
it looks almost like a very small thumb drive, and it mimics a human interface device such as a mouse. It makes very slight mouse movements, very occasionally, very sporadically, that keep the system from being
04:01
inactive and triggering these inactivity functions,
04:04
and that still allows the investigator to perform his functions.
04:09
And this is an example of the WiebeTech mouse jiggler. They're relatively inexpensive; I think they're about 17 to 20 bucks. But you can buy those and then insert those into the operating system,
04:24
and it will prevent the system from becoming
04:30
The next consideration that we have when preserving data is the active connections. And then connectivity is a data connection between two systems,
04:40
and they're most prevalent in modem or network connections to the Internet. So almost any system that you're going to encounter, more than likely in 2016, is going to have some type of network
04:55
or other type of connection to it, unless you're dealing with some type of true sneakernet system.
05:02
So with active connections, an investigator does not have complete control of the system. So it's very important
05:12
to understand what the computer is connected to, who may or may not have control over that system.
05:19
So the network state may provide vital information to the investigation, such as remote storage. So if we were to immediately disconnect all of the network connections to the computer as soon as we got there, we might lose some of that vital information.
05:40
That being said, data can be sent or received over active connections and may permit someone to begin active destruction measures on the system.
05:48
So until we're certain that we have complete control over that system,
05:53
we can't necessarily let our guard down and assume that we are the only ones who may be working on that system.
06:02
So investigators need to conduct an assessment of the situation and determine whether terminating the connection is warranted.
06:09
Volatile information should be collected first unless it is apparent that the connection must be terminated immediately.
06:15
So again, it's going to depend on the situation. But the investigator must be cognizant of some of these considerations and do that continual assessment as they're going throughout the investigation process.
06:32
So
06:33
Terminating connections: a wired connection can be terminated as easily as removing a data cable from the back of the computer.
06:43
That being said, some computers, as soon as they're disconnected, may revert back to a wireless connection or a Bluetooth connection. Wireless connections could be as simple as disconnecting the cable to the wireless access point.
07:00
So that entails being able to locate the wireless access point, and generally in a home or business
07:10
they're going to be near cable modems or near the TV,
07:14
and then any type of cabling can help identify
07:17
those access points if they're not readily apparent
07:21
And then access points are probably generally close to the computer due to the radio wave limitations. However, keep in mind that waves can propagate to other levels of a home.
07:33
So if you're in a home setting, you could have
07:38
a
07:40
WiFi network that's essentially hidden, obfuscated, out of sight.
07:45
That being said,
07:46
if you disconnect one WiFi setting, it's quite possible someone has another WiFi setting very close by,
07:55
so that when you disconnect one, it will connect to another,
07:59
so you may also have to just completely disable the WiFi connections on that system as well.

Up Next

Incident Response & Advanced Forensics

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. Why do I need this certification? As a part of the Incident Response process, ...

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor