Part 5 - Volatile Data Considerations


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers volatile data considerations. The decision to shut down a system is made on a case-by-case basis, and the collection of volatile data requires changes to a system which could overwrite more valuable data. An investigator's work might be hindered by computer inactivity functions such as power schemes, screen savers and hibernation. It is also important to remember that with an active connection, an investigator does not have total control of the system. If it is necessary to terminate connections, be sure to determine whether the connection is wireless or wired, as each has specific instructions.

Video Transcription
00:03
>> Some volatile data considerations though. The decision to shut down a system should be made on a case-by-case basis. Obviously, if you've got destructive activity occurring on a system and it is rapidly changing, and the environment is essentially untenable and you're not going to be able to shut down or stop that process, shutting down the system may be your only option. Therefore, the decision to forego the collection of volatile data depends on if it is reasonably expected to support the investigation. We talked about that earlier, that if a long time has maybe progressed from the time you became aware of the incident till now, it may not be good practice to collect volatile data because it's essentially useless or you've lost control of that system. Two or three or four users may have logged on. Again, we also hinted that some of the processes that we are going to demonstrate do require some changes to the system. Collecting volatile data does require more extensive changes to the system, and that can overwrite other more valuable data. All of those types of considerations have to be thought of before collecting the data and/or shutting off the system and foregoing the collection of that data.

Another problem that you may encounter when trying to preserve evidence is inactivity. Inactivity functions can limit the access that you have to a particular computer system. You may have different sources of inactivity, such as the power scheme that will essentially activate itself to reduce power consumption to a device or an entire system. You also have your screensaver, which will essentially lock the computer after a certain period of time, if they have that screensaver that locks when the computer essentially is left alone. Some screensavers won't work, but some might require a password upon waking up. Then hibernation will simply cause RAM to be written to the hard drive, and then content can be restored on power up, but it may require a password.

One of the first things to consider when you come to a scene and you find a computer with a blank screen is to ensure the monitor is powered on. If nothing appears on the screen, depress the left Shift key. Now, depressing that left Shift key is important because that is the only key that can't really be hotkeyed to create some other process. If you have a very technically savvy computer user and they've set up something on their system where, when you push any other key but that left Shift key, CCleaner or BleachBit is going to run and start wiping everything on that system. To wake that system up, simply press that left Shift key and the system should wake itself up.

>> The other thing that we can do to prevent inactivity functions is to insert a mouse jiggler into the system. What is a mouse jiggler? It looks almost like a very small thumb drive. It mimics a human interface device, such as a mouse, and it makes very slight mouse movements very occasionally, very sporadically, that keep the system from being inactive and creating these inactivity functions, but still allows the investigator to perform his functions. This is an example of the WiebeTech mouse jiggler. They're relatively inexpensive; I think they are about 17 to 20 bucks. You can buy those and then insert those into the operating system, and it will prevent the system from becoming inactive.

The next consideration that we have when preserving data is the active connections. Connectivity is a data connection between two systems. They are most prevalent in modem or networked connections to the Internet, so almost any system that's turned on that you encounter, more than likely in 2016, is going to have some type of network or other type of connection to it unless you're dealing with some type of crude sneakernet system. With active connections, an investigator does not have complete control of the system. It's very important to understand what the computer is connected to, who may or may not have control over that system. The network state may provide vital information to the investigation, such as remote storage. If we were to immediately disconnect all of the network connections to the computer as soon as we got there, we might lose some of that vital information. That being said, data can be sent or received over active connections and may permit someone to begin active destruction measures on the system. Until we're certain that we have complete control over that system, we can't necessarily let our guard down and assume that we are the only ones who may be working on that system. Investigators need to conduct an assessment of the situation and determine if terminating the connection is warranted, but volatile information should be collected first unless it is apparent the connection must be terminated immediately. Again, it's going to depend on the situation, but the investigator must be cognizant of some of these considerations and do that continual assessment as they're going throughout your investigation process.

>> Terminating connections: a wired connection can be terminated as easily as removing a data cable from the back of the computer. That being said, some computers, as soon as they're disconnected, may revert back to a wireless connection or a Bluetooth connection. Wireless connections, it could be as simple as disconnecting the cable to the wireless access point. That entails being able to locate the wireless access point, and generally in a home or a business, they're going to be near cable modems or near the TV. Then any type of cabling can help identify those access points if they're not readily apparent. Access points are probably generally close to the computer due to the radio wave limitations. However, keep in mind though that waves can propagate to other levels within the home, so if you're in a home setting you could have a WiFi network that is essentially hidden or obfuscated out of sight. That being said, if you disconnect one WiFi setting, it is quite possible that someone has another WiFi setting very close by, so that when you disconnect one it will auto-connect to another one. You may also have to just completely disable the WiFi connections on that system as well.