Rich Nolan
2006 Carnegie Mellon University
NIST Methodology
NIST: National Institute of Standards and Technology, Information Technology Laboratory, Computer Forensic Tool Testing (CFTT) Program. The CFTT project provides a measure of assurance that the tools used in investigations of computer-related crimes produce valid results. It also supports other projects in the National Institute of Justice's overall computer forensics research program, such as the National Software Reference Library (NSRL).
http://www.cftt.nist.gov/
Location: registers, cache, and RAM (this module focuses on RAM)
Order of Volatility
Most volatile first:
1. Registers and cache
2. Routing table, ARP cache, process table, kernel statistics, connections
3. Temporary file systems
4. Hard disk or other nonvolatile storage devices
5. Remote or off-site logging and monitoring data
6. Physical configuration and network topology
7. Archival media such as backup tapes, disks, and so on
Not having access to baseline documentation about the suspicious computer
Volatile Network Information: A collection of information about the network state of the suspicious computer
Summary
Collected volatile data can lead the first responder to the root cause of the security incident.
Volatile data can be easily changed and lost.
Document all findings and actions performed during the volatile data collection process.
Use a first responder toolkit to collect volatile data.
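The two points the slides make about collection, work most-volatile-first and document every action, can be put into a single script. The one below is an added example for a Linux host, not part of the CMU/CERT slides or of any first responder toolkit they describe; the step list, file names and the custody-log format are this example's own choices. Each step's output is saved, and the log records the UTC timestamp, the exact command, its exit status and a hash of the saved output, so a reviewer can later show what was run, in what order, and that the saved files are the ones the log refers to. A missing tool is logged (rc=127) rather than skipped silently, because on a machine with no baseline documentation the absence of a standard tool is itself a finding.

```shell
#!/bin/sh
# Added example (not from the CMU/CERT slides): a small first-responder
# collector for a Linux host. Steps run in order of volatility, every step
# is recorded in a custody log (timestamp, command, exit status, hash of the
# saved output), and the log is sealed with its own hash at the end.
# The step list and file names are this example's own, not a real toolkit's.

# hash_file FILE: print a hex digest, preferring SHA-256. cksum is a CRC,
# not a cryptographic hash, so when it is the only option the value says so.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "cksum:$(cksum <"$1" | cut -d' ' -f1)"
    fi
}

# run_step OUTDIR LABEL 'COMMAND': save stdout to OUTDIR/LABEL.txt, stderr to
# OUTDIR/LABEL.err, append one line to the custody log. The command runs in
# a child sh so a missing binary shows up as rc=127 in the log instead of
# aborting the whole collection.
run_step() {
    outdir=$1; label=$2; cmd=$3
    out="$outdir/$label.txt"
    if sh -c "$cmd" >"$out" 2>"$outdir/$label.err"; then rc=0; else rc=$?; fi
    printf '%s\t%s\t%s\trc=%d\thash=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$cmd" "$rc" "$(hash_file "$out")" \
        >>"$outdir/chain_of_custody.log"
}

# collect_volatile OUTDIR: run the steps most-volatile-first. Registers and
# CPU cache cannot be read from user space, and a RAM image needs a dedicated
# acquisition tool, so neither is attempted here.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    run_step "$outdir" 00_time        'date -u; uptime'
    run_step "$outdir" 01_system      'uname -a; id'
    run_step "$outdir" 02_connections 'ss -antup 2>/dev/null || netstat -anp'
    run_step "$outdir" 03_arp_cache   'ip neigh 2>/dev/null || arp -an'
    run_step "$outdir" 04_routes      'ip route 2>/dev/null || netstat -rn'
    run_step "$outdir" 05_processes   'ps -eo pid,ppid,user,lstart,args'
    run_step "$outdir" 06_modules     'lsmod'
    run_step "$outdir" 07_logged_in   'who -a'
    run_step "$outdir" 08_open_files  'lsof -nP'
    run_step "$outdir" 09_mounts      'mount'   # temporary file systems show up here
    # Seal the log so that any later edit to it is detectable.
    hash_file "$outdir/chain_of_custody.log" >"$outdir/chain_of_custody.log.sha256"
}

# verify_log OUTDIR: recompute the custody log's hash and compare it with the
# seal; returns 0 only if the log is unchanged since collection finished.
verify_log() {
    sealed=$(cat "$1/chain_of_custody.log.sha256")
    [ "$(hash_file "$1/chain_of_custody.log")" = "$sealed" ]
}

# Usage: sh collect.sh /mnt/usb/case-001/host-a
# Write to removable media, never to the suspect's own disk, so the collection
# itself does not overwrite evidence.
if [ $# -gt 0 ]; then
    collect_volatile "$1"
    echo "collection written to $1; custody log sealed"
fi
```

The seal only proves the log was not altered after the script finished; it does not authenticate the collector or protect against a compromised kernel lying to the tools. Bring statically linked binaries on the media rather than trusting the ones on the suspect host, and read the `.err` files: a step that exits non-zero because a tool is absent or has been replaced is exactly the kind of observation the slides ask the first responder to document.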