Live Analysis

This essay was written for Professor Leinecker's Digital Forensics I course.

Live analysis, or live response, is the examination of a running system’s volatile memory, such as RAM or cache. The problem with live analysis is volatility: much of this information is “volatile”, meaning it is deleted or altered when the device loses power. So why do live analysis at all? Sometimes it is the only option. If a warrant limits you to live response, or if you need to capture volatile memory to observe internet activity, for example, you are restricted to performing a live response. Of course, if you already have (or have seized) a device, you can pull a full image from it and analyze that, but you will not be able to view much of this volatile memory, because it is gone once the device is powered off. Imaging a hard drive is great for analysis, but the image will not contain any of the volatile memory that may be needed as evidence for a conviction of wrongdoing.

What kind of information might be found before a computer is shut down? Anything from user data to running applications or programs; basically, it is the temporary memory of the computer. Web cache and browsing information may be held in volatile memory too, revealing somebody’s web activity. Session cookies are an example of web-based volatile data: they are kept in the web browser (typically) for as long as the browser remains open, and once the browser is closed they are lost. Sometimes programs or applications hold passwords, or their hashes, in memory. If you can pull the strings from a RAM image, you may be able to crack the hashes and recover the cleartext passwords.

The risks of doing live response can be great, depending on the system, the time you have, and the tools you use. If you are performing live analysis on a production server, for example, you have to be very careful not to crash it. Some tools consume too many system resources, or do not work well with the server’s configuration, and cause a hard crash. This is bad, because crashing a production system may give the company grounds to hold you liable for losses incurred during the outage, and for a big company these losses may be great. Some tools also do not perform a pure live analysis: they alter parts of memory in the process of collection. That would make any evidence gathered moot, because altered evidence has no integrity and is often not admissible in court, or sometimes even in private investigations. Another consideration is data availability and integrity prior to collection. Some people set up traps that automatically shut the computer down if it detects live analysis being performed on it. Also, most people have encrypted hard drives and keep their computer shut down whenever they are not using it; they do this because the non-volatile memory is encrypted, and as long as they have the computer they can power it off whenever it is not in use.
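As an added example (not part of the essay), here are the two small pieces of tooling the previous two paragraphs call for: pulling printable strings out of a RAM image, and recording the image’s size and SHA-256 at acquisition so that its integrity can be shown later. Everything here is constructed for the demonstration: the byte string standing in for a memory capture, the strings embedded in it, and the examiner name.

```python
import hashlib
import json
import re
import time

# Constructed sample "memory image": binary noise with a few printable
# strings embedded, standing in for a RAM capture. Not real data.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\xff" + b"https://example.test/login" + b"\x00\x00"
    + b"\x7f\x10" + b"session_cookie=abc123" + b"\x00"
    + b"ab" + b"\x03\x04"          # too short to count as a string
    + b"user=alice" + b"\xfe\xfd"
)


def extract_strings(image: bytes, min_len: int = 4):
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes, the same idea as the Unix `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(image)]


def acquisition_record(image: bytes, examiner: str) -> dict:
    """Record what was captured: size and SHA-256, plus who and when.
    Hashing at acquisition time is what later lets you show the image
    was not altered between capture and analysis."""
    return {
        "examiner": examiner,
        "captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_integrity(image: bytes, record: dict) -> bool:
    """True only if the image still matches the recorded size and hash."""
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


if __name__ == "__main__":
    rec = acquisition_record(SAMPLE_IMAGE, "examiner-1 (hypothetical name)")
    print(json.dumps(rec, indent=2))
    for off, s in extract_strings(SAMPLE_IMAGE):
        print(f"{off:#010x}  {s}")
    # Flip one bit to show that any alteration after acquisition is detectable.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[5] ^= 0x01
    print("original verifies:", verify_integrity(SAMPLE_IMAGE, rec))
    print("tampered verifies:", verify_integrity(bytes(tampered), rec))
```

On a real capture you would run `extract_strings` over the image file read in chunks rather than loading it whole, and store the acquisition record alongside the image as part of the chain-of-custody notes.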

Wireshark is an example of a live analysis tool: it can be set up on a machine to capture network traffic between that machine and other endpoints. Magnet RAM Capture is a tool that does what its name implies: it captures volatile RAM memory. RAM Capturer does the same.
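An added example, not from the essay or from the Wireshark project: a minimal reader for the classic pcap format that Wireshark and tcpdump write, run over a two-packet capture constructed in memory (addresses from the documentation ranges, payloads and timestamps invented). It shows what a network capture actually records, a timestamp plus the raw frame bytes per packet, and how a per-packet summary like Wireshark’s packet list is derived from it.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_sample_pcap() -> bytes:
    """Construct a tiny two-packet capture (sample data, not a real capture)
    so the parser below can run offline."""
    def ipv4_frame(src, dst, proto, payload):
        # Ethernet header: dst MAC, src MAC, ethertype (MACs are made up)
        eth = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
               + struct.pack("!H", ETHERTYPE_IPV4))
        # Minimal 20-byte IPv4 header; checksum left as 0 for the demo
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
        return eth + ip + payload

    frames = [
        (1700000000, 1000, ipv4_frame("192.0.2.10", "198.51.100.5", 6,
                                      b"GET / HTTP/1.1\r\n")),
        (1700000000, 2500, ipv4_frame("198.51.100.5", "192.0.2.10", 6,
                                      b"HTTP/1.1 200 OK\r\n")),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Walk the global header and each packet record, returning one summary
    dict per IPv4 packet: timestamp, source, destination, protocol, length."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (maybe pcapng "
                         "or nanosecond variant)")
    _, _, _, _, _, linktype = struct.unpack_from("<HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # Skip anything that is not a complete Ethernet + IPv4 header
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[14 + 9]
        packets.append({
            "time": sec + usec / 1e6,
            "src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "payload_len": orig_len - 14 - ihl,
        })
    return packets


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(f"{p['time']:.6f}  {p['src']} -> {p['dst']}  "
              f"{p['proto']}  {p['payload_len']} bytes")
```

The parser deliberately handles only the classic little-endian format with Ethernet frames and raises on anything else, which is the right behaviour for evidence handling: silently misreading a capture is worse than refusing it.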