Not all the evidence on a system is going to last very long. Some evidence resides in storage that requires a consistent power supply; other evidence may be stored in information that is continuously changing.[i] When collecting evidence, you should always try to proceed from the most volatile to the least. Of course, you should still take the individual circumstances into account—you shouldn’t waste time extracting information from an unimportant/unaffected machine’s main memory when an important or affected machine’s secondary memory hasn’t been examined.
To determine what evidence to collect first, you should draw up an Order of Volatility—a list of evidence sources ordered by relative volatility, most volatile first. An example of an Order of Volatility would be:
Registers and cache
Routing tables
ARP cache
Process table
Kernel statistics and modules
Main memory
Temporary file systems
Secondary memory
Router configuration
Network topology[ii]
Note: Once you have collected the raw data from volatile sources, you may be able to shut down the system.
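The following script is an added example (not from the book or from AusCERT) of walking the Order of Volatility above on a live Linux host: each source is captured in order, time-stamped, and hashed into a manifest so the collection can later be shown to be unaltered. It assumes a Linux `/proc` filesystem and starts at the routing table, since CPU registers and cache are not reachable from user space.

```shell
#!/bin/sh
# Capture volatile evidence most-volatile-first, hashing each artifact.
# Every collector degrades gracefully: a missing tool is recorded in the
# artifact and the manifest, rather than aborting the whole acquisition.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else echo "unhashed"; fi
}

# capture NAME CMD...: run CMD, save its output, append a manifest line
# of the form "<UTC timestamp> <name> <sha256>".
capture() {
    name=$1; shift
    out="$EVIDENCE_DIR/$name.txt"
    "$@" >"$out" 2>/dev/null || echo "# collector failed: $*" >>"$out"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" \
        "$(hash_file "$out")" >>"$EVIDENCE_DIR/manifest.txt"
}

# collect_volatile DIR: run the collectors in Order of Volatility and
# return the manifest path. EVIDENCE_DIR is the chosen output directory.
collect_volatile() {
    EVIDENCE_DIR=$1
    mkdir -p "$EVIDENCE_DIR"
    : >"$EVIDENCE_DIR/manifest.txt"
    capture routing_table   cat /proc/net/route
    capture arp_cache       cat /proc/net/arp
    capture process_table   ps -eo pid,ppid,user,lstart,cmd
    capture kernel_modules  cat /proc/modules
    capture memory_summary  cat /proc/meminfo
    capture tmp_filesystems sh -c 'grep -E "tmpfs|ramfs" /proc/mounts || true'
    capture disk_layout     df -P
    # Router configuration and network topology live off-host and are
    # gathered from the network devices themselves, after this step.
    echo "$EVIDENCE_DIR/manifest.txt"
}

# manifest_order MANIFEST: the collector names in the order they ran.
manifest_order() {
    awk '{print $2}' "$1" | tr '\n' ' '
}
```

Run it as root from a clean, write-protected toolkit; the manifest hashes are what let you show afterwards that the captured files were not changed.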
[i] John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.
[ii] Matthew Braid, “Collecting Electronic Evidence After A System Compromise,” Australian Computer Emergency Response Team (AusCERT, http://www.auscert.org.au), The University of Queensland, Qld 4072, Australia (mdb@auscert.org.au); SANS Institute, 5401 Westbard Ave. Suite 1501, Bethesda, MD 20816, 2001.