When a Windows PC is involved in a computer investigation, there are several choices in proceeding with any computer forensic investigation. The steps are dictated by the overall scenario. There may be times when the computer cannot be removed from the network for analysis, because of the disruption that would result to networking activities or the lack of an appropriate replacement unit. At other times, the only evidence of an incident may be the data that is currently in memory. These situations may require what is known as the Live Incident Response Process. The live response collects all relevant system data to confirm whether an incident occurred. The data collected during a live response consists of two main sets:

Volatile data: The volatile data is data that is not stored but exists temporarily. A live response process would capture information such as current connections, processes that are running and files that are open. On the other hand, there would also be non-volatile data.

Non-volatile data: Non-volatile data collected during live response, such as the system logs, can be collected in an easily readable format instead of the customary binary files. This data may be available during regular forensic duplication, but will be difficult to output in a nice format after the computer has been shut off.

The live data is collected by running a series of commands. Each command produces data that normally would be sent to the console. The data should be saved for further analysis and should be transmitted to the forensic workstation instead of the local hard drive. The forensic workstation should be an isolated machine that the forensic investigator considers trusted. The chance of overwriting any evidence on the local drive is then avoided, if a forensic duplication is later desired.

There are several methods to transfer data to the forensic workstation. The first method utilises what is called the 'Swiss army knife', otherwise known as netcat. Netcat simply creates TCP (Transmission Control Protocol) channels. Netcat can be executed in listening mode, like a telnet server, or in connection mode, like the telnet client. A variant of Netcat named Cryptcat can also be used in most cases, because it encrypts the data across the TCP channels. Cryptcat utilizes the same command-line switches as Netcat, while offering the additional advantages of security and authentication. Tampering can be detected, because any edited bits will show up as undecrypted garbage on the forensic workstation.

The Live Response system has several advantages, because it allows you to observe intruders and detect their movements in real time without their knowledge. There are tools that will return the users that are currently logged onto the system or accessing the resource shares, and in what capacity.

Vital data from Live Response:

System date and time: The easiest information to collect and understand is the system date and time. It can also be the most important to any investigation, but may be easily missed.

Current network connections: It is entirely possible to execute the live response process while intruders are connected to the server, and open ports can also easily be detected.

Routing: The live response will enable easy detection of the attacker's movements to discern his or her intentions. Compromised servers are often used to redirect traffic. The benefit of redirecting traffic is to avoid security devices such as a firewall. The routing table can be examined to observe the data routes.

The Windows Live Response process can be invaluable to the computer forensic investigator, as it easily facilitates collection of the vital data often required in investigations where a computer may be involved.
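As an added example (not part of the original article), the script below collects the volatile data named above with the usual Windows commands and streams it to a listener on the forensic workstation rather than writing to the local disk, framing each command's output with a timestamp and SHA-256 so the examiner can verify it later. The workstation address 192.0.2.10:4444 and the command list are assumptions; the listener there would be something like `nc -l -p 4444 > live_response.txt`.

```python
import hashlib
import socket
import subprocess
from datetime import datetime, timezone

# Constructed list of live-response commands covering the data the article
# names: date/time, logged-on users and shares, connections, routing table.
LIVE_RESPONSE_COMMANDS = [
    ("date_time", ["cmd", "/c", "date /t & time /t"]),
    ("logged_on_sessions", ["cmd", "/c", "net session"]),
    ("shares", ["cmd", "/c", "net share"]),
    ("network_connections", ["cmd", "/c", "netstat -ano"]),
    ("routing_table", ["cmd", "/c", "route print"]),
]


def run_command(argv):
    """Run one command on the live system; return stdout+stderr as bytes."""
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    return proc.stdout + proc.stderr


def frame(name, output):
    """Wrap one command's output in a header carrying the collection time
    (UTC) and the SHA-256 of the raw output, so later edits are detectable."""
    digest = hashlib.sha256(output).hexdigest()
    stamp = datetime.now(timezone.utc).isoformat()
    header = f"===== {name} | collected_utc={stamp} | sha256={digest} =====\n"
    return header.encode() + output + b"\n"


def collect(commands=LIVE_RESPONSE_COMMANDS, runner=run_command):
    """Run every command in order and return one framed evidence blob.
    `runner` is injectable so the framing can be exercised off the box."""
    return b"".join(frame(name, runner(argv)) for name, argv in commands)


def send_to_workstation(blob, host, port):
    """Stream the blob over TCP to the forensic workstation's netcat
    listener; nothing is written to the suspect machine's disk."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(blob)
    return hashlib.sha256(blob).hexdigest()  # record this in the case notes


if __name__ == "__main__":
    # Hypothetical forensic workstation address; adjust for the case at hand.
    evidence = collect()
    print("sent, whole-blob sha256:", send_to_workstation(evidence, "192.0.2.10", 4444))
```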
http://ezinearticles.com/?Windows-Live-Response-and-Computer-Forensics&id=6374348