Forensics Workflow
The forensics workflow matters, especially when submitting evidence. If the workflow is not followed, an unproven method is used, there is no academic support, or only one forensics tool is used, it gives the other side leverage to cast doubt on the evidence and have it ruled inadmissible in court.
| Computer -> | Acquire Memory | Analyze -> | Use and Fuse |
|---|---|---|---|
| Running | Create artefacts, e.g. memory dump | Extract needed credentials | Use gathered info, e.g. to access an encrypted container |
| Recently used | Capture samples | IP addresses | Fuse with other data sources, e.g. by IP address |
| Forgotten/Hidden | Copy artefacts, e.g. pagefile | Other | |
| | Recover artefacts | | |
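As an added example (not part of these notes), a small Python script for the Acquire step: it seals a memory image with two independent digests and an acquisition record (tool, operator, host, time), then re-verifies the image against that record so a later change is detected. The function names, the tool name and the sample bytes are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
# Two independent digests, as most imagers record; seal_image/verify_image are hypothetical names.
HASH_ALGOS = ("sha256", "sha1")

def digest_file(path, algos=HASH_ALGOS, chunk=1 << 20):
    """Stream the image once and compute every requested digest."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def seal_image(image_path, record_path, tool, operator, host):
    """Write the acquisition record beside the image: who, what, when, which tool, digests."""
    record = {
        "evidence": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool, "operator": operator, "source_host": host,
        "digests": digest_file(image_path),
    }
    with open(record_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify_image(image_path, record_path):
    """Re-hash the image and compare with the sealed record; returns (ok, mismatched algos)."""
    with open(record_path) as fh:
        record = json.load(fh)
    current = digest_file(image_path, tuple(record["digests"]))
    mismatches = [a for a, v in record["digests"].items() if current[a] != v]
    return not mismatches, mismatches

def demo():
    """Constructed sample: 4 KiB of known bytes standing in for a RAM dump."""
    with tempfile.TemporaryDirectory() as d:
        img, rec = os.path.join(d, "host01.raw"), os.path.join(d, "host01.raw.json")
        with open(img, "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        seal_image(img, rec, "hypothetical-imager 1.0", "analyst", "host01")
        before = verify_image(img, rec)           # (True, [])
        with open(img, "r+b") as fh:              # flip one byte: offset 100 is 0x64 -> 0xff
            fh.seek(100); fh.write(b"\xff")
        after = verify_image(img, rec)            # (False, ['sha256', 'sha1'])
    return before, after
```

Run `demo()` to see a clean verification followed by the failure after a single byte changes; in practice the record is what gets countersigned and kept with the image.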
WINDOWS memory capture tools (more common at top)
** Running machines only; otherwise extract pagefile.sys or hiberfil.sys from the disk image.
- Volatility Workbench
- BlackBag MacQuisition
- FireEye Memoryze
- Sumuri RECON Imager
- Belkasoft Live RAM Capturer
- AccessData FTK Imager
- Advanced Data Forensics (ADF) Digital Evidence Investigator
- ADF Triage Investigator/G2
- Magnet RAM Capture
- MoonSols DumpIt
LINUX
- DumpIt
- Memory DD
- WinPmem