Capturing System Volatile Information
Triaging a live computer is one way to avoid many of the problems inherent in "pulling the plug": the moment power is cut, everything that exists only in memory (running processes, open network connections, logged-on sessions, unsaved data, the keys of mounted encrypted volumes) is gone. Capturing the system's volatile information first can very quickly give investigators valuable information such as:
- Which applications are installed.
- Which processes are running.
- The network adapters and open ports, and the processes that own them.
- Browser history and IP addresses.
- The most recently opened documents.
- The list of user accounts.
- The USB devices that have been plugged into the computer.
- The contents of the Recycle Bin, and so forth.
Not all of these items are equally volatile. Running processes, open connections and logged-on sessions exist only in memory and are lost at power-off; installed applications, USB history, recent documents and the Recycle Bin also live on disk and survive a shutdown, but they are far quicker to read from the live system than to reconstruct from an image later. The usual practice is therefore to collect the most volatile data first (processes and network state), then the Registry-resident lists, then file-system items.
Triaging runs contrary to the traditional rule of never interacting with a live system. To collect volatile information, the investigator must attach an external device, such as a USB thumb drive carrying the collection tools, directly to one of the target computer's USB ports and run those tools on the target. Doing so unavoidably changes the system: inserting the drive creates Registry entries for the device itself (USBSTOR and MountedDevices keys, among others), running the tools leaves execution traces such as Prefetch entries, and every file the tools touch gets an updated access time. This violates the "golden rule" that evidence is never altered. However, as long as the investigator knows in advance exactly which areas of the disk and Registry the triage affects, writes all output to the external drive rather than the target's disk, records what was run and when, and can later distinguish the triage's own footprint from the suspect's activity, triaging is a practical and defensible method.
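The following PowerShell script is an added example of the collection described above; it is not code from the original text or from any particular toolkit. It assumes it is run as an administrator from the triage USB drive (so output lands on that drive, beside the script, and nothing is written to the target's own disk by the collection itself), a Windows 8 / Server 2012 or later target, and only built-in cmdlets. It collects the most volatile data first, records its own footprint (process, user, time, script path) so the investigator can later account for it, and closes with a SHA-256 manifest of everything it wrote. Browser history is deliberately left out: the SQLite databases need a separate parser and are usually locked while the browser runs. File names such as `Collect-Volatile.ps1` and the `Triage_<host>_<timestamp>` folder are this example's own choices.

```powershell
<#
  Added live-triage example (not from the original text). Run as administrator
  from the triage USB drive, e.g.:
    powershell.exe -ExecutionPolicy Bypass -File E:\Collect-Volatile.ps1
  Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection,
  Get-LocalUser), built-in cmdlets only, output written beside the script.
#>
[CmdletBinding()]
param(
    # Output root; defaults to the folder holding this script, i.e. the USB drive.
    [string]$OutRoot = $PSScriptRoot
)
if (-not $OutRoot) { $OutRoot = (Get-Location).Path }   # interactive fallback

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $OutRoot "Triage_$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log = Join-Path $outDir 'collection.log'

function Write-Log([string]$Msg) {
    $line = "$(Get-Date -Format o) $Msg"
    Add-Content -Path $log -Value $line
    Write-Host $line
}

# Run one collector, timestamp it and record failures, so the log shows exactly
# what the triage did and when (this log is part of the footprint evidence).
function Invoke-Collector([string]$Name, [scriptblock]$Body) {
    $file = Join-Path $outDir "$Name.txt"
    Write-Log "START $Name"
    try   { & $Body | Out-File -FilePath $file -Encoding utf8 -Width 4096 }
    catch { Write-Log "ERROR $Name : $($_.Exception.Message)" }
    Write-Log "END   $Name"
}

# The collector's own footprint comes first: this process, user and drive are
# artifacts the investigator must later recognise as self-inflicted.
Invoke-Collector 'collector_footprint' {
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        User       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ProcessId  = $PID
        ScriptPath = $PSCommandPath
        LocalTime  = Get-Date -Format o
        UtcTime    = (Get-Date).ToUniversalTime().ToString('o')
        Uptime     = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    } | Format-List
}

# Most volatile first: processes and network state change by the second.
Invoke-Collector 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
        Sort-Object ProcessId | Format-Table -AutoSize
}
Invoke-Collector 'network_connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
        Sort-Object State, LocalPort | Format-Table -AutoSize
    Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
}
Invoke-Collector 'network_adapters' { Get-NetIPConfiguration -Detailed | Format-List }
Invoke-Collector 'users' {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
    # Profiles on disk also cover domain accounts that Get-LocalUser does not list.
    Get-CimInstance Win32_UserProfile | Select-Object LocalPath, SID, LastUseTime | Format-Table -AutoSize
}

# Less volatile: Registry-resident lists. Reading does not modify the Registry,
# but the USB drive carrying this script now has a USBSTOR entry of its own.
Invoke-Collector 'installed_applications' {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue | Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName | Format-Table -AutoSize
}
Invoke-Collector 'usb_devices' {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $class = $_.PSChildName                      # e.g. Disk&Ven_...&Prod_...
            Get-ChildItem $_.PSPath | ForEach-Object {   # one subkey per device serial
                [pscustomobject]@{ Class = $class; Serial = $_.PSChildName
                                   FriendlyName = $_.GetValue('FriendlyName') }
            }
        } | Format-Table -AutoSize
}
Invoke-Collector 'recent_documents' {
    Get-ChildItem (Join-Path $env:APPDATA 'Microsoft\Windows\Recent') -Force -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, Length | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
}
Invoke-Collector 'recycle_bin' {
    # Shell namespace 0x0A is the Recycle Bin; detail columns 1 and 2 are the
    # original location and deletion date.
    $bin = (New-Object -ComObject Shell.Application).NameSpace(0x0A)
    $bin.Items() | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; OriginalPath = $bin.GetDetailsOf($_, 1)
                           DeletedOn = $bin.GetDetailsOf($_, 2); Size = $_.Size }
    } | Format-Table -AutoSize
}

# Hash every output file so the collection can be verified later.
Get-ChildItem $outDir -File | Where-Object Name -ne 'manifest.sha256' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{n='File'; e={ Split-Path $_.Path -Leaf }} |
    Out-File (Join-Path $outDir 'manifest.sha256') -Encoding utf8
Write-Log "DONE output in $outDir"
```

Running this is itself an interaction with the evidence: the script's process appears in its own `processes.txt`, the thumb drive appears in `usb_devices.txt`, and the `collection.log` timestamps are what let the investigator separate those self-inflicted artifacts from the suspect's activity later. The manifest hashes are the basis for showing that the collected files were not altered after the triage.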