
Volatile data collection from Windows systems

Last Updated : 12 May, 2023

Volatile data is data held in cache memory or RAM. It is not permanent: it exists only while the system is running and is lost as soon as the computer loses power. Data collection plays an important role in the investigation of a cyber crime, and volatile data in particular has to be collected immediately. Volatile information can be collected remotely or onsite; when a large number of systems has to be collected, remote collection is preferred over onsite collection.

It is very important for the forensic investigation that the immediate state of the computer is recorded, because volatile data is lost quickly. Volatile information on a suspect's computer is lost if the power is shut down; even where it is not crucial on its own, it gives the investigation leads to follow later. To avoid losing it, the computer must be kept continuously powered so that the data is not lost and a forensic expert can examine it; the cache sometimes contains webmail, for example. Because this volatile data may contain crucial information, it is collected as soon as possible. This process is known as "Live Forensics" and involves several steps:

  1. Create a response toolkit.
  2. Store the information obtained during the initial response.
  3. Obtain the volatile data.
  4. Perform an in-depth live response.
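The following PowerShell script is an added example of the four-step live response described above; it is not code from the original article. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), and it assumes two constructed paths: a read-only removable drive holding known-good copies of the native tools at E:\IRToolkit, and E:\IRCollect as the output location, so nothing is written to the suspect's own disk. It records the responder's context first, collects the most volatile sources before the less volatile ones, exports event logs as the in-depth pass, and seals the collection with a SHA-256 manifest.

```powershell
# Added example of a live-response collection script (not from the article).
# Assumptions: elevated session; toolkit and output paths below are constructed.
param(
    [string]$OutRoot = 'E:\IRCollect',   # assumed: output on removable media, not the suspect disk
    [string]$Toolkit = 'E:\IRToolkit'    # assumed: known-good copies of netstat.exe, ipconfig.exe, etc.
)

# Step 1: the response toolkit. Put the trusted tool directory first in PATH so the
# native commands below resolve to the toolkit copies rather than to binaries on the
# suspect host, which an intruder may have replaced.
if (Test-Path $Toolkit) { $env:Path = "$Toolkit;$env:Path" }

# Step 2: record the initial-response context before collecting anything else.
$case = Join-Path $OutRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case -Force | Out-Null
$log = Join-Path $case 'collection_log.txt'

function Write-Log([string]$Message) {
    # Timestamped entry written to the log file and echoed to the console.
    '{0:o} {1}' -f (Get-Date), $Message | Tee-Object -FilePath $log -Append
}
Write-Log "Collector=$env:USERDOMAIN\$env:USERNAME  Host=$env:COMPUTERNAME"
Write-Log ('System time={0:o}  TimeZone={1}' -f (Get-Date), (Get-TimeZone).Id)
Write-Log ('Last boot={0:o}' -f (Get-CimInstance Win32_OperatingSystem).LastBootUpTime)

# Step 3: obtain the volatile data, most volatile first (order of volatility).
# Each entry maps an output file name to the command that produces its content.
$collect = [ordered]@{
    'logged_on_users.txt' = { query user }
    'processes.txt'       = { Get-CimInstance Win32_Process |
                              Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
    'tcp_connections.txt' = { Get-NetTCPConnection |
                              Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime }
    'netstat.txt'         = { netstat -ano }
    'arp_cache.txt'       = { arp -a }
    'routes.txt'          = { route print }
    'dns_cache.txt'       = { ipconfig /displaydns }
    'ipconfig.txt'        = { ipconfig /all }
    'clipboard.txt'       = { Get-Clipboard }
    'smb_sessions.txt'    = { net session }
    'services.txt'        = { Get-Service | Select-Object Status, Name, DisplayName }
    'scheduled_tasks.txt' = { Get-ScheduledTask | Select-Object TaskPath, TaskName, State }
}

foreach ($name in $collect.Keys) {
    $file = Join-Path $case $name
    try {
        # 2>&1 keeps native-command error text with the output instead of losing it.
        & $collect[$name] 2>&1 | Out-String -Width 4096 | Set-Content -Path $file -Encoding UTF8
        Write-Log "collected $name"
    } catch {
        Write-Log "FAILED $name : $($_.Exception.Message)"
    }
}

# Step 4: in-depth live response. Pull less volatile but still valuable sources
# (the main event logs here, via the built-in wevtutil), then seal the collection
# with a SHA-256 manifest so that any later change to the files is detectable.
foreach ($logName in 'Security', 'System', 'Application') {
    wevtutil epl $logName (Join-Path $case "$logName.evtx")
    Write-Log "exported event log $logName"
}
Get-ChildItem -Path $case -File | Where-Object Name -ne 'collection_log.txt' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case 'manifest_sha256.csv') -NoTypeInformation
Write-Log 'collection complete; manifest written'

# The log keeps changing until the last line above, so hash it separately and
# note the value in the contemporaneous case notes.
(Get-FileHash -Algorithm SHA256 -Path $log).Hash
```

The collection log is excluded from the manifest because it is appended to until the final line; its hash is printed last so the responder can record it by hand. Native tools such as netstat and arp are used alongside the cmdlets on purpose: the toolkit copies of the executables provide a second, independently sourced view of the same state.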

Purpose of Volatile data collection from the Windows system

  • Forensic Investigation: Capturing the system’s RAM allows forensic investigators to analyze the volatile data present in the memory. This data can provide valuable insights into the state of the system at the time of an incident, such as active processes, network connections, and open files.
  • Evidence Preservation: RAM captures serve as a means to preserve potential evidence that may be lost once the system is powered off. By capturing the volatile data, investigators can ensure that critical information is not lost and can be used for further analysis and evidence gathering.
  • Live System Analysis: Analyzing the system’s RAM in real-time provides a snapshot of the system’s current state. This can help investigators identify running processes, active network connections, malicious activities, or any unauthorized access to sensitive data.
  • Memory Artifacts: The RAM contains various artifacts, such as passwords in clear text, encryption keys, clipboard data, and recently accessed files, which may not be available through traditional file system analysis. Capturing the volatile data allows investigators to uncover these artifacts and gather valuable information for their investigation.
  • Malware Detection: Volatile data collection from RAM can help in identifying and analyzing malware residing in memory. Malicious processes or suspicious activities can be detected by examining memory structures, code injection, or abnormal behavior patterns, aiding in the identification and removal of malware.
  • Incident Response: Capturing volatile data from RAM is crucial for incident response teams to understand the scope and impact of an incident. It provides real-time visibility into system activities and helps in making informed decisions regarding containment, remediation, and preventing further damage.
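As an added example of the live system analysis and malware detection points above (not code from the original article), the following PowerShell function performs a first-pass triage of running processes and their network connections. It assumes an elevated PowerShell 5.1 or later session on the live host; the list of user-writable directories, the set of system binary names and the private-address pattern are constructed for illustration and are prompts for an analyst's review, not authoritative indicators.

```powershell
# Added triage example (not from the article). Assumes an elevated session on
# Windows 8 / Server 2012 or later; directory and name lists are constructed.

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918 ranges, loopback, link-local, unspecified and IPv6 equivalents.
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'
}

function Get-ProcessTriage {
    # Index every running process by PID so parent lookups are cheap.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    # Names that are expected only under the Windows directory (constructed list).
    $systemNames  = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'
    # Locations an ordinary user can write to (constructed list).
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, 'C:\Users\Public', 'C:\ProgramData')

    # Established connections to non-private addresses, grouped by owning PID.
    $external = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        Group-Object OwningProcess

    foreach ($p in $procs.Values) {
        $reasons = @()
        $path = $p.ExecutablePath

        if ($path) {
            foreach ($dir in $userWritable) {
                if ($dir -and $path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from user-writable $dir"; break
                }
            }
            if ($p.Name -in $systemNames -and $path -notlike "$env:SystemRoot\*") {
                $reasons += "system binary name outside $env:SystemRoot"
            }
        }

        # A parent that no longer exists is normal for some launchers, but worth a look.
        if ($p.ParentProcessId -ne 0 -and -not $procs.ContainsKey([int]$p.ParentProcessId)) {
            $reasons += "parent PID $($p.ParentProcessId) no longer running"
        }

        $remote = $external | Where-Object Name -eq "$($p.ProcessId)"
        if ($remote) {
            $endpoints = $remote.Group | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
            $reasons += 'established to external: ' + ($endpoints -join ', ')
        }

        if ($reasons) {
            [PSCustomObject]@{
                Pid     = $p.ProcessId
                Name    = $p.Name
                Path    = $path
                Parent  = $p.ParentProcessId
                Reasons = $reasons -join '; '
            }
        }
    }
}

Get-ProcessTriage | Sort-Object Pid | Format-Table -AutoSize -Wrap
```

Every row this produces needs a human decision: browsers legitimately hold external connections and installers routinely leave orphaned children. The value of the check is that it narrows hundreds of processes to the handful whose path, lineage or network activity does not match expectations, which is where memory-level analysis (code injection, unbacked executable regions) is then worth spending time.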
