Volatile information is a critical component of forensics. There are five main reasons why we must ensure we analyze volatile information when investigating. Remember that volatile information disappears when a computer is powered off (and some of it, such as a process's memory or a shell's in-memory history, disappears as soon as the process exits or the user logs off). We do not want this to happen, so we may have to act fast to preserve the evidence.
Real-Time Relevance: Capturing this data quickly is crucial because it describes the most recent activity on the computer.
Preservation for Analysis: If we do not capture the volatile data while the system is running, we may lose data or clues important to the investigation.
Supporting Evidence: Volatile data can provide details of what occurred before and during the incident and can support or challenge other evidence collected during the investigation.
Hidden Artifacts: Volatile data may contain artifacts that are not easily accessible by other means, such as unpacked code or decrypted content that exists only in memory. These pieces of data can reveal what took place, and sometimes the actor's intentions.
Dynamic Insights: Examining volatile information can uncover hidden threats or malicious activity, including running processes and network connections that leave no trace on disk.
The system time should be collected right away, together with the configured time zone. This tells us how the clock is configured and is needed later to place file timestamps in chronological order. Record the system time next to a trusted reference time (for example, your own synchronized watch or workstation) so that any clock skew can be accounted for: a timeline that cannot be reconciled with real time is hard to defend if the evidence is challenged.
Using PowerShell, type Get-Date.
Make sure you also collect how long the computer has been on. This is another important piece of data that is essential to our timeline. Knowing the system uptime helps contextualize events, and investigators can use it to determine which activities occurred since the last boot (and whether the system has been rebooted since the suspected incident).
Using PowerShell, type: (Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime
(gcim is the built-in alias for Get-CimInstance; the result is a TimeSpan, and the LastBootUpTime property itself is the boot timestamp.)
It is also important to determine who is currently using the computer system, as that user could be a suspect in the case. This adds context to the other information that is collected.
Using PowerShell:
Get-WMIObject -class Win32_ComputerSystem | select Username
Note that this property only reports the user logged on interactively at the console, not users connected over Remote Desktop, and that Get-WmiObject was removed in PowerShell 7, where Get-CimInstance must be used with the same class name.
It is also essential to determine what files are open. This can add valuable clues about the activities taking place on the system and the user's behavior, and the open files might even contain evidence.
Use PsTools, provided by Microsoft (Sysinternals). Once you have downloaded and extracted PsTools, run psfile64 from an elevated prompt to list the files on the system that have been opened remotely by other hosts over the network. Note that PsFile does not list files opened by local processes; those have to be gathered from a memory image or with other tools.
We all love the ability to copy and paste, but do you ever consider that the copied data is held in memory for later use? We should examine what is currently stored in the clipboard, as it might show what the user was doing most recently. The clipboard belongs to the logged-on user's session, so this has to be collected from within that session.
Using PowerShell: Get-Clipboard
In PowerShell 7 this returns text only (Windows PowerShell 5.1 can also retrieve an image with the -Format parameter). If the clipboard holds an image or another non-text format, a third-party tool such as Free Clipboard Viewer can display the contents.
Most Windows users do not use the command line (cmd or PowerShell), but some do, and attackers very often do. We should make sure to analyze what commands may have been run in both. Microsoft now recommends PowerShell over cmd.exe, but cmd.exe still ships with Windows, so we need to consider both.
Using cmd.exe in Windows, issue the following command:
doskey /history
This shows the history of the current cmd.exe session only. cmd.exe keeps its history in memory and does not write it to disk, so the command must be run in the suspect's still-open console window; once that window is closed the history is gone.
Using PowerShell in Windows, issue the following command:
Get-History
This shows the history of the current PowerShell session. In addition, the PSReadLine module (loaded by default in the console host) appends each command to a per-user file, normally ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\, which survives closing the window and rebooting; (Get-PSReadLineOption).HistorySavePath reports its exact location.
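As an added example that is not part of the original article, the script below performs the steps above in one pass and writes everything to a timestamped report, with a SHA-256 of the report in a sidecar file. The output directory, the PsTools location and the use of quser to catch Remote Desktop sessions are assumptions; adjust them to your collection kit. Run it from an elevated PowerShell prompt inside the logged-on user's session (the clipboard and Get-History are per session), ideally from a trusted copy of the tools on external media. doskey /history is deliberately not included, since it only has meaning inside the suspect's own cmd.exe window.

```powershell
# Added example (not from the original article): one-pass volatile data collection.
# Assumptions: output goes to an external collection drive and PsTools were
# extracted to $PsToolsDir. psfile64.exe and quser are optional.
#Requires -Version 5.1
[CmdletBinding()]
param(
    [string]$OutputDir  = 'E:\Collection',      # assumption: external drive
    [string]$PsToolsDir = 'E:\Tools\PsTools'    # assumption: extracted PsTools
)

$ErrorActionPreference = 'Continue'
$stamp  = (Get-Date).ToString('yyyyMMdd_HHmmss')
$report = Join-Path $OutputDir "volatile_$($env:COMPUTERNAME)_$stamp.txt"
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

function Write-Section {
    param([string]$Title, [scriptblock]$Body)
    # Every step is isolated so one failure does not abort the collection,
    # and each section header carries the collector's own timestamp.
    Add-Content -Path $report -Value "==== $Title ($(Get-Date -Format o)) ===="
    try   { Add-Content -Path $report -Value (& $Body | Out-String -Width 4096) }
    catch { Add-Content -Path $report -Value "ERROR: $($_.Exception.Message)" }
}

# 1. System time and time zone. Local and UTC are both recorded so clock skew
#    can be computed later against a trusted reference time.
Write-Section 'System time' {
    $now = Get-Date
    $tz  = Get-TimeZone
    [pscustomobject]@{
        LocalTime = $now.ToString('o')
        UtcTime   = $now.ToUniversalTime().ToString('o')
        TimeZone  = $tz.Id
        UtcOffset = $tz.BaseUtcOffset
    } | Format-List
}

# 2. Uptime, derived from the boot time the OS reports.
Write-Section 'Uptime' {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        LastBootUpTime = $os.LastBootUpTime.ToString('o')
        Uptime         = (Get-Date) - $os.LastBootUpTime
    } | Format-List
}

# 3. Console user (Win32_ComputerSystem) plus all sessions via quser, which
#    also lists Remote Desktop users that the CIM property does not show.
Write-Section 'Logged-on users' {
    "Console user: $((Get-CimInstance Win32_ComputerSystem).UserName)"
    if (Get-Command quser -ErrorAction SilentlyContinue) { quser 2>&1 }
    else { 'quser not available on this edition of Windows' }
}

# 4. Files opened remotely, via PsFile when it is present in the kit.
Write-Section 'Files opened remotely (PsFile)' {
    $psfile = Join-Path $PsToolsDir 'psfile64.exe'
    if (Test-Path $psfile) { & $psfile -accepteula 2>&1 }
    else { "psfile64.exe not found at $psfile; skipped" }
}

# 5. Clipboard text. Get-Clipboard returns $null when the content is not text.
Write-Section 'Clipboard (text)' {
    $clip = Get-Clipboard -Raw
    if ($null -eq $clip) { '<no text on clipboard>' } else { $clip }
}

# 6. This session's history plus the PSReadLine file that persists across
#    sessions for the current user (absent if PSReadLine is not loaded).
Write-Section 'PowerShell history' {
    Get-History | Format-Table Id, StartExecutionTime, CommandLine -AutoSize
    $histFile = try { (Get-PSReadLineOption).HistorySavePath } catch { $null }
    if ($histFile -and (Test-Path $histFile)) {
        "---- persisted history: $histFile ----"
        Get-Content $histFile
    } else { '<no PSReadLine history file found>' }
}

# Hash the finished report into a sidecar file so its integrity can be shown later.
$hash = (Get-FileHash -Path $report -Algorithm SHA256).Hash
Set-Content -Path "$report.sha256" -Value "$hash  $(Split-Path $report -Leaf)"
Write-Host "Report written to $report (SHA256 $hash)"
```

The report is written with Add-Content only, so each section lands on disk as soon as it is gathered; if the machine is powered off part-way through, everything collected up to that point survives. Writing the hash to a separate file, rather than appending it to the report, keeps the hashed content unchanged.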