When collecting evidence, proceed from the most volatile sources to the
less volatile ones. Here is an example order of volatility for a typical
system, most volatile first:
- registers, cache
- routing table, arp cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
http://www.faqs.org/rfcs/rfc3227.html
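As an added example (not part of the original post or of RFC 3227), the following Python collector walks a set of artifacts in the order of volatility above, records a SHA-256 and timestamp for each acquisition so the evidence can be verified later, and keeps going when one acquisition fails so a broken step never blocks the less volatile evidence behind it. The artifacts and their collector functions are constructed stand-ins for real acquisition tools.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# RFC 3227 order of volatility; tier 0 is the most volatile and is collected first.
VOLATILITY_ORDER = [
    "registers, cache",
    "routing table, arp cache, process table, kernel statistics, memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration, network topology",
    "archival media",
]

@dataclass
class Artifact:
    name: str
    tier: int                     # index into VOLATILITY_ORDER
    collect: Callable[[], bytes]  # returns the acquired evidence bytes

def collect_in_volatility_order(artifacts: List[Artifact]) -> List[Dict]:
    """Acquire artifacts most-volatile first and return a chain-of-custody log.

    sorted() is stable, so artifacts in the same tier keep their given order.
    A collector that raises is logged as failed and collection continues."""
    log = []
    for a in sorted(artifacts, key=lambda x: x.tier):
        entry = {"name": a.name, "tier": a.tier,
                 "tier_label": VOLATILITY_ORDER[a.tier],
                 "collected_at": time.time()}
        try:
            data = a.collect()
            entry.update(status="ok", size=len(data),
                         sha256=hashlib.sha256(data).hexdigest())
        except Exception as exc:  # record the failure, keep collecting
            entry["status"] = f"failed: {exc}"
        log.append(entry)
    return log

def _unavailable() -> bytes:
    raise RuntimeError("no debugger attached")  # constructed failure case

# Constructed sample artifacts, deliberately given out of volatility order.
SAMPLE_ARTIFACTS = [
    Artifact("disk image", 3, lambda: b"constructed disk image bytes"),
    Artifact("process table", 1, lambda: b"PID 1 init\nPID 42 sshd\n"),
    Artifact("registers", 0, _unavailable),
    Artifact("arp cache", 1, lambda: b"10.0.0.1 aa:bb:cc:dd:ee:ff\n"),
    Artifact("remote syslog", 4, lambda: b"Nov  1 12:00:00 host sshd[42]: Accepted publickey\n"),
]

if __name__ == "__main__":
    print(json.dumps(collect_in_volatility_order(SAMPLE_ARTIFACTS), indent=2))
```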
Thursday, November 1, 2012
Volatile sources of forensic evidence on Windows-based systems.