Part 2 of 6

Live System Analysis

🕑 120-150 minutes 📖 Intermediate Level 📋 Module 3

Introduction

Live system analysis is the process of examining a running computer without shutting it down. This approach is critical when volatile data must be captured before it's lost. Understanding when and how to perform live analysis is a crucial skill for any forensic examiner.

📚 Learning Objectives

By the end of this part, you will understand the order of volatility, master RAM acquisition techniques, analyze running processes and network connections, and know how to properly document live system findings.

Order of Volatility

RFC 3227 defines the order of volatility - the sequence in which evidence should be collected based on how quickly it disappears. This is fundamental to live forensics.

Order of Volatility (RFC 3227)

  • CPU Registers & Cache: nanoseconds
  • RAM / System Memory: seconds to minutes
  • Network State & Connections: minutes
  • Running Processes: minutes to hours
  • Temporary Files: hours to days
  • Disk / Non-volatile Storage: persistent
  • Backup Media: long-term

Critical Decision

The decision to perform live analysis vs. immediate shutdown depends on the situation. Live analysis is preferred when: encryption may be in use, network connections are active, memory-resident malware is suspected, or the system cannot be easily restored. However, any interaction with a live system will alter evidence - document everything!

Volatile Data Collection

Volatile data exists only while the system is running. Once power is lost, this data is gone forever. Proper collection requires a systematic approach and trusted tools.

Types of Volatile Data

📈 System Information

Current date/time, uptime, logged-in users, system configuration, environment variables.

🛠 Running Processes

Process list, parent-child relationships, command lines, memory usage, open handles.

🌐 Network State

Active connections, listening ports, routing tables, ARP cache, DNS cache.

🔒 Memory Contents

Encryption keys, passwords in memory, malware artifacts, process memory regions.

Windows Volatile Data Collection Commands

# System Information
date /t && time /t                  # Current date and time
systeminfo                          # Detailed system information
hostname                            # Computer name
whoami /all                         # Current user and privileges
net localgroup administrators       # Admin group members

# Logged-in Users
query user                          # Currently logged-in users
qwinsta                             # Terminal sessions
net sessions                        # Network sessions

# Process Information
tasklist /v                         # Detailed process list
tasklist /svc                       # Processes with services
wmic process list full              # Complete process details
wmic process get name,parentprocessid,processid,commandline

# Network Information
netstat -anob                       # Connections with PIDs and executables
ipconfig /all                       # Network configuration
ipconfig /displaydns                # DNS cache
arp -a                              # ARP cache
route print                         # Routing table
netsh wlan show profiles            # WiFi profiles

# Scheduled Tasks
schtasks /query /fo list /v         # Scheduled tasks

# Open Files and Handles
openfiles /query /fo list           # Open files (if enabled)
net file                            # Open shared files

Linux Volatile Data Collection Commands

# System Information
date                        # Current date and time
uname -a                    # System information
uptime                      # System uptime
cat /etc/os-release         # OS version

# Users and Sessions
who                         # Currently logged-in users
w                           # User activity
last -a                     # Login history
cat /etc/passwd             # User accounts

# Process Information
ps auxwww                   # All processes with full command lines
ps -ef --forest             # Process tree
top -b -n 1                 # Process snapshot
lsof -i                     # Open network files
lsof +L1                    # Deleted but open files

# Network Information
netstat -tulpan             # Network connections
ss -tulpan                  # Socket statistics
ip addr                     # Network interfaces
ip route                    # Routing table
arp -a                      # ARP cache
cat /etc/resolv.conf        # DNS configuration

# Loaded Modules
lsmod                       # Loaded kernel modules

# Scheduled Tasks
crontab -l                  # User cron jobs
cat /etc/crontab            # System cron jobs
ls -la /etc/cron.*          # Cron directories

RAM Acquisition

Memory acquisition is one of the most critical aspects of live forensics. RAM contains encryption keys, passwords, malware code, and artifacts that don't exist on disk.

Why RAM Acquisition Matters

  • Encryption Keys: BitLocker, VeraCrypt, and other encryption keys may exist only in memory
  • Memory-Only Malware: Fileless malware exists entirely in RAM
  • Process Memory: Running processes, their data, and injected code
  • Network Artifacts: Connection data, buffered communications
  • User Activity: Clipboard contents, typed data, chat messages

RAM Acquisition Tools - Windows

FTK Imager (AccessData)
Free, GUI-based tool for memory acquisition. Creates raw memory dumps with minimal footprint.
File > Capture Memory > Select destination > Capture Memory
WinPMEM
Open-source memory acquisition tool from the Rekall project. Command-line based.
winpmem_mini_x64.exe memdump.raw
DumpIt (Comae)
Simple one-click memory acquisition. Double-click to dump memory to current directory.
DumpIt.exe
Magnet RAM Capture
Free tool from Magnet Forensics. GUI-based with automatic filename generation.
MagnetRAMCapture.exe (GUI)

RAM Acquisition Tools - Linux

LiME (Linux Memory Extractor)
Loadable Kernel Module for Linux memory acquisition. Must be compiled for target kernel.
insmod lime.ko "path=/tmp/memdump.lime format=lime"
AVML (Acquire Volatile Memory for Linux)
Microsoft's open-source tool. No kernel module needed.
avml memory.lime
/proc/kcore
Virtual file representing physical memory. Requires root access.
dd if=/proc/kcore of=memory.raw bs=1M

RAM Acquisition Best Practices

Always dump to an external drive, never to the target system's disk. Use write blockers when possible. Document the exact tool version, time, and hash of the resulting image. Remember that the acquisition tool itself will be loaded into memory, altering the evidence - this is unavoidable but must be documented.

Memory Analysis with Volatility

After acquisition, memory images can be analyzed using tools like Volatility Framework.

# Volatility 3 Commands

# Identify the operating system
vol -f memory.raw windows.info

# List processes
vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree

# Detect hidden processes
vol -f memory.raw windows.psscan

# Network connections
vol -f memory.raw windows.netscan

# Command line arguments
vol -f memory.raw windows.cmdline

# DLLs loaded by processes
vol -f memory.raw windows.dlllist

# Registry hives in memory
vol -f memory.raw windows.registry.hivelist

# Dump a specific process memory
vol -f memory.raw windows.memmap --pid 1234 --dump

Process Analysis

Understanding running processes is crucial for detecting malicious activity. Legitimate Windows processes have specific characteristics that can help identify anomalies.

Critical Windows Processes

Process      | Expected Path          | Expected Parent | Notes
System       | N/A (PID 4)            | None (PID 0)    | Kernel process, always PID 4
smss.exe     | %SystemRoot%\System32\ | System (4)      | Session Manager, first user-mode process
csrss.exe    | %SystemRoot%\System32\ | smss.exe        | Client/Server Runtime, one per session
wininit.exe  | %SystemRoot%\System32\ | smss.exe        | Windows Initialization, Session 0 only
services.exe | %SystemRoot%\System32\ | wininit.exe     | Service Control Manager, single instance
lsass.exe    | %SystemRoot%\System32\ | wininit.exe     | Local Security Authority, single instance
svchost.exe  | %SystemRoot%\System32\ | services.exe    | Service Host, multiple instances normal
explorer.exe | %SystemRoot%\          | userinit.exe    | Windows Shell, one per logged-in user

Red Flags in Process Analysis

Watch for: processes running from wrong paths (svchost.exe from temp folder), unusual parent-child relationships (cmd.exe spawning lsass.exe), misspelled process names (svhost.exe, 1sass.exe), and multiple instances of processes that should be singleton (two lsass.exe).
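
The following script is an added example, not part of this module's material: it applies the expected-process table and the red flags above to a process snapshot (such as the output of wmic process get name,parentprocessid,processid) and reports wrong directories, wrong parents, lookalike names and duplicate singletons. It assumes %SystemRoot% is C:\Windows, and the snapshot it runs on is constructed.

```python
import difflib
import ntpath

SYSTEMROOT = r"C:\Windows"  # assumption: where %SystemRoot% points on the examined host
SYS32 = SYSTEMROOT + r"\System32"
# (expected directory, expected parent) per the table above; None disables that check.
EXPECTED = {
    "system": (None, None), "smss.exe": (SYS32, "system"),
    "csrss.exe": (SYS32, "smss.exe"), "wininit.exe": (SYS32, "smss.exe"),
    "services.exe": (SYS32, "wininit.exe"), "lsass.exe": (SYS32, "wininit.exe"),
    "svchost.exe": (SYS32, "services.exe"), "explorer.exe": (SYSTEMROOT, "userinit.exe"),
}
SINGLETONS = {"services.exe", "lsass.exe"}  # marked "single instance" in the table

def find_anomalies(snapshot):
    """snapshot: iterable of (pid, ppid, name, path). Returns [(pid, name, reason), ...]."""
    procs = {pid: (ppid, name.lower(), path) for pid, ppid, name, path in snapshot}
    counts = {}
    for _, name, _ in procs.values():
        counts[name] = counts.get(name, 0) + 1
    findings = []
    for pid, (ppid, name, path) in procs.items():
        if name not in EXPECTED:
            # Lookalike names (svhost.exe, 1sass.exe) sit within a short edit of a real one.
            near = difflib.get_close_matches(name, list(EXPECTED), n=1, cutoff=0.85)
            if near:
                findings.append((pid, name, f"name resembles {near[0]} (possible masquerade)"))
            continue
        exp_dir, exp_parent = EXPECTED[name]
        if exp_dir and ntpath.dirname(path).lower() != exp_dir.lower():
            findings.append((pid, name, f"unexpected path {path}"))
        parent = procs.get(ppid)  # may be absent: userinit.exe exits after starting explorer.exe
        if exp_parent and parent and parent[1] != exp_parent:
            findings.append((pid, name, f"unexpected parent {parent[1]} (expected {exp_parent})"))
        if name in SINGLETONS and counts[name] > 1:
            findings.append((pid, name, f"{counts[name]} instances of a singleton process"))
    return findings

# Constructed snapshot (not real data): a normal boot chain plus three planted anomalies.
SAMPLE_SNAPSHOT = [
    (4, 0, "System", ""), (368, 4, "smss.exe", SYS32 + r"\smss.exe"),
    (496, 368, "wininit.exe", SYS32 + r"\wininit.exe"), (600, 496, "services.exe", SYS32 + r"\services.exe"),
    (612, 496, "lsass.exe", SYS32 + r"\lsass.exe"), (800, 600, "svchost.exe", SYS32 + r"\svchost.exe"),
    (4100, 800, "cmd.exe", SYS32 + r"\cmd.exe"),
    (2200, 600, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),  # wrong path
    (3100, 4100, "lsass.exe", SYS32 + r"\lsass.exe"),  # second lsass.exe, spawned by cmd.exe
    (4500, 3100, "1sass.exe", r"C:\Windows\Temp\1sass.exe"),  # misspelled lookalike
]

if __name__ == "__main__":
    print(*find_anomalies(SAMPLE_SNAPSHOT), sep="\n")
```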

PowerShell Process Analysis

# Get processes with path and start time
Get-Process | Select-Object Id, ProcessName, Path, StartTime | Format-Table

# Get processes with parent PID and command line (requires admin)
Get-WmiObject Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine

# Find processes by path pattern (suspicious locations)
Get-Process | Where-Object {$_.Path -like "*temp*" -or $_.Path -like "*appdata*"}

# Find network connections per process
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Network Connection Analysis

Network state analysis reveals active communications, potential data exfiltration, and command-and-control connections.

Key Network Artifacts

🔗 Active Connections

Established TCP/UDP connections showing communication with remote hosts.

🔊 Listening Ports

Services waiting for incoming connections - potential backdoors or legitimate services.

📋 DNS Cache

Recently resolved domain names - reveals browsing history and malware C2 domains.

💻 ARP Cache

IP to MAC address mappings - reveals local network communication patterns.

Network Analysis Commands

# Windows - Detailed network connections
netstat -anob
# -a: All connections
# -n: Numeric addresses
# -o: Owning process ID
# -b: Executable name (requires admin)

# Look for suspicious connections
# - Connections to unusual ports (4444, 8080, high ports)
# - Connections to foreign IP addresses
# - Unexpected listening services

# DNS Cache - recently resolved domains
ipconfig /displaydns

# PowerShell - Detailed connection info
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

# Linux - Network connections with process info
ss -tulpan
lsof -i -P -n
netstat -tulpan

💡 Suspicious Network Indicators

Red flags: Connections to known malicious IPs/domains, unusual outbound connections from system processes, encrypted traffic on non-standard ports, beaconing behavior (regular interval connections), and connections from processes that shouldn't have network access.

Live Forensics Documentation

Proper documentation is critical in live forensics because your actions modify the system. Every command executed should be recorded with timestamps.

Documentation Requirements

  • Timestamp: Record the exact time of each action
  • Commands: Document every command executed
  • Tools: Record tool names, versions, and source
  • Order: Maintain chronological order of actions
  • Hashes: Calculate hashes of all collected data
  • Rationale: Document why each action was taken

Automated Collection Script Example

@echo off
REM Windows Live Response Script (run from USB)
set OUTDIR=E:\LiveResponse\%COMPUTERNAME%_%DATE:~-4,4%%DATE:~-10,2%%DATE:~-7,2%
mkdir "%OUTDIR%"
echo [%DATE% %TIME%] Starting live response collection > "%OUTDIR%\collection.log"

echo [%DATE% %TIME%] Collecting system info >> "%OUTDIR%\collection.log"
systeminfo > "%OUTDIR%\systeminfo.txt"

echo [%DATE% %TIME%] Collecting processes >> "%OUTDIR%\collection.log"
tasklist /v > "%OUTDIR%\tasklist.txt"
wmic process list full > "%OUTDIR%\wmic_process.txt"

echo [%DATE% %TIME%] Collecting network state >> "%OUTDIR%\collection.log"
netstat -anob > "%OUTDIR%\netstat.txt"
ipconfig /all > "%OUTDIR%\ipconfig.txt"
ipconfig /displaydns > "%OUTDIR%\dnscache.txt"
arp -a > "%OUTDIR%\arpcache.txt"

echo [%DATE% %TIME%] Collecting scheduled tasks >> "%OUTDIR%\collection.log"
schtasks /query /fo list /v > "%OUTDIR%\schtasks.txt"

echo [%DATE% %TIME%] Collection complete >> "%OUTDIR%\collection.log"
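
A Linux counterpart to the Windows script above, added here as an example rather than taken from the module: it runs the page's Linux collection commands in order of volatility and meets the documentation requirements by timestamping every action and recording a SHA-256 of every output file. The output directory /mnt/usb/liveresponse is an assumed external mount, never the target's own disk.

```python
import datetime
import hashlib
import os
import platform
import subprocess
# Steps ordered by volatility (RFC 3227), most volatile first, using the page's Linux
# collection commands. DEFAULT_OUTDIR is an assumption: mounted external media, not the target disk.
COLLECTION_STEPS = [
    ("date", ["date"]), ("uname", ["uname", "-a"]), ("uptime", ["uptime"]), ("who", ["who"]),
    ("ps", ["ps", "auxwww"]), ("pstree", ["ps", "-ef", "--forest"]),
    ("sockets", ["ss", "-tulpan"]), ("lsof_net", ["lsof", "-i", "-P", "-n"]),
    ("ifaces", ["ip", "addr"]), ("routes", ["ip", "route"]), ("arp", ["arp", "-a"]),
    ("lsmod", ["lsmod"]), ("crontab", ["cat", "/etc/crontab"]),
]
DEFAULT_OUTDIR = "/mnt/usb/liveresponse"

def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def log(outdir, message):
    """Append a timestamped line to the collection log (every action gets a timestamp)."""
    with open(os.path.join(outdir, "collection.log"), "a", encoding="utf-8") as fh:
        fh.write(f"[{utc_now()}] {message}\n")

def collect(outdir, name, argv):
    """Run one command, save its output, log it, record its SHA-256 and return the digest.
    A missing tool or a hang is logged instead of aborting, so later steps still run."""
    log(outdir, f"START {name}: {' '.join(argv)}")
    try:
        result = subprocess.run(argv, capture_output=True, timeout=60)
        data, status = result.stdout, f"rc={result.returncode}"
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        data, status = b"", f"error={type(exc).__name__}"
    with open(os.path.join(outdir, f"{name}.txt"), "wb") as fh:
        fh.write(data)
    digest = hashlib.sha256(data).hexdigest()
    with open(os.path.join(outdir, "hashes.sha256"), "a", encoding="utf-8") as fh:
        fh.write(f"{digest}  {name}.txt\n")  # same layout sha256sum -c expects
    log(outdir, f"DONE {name} {status} sha256={digest}")
    return digest

def run_collection(outdir=DEFAULT_OUTDIR, steps=COLLECTION_STEPS):
    """Collect every step in order; returns {name: sha256} for the chain-of-custody record."""
    os.makedirs(outdir, exist_ok=True)
    log(outdir, f"Live response started on {platform.node()}")
    digests = {name: collect(outdir, name, argv) for name, argv in steps}
    log(outdir, "Collection complete")
    return digests

if __name__ == "__main__":
    run_collection()
```

Run it as root from the external media so the process commands see every user's processes; collection.log and hashes.sha256 together give the timestamped, hash-verified record the documentation requirements call for.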
📚 Key Takeaways
  • Follow the order of volatility (RFC 3227) - collect most volatile data first
  • RAM acquisition is critical - encryption keys, malware, and artifacts exist only in memory
  • Use trusted tools from external media to minimize system modification
  • Understand normal process behavior to identify anomalies and potential malware
  • Network analysis reveals active threats, C2 communications, and data exfiltration
  • Document everything - every command, timestamp, and tool used during live analysis