Chapter 15 — Key Takeaways

The big idea

When the machine is running, the most valuable evidence is the most perishable — so you collect fastest-dying first, and because you cannot observe a live system without changing it, defensibility shifts from preservation to minimization plus documentation. Chapter 14 let you keep the original pristine behind a write-blocker. Here you cannot: you will touch a running, possibly compromised, possibly evidence-destroying system with your own hands, and every command changes it. The skill is not avoiding that — you cannot — but doing it in a defensible order, capturing the most volatile evidence before you trample it, and logging your actions so completely that a year later, on the stand, you can account for every byte you altered and prove the evidence is sound even though the system was not. The original is still sacred; reverence just becomes a logbook instead of a write-blocker.

The order of volatility (RFC 3227 §2.1) — collect top-down

Tier Artifact Lifetime Note
1 CPU registers, L1/L2/L3 cache nanoseconds effectively uncapturable — skip it
2 Routing/ARP, process table, network state seconds–minutes reconstructable from a memory image
3 System RAM (full contents) until power-off the prize — capture first
4 Temp file systems (tmpfs, pagefile, hiberfil) minutes–hours
5 Disk — allocated and unallocated years deleted ≠ destroyed; it will wait for you
6 Remote logs, NetFlow, SIEM days–years
7 Physical config, topology stable
8 Archival media (backups, tape, cloud) years–decades

The invisible top entry on any unlocked, encrypted host: the decryption key in RAM, dying at power-off.

When not to pull the plug

  • Full-disk encryption that re-locks on shutdown (BitLocker / FileVault / LUKS / VeraCrypt). Unlocked now, ciphertext after power-off — unless you captured memory (the key) or live-imaged the mounted volume.
  • Production services and the graceful-shutdown trap. A clean shutdown runs code — including a possible attacker wiper. Often the answer is: don't shut down at all.
  • Cloud-tethered, ephemeral state. OAuth tokens and session cookies in RAM, MDM remote-wipe, cloud-drive placeholders. Disconnecting and staying connected are both non-neutral.
  • Isolate, don't terminate. EDR host isolation (CrowdStrike Falcon, Microsoft Defender, Carbon Black) freezes the attacker out while keeping memory intact and the host reachable.

Live vs. dead-box: the two things that change

  • The smear. A live image is a long-exposure photo of a moving subject — a non-reproducible composite over minutes-to-hours. Re-acquire and the hash differs, because the system lived in between.
  • The hash means integrity from acquisition forward, not bit-for-bit equality with the original. Say so before you are asked; disclosed limitations cannot be used to ambush you.

Capturing volatile data, in order

Establish a trusted toolkit (rootkits hook the subject's netstat/ps/ls; use the cross-view difference to expose what they hide) and solve the two-clock problem first. Then: memoryprocesses with command line + PPID (not names) → network connections (netstat -anob / ss -tunap) → sessionsopen files (lsof +L1 and the deleted-but-open recovery from /proc) → clipboard / ARP / DNS cache. Run trusted tools; write every byte off-box; hash on completion.

Triage at scale

You cannot image a thousand 500 GB hosts. KAPE (Targets collect, Modules parse — run Targets only on the subject, parse later) and cross-platform CyLR grab the few high-value artifacts in minutes; Velociraptor and EDR consoles do it across the fleet. Triage many, image only the few that earn it — that is the rigor, applied to scale.

You can now…

  • ☐ Sequence a live collection by the order of volatility and explain why memory precedes the disk that dwarfs it.
  • ☐ Recognize when power-off destroys evidence — encrypted-and-unlocked volumes, keys in RAM, active connections, wiper risk — and choose, on the record, between live and dead-box.
  • ☐ Capture memory, lineage-aware process state, network state, sessions, and the deleted-but-open file soundly, off-box and hashed.
  • ☐ Run targeted triage with KAPE and CyLR and decide which hosts merit a full image.
  • ☐ Produce a defensible live-response record — scripted collector, manifest, witnessed log with UTC timestamps and per-artifact hashes — that survives cross-examination.

Looking ahead

Chapter 16 — Windows Forensics. You collected the registry hives, event logs, Prefetch, Amcache, LNK files, and $Recycle.Bin with KAPE. Now you learn to read them — and to expose the employee who thought they covered their tracks.

One sentence to carry forward: You cannot capture a live system without changing it — so capture the fastest-dying evidence first, write everything off-box and hashed, and document so completely that your footprints can never be confused with the intruder's.