Chapter 15 — Key Takeaways
The big idea
When the machine is running, the most valuable evidence is the most perishable — so you collect fastest-dying first, and because you cannot observe a live system without changing it, defensibility shifts from preservation to minimization plus documentation. Chapter 14 let you keep the original pristine behind a write-blocker. Here you cannot: you will touch a running, possibly compromised, possibly evidence-destroying system with your own hands, and every command changes it. The skill is not avoiding that — you cannot — but doing it in a defensible order, capturing the most volatile evidence before you trample it, and logging your actions so completely that a year later, on the stand, you can account for every byte you altered and prove the evidence is sound even though the system was not. The original is still sacred; reverence just becomes a logbook instead of a write-blocker.
The order of volatility (RFC 3227 §2.1) — collect top-down
| Tier | Artifact | Lifetime | Note |
|---|---|---|---|
| 1 | CPU registers, L1/L2/L3 cache | nanoseconds | effectively uncapturable — skip it |
| 2 | Routing/ARP, process table, network state | seconds–minutes | reconstructable from a memory image |
| 3 | System RAM (full contents) | until power-off | the prize — capture first |
| 4 | Temp file systems (tmpfs, pagefile, hiberfil) | minutes–hours | |
| 5 | Disk — allocated and unallocated | years | deleted ≠ destroyed; it will wait for you |
| 6 | Remote logs, NetFlow, SIEM | days–years | |
| 7 | Physical config, topology | stable | |
| 8 | Archival media (backups, tape, cloud) | years–decades |
The invisible top entry on any unlocked, encrypted host: the decryption key in RAM, dying at power-off.
When not to pull the plug
- Full-disk encryption that re-locks on shutdown (BitLocker / FileVault / LUKS / VeraCrypt). Unlocked now, ciphertext after power-off — unless you captured memory (the key) or live-imaged the mounted volume.
- Production services and the graceful-shutdown trap. A clean shutdown runs code — including a possible attacker wiper. Often the answer is: don't shut down at all.
- Cloud-tethered, ephemeral state. OAuth tokens and session cookies in RAM, MDM remote-wipe, cloud-drive placeholders. Disconnecting and staying connected are both non-neutral.
- Isolate, don't terminate. EDR host isolation (CrowdStrike Falcon, Microsoft Defender, Carbon Black) freezes the attacker out while keeping memory intact and the host reachable.
Live vs. dead-box: the two things that change
- The smear. A live image is a long-exposure photo of a moving subject — a non-reproducible composite over minutes-to-hours. Re-acquire and the hash differs, because the system lived in between.
- The hash means integrity from acquisition forward, not bit-for-bit equality with the original. Say so before you are asked; disclosed limitations cannot be used to ambush you.
Capturing volatile data, in order
Establish a trusted toolkit (rootkits hook the subject's netstat/ps/ls; use the cross-view difference to expose what they hide) and solve the two-clock problem first. Then: memory → processes with command line + PPID (not names) → network connections (netstat -anob / ss -tunap) → sessions → open files (lsof +L1 and the deleted-but-open recovery from /proc) → clipboard / ARP / DNS cache. Run trusted tools; write every byte off-box; hash on completion.
Triage at scale
You cannot image a thousand 500 GB hosts. KAPE (Targets collect, Modules parse — run Targets only on the subject, parse later) and cross-platform CyLR grab the few high-value artifacts in minutes; Velociraptor and EDR consoles do it across the fleet. Triage many, image only the few that earn it — that is the rigor, applied to scale.
You can now…
- ☐ Sequence a live collection by the order of volatility and explain why memory precedes the disk that dwarfs it.
- ☐ Recognize when power-off destroys evidence — encrypted-and-unlocked volumes, keys in RAM, active connections, wiper risk — and choose, on the record, between live and dead-box.
- ☐ Capture memory, lineage-aware process state, network state, sessions, and the deleted-but-open file soundly, off-box and hashed.
- ☐ Run targeted triage with KAPE and CyLR and decide which hosts merit a full image.
- ☐ Produce a defensible live-response record — scripted collector, manifest, witnessed log with UTC timestamps and per-artifact hashes — that survives cross-examination.
Looking ahead
Chapter 16 — Windows Forensics. You collected the registry hives, event logs, Prefetch, Amcache, LNK files, and $Recycle.Bin with KAPE. Now you learn to read them — and to expose the employee who thought they covered their tracks.
One sentence to carry forward: You cannot capture a live system without changing it — so capture the fastest-dying evidence first, write everything off-box and hashed, and document so completely that your footprints can never be confused with the intruder's.