NETS1032

Live Forensics

Introduction

This module provides conceptual and practical information on the processes, tools, and considerations involved in examining system memory, a practice known as live or memory forensics.

For your lab work, ensure you have access to both a Linux desktop environment with root, and a Windows desktop with Administrator. You will be showing your work to the professor throughout the semester, so you will need to be able to share your lab system screen, and the lab system you use will need to be clearly identified as your own (you should use your own name for the login, or at least something unique to you). No marks will be given for showing work on a lab system which is not your own.

Learning Objectives

At the end of this module, students will:

These objectives are in support of Learning Outcomes 1, 2, 3, 4, and 5 in the Course Outline.

To do List

Lesson Material

Learning Activity

Watch the videos from the presentation, as well as the videos listed under additional resources. Briefly review the materials available at the other websites listed under Additional Resources. Do the Live Forensics Assignment using the video from DFIRScience as a guide for software installation and use.

Additional Resources

Videos with demos of working with RAM captures

Example Software Tools for live forensic analysis

Graded Activity

This lab is graded and the lab instructions describe what to submit for it.

Quiz

The quiz is found on Blackboard under Assignments and Tests.

Test

There is no separate test for this topic. The quiz will count for your testing mark in this topic.

Summary

In this module, you have been introduced to working with live memory investigations and captured memory images. You should now be:

Completing the quiz will provide you with a measure of your knowledge in these areas. For the next class you should have your computing environment available with access to both Linux and Windows.