Evidence handling is clearly one of the most important aspects of the expanding field of computer forensics. Never-ending innovation in technology keeps best practices in constant flux in an effort to meet industry needs. One of the more recent shifts in evidence handling has been the move away from simply "pulling the plug" as the first step in evidence collection toward methodologies that acquire evidence "live" from a suspect computer.
The need for changes in digital evidence collection is being driven by the rapidly changing computing environment:
Effectively, live forensics collects digital evidence in an order based on the life expectancy of the evidence in question. Simply put, in all likelihood the most important evidence to be gathered today, and for the foreseeable future, exists only as the volatile data held in the computer's RAM.
Order of volatility of digital evidence
Stand Alone Home Computer
For proper evidence preservation, follow these procedures in order (do not use the computer or search for evidence):
Note: * If the computer is x64, the author recommends collecting the image of RAM using HBGary FastDump Pro.
The author's first exposure to live forensics in digital evidence collection was nearly 10 years ago, during his initial SANS GIAC Certified Forensic Analyst (GCFA) forensics training. The course included several hands-on labs that allowed students to become familiar with tools such as the Windows Forensic Toolkit (WFT) (http://www.foolmoon.net/security/), which automated the collection of volatile data from the subject PC in a forensically sound manner:
Hence, even a decade ago, computer forensics evidence collection training went well beyond simply imaging a hard drive. It included the training necessary to collect "live" evidence, such as that found in RAM, in a forensically sound manner. As an example, the methodologies taught at SANS as part of the GCFA training enabled the forensic investigator to take the volatility of all data into account when planning the evidence collection process. Using the SANS training, the investigator was effectively able to collect all available and relevant evidence, starting with the most volatile data first rather than focusing only on the limited evidence available on the computer's hard drive.
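As an added illustration of the principle described above (not code from the original article or from any of the tools it names), the following Python sketch orders acquisition tasks by volatility tier, records a timestamped SHA-256 manifest per artifact, and can later verify both the hashes and the acquisition order. The tier list is assumed from RFC 3227 section 2.1 because the article's own list is not reproduced here, and the `Artifact.collect` callables are hypothetical stand-ins for real acquisition tools such as a RAM dumper.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Volatility tiers, most volatile first. The article's own list is not on the page;
# this ordering follows RFC 3227 section 2.1 (an assumption made for this example).
VOLATILITY_ORDER = [
    "registers_cache",  # CPU registers and cache
    "memory",           # RAM image, process table, ARP and routing tables
    "temp_fs",          # temporary file systems and swap
    "disk",             # hard drive image
    "remote_logs",      # logging/monitoring data held on other systems
    "physical_config",  # physical configuration and network topology
    "archival_media",   # backups and other archival media
]
_RANK = {tier: i for i, tier in enumerate(VOLATILITY_ORDER)}

@dataclass
class Artifact:
    name: str
    tier: str
    collect: Callable[[], bytes]  # hypothetical acquisition routine (e.g. a RAM dumper)

def plan(artifacts: List[Artifact]) -> List[Artifact]:
    """Sort artifacts so the most volatile are acquired first; reject unknown tiers."""
    unknown = [a.name for a in artifacts if a.tier not in _RANK]
    if unknown:
        raise ValueError(f"unknown volatility tier for: {unknown}")
    return sorted(artifacts, key=lambda a: _RANK[a.tier])

def acquire(artifacts: List[Artifact], clock: Callable[[], float] = time.time) -> List[Dict]:
    """Acquire in order of volatility; record tier, timestamps and SHA-256 per artifact."""
    manifest = []
    for art in plan(artifacts):
        started = clock()
        data = art.collect()
        manifest.append({"name": art.name, "tier": art.tier, "started": started,
                         "finished": clock(), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return manifest

def verify(manifest: List[Dict], evidence: Dict[str, bytes]) -> bool:
    """True if stored evidence matches the manifest and the recorded order never went
    from a less volatile tier back to a more volatile one."""
    ranks = [_RANK[e["tier"]] for e in manifest]
    if ranks != sorted(ranks):
        return False
    return all(hashlib.sha256(evidence[e["name"]]).hexdigest() == e["sha256"]
               for e in manifest)
```

The manifest is the part that makes the collection defensible: it fixes what was taken, when, and in what order, and lets a later examiner show the stored copies are unchanged.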
The author has become familiar with several other options for acquiring volatile digital evidence (live data), including creating an image of RAM in a forensically sound manner (in no specific order):
In digital evidence collection today, live forensics has become a necessity. Among forensic professionals in both law enforcement and private practice it has long been recognized that the tradition of first pulling the plug on a PC under examination is an outdated and overly conservative approach that can destroy valuable evidence. Our ability to reliably collect volatile evidence in a forensically sound manner has effectively rendered the legacy best practice of "pulling the plug" obsolete.