Volatile Data Preservation

Ok it has been a while since I started this blog but I do not think any one was reading it or will for a while, so here is my first meaningful post, hope to be on a more regular schedule from now on.

One thing that I have noticed is that the collection and preservation of volatile data is not as well documented or talked about when discussing evidence, and most of the focus is based on the hard drive collection and preservation. This probably has to do with the fact that the collection of volatile data is more related to network intrusion incidents then with prosecutions of criminal acts. This data should be treated the same way as the traditional collection of the hard drive, making sure that the evidence has a chain of custody and can not be tampered with, more on this can be read here. The Snapshot does a good job in interacting with the target machine as little as possible but preservation of the evidence that is collected is just as important as not interacting with the target machine. One area lacking in the preservation of the collected evidence I have observed, as well as others, is with EnCase Enterpise's inability to preserve their "Snapshots". I have not been able to figure out how to get the data to export from the report view and many have tried this with no luck either. At one point they had a Snapshot database feature that was once available and that is supposed to come back sometime with a new release, maybe 6.99, hopefully it will come back soon (its been almost a year since they promised it would be back).

In the mean time I thought I could make something for the preservation of this evidence. This EnScript will take a Snapshot from the case and produce either a HTML view of the Snapshot or a XLS workbook. The workbook is easier to use for analysis, auto filter will be your friend, and the HTML view is good for reporting purposes. Please give me comments on what could be done to make it better or more usable. Download it below.

Snapshot Report Generator