Designed as a script-based live forensics tool that a forensics investigator with zero prior knowledge can use.
 

Conduct live evidence extraction before system reboot
 

Uses a USB drive as the media
 

Used for carrying out non-intrusive volatile evidence extraction
 
 
 
According to Forensics Practice Principles at the Scene of Crime:
⚫ Reconnaissance: find as much evidence as possible
⚫ Reliability: preserve the evidence as well as possible
⚫ Relevancy: identify related evidence as closely as possible
 
 
 
⚫ Not to cause unnecessary input to the target machine
⚫ Collect the volatile data, including network and memory information, for investigation
⚫ Documentation of execution flow for court presentation
⚫ Backup passwords from the machine for future forensic purpose
 
Volatile information to be collected
 
⚫ Date, time
⚫ Volatile memory
⚫ Clipboard
⚫ Network connection
⚫ Open ports UDP, TCP
⚫ NetBIOS, neighboring network connection
 
⚫ User Account
⚫ Users currently logged on
⚫ Processes
⚫ Running processes
⚫ Running services
⚫ Scheduled Jobs
 
⚫ Files
⚫ Open files
⚫ Screen capture
⚫ Clipboard
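The goals above (no unnecessary input to the target, output kept off the target's disk, and a documented execution flow for court) and the list of volatile items map naturally onto a small collector script. The following is an added example written for this page, not the tool's own code. It assumes PowerShell 2.0 or later is present on the target, that the script is launched from the USB drive, and that the built-in console tools it calls (netstat, arp, route, ipconfig, nbtstat, quser, net, tasklist, schtasks, openfiles, w32tm) exist on that Windows version; the step names and folder layout are the example's own choices. Memory imaging and screen capture are left to a dedicated imager rather than invented here.

```powershell
# Added example, not the original tool's code. Collects volatile data from a
# Windows host onto the USB drive the script runs from, logging every step
# with a timestamp, the exact command line and a SHA-256 of the output file
# so the execution flow can be presented and verified later.
# Assumptions: PowerShell 2.0+, script started from the USB drive, and the
# listed built-in console tools exist on the target (varies by Windows version).

$ErrorActionPreference = 'Continue'
$Root = Split-Path -Parent $MyInvocation.MyCommand.Path      # folder on the USB drive
$Case = Join-Path $Root ("case_{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
$Log  = Join-Path $Case 'execution_log.tsv'
New-Item -ItemType Directory -Path $Case | Out-Null

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-FileSha256([string]$Path) {
    # Hash an output file; works on PowerShell 2.0 where Get-FileHash is absent.
    $stream = [System.IO.File]::OpenRead($Path)
    try   { $bytes = $sha256.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Invoke-Step([string]$Name, [string]$Command) {
    # Run one read-only console command, send stdout+stderr to the USB, then
    # append "timestamp, step, command, hash" to the execution log.
    $outFile = Join-Path $Case ("{0}.txt" -f $Name)
    $started = Get-Date -Format 'o'
    cmd.exe /c "$Command" > $outFile 2>&1
    $hash = Get-FileSha256 $outFile
    Add-Content -Path $Log -Value ("{0}`t{1}`t{2}`t{3}" -f $started, $Name, $Command, $hash)
}

# Step order follows the order of volatility: clock and network state first,
# then logged-on users and processes, then the less volatile items.
$steps = @(
    @('date_time',       'echo %DATE% %TIME% & w32tm /tz'),
    @('network_conns',   'netstat -ano'),
    @('arp_cache',       'arp -a'),
    @('routes',          'route print'),
    @('ipconfig',        'ipconfig /all'),
    @('netbios',         'nbtstat -n & nbtstat -c'),
    @('logged_on_users', 'quser'),
    @('user_accounts',   'net user'),
    @('processes',       'tasklist /v'),
    @('services',        'tasklist /svc & net start'),
    @('scheduled_jobs',  'schtasks /query /fo LIST /v'),
    @('open_files',      'openfiles /query /fo LIST'),
    @('shares_sessions', 'net share & net session'),
    # Clipboard text needs an STA thread, hence a child powershell with -sta.
    @('clipboard',       'powershell -sta -noprofile -command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Clipboard]::GetText()"')
)

foreach ($s in $steps) { Invoke-Step $s[0] $s[1] }

# Finally hash the log itself so the whole record can be sealed as one unit.
$logHash = Get-FileSha256 $Log
Set-Content -Path (Join-Path $Case 'execution_log.sha256') -Value $logHash
Write-Host ("Collection finished. Case folder: {0}  Log SHA-256: {1}" -f $Case, $logHash)
```

Every command in the step table is a query; nothing writes to the target's disk, and the only keyboard input the investigator provides is launching the script. Commands that are missing on an older Windows build simply produce an error text file, which is itself logged and hashed rather than silently skipped.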
 
 
Supported OS, hardware and commands
 
OS
⚫ Windows 2000
⚫ Windows XP
⚫ Windows 2003 Server
⚫ Windows Vista
⚫ Windows 7
⚫ Windows 2008 R1 & R2
⚫ Windows 8.1
⚫ Windows 10
 
Hardware
⚫ Tested on USB thumb drives and hard disks
 
Commands
Around 150 commands are executed, covering the following areas:
⚫ Network
⚫ Log
⚫ Memory
⚫ Users
⚫ Registry
⚫ Process, Services
⚫ Files
⚫ Password
⚫ System configuration