Windows Forensic Analysis Toolkit

Chapter 2: Live Response Data Analysis

Introduction

Now that we've collected volatile data from a system, how do we hear what it has to say, or how do we figure out what the data is telling us? Once we've collected a process listing, how do we determine which of the processes, if any, is malware? How do we tell whether someone has compromised the system and is currently accessing it? Finally, how can we use the volatile data we've collected to build a better picture of activity on the system, particularly as we acquire an image and perform post-mortem analysis?

The purpose of this chapter is to address these sorts of questions. What you're looking for, and which artifacts you will be digging for in the volatile data you've collected, depends heavily on the issue you are attempting to address. How do we dig through reams of data to find what we're looking for? In this chapter, I do not think for a moment that I will be able to answer all your questions; rather, my hope is to provide enough data and examples so that when something occurs that is not covered, you will have a process by which you can determine the answer on your own. Perhaps by the time we reach the end of this chapter, you will have a better understanding of why we collect volatile data and what it can tell us.
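As an added example (not from the book or its author), the script below shows one way to start answering the "which process, if any, is malware?" question from a collected process listing. The tab-separated listing is constructed to resemble what a live-response tool produces (PID, parent PID, image name, image path, user); the baseline table of expected image directory, parent name, account and instance count for a few core Windows processes is an assumption chosen for illustration, not an exhaustive rule set.

```python
"""Triage a live-response process listing against a baseline of expectations.

Added example, not part of the original chapter. SAMPLE_LISTING is constructed
test data; BASELINE encodes assumed expectations for a handful of core
Windows processes (image directory, parent name, account, single instance).
"""
import ntpath
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    user: str


# Constructed sample listing (PID\tPPID\tname\tpath\tuser); not real case data.
SAMPLE_LISTING = (
    "4\t0\tSystem\t\tNT AUTHORITY\\SYSTEM\n"
    "568\t4\tsmss.exe\tC:\\Windows\\System32\\smss.exe\tNT AUTHORITY\\SYSTEM\n"
    "712\t700\tcsrss.exe\tC:\\Windows\\System32\\csrss.exe\tNT AUTHORITY\\SYSTEM\n"
    "776\t700\twininit.exe\tC:\\Windows\\System32\\wininit.exe\tNT AUTHORITY\\SYSTEM\n"
    "884\t776\tservices.exe\tC:\\Windows\\System32\\services.exe\tNT AUTHORITY\\SYSTEM\n"
    "904\t776\tlsass.exe\tC:\\Windows\\System32\\lsass.exe\tNT AUTHORITY\\SYSTEM\n"
    "1204\t884\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe\tNT AUTHORITY\\SYSTEM\n"
    "2316\t1204\texplorer.exe\tC:\\Windows\\explorer.exe\tLAB\\user\n"
    "3120\t2316\tsvchost.exe\tC:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe\tLAB\\user\n"
    "3344\t2316\tlsass.exe\tC:\\Windows\\System32\\lsass.exe\tLAB\\user\n"
)

# Assumed baseline: name -> (expected image dir, expected parent name,
# expected account or None if varies, True if exactly one instance expected).
BASELINE = {
    "smss.exe":     ("c:\\windows\\system32", "system",       "nt authority\\system", True),
    "csrss.exe":    ("c:\\windows\\system32", "smss.exe",     "nt authority\\system", False),
    "wininit.exe":  ("c:\\windows\\system32", "smss.exe",     "nt authority\\system", True),
    "services.exe": ("c:\\windows\\system32", "wininit.exe",  "nt authority\\system", True),
    "lsass.exe":    ("c:\\windows\\system32", "wininit.exe",  "nt authority\\system", True),
    "svchost.exe":  ("c:\\windows\\system32", "services.exe", None,                   False),
}


def parse_listing(text):
    """Parse the tab-separated listing into Proc records, skipping blank lines."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, name, path, user = line.split("\t")
        procs.append(Proc(int(pid), int(ppid), name, path, user))
    return procs


def triage(text):
    """Return {pid: [reasons]} for every baseline process that deviates.

    A parent PID that is absent from the listing is not treated as a
    deviation: e.g. the smss.exe instance that starts csrss.exe and
    wininit.exe normally exits, so their PPID points at nothing.
    """
    procs = parse_listing(text)
    by_pid = {p.pid: p for p in procs}
    counts = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1

    findings = {}
    for p in procs:
        rules = BASELINE.get(p.name.lower())
        if rules is None:
            continue
        exp_dir, exp_parent, exp_user, singleton = rules
        reasons = []
        if p.path and ntpath.dirname(p.path).lower() != exp_dir:
            reasons.append(f"image path {p.path} is outside {exp_dir}")
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.name.lower() != exp_parent:
            reasons.append(f"parent is {parent.name} (pid {parent.pid}), expected {exp_parent}")
        if exp_user and p.user.lower() != exp_user:
            reasons.append(f"runs as {p.user}, expected {exp_user}")
        if singleton and counts[p.name.lower()] > 1:
            reasons.append(f"{p.name} appears {counts[p.name.lower()]} times, expected exactly one")
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_LISTING).items()):
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, the script flags the svchost.exe running from a Temp directory under explorer.exe, the second lsass.exe (wrong parent, wrong account) and, for duplication only, the legitimate lsass.exe, leaving the analyst to compare the two instances. The baseline is deliberately small; a real engagement would extend it from a known-good system of the same Windows build rather than from memory.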

Data Analysis

There are a number of sources of information that tell us what data we should collect from...
