Week 1 - What Is LDF Flashcards

1
Q

Summarise what LDF is

A
  • Collection & analysis of data from live systems. This means it relates to data that is:
    • VOLATILE
    • IN TEMPORARY STATES
  • Includes:
    • ACTIVE NETWORK CONNECTIONS
    • RUNNING PROCESSES
    • MEMORY CONTENTS

Goal is to preserve and obtain data that would be lost when the device is powered down.

2
Q

Summarise the relationship between Live Response & Live Acquisition

A

LIVE RESPONSE is the immediate actions taken to preserve volatile data.
(e.g. actions like isolating the system to prevent data exfiltration* and identifying active malicious processes)

LIVE ACQUISITION involves the collection of the volatile data (e.g. taking a RAM dump or capturing network traffic).

  • Data exfiltration is the intentional, unauthorized, covert transfer of data from a computer or other device.
3
Q

List the basic steps when conducting LDF

A
  1. Preparation & planning (objectives of the investigation clearly defined & necessary tools prepared. Includes deciding which data to prioritise).
  2. Establishing a secure environment (e.g. where possible, isolate systems from the network).
  3. Volatile data acquisition. Capture data from RAM, active processes and network connections.
  4. Non-volatile data collection.
  5. Documentation & logging. Documentation must be thorough. Ensure actions are fully recorded, justified and traceable. Ensure reliability and integrity of evidence for admissibility in court.
  6. Analysis of data.
  7. Reporting.
4
Q

Summary of LDF Requirements

A
  • Requires careful planning, execution and thorough documentation
  • Requires the ability to act swiftly and accurately
  • Requires regular practice and continuous learning and updating of knowledge and skills