Incident Response: Live Forensics and Investigations · Chapter 5

Case Study: Live versus Postmortem

Live investigations allow investigators to capture volatile information that would not normally be present in a postmortem investigation. This information can consist of running processes, event logs, network information, registered drivers, and registered services. Why is this important to us, you ask? Let's take a look at the case of running services and how this could be extremely important to us.

Running services tell us the types of services that may be running on a computer. These services run at a much higher priority than processes, and many users are unaware that these services actually exist. Given their high priority and lack of attention by the typical end user, they are a common target for hackers. By conducting a live investigation, we are able to see the state of these services, which could prove crucial to our investigation. For example, a hacker could turn off the service for McShield, which is a McAfee Antivirus service, and then later come back and infest the machine with malicious software.
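The service check described above, written out as an added example that is not part of the chapter or of any vendor tool. It parses a service-state snapshot in the layout of Windows `sc query state= all` output (an assumed layout; the sample below is constructed, and only McShield is taken from the text) and flags any expected security service that is stopped or not registered at all. The expected-service baseline and the name "ExampleEDR" are assumptions for the example.

```python
import re

# Constructed sample, modelled on the layout of `sc query state= all` output
# on Windows (assumption: the real tool prints SERVICE_NAME / STATE lines in
# this shape). McShield is the McAfee service named in the text; the other
# entries are illustrative.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: McShield
DISPLAY_NAME: McAfee McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: EventLog
DISPLAY_NAME: Windows Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Services the investigator expects to find running on this host. This
# baseline is assumed for the example; a real one comes from the
# organisation's build standard. "ExampleEDR" is a hypothetical name.
EXPECTED_RUNNING = ("McShield", "EventLog", "ExampleEDR")


def parse_sc_query(text):
    """Map service name -> state word (RUNNING, STOPPED, ...) from sc output."""
    services = {}
    current = None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if name:
            current = name.group(1)
            services[current] = "UNKNOWN"  # until a STATE line is seen
            continue
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\S+)", line)
        if state and current is not None:
            services[current] = state.group(1)
    return services


def find_security_gaps(services, expected=EXPECTED_RUNNING):
    """Return (name, state) for every expected service that is not RUNNING.

    The state is reported as 'MISSING' when the service is not registered
    at all, which is worth noting separately from a service that was stopped.
    """
    gaps = []
    for name in expected:
        state = services.get(name, "MISSING")
        if state != "RUNNING":
            gaps.append((name, state))
    return gaps


def triage_report(text, expected=EXPECTED_RUNNING):
    """Short summary of the snapshot for the investigator's notes."""
    services = parse_sc_query(text)
    gaps = find_security_gaps(services, expected)
    lines = [f"{len(services)} services registered in snapshot"]
    for name, state in gaps:
        lines.append(f"ATTENTION: expected service {name} is {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_SC_QUERY))
```

On the constructed sample the report flags McShield as STOPPED and ExampleEDR as MISSING. The point of running this against a live snapshot rather than a disk image is exactly the one the chapter makes: a postmortem image shows how a service was configured, but only the live system shows whether it was actually running at the moment of collection, so record the collection time alongside the output.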