MINIMIZING DISTURBANCE TO THE SUBJECT SYSTEM

Unfortunately, it is impossible to collect all the data from a running system without causing something to change. Your goal as a forensic investigator should be to minimize this disturbance to the subject system. There are two things you should never do if you can avoid it. First, do not install anything on the subject system. Installing new software substantially changes the system, because configuration files, libraries, and executables are written to the subject's media. The worst possible situation would be to compile something from source code: it creates many temporary files, consumes memory (possibly pushing out other, more interesting information), and alters any memory image you later choose to make.

The second thing you should avoid is creating new files on the system. If you must use a tool that is not installed, have it on your response USB drive. Don’t create memory or disk images and then store them on the subject system either!

You will definitely alter what is in RAM when you investigate a system. You should nevertheless try to minimize your memory footprint. There are a couple of ways to accomplish both goals (no new files on the subject's media, and a small footprint in RAM). Two popular solutions are to store collected data on USB media (which could be your response drive) or to send it off the system with the netcat utility.
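The netcat approach above, as an added example that is not the book's own code: a small Python stand-in for the two sides of the transfer (so it runs offline on loopback without needing `nc`). The receiver plays the forensic workstation, which listens like `nc -l`, writes the stream to its own disk and hashes it; the sender plays the subject system, which only reads a source and transmits, so nothing is written to the subject's media. The loopback address, file names and the sample data are assumptions constructed for the demonstration.

```python
import hashlib
import socket
import threading


def start_receiver(out_path, host="127.0.0.1"):
    """Workstation side (stand-in for a netcat listener piped to a file and
    a hash tool). Listens on a kernel-chosen port, writes everything it
    receives to the workstation's own disk while hashing it.
    Returns (port, thread, result); result["sha256"] is filled on completion."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    result = {}

    def run():
        conn, _ = srv.accept()
        srv.close()
        digest = hashlib.sha256()
        with conn, open(out_path, "wb") as out:   # evidence lands HERE, not on the subject
            while chunk := conn.recv(65536):
                out.write(chunk)
                digest.update(chunk)
        result["sha256"] = digest.hexdigest()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_stream(host, port, source, chunk_size=65536):
    """Subject side (stand-in for `dd`/`cat` piped into netcat). Reads from
    `source`, any binary file object such as an opened device or /proc file,
    and streams it out. Only reads happen on the subject; the SHA-256 of what
    was sent is returned so it can be compared with the workstation's hash."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as sock:
        while chunk := source.read(chunk_size):
            sock.sendall(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def collect_over_network(source, out_path):
    """Run both sides over loopback; return (hash sent, hash received)."""
    port, thread, result = start_receiver(out_path)
    sent = send_stream("127.0.0.1", port, source)
    thread.join(timeout=30)
    return sent, result.get("sha256")
```

In practice the two halves run on different machines; comparing the two digests is the check that the stream arrived intact.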
