Collecting Volatile Evidence from Compromised Hosts

Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,

What Is This Skill?

Collecting Volatile Evidence from Compromised Hosts is a critical incident response skill that focuses on acquiring data that exists only temporarily in a system's memory or active state. When a host is compromised, evidence such as RAM contents, network connections, running processes, and session data can provide invaluable forensic insights. This skill ensures that volatile information is captured in a forensically sound manner before it is lost due to system shutdown, remediation, or continued attacker activity. It follows the "order of volatility" principle, prioritizing the most transient evidence first, and emphasizes preserving the chain of custody and evidence integrity for potential legal or investigative use.

Why Use This Skill?

Volatile evidence can be the difference between a successful incident response and a missed detection. Modern cyberattacks often use fileless malware and in-memory techniques that leave little or no trace on disk. If this data is not collected immediately after compromise is detected, it is likely to be lost forever. Collecting volatile evidence is essential for:

  • Uncovering in-memory malware, rootkits, or credential theft that may not persist on disk.
  • Capturing active network connections to identify command and control (C2) channels or lateral movement.
  • Documenting running processes and loaded modules to track malicious activity.
  • Preserving system state for root cause analysis and legal proceedings.
  • Maintaining evidence integrity and chain of custody for regulatory or prosecutorial requirements.

This skill ensures that the most perishable evidence is collected first, giving investigators the best possible chance of reconstructing attack scenarios and eradicating threats.

How to Use This Skill

Prerequisites

Before collecting volatile evidence, verify the following:

  • Forensic toolkit: A trusted set of forensic tools (ideally on a write-protected USB drive or secure network share).
  • Memory acquisition tool: Use tools like WinPmem (Windows) or LiME (Linux) for RAM capture.
  • Write-blocker: For subsequent disk imaging, not typically required for volatile evidence but important for full forensics.
  • Chain of custody forms: Document every handler and action related to the evidence.
  • Secure evidence storage: Prepare the destination for collected evidence and the hash calculations (MD5, SHA256) used to verify its integrity.
  • Proper authorization: Ensure legal and organizational approval for evidence collection.

Order of Volatility

Follow the recommended order (most volatile to least):

  1. CPU registers and cache (impractical outside specialized environments)
  2. RAM (system memory)
  3. Network connections and processes
  4. Running services and open files
  5. System logs and disk data

Collection Workflow

Step 1: Prepare Collection Environment

  • Mount your forensic toolkit via USB (write-protected) or secure network share.
  • Avoid installing or running new tools from the compromised host's disk.

Step 2: Document the Scene

  • Record system time, user logged in, and visible activity.
  • Begin chain of custody documentation.

Step 3: Collect Memory (RAM) Image

Windows Example (WinPmem):

# Run from trusted USB or share
WinPmem.exe --output C:\Evidence\host123-memory.aff4

Linux Example (LiME):

# Insert LiME kernel module
insmod lime.ko "path=/mnt/usb/host123-memory.lime format=lime"

  • Compute and record hash values immediately after acquisition.

Step 4: Capture Network Connections and State

Windows:

netstat -ano > C:\Evidence\netstat.txt
tasklist /v > C:\Evidence\tasklist.txt

Linux:

ss -tulpan > /mnt/usb/ss.txt
ps aux > /mnt/usb/ps.txt

  • Consider capturing packet data with tools like tcpdump if feasible:

tcpdump -i eth0 -w /mnt/usb/host123.pcap

Step 5: Document Running Processes and Open Files

  • Use platform-appropriate commands to capture lists of running services, scheduled tasks, and open files:

lsof > /mnt/usb/lsof.txt   # Linux
wmic service list brief > C:\Evidence\services.txt  # Windows

Step 6: Secure and Verify Evidence

  • Immediately transfer collected evidence to secure storage.
  • Recompute hashes and compare with initial values to verify integrity.
  • Update chain of custody logs with each transfer or handler.
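A Linux collection script, added here as an illustration and not part of the original page or of any tool it names, that carries Steps 2, 4, 5 and 6 out together: each command is run from the trusted media, its output is hashed the moment it is written, and every action is appended to a chain-of-custody manifest that can later be re-verified. Assumed (hypothetical): the evidence directory is on the trusted USB, the toolkit directory is first in PATH, and the memory image (Step 3) has already been taken with LiME.

```shell
#!/bin/sh
# Added example, not the page's or any tool's own code. Runs the page's Linux
# commands in order of volatility, hashes each artifact as soon as it is written,
# and keeps a tab-separated chain-of-custody manifest (Steps 2, 4, 5 and 6).
# Assumed (hypothetical): the evidence directory sits on the trusted USB and the
# toolkit directory is first in PATH, so "ss", "ps", "lsof" are the trusted copies.

ts() { date -u +%FT%TZ; }      # UTC timestamps for every custody-log entry

hash_file() {                   # SHA-256 of a file with whichever tool the kit ships
    if command -v sha256sum >/dev/null 2>&1; then tool=sha256sum; else tool="shasum -a 256"; fi
    $tool "$1" 2>/dev/null | cut -d' ' -f1
}

# collect <label> <command...>: run one tool, store its output, hash it at once and log
# timestamp, operator, command, exit status and hash. A tool that is absent from the
# trusted media is logged as skipped ("-") rather than run from the suspect host.
collect() {
    label=$1; shift; out="$EVIDENCE/$label.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\t%s\t%s\t%s\t-\t-\n' "$(ts)" "$OPERATOR" "$label" "$*" >>"$MANIFEST"; return 0
    fi
    if "$@" >"$out" 2>"$EVIDENCE/$label.err"; then status=0; else status=$?; fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(ts)" "$OPERATOR" "$label" "$*" "$status" \
        "$(hash_file "$out")" >>"$MANIFEST"
}

# run_collection <evidence_dir> <operator>: most volatile first; prints the manifest path.
run_collection() {
    EVIDENCE=${1:?evidence dir}; OPERATOR=${2:-unknown}; MANIFEST="$EVIDENCE/manifest.tsv"
    mkdir -p "$EVIDENCE"
    printf 'timestamp\toperator\tartifact\tcommand\texit\tsha256\n' >"$MANIFEST"
    collect scene sh -c 'date -u; hostname; who'   # Step 2: time, host, logged-in users
    collect ss ss -tulpan                            # Step 4: sockets with owning processes
    collect ps ps aux                                # Step 4: running processes
    collect lsof lsof                                # Step 5: open files
    echo "$MANIFEST"
}

# verify_manifest <manifest>: Step 6, recompute every hash; returns 1 if any artifact
# changed since collection (the mismatch is also printed), 0 otherwise.
verify_manifest() {
    dir=$(dirname "$1"); tab=$(printf '\t')
    { read -r header
      while IFS=$tab read -r t o label c s sum; do
        if [ "$sum" != "-" ] && [ "$(hash_file "$dir/$label.txt")" != "$sum" ]; then
            echo "MISMATCH: $label"; return 1
        fi
      done; } <"$1"
}
```

Run it as `run_collection /mnt/usb/host123 <operator>` right after the memory image, then `verify_manifest /mnt/usb/host123/manifest.tsv` after each transfer to confirm nothing changed in transit.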

When to Use It

  • As soon as a security incident is confirmed and before any remediation, shutdown, or system isolation.
  • When memory-resident threats or fileless attacks are suspected.
  • If root cause analysis or legal proceedings may require volatile data.
  • When directed by incident response protocols involving host compromise.

Important Notes

  • Do not reboot or shut down the system before collecting volatile evidence, as this will erase critical data.
  • Only use trusted, portable tools brought in from external media, not those installed on the compromised system.
  • Minimize footprint: Run only essential commands to avoid altering evidence.
  • Maintain strict chain of custody to ensure evidence is admissible in legal or regulatory contexts.
  • Document every action and tool used, including time, operator, and hash values.
  • Follow organizational and legal policies regarding evidence handling and privacy.

By methodically collecting volatile evidence as described, incident responders can preserve the most valuable forensic artifacts and maintain the integrity required for effective investigation and possible legal action.