Live System Examination
Live System Examination is a critical technique in incident response and cyber investigations that involves analyzing a computer system while it is still running, before any shutdown or reboot occurs. This approach is essential because volatile data—information stored in RAM, active network connections, running processes, and logged-in users—is lost once a system is powered off.
In the GCIH framework, live system examination is a foundational skill for incident handlers. The primary goal is to capture and preserve volatile evidence in order of volatility, following the RFC 3227 guidelines. This includes collecting data such as system memory (RAM), running processes and their associated modules, open network connections and listening ports, logged-in users, clipboard contents, active sessions, temporary files, and system uptime.
Incident handlers use specialized tools during live examinations, including memory acquisition utilities (e.g., FTK Imager, WinPmem), network analysis tools (e.g., netstat, TCPView), process monitoring tools (e.g., Process Explorer, tasklist), and command-line utilities for gathering system state information. These tools should ideally be run from trusted, external media to avoid relying on potentially compromised system binaries. Key principles of live system examination include maintaining chain of custody documentation, minimizing changes to the system during evidence collection, using write-blockers and forensically sound methods, recording all actions taken with timestamps, and hashing collected evidence for integrity verification.
Live examination also involves analyzing indicators of compromise (IOCs) such as suspicious processes, unusual network connections to command-and-control servers, unauthorized user accounts, malicious scheduled tasks, and registry modifications. Handlers must carefully document their findings and actions to ensure evidence admissibility. The information gathered during live system examination directly informs containment, eradication, and recovery strategies, making it an indispensable first step in any effective incident response process. It bridges the gap between detection and forensic analysis, providing real-time insight into an attacker's activities and presence on the compromised system.
Live System Examination: A Comprehensive Guide for GIAC GCIH Certification
Introduction to Live System Examination
Live System Examination is a critical component of incident response and cyber investigations. It refers to the process of collecting and analyzing data from a computer system while it is still running and powered on. This is in contrast to traditional forensic analysis, which typically involves creating a bit-for-bit image of a powered-off system. In the context of the GIAC GCIH (GIAC Certified Incident Handler) certification, understanding live system examination is essential for effective incident response.
Why is Live System Examination Important?
Live system examination is important for several critical reasons:
1. Volatile Data Preservation: When a system is powered off, volatile data is permanently lost. This includes information stored in RAM, active network connections, running processes, logged-in users, and clipboard contents. Live examination allows responders to capture this data before it disappears.
2. Order of Volatility: According to RFC 3227, evidence should be collected in order of volatility — from the most volatile to the least volatile. The most volatile data (registers, cache, RAM) can only be captured on a live system.
3. Real-Time Threat Assessment: Live examination allows incident handlers to observe attacker activity in real time, identify active command-and-control (C2) connections, and understand the scope of a compromise as it unfolds.
4. Encrypted Volumes: If a system uses full-disk encryption (such as BitLocker or FileVault), powering off the system may render the data inaccessible. Live examination allows access to decrypted data while the system is running.
5. Business Continuity: In many enterprise environments, taking a system offline for traditional forensics is not immediately feasible. Live examination allows data collection while minimizing disruption to operations.
6. Malware Analysis: Some malware resides only in memory and never writes to disk (fileless malware). Live system examination is the only way to detect and analyze such threats.
What is Live System Examination?
Live system examination is the systematic process of collecting, documenting, and analyzing evidence from a running computer system during an incident response engagement. It encompasses:
- Volatile Data Collection: Capturing RAM contents, running processes, open files, network connections, and other transient data.
- System State Documentation: Recording the current state of the system including logged-in users, scheduled tasks, services, and startup items.
- Network Activity Analysis: Examining active connections, listening ports, DNS cache, ARP tables, and routing tables.
- Log Review: Examining system, security, and application logs on the live system.
- Triage and Scoping: Quickly assessing whether the system is compromised, the nature of the compromise, and its extent.
How Does Live System Examination Work?
Live system examination follows a structured methodology:
Step 1: Preparation
Before touching the system, the incident handler should:
- Prepare a forensic toolkit on trusted, write-protected media (USB drive, CD/DVD)
- Use trusted binaries — never rely on the compromised system's own tools, as they may have been replaced by an attacker (e.g., rootkits replacing netstat, ps, or ls)
- Document the chain of custody from the outset
- Ensure legal authorization to perform the examination
Step 2: Volatile Data Collection (Order of Volatility)
Collect data in the following order, from most to least volatile:
1. CPU Registers and Cache — Rarely captured in practice but represent the most volatile data
2. Memory (RAM) — Use tools like FTK Imager, WinPmem, DumpIt, LiME (Linux Memory Extractor), or Magnet RAM Capture to create a full memory dump
3. Network State — Active connections, listening ports, routing tables
4. Running Processes — Process lists, process trees, open handles, loaded DLLs
5. Open Files and Handles
6. System Configuration and Logged-In Users
7. Disk and File System Data — Less volatile but still important in live context
Step 3: Key Commands and Tools
On Windows Systems:
- netstat -anob — Shows active network connections with associated process IDs and executables
- tasklist /v — Lists all running processes with verbose information
- wmic process list full — Detailed process information via WMI
- ipconfig /all — Network configuration
- ipconfig /displaydns — DNS resolver cache
- arp -a — ARP cache showing recently contacted hosts
- net session — Active sessions to the machine
- net use — Mapped drives and network shares
- nbtstat -S — NetBIOS sessions
- systeminfo — Comprehensive system information
- schtasks — Scheduled tasks (persistence mechanism)
- reg query — Registry examination for autorun entries and other artifacts
- pslist, psinfo, listdlls, handle (Sysinternals Suite) — Advanced process and handle analysis
On Linux Systems:
- ps aux or ps -ef — Running processes
- netstat -antp or ss -antp — Network connections with process information
- lsof — Open files and associated processes
- w or who — Logged-in users
- cat /proc/meminfo — Memory information
- /proc filesystem — Rich source of process and system information
- arp -a — ARP cache
- route -n — Routing table
- crontab -l — Scheduled tasks
- last — Login history
- lsmod — Loaded kernel modules (detect rootkits)
Step 4: Memory Analysis
Once a memory dump is acquired, tools like Volatility Framework or Rekall can be used to analyze it offline:
- pslist / psscan / pstree — Process enumeration (psscan can find hidden processes)
- netscan — Network connections from memory
- malfind — Detect injected code in process memory
- dlllist — Loaded DLLs per process
- cmdscan / consoles — Command history
- hashdump — Extract password hashes
- hivelist / printkey — Registry analysis from memory
Step 5: Documentation and Reporting
Every action taken during live examination must be meticulously documented:
- Timestamp each action
- Record the exact commands executed and their output
- Hash all collected evidence files (MD5, SHA-1, SHA-256)
- Maintain chain of custody documentation
- Note the examiner's identity and qualifications
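As an added example (not part of the original guide), the following bash script carries Steps 2, 3 and 5 through on a Linux host: it runs the Linux commands listed above from a trusted toolkit path in order of volatility, timestamps each action, records the exact command executed, and hashes every output file with SHA-256 immediately after it is written. The toolkit location (TOOLKIT, defaulting to /mnt/toolkit/bin) and the output file names are assumptions; a command that neither the toolkit nor the host provides is logged as skipped rather than silently omitted.

```bash
#!/usr/bin/env bash
# Added example: minimal Linux volatile-data collector in order of volatility.
# Assumptions (not from the original text): trusted binaries live under
# $TOOLKIT (default /mnt/toolkit/bin); evidence is written to the directory in $1.

collect_volatile() {
  local out="$1"
  local toolkit="${TOOLKIT:-/mnt/toolkit/bin}"
  mkdir -p "$out"
  local log="$out/actions.log"      # timestamped record of every action taken
  local manifest="$out/sha256.txt"  # one hash line per evidence file
  : > "$log"; : > "$manifest"

  # Most volatile first (RFC 3227): network state, processes, open files,
  # then logged-in users and system configuration, then login history.
  local steps=(
    "01_network_connections:ss -antp"
    "02_routing_table:route -n"
    "03_arp_cache:arp -a"
    "04_processes:ps aux"
    "05_open_files:lsof"
    "06_logged_in_users:w"
    "07_memory_info:cat /proc/meminfo"
    "08_kernel_modules:lsmod"
    "09_login_history:last"
  )

  local step name cmd bin ts
  for step in "${steps[@]}"; do
    name="${step%%:*}"; cmd="${step#*:}"; bin="${cmd%% *}"
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # Prefer the trusted copy; fall back to PATH only when the toolkit lacks it.
    if [ -x "$toolkit/$bin" ]; then
      cmd="$toolkit/$cmd"
    elif ! command -v "$bin" >/dev/null 2>&1; then
      printf '%s SKIP %s (binary not available)\n' "$ts" "$cmd" >> "$log"
      continue
    fi
    printf '%s RUN  %s\n' "$ts" "$cmd" >> "$log"
    # Capture stdout and stderr; a failing command is noted, not fatal.
    $cmd > "$out/$name.txt" 2>&1 || printf '%s WARN %s exited %s\n' "$ts" "$cmd" "$?" >> "$log"
    # Hash immediately after collection, before anything else touches the file.
    (cd "$out" && sha256sum "$name.txt") >> "$manifest"
  done
  printf '%s DONE %s evidence files hashed\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$(wc -l < "$manifest")" >> "$log"
}
```

Verify the manifest later with sha256sum -c sha256.txt from inside the evidence directory; any modified file shows up as FAILED.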
Key Concepts for the GCIH Exam
1. Order of Volatility (RFC 3227): Understand that data must be collected from most volatile to least volatile. Memory is more volatile than disk. Network connections are highly volatile.
2. Trusted Toolkits: Always use trusted binaries from known-good media. Never trust the tools already on a potentially compromised system — attackers may have trojanized system utilities.
3. Locard's Exchange Principle: Any interaction with a live system will change it. The goal is to minimize the footprint of the examination while maximizing evidence collection. Running tools on a live system will consume memory, create processes, and potentially overwrite evidence.
4. Fileless Malware: Understand that some threats exist only in memory. Without live system examination and memory capture, these threats would be undetectable.
5. Legal Considerations: Ensure proper authorization before conducting live examinations. Understand the difference between consent-based searches, organizational policy-based authority, and legal process (warrants).
6. Difference Between Live Examination and Live Forensics: Live examination is the broader practice of working with a running system. Live forensics specifically focuses on forensically sound collection of evidence from a live system with an emphasis on admissibility.
Common Exam Scenarios
- You discover a system is compromised and need to determine what to collect first → Answer: Volatile data first, starting with memory
- A system uses full-disk encryption and you need to collect evidence → Answer: Perform live acquisition before powering off
- You suspect a rootkit has replaced system utilities → Answer: Use trusted binaries from external media
- You need to identify active C2 connections → Answer: Use netstat -anob (Windows) or netstat -antp / ss -antp (Linux) from trusted toolkit
- You need to detect a fileless threat → Answer: Capture and analyze RAM using memory forensic tools
Exam Tips: Answering Questions on Live System Examination
1. Memorize the Order of Volatility: This is one of the most frequently tested concepts. Remember: Registers → Cache → RAM → Network State → Running Processes → Disk → Removable Media → Printouts. When in doubt, collect the most volatile data first.
2. Know Your Commands: Be familiar with key commands for both Windows and Linux. Exam questions may present a scenario and ask which command to use. Pay special attention to netstat flags (-anob for Windows, -antp for Linux), ps syntax, and wmic commands.
3. Trusted Tools Are Critical: If a question asks about best practices for live examination, the answer almost always involves using trusted binaries from external, write-protected media. This is a fundamental principle — never trust a compromised system's own tools.
4. Understand the Trade-offs: Live examination changes the system state. Exam questions may test whether you understand that running tools on a live system has a forensic cost (modifying memory, creating artifacts). The correct approach acknowledges this trade-off while emphasizing that volatile data loss from powering off is typically worse.
5. Read Questions Carefully for Keywords: Look for keywords like volatile, running system, powered on, encrypted disk, memory-resident, or fileless — these are signals that the question is about live examination.
6. RFC 3227 Is Your Friend: If you see a reference to RFC 3227 or 'Guidelines for Evidence Collection and Archiving,' the question is likely testing order of volatility or evidence handling best practices.
7. Memory Forensics Tools: Know that Volatility is the primary open-source memory analysis framework. Be familiar with key Volatility plugins: pslist, psscan, netscan, malfind, dlllist, and hashdump. Questions may ask which plugin to use for a specific analysis task.
8. Eliminate Wrong Answers: In multiple-choice questions, eliminate answers that suggest powering off the system before collecting volatile data, using tools from the compromised system without verification, or ignoring documentation requirements.
9. Chain of Custody: Even in live examination, maintaining chain of custody is mandatory. Hash all collected evidence, document every step, and record timestamps. Questions may test whether you know to hash evidence immediately after collection.
10. Scenario-Based Thinking: Many GCIH questions present real-world scenarios. Think like an incident handler: What would you do first? What data would be lost if you don't act? What tools would you use? Practice walking through incident response scenarios mentally, applying live examination principles at each step.
Summary
Live system examination is an indispensable skill for incident handlers. It enables the collection of volatile data that would otherwise be permanently lost, supports the detection of sophisticated threats like fileless malware, and allows investigation of encrypted systems. For the GCIH exam, focus on the order of volatility, the use of trusted toolkits, key commands and tools for both Windows and Linux, memory forensics with Volatility, and the importance of documentation and chain of custody. Mastering these concepts will prepare you to answer live system examination questions confidently and accurately.