Computer forensics plays an important role in fighting terrorism and criminal activity. The fact is that bad guys use computers, the internet and other modern communication tools to communicate and to store their plans. We would be naive to think that they can barely open Word or Excel. They are aware of all the risks and they protect themselves with modern encryption algorithms and general protective measures. Fighting criminal activities is very different from discovering occasional violations on company computers.

Many traces can be hidden if the software used for criminal or otherwise unwanted activity is not present on the computer disk and runs only in the memory of the computer. It is very easy to start some process and then successfully cover all traces that were left behind. In such a case analyzing disk data makes no sense because nothing suspicious could be discovered. The only solution to this problem is tools that can preserve volatile data such as live memory.

The static analysis of computer data (i.e. the analysis of a hard disk removed from the computer) is usually not enough, because many advanced techniques can be used to erase all traces from file systems, and the only relevant data then remains in memory alone. Theoretically, it would be possible to freeze computer memory with liquid nitrogen, and this would significantly increase the chances of recovering the data, but this approach is not practical. Analysis of live volatile data in a computer is essential for any serious forensic analysis.

There are many open source and professional commercial forensic tools that can make a snapshot of crucial volatile data for later analysis. Such tools can discover open ports, virtual disk drives, VPN connections and other resources not visible to the normal user. In some cases the whole disk drive or an individual partition may also be encrypted, so it is important to make an image of it before the system is shut down. Once all the data is safely stored it can be analyzed regardless of the state of the computer.

A logical question would be, for example: what can be done to successfully hide some processes running in computer memory? Theoretically, it would be possible to eliminate traces from memory when the process is not active or when it waits for some input. But even for such approaches there are solutions. It is possible to create memory snapshots at periodic intervals, and sooner or later the secret process will show itself.
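The periodic-snapshot approach in the last paragraph, as an added example that is not code from the paper: it compares a series of constructed process-list snapshots against a known-good baseline and reports any process that is resident only intermittently (the PIDs, names and snapshot contents are all made up for the example).

```python
# Periodic volatile-data snapshots: find a process that is resident in
# memory only intermittently by comparing snapshots taken over time.
# Added example, not code from the paper. Snapshots are constructed
# (pid, name) lists; on a real system they would come from memory images.
from dataclasses import dataclass

@dataclass
class Sighting:
    first_seen: int  # index of the first snapshot containing the process
    last_seen: int   # index of the last snapshot containing the process
    count: int       # number of snapshots in which it was visible

def transient_processes(snapshots, baseline):
    """Every (pid, name) seen in any snapshot but absent from the baseline
    (e.g. the known-good process list taken at first response)."""
    seen = {}
    for idx, snap in enumerate(snapshots):
        for pid, name in snap:
            key = (pid, name)
            if key in baseline:
                continue
            if key not in seen:
                seen[key] = Sighting(idx, idx, 1)
            else:
                seen[key].last_seen = idx
                seen[key].count += 1
    return seen

def intermittent(snapshots, baseline, max_fraction=0.5):
    """Processes visible in at most max_fraction of the snapshots: the ones
    that hide while idle and surface only while doing work."""
    found = transient_processes(snapshots, baseline)
    limit = max_fraction * len(snapshots)
    return {k: v for k, v in found.items() if v.count <= limit}

# Constructed sample: four snapshots; pid 4242 is resident only in #2.
BASELINE = {(1, "init"), (300, "sshd"), (512, "bash")}
SNAPSHOTS = [
    [(1, "init"), (300, "sshd"), (512, "bash")],
    [(1, "init"), (300, "sshd"), (512, "bash")],
    [(1, "init"), (300, "sshd"), (512, "bash"), (4242, "unknown_proc")],
    [(1, "init"), (300, "sshd"), (512, "bash")],
]

if __name__ == "__main__":
    for (pid, name), s in intermittent(SNAPSHOTS, BASELINE).items():
        print(f"pid {pid} ({name}): seen in {s.count}/{len(SNAPSHOTS)} "
              f"snapshots, first #{s.first_seen}, last #{s.last_seen}")
```

A process that is absent from most snapshots but present in a few is exactly the case the paragraph describes; the more snapshots are taken, the smaller the window in which it can stay unseen.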