Traditional digital forensics, or what is often referred to now as dead box forensics, focuses on the hard disk drive that's been taken from a shut-down system acting as the primary source of evidence. This approach works well when addressing criminal activity such as fraud or child exploitation where image files, word processor documents, and spreadsheets can be discovered in a forensically sound manner. The issue with this approach is that, to properly acquire this evidence, the system has to be powered off, thereby destroying any potential evidence that could be found within the volatile memory.
As opposed to traditional criminal activity, incident responders will find that a great deal of evidence for a security incident is contained within the memory of a potentially compromised system. This is especially true when examining systems that have...