Program run on live machines


New Member
Feb 21, 2005
I'm trying to get a feel of the various programs available, which we can run on live machines and capture relevant info before we pull the plug or shutdown the machine.
Any ideas?
Mar 1, 2005
I would think it would matter on the following variables:
1. What are you trying to document?- is the computer holding evidence as stored data (files) or as active processes (worms, running applications)?
If I'm curious about the first, doing some form of complete imaging of the drive is the best bet. You want something that will capture invisible files, swap space and mirror everything on the drive. I wouldn't want to do that on a running machine myself, unless I suspected something triggered to erase relevant data on shutdown.
If I want to capture running systems, I'd look at the process viewer(or equivalent). On Unix boxes, I'd run ps or top to identify running processes.
If I'm curious about what's going on between the machine and the network, I'd put a dumb hub between the machine and the network (effectively cloning the traffic between it and the rest of the world) and put a sniffer on another of those ports. Barring that, ifconfig/ipconfig, netstat would be a good start.


If you ar looking at forensics analysis of what they have on the system at their desk, then your answer could be EnCase Enterprise Edition. It lets you:
• Performs a live, network-enabled analysis without interrupting operations
• Reach workstations and servers remotely
• Uses forensics methodology
• Documents the investigation

The reason I suggest something as pricy as Encase is because it preserves your evidence. If oyu try to image the drive on your own, touch the machine, open and close any files or viewers on a alive machine without the proper forensics software, you can and prbably will cause changes to the files and logs fo the machine, thus hurting you in the long run if the case turns legal.

EnCase will make a bit by bit forensics image of the drive, hashed without touching or altering anything on the suspect machine. It prevents any form of writing at all or alterations.

The days of the admin going to the machine and perusing it then imaging it to a drive they have sitting around are long gone considering crime and also potential lawsuits.

Spend the 2K, it is worth it and we have used it from small individual cases up to larger cases in which we are coordinating with local and federal law enforcement on possible political corruption.

[Edited: Reason for edit - message merge.]
Sep 2, 2004
I'm trying to get a feel of the various programs available, which we can run on live machines and capture relevant info before we pull the plug or shutdown the machine.
What are you trying to do?

If you're looking to collect volatile data only, I've released the Forensic Server Project (FSP) and First Responder Utility (FRU) off of the web site for my book. The FRU available in the my book (updated version is on the web site) works for Windows systems, but the same framework can be ported to other systems. The server runs on Windows, but can also be easily ported.

H. Carvey
"Windows Forensics and Incident Recovery"

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu