Government of Canada

Live Analysis Workshop (LAW)

Purpose

This workshop is designed for technological crime investigators who may be required to seize and/or analyze system information or memory contents from live computers.

This workshop will look at memory structures along with the different types of system information available on live computers. It will also address the proper methodology and techniques for seizing memory and system information from live computers. Techniques for extracting images, passwords, chat logs, documents, and other artifacts from volatile data will be covered, as will the basic interpretation and analysis of live system information.

The focus of this workshop is (1) to give the investigator confidence in seizing volatile data from live computer systems, and (2) to give the investigator the necessary skills to perform a basic analysis of the seized data.

At the end of the workshop, students will be able to:
1 (a) Extract memory from live computer systems

(b) Carve out data from extracted memory including:

  • Passwords
  • Images
  • Web pages
  • Documents
  • Chat/messaging logs
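
The following Python script is an added example, not part of the workshop material, showing the kind of carving outcome 1(b) refers to: a header/footer scan for JPEG images and pattern searches for URLs and form-field passwords, with wide-character (UTF-16LE) Windows strings decoded so the same patterns hit them. The sample dump is constructed inside the script so it runs offline; the signatures, regular expressions, sample data and the carve_file() helper are illustrative assumptions.

```python
"""Signature-based carving of artifacts from a raw memory image.

Added example for the "carve out data from extracted memory" outcome; it is
not part of the original workshop material. The sample dump built below is
constructed in-process so the script runs offline; carve_file() applies the
same carvers to a real acquisition file.
"""
import mmap
import re

JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus the first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,}")
# "password=..."-style form fields; the value ends at &, whitespace or NUL
PASSWORD_RE = re.compile(rb"(?i)\b(pass(?:word|wd)?|pwd)=([^&\s\x00]{1,64})")
# Runs of printable ASCII stored as UTF-16LE (the usual form of Windows strings)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def carve_jpegs(data, max_size=5 * 1024 * 1024):
    """Return [(offset, bytes)] for each JPEG found by header/footer scanning."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0:
            break
        if end - start > max_size:        # implausibly large: skip this header
            pos = start + 1
            continue
        found.append((start, bytes(data[start:end + len(JPEG_FOOTER)])))
        pos = end + len(JPEG_FOOTER)
    return found


def text_views(data):
    """Yield the raw bytes, then each UTF-16LE run re-encoded as ASCII so that
    patterns written for ASCII also hit wide-character Windows strings."""
    yield data
    for m in UTF16_RUN.finditer(data):
        yield m.group(0).decode("utf-16-le").encode("ascii")


def carve_urls(data):
    urls = set()
    for view in text_views(data):
        urls.update(m.group(0).decode("ascii") for m in URL_RE.finditer(view))
    return sorted(urls)


def carve_password_candidates(data):
    """Return (field name, value) pairs; these are candidates, not confirmed credentials."""
    hits = []
    for view in text_views(data):
        for m in PASSWORD_RE.finditer(view):
            hits.append((m.group(1).decode("ascii"), m.group(2).decode("utf-8", "replace")))
    return hits


def carve_all(data):
    return {
        "jpegs": carve_jpegs(data),
        "urls": carve_urls(data),
        "passwords": carve_password_candidates(data),
    }


def carve_file(path):
    """Carve a dump on disk without loading it all into memory (mmap is searchable)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_all(mm)


def build_sample_dump():
    """Constructed stand-in for a memory image (not a real acquisition)."""
    jpeg = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_FOOTER
    return b"".join([
        b"\x00" * 64,
        b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
        b"username=alice&password=Winter2009!&submit=1\x00",
        b"\x00" * 32,
        jpeg,
        "https://chat.example.test/room/42".encode("utf-16-le"),  # wide-char string
        b"\x00" * 32,
        b"http://www.example.test/page.html\x00",
    ])


if __name__ == "__main__":
    result = carve_all(build_sample_dump())
    for off, img in result["jpegs"]:
        print(f"JPEG at offset {off:#x}, {len(img)} bytes")
    print("URLs:", result["urls"])
    print("Password candidates:", result["passwords"])
```

Two caveats a practitioner will want: a JPEG with an embedded Exif thumbnail contains a second EOI marker, so a plain header/footer scan can stop at the thumbnail and truncate the main image (validate carved images by decoding them rather than trusting the byte count), and the "password=" hits are only form fields caught in transit; credentials the operating system holds in its own structures need a tool that parses those structures, not a string search.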

2 (a) Acquire system information from live computers including:

  • System profile, current system date, time, and uptime
  • Logged on users
  • Open ports
  • Running processes
  • Clipboard data
  • Startup and shutdown files
  • Connection information
  • Network status and routing information
  • Open files and encrypted files
  • Network shares
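
The following Python script is an added example, not part of the workshop material, of the record-keeping that goes with acquiring the items listed under 2(a): each command is run in order of volatility, its raw output is hashed with SHA-256, the host's own clock reading is stored alongside a reference time the examiner takes from a trusted external clock, and tools that are missing from the host are logged rather than aborting the run. The command tables are assumptions (typical Windows and Linux tools) and must be replaced by the examiner's own trusted toolkit.

```python
"""Live-response collection log with order of volatility and per-step hashing.

Added example for the "acquire system information from live computers"
outcome; it is not part of the original workshop material. The command tables
are an assumption (typical Windows and Linux tools) and must be adapted to the
trusted toolkit the examiner brings on read-only media.
"""
import hashlib
import json
import os
import platform
import subprocess
from datetime import datetime, timezone

# Most volatile first. Memory is acquired before any of this runs, since every
# command executed here overwrites some of the system's volatile state.
COLLECTION_ORDER = {
    "Windows": [
        ("system_clock", ["cmd", "/c", "echo %DATE% %TIME%"]),
        ("logged_on_users", ["query", "user"]),
        ("running_processes", ["tasklist", "/v"]),
        ("open_ports_connections", ["netstat", "-ano"]),
        ("routing_table", ["route", "print"]),
        ("network_shares", ["net", "share"]),
        ("open_files", ["openfiles", "/query"]),
        ("clipboard", ["powershell", "-NoProfile", "-Command", "Get-Clipboard"]),
        ("system_profile", ["systeminfo"]),        # slow; includes boot time
    ],
    "Linux": [
        ("system_clock", ["date", "-u"]),
        ("uptime", ["uptime"]),
        ("logged_on_users", ["who"]),
        ("running_processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
        ("open_ports_connections", ["ss", "-tunap"]),
        ("routing_table", ["ip", "route"]),
        ("open_files", ["lsof", "-n", "-P"]),
    ],
}


def make_record(label, argv, host_clock_utc, output, returncode):
    """Build the evidence record for one step; the hash covers the raw output bytes."""
    return {
        "label": label,
        "command": argv,
        "host_clock_utc": host_clock_utc,   # the suspect system's clock, not a trusted source
        "returncode": returncode,
        "bytes": len(output),
        "sha256": hashlib.sha256(output).hexdigest(),
    }


def run_step(label, argv, timeout=120):
    """Run one command; a tool missing from the host is logged, not fatal."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        output, rc = proc.stdout + proc.stderr, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        output, rc = repr(exc).encode(), None
    return make_record(label, argv, started, output, rc), output


def collect(reference_time, system=None, examiner=""):
    """Run the platform's collection order; return (session log, raw outputs by label)."""
    system = system or platform.system()
    session = {
        "examiner": examiner,
        "reference_time": reference_time,    # typed in from the examiner's trusted clock
        "host": platform.node(),
        "platform": platform.platform(),
        "steps": [],
    }
    outputs = {}
    for label, argv in COLLECTION_ORDER.get(system, []):
        record, output = run_step(label, argv)
        session["steps"].append(record)
        outputs[label] = output
    return session, outputs


def verify(record, output):
    """True if the stored output still matches the hash recorded at collection time."""
    return hashlib.sha256(output).hexdigest() == record["sha256"]


def write_session(session, outputs, directory):
    """Write each step's raw output and the session log into `directory`."""
    os.makedirs(directory, exist_ok=True)
    for label, output in outputs.items():
        with open(os.path.join(directory, label + ".bin"), "wb") as f:
            f.write(output)
    with open(os.path.join(directory, "session.json"), "w") as f:
        json.dump(session, f, indent=2)


if __name__ == "__main__":
    import sys
    ref = sys.argv[1] if len(sys.argv) > 1 else "NOT RECORDED"
    session, outputs = collect(ref, examiner=os.environ.get("USER", ""))
    write_session(session, outputs, "live_response_out")
    for step in session["steps"]:
        print(f'{step["label"]:<24} rc={str(step["returncode"]):<5} '
              f'{step["bytes"]:>8} B  sha256={step["sha256"][:16]}...')
```

In practice the interpreter and every listed tool would come from the examiner's read-only media, since a binary on the suspect machine may have been replaced, and the run itself changes the system (new process, new files, new memory allocations), which is why it follows, rather than precedes, the memory acquisition covered in section 4.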

(b) Analyze and interpret the extracted system information and respond appropriately to it

Workshop content

  1. Memory architecture basics
  2. Legal concerns
  3. Methodological concerns
  4. Tools and techniques for acquiring computer memory
  5. Tools and techniques for searching and recovering artifacts from memory
  6. Tools and techniques for acquiring system information
  7. Interpretation and possible responses to system information

Selection Criteria

To be eligible to take this workshop, students must meet the following criteria:

  • Have successfully passed the CMPFOR (or similar training) prior to April 2009
  • Be established as part of a technological crime investigative unit or program

Duration: Four working days.
Number of Students: Twenty
Language of Instruction: English