Tool Desc: Live-data Acquisition/Analysis tool
Using Env: Windows 2000, XP, Vista, 7
Download: LDFS is a commercial program
Live-data Acquisition/Analysis tool
LDFS aims to collect volatile data and to analyze system files on a live system quickly for investigation purposes. The tool allows people who are not familiar with forensic investigation to collect and analyze data through a simple GUI. It supports an XML-based report, which inspectors can use as a reference when writing their own report.
Main Acquisition Function
- IP information
- Internet Usage Log
- Search string
- Windows accounts
LDFS Collector is designed to minimize its impact on the evidence system. Collected information is analyzed in detail with LDFS Analyzer, which supports the analysis of live data, the registry, web browser files, and file system metadata, and the extraction of processes from physical memory.
The figure below shows the information reconstructed from hive files through various decoding steps, which is meaningful for a forensic investigator. Users select the required information in the toolbox on the right side of the program. Even those who don't have any knowledge of the specific structure of the registry or of the decryption process for encrypted data can extract and analyze useful information from the registry.
The figure below shows how the program analyzes the files produced by web browsers to recover search keywords, downloaded files, and cookie information. It supports Microsoft Internet Explorer v6 and v7 and Mozilla Firefox v2 and v3. Users can investigate the history at a given time through the generated timeline and obtain the URLs the user accessed and the time of each access.
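The Firefox part of that timeline can be reproduced directly from the browser's history database. The block below is an added example, not code from the LDFS page or product: it builds an in-memory stand-in for a Firefox 3 places.sqlite (the real table and column names moz_places and moz_historyvisits, with constructed rows), converts the PRTime microsecond timestamps, orders visits into a timeline with an optional time window, and pulls the search term out of search-engine URLs. The engine-to-parameter map in SEARCH_PARAMS and the sample rows are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# moz_historyvisits.visit_type values (Firefox transition types)
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download"}
# Query parameter that carries the search term on a few engines (illustrative list, an assumption of this example)
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}


def prtime_to_datetime(us):
    """places.sqlite stores PRTime: microseconds since the Unix epoch, in UTC."""
    return _EPOCH + timedelta(microseconds=us)


def datetime_to_prtime(dt):
    return (dt - _EPOCH) // timedelta(microseconds=1)


def search_term(url):
    """Return the search keyword embedded in a search-engine URL, or None for other URLs."""
    u = urlparse(url)
    param = SEARCH_PARAMS.get(u.netloc.lower())
    return parse_qs(u.query).get(param, [None])[0] if param else None


def open_constructed_places_db():
    """In-memory stand-in for a Firefox 3 places.sqlite (constructed rows, real table/column names)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = datetime(2010, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample time
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "http://www.google.com/search?q=ntfs+mft+structure", "ntfs mft structure - Google Search"),
        (2, "http://example.org/docs/mft.html", "MFT notes"),
        (3, "http://example.org/files/tool.zip", None),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, datetime_to_prtime(t0), 2),                              # typed into the address bar
        (2, 1, 2, datetime_to_prtime(t0 + timedelta(minutes=2)), 1),       # followed a link from visit 1
        (3, 2, 3, datetime_to_prtime(t0 + timedelta(hours=1)), 7),         # download
    ])
    return con


def timeline(con, start=None, end=None):
    """Visits in chronological order, optionally restricted to the window [start, end)."""
    sql = ("SELECT v.visit_date, p.url, p.title, v.visit_type FROM moz_historyvisits v "
           "JOIN moz_places p ON p.id = v.place_id")
    clauses, params = [], []
    if start is not None:
        clauses.append("v.visit_date >= ?")
        params.append(datetime_to_prtime(start))
    if end is not None:
        clauses.append("v.visit_date < ?")
        params.append(datetime_to_prtime(end))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY v.visit_date"
    return [{"time": prtime_to_datetime(ts), "url": url, "title": title,
             "type": VISIT_TYPES.get(vt, str(vt)), "search_term": search_term(url)}
            for ts, url, title, vt in con.execute(sql, params)]


if __name__ == "__main__":
    for row in timeline(open_constructed_places_db()):
        print(row["time"].isoformat(), row["type"], row["url"], row["search_term"] or "")
```

The window filter is applied in SQL on the raw PRTime integer rather than on converted datetimes, so the same query works unchanged on a real places.sqlite of any size; from_visit is kept in the schema because it lets an investigator reconstruct which visit led to which (the "referrer chain"), which the plain timeline does not show.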
The figure below shows the analysis of the $MFT file, which holds the metadata of files in the NTFS file system. Users can obtain each file's name, extension, size, modification time, creation time, last access time, and attributes, and whether the file has been deleted. Since the $MFT file is much smaller than the original disk, it allows fast investigation. In addition, the results can be saved as an Excel file, which facilitates further analysis.
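What such an $MFT analysis does under the hood, as an added example that is not LDFS code: a Python reader for the NTFS FILE record layout that applies the update-sequence fixups, reads the timestamps from $STANDARD_INFORMATION, the name from $FILE_NAME (preferring the long name over a DOS 8.3 name), the size from the unnamed $DATA stream, and the in-use flag that tells a live file from a deleted one. The two sample records are produced by build_record, which is part of this example and stands in for a real $MFT image; the names, contents and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024                      # usual MFT record size
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01                      # cleared when the file is deleted; the record itself stays on disk
FLAG_DIRECTORY = 0x02
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(rec):
    """Undo the update-sequence protection: the last word of every 512-byte sector holds the
    USN and the real bytes live in the update sequence array. A mismatch means a torn record."""
    buf = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 0x04)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: record is torn or corrupt" % i)
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(rec):
    """Return the investigator-relevant fields of one FILE record, or None if the slot is unused."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None, "extension": "",
            "size": None, "deleted": not flags & FLAG_IN_USE, "is_dir": bool(flags & FLAG_DIRECTORY)}
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, attr_name_len = rec[off + 8], rec[off + 9]
        content = b""
        if not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        if atype == ATTR_STANDARD_INFORMATION:
            created, modified, _, accessed = struct.unpack_from("<QQQQ", content, 0)
            info.update(created=filetime_to_datetime(created), modified=filetime_to_datetime(modified),
                        accessed=filetime_to_datetime(accessed))
        elif atype == ATTR_FILE_NAME:
            n, namespace = content[0x40], content[0x41]
            name = content[0x42:0x42 + 2 * n].decode("utf-16-le")
            if info["name"] is None or namespace != 2:      # namespace 2 is the DOS 8.3 alias
                info["name"] = name
                info["extension"] = name.rpartition(".")[2] if "." in name else ""
        elif atype == ATTR_DATA and attr_name_len == 0:     # unnamed stream = the file's main content
            info["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0] if non_resident else len(content)
        off += alen
    return info


def parse_mft(data):
    """Walk a raw $MFT image record by record, skipping unused slots."""
    return [r for r in (parse_record(data[i:i + RECORD_SIZE])
                        for i in range(0, len(data), RECORD_SIZE)) if r]


def _resident_attr(atype, content):
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def build_record(record_no, name, data, in_use, created, modified, accessed):
    """Constructed sample record (not from a real disk): resident $STANDARD_INFORMATION, $FILE_NAME, $DATA."""
    c, m, a = (datetime_to_filetime(t) for t in (created, modified, accessed))
    si = struct.pack("<QQQQIIII", c, m, m, a, 0x20, 0, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), c, m, m, a, len(data), len(data), 0x20, 0,
                     len(name), 3) + name.encode("utf-16-le")
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn)
             + _resident_attr(ATTR_DATA, data) + struct.pack("<II", ATTR_END, 0))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, FLAG_IN_USE if in_use else 0,
                      0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray((hdr + struct.pack("<HHH", 1, 0, 0)).ljust(0x38, b"\x00") + attrs).ljust(RECORD_SIZE, b"\x00")
    for i in (1, 2):                                      # protect each sector with the USN, as NTFS does
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", 1)
    return bytes(rec)


_UTC = timezone.utc
SAMPLE_MFT = (  # constructed two-record image: one live file, one deleted file
    build_record(40, "report.docx", b"hello", True, datetime(2010, 1, 2, 3, 4, 5, tzinfo=_UTC),
                 datetime(2010, 1, 3, 0, 0, 0, tzinfo=_UTC), datetime(2010, 1, 4, 0, 0, 0, tzinfo=_UTC))
    + build_record(41, "oldnote.txt", b"abc", False, datetime(2009, 6, 1, 12, 0, 0, tzinfo=_UTC),
                   datetime(2009, 6, 2, 12, 0, 0, tzinfo=_UTC), datetime(2009, 6, 3, 12, 0, 0, tzinfo=_UTC)))
```

Calling parse_mft(SAMPLE_MFT) yields one dictionary per record with the same columns the page lists (name, extension, size, the three timestamps, directory flag, deleted flag); on a real image the same loop runs over the raw $MFT bytes, and the fixup check is what separates a trustworthy record from one that was only half-written when the system was imaged.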
The figure below shows the program dumping all of physical memory and extracting only the process information. This allows hidden processes to be detected as of the time of the dump: if a process does not appear in Task Manager's process list but is extracted as a process from the physical memory dump file, the program considers it a hidden process.
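The comparison just described is usually called cross-view detection. The block below is an added example and not LDFS code: a signature scan carves process objects out of a memory image, the live process listing is compared against the carved set, and a process that is running in memory but absent from the listing is flagged. The object layout (a "Proc" tag followed by PID, exit time and image name) is a simplified constructed stand-in for the real kernel structures, the memory image is built in code, and the Task Manager listing is a constructed sample. The exit-time check shows the caveat a practitioner needs: a process that has terminated but whose object has not yet been freed also turns up in a scan, and must be reported as stale rather than hidden.

```python
import re
import struct

# Constructed, simplified process-object layout used only for this demonstration (not the real kernel layout):
#   pool tag "Proc" | pid (uint32) | exit time (uint64 FILETIME, 0 = still running) | image name (16 bytes, NUL padded)
POOL_TAG = b"Proc"
REC_FMT = "<4sIQ16s"
REC_SIZE = struct.calcsize(REC_FMT)     # 32 bytes


def build_memory_image(processes, size=4096):
    """Constructed memory image: a filler pattern that never contains the tag, with process objects embedded."""
    image = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
    for offset, pid, exit_time, name in processes:
        struct.pack_into(REC_FMT, image, offset, POOL_TAG, pid, exit_time, name.encode("ascii"))
    return bytes(image)


def carve_processes(image):
    """Signature scan: locate every pool tag and decode the object behind it, keeping only plausible hits."""
    found = []
    for m in re.finditer(re.escape(POOL_TAG), image):
        off = m.start()
        if off + REC_SIZE > len(image):
            continue
        _, pid, exit_time, raw_name = struct.unpack_from(REC_FMT, image, off)
        name = raw_name.split(b"\x00", 1)[0]
        if not name or not all(32 <= b < 127 for b in name):
            continue                    # tag matched, but what follows does not look like a process object
        found.append({"offset": off, "pid": pid, "name": name.decode("ascii"), "exit_time": exit_time})
    return found


def cross_view(carved, api_listing):
    """Compare what the memory scan found with what the live process list reported."""
    listed = {(p["pid"], p["name"]) for p in api_listing}
    seen = {(p["pid"], p["name"]) for p in carved}
    result = {"hidden": [], "exited": [], "not_in_dump": []}
    for p in carved:
        if p["exit_time"]:
            result["exited"].append(p)        # terminated but not yet freed: stale object, not a hidden process
        elif (p["pid"], p["name"]) not in listed:
            result["hidden"].append(p)        # alive in memory, absent from the live list
    for p in api_listing:
        if (p["pid"], p["name"]) not in seen:
            result["not_in_dump"].append(p)   # listed but never carved: scan gap or inconsistent dump
    return result


# Constructed sample data: four objects in memory, three entries in the live listing
IMAGE = build_memory_image([
    (0x100, 4, 0, "System"),
    (0x480, 1234, 0, "explorer.exe"),
    (0x9B0, 2048, 0x01CAE1A2B3C4D5E6, "svchost.exe"),   # exited; object still sits in the pool
    (0xC00, 3100, 0, "hidden.exe"),                      # running, never shown by the process list
])
TASK_MANAGER_LISTING = [{"pid": 4, "name": "System"}, {"pid": 1234, "name": "explorer.exe"},
                        {"pid": 600, "name": "lsass.exe"}]


def detect_hidden_processes(image=IMAGE, listing=TASK_MANAGER_LISTING):
    return cross_view(carve_processes(image), listing)


if __name__ == "__main__":
    for category, procs in detect_hidden_processes().items():
        print(category, [(p["pid"], p["name"]) for p in procs])
```

Both lists matter to an analyst: the "hidden" bucket is the finding the page describes, while "not_in_dump" is a reminder that a scan of a dump taken while the system kept running can miss objects, so an empty "hidden" result is not proof that nothing was concealed.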