Digital forensics has become an integral part of the corporate environment: legal regulations, knowledge building and the reconstruction of the sequence of events play a role, as does the prevention of criminal activity. Because the technological framework has changed in recent years, so-called live forensics has steadily gained importance.
This term denotes the analysis of the volatile data of a running computer system during or shortly after a security-relevant incident on that system. Volatile data are items of information that have not yet been written to a storage medium such as a hard disk and are therefore lost once power is interrupted. Among them are the contents of main memory, the active processes and information about open network connections.
Live forensics can help even in scenarios where traditional digital-forensic methods are not effective, and it can subsequently enable other methods of analysis. On systems with full-disk encryption, for example, the cryptographic key can be extracted from the contents of main memory and then used in a later analysis of the system. However, the existing guidelines for designing digital-forensic processes (NIST, SANS, BSI, etc.) do not reflect the current state of technology, since technological development is usually one step ahead of the adaptation of such guidelines.
The qualification network aims to enable companies to conduct their own research activities in the field of live forensics and to build a corporate network. In this way, the transfer of knowledge about live-forensic concepts that are not yet covered by digital-forensic guidelines is promoted.