Network Forensic Question

Status
Not open for further replies.

skitter21

Beta member
Messages
1
I know this question has probably been asked in one form or another. However, I am working on a case study and want to get as much insight as I can, and possibly find any holes that I haven't covered. If, on a typical home network of say 3 PCs, not on a hub but all connected to the internet via a wireless router, a crime is committed on one of those PCs and the hard drive is thrown away or destroyed (no chance of forensic data recovery), would any of the other PCs have any type of evidence on them? All I can think of is possibly the ISP having records, and possibly some router logs of some sort that would probably be minimal. I would assume that no communication would have taken place between the two computers, since the communication would simply be from the router to the particular PC in question. Where else could I find any type of data evidence?

Thanks for the help
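The router logs mentioned in the question are usually the only record of which device held which address and when. As an added example (not code from the thread or from any router vendor), here is a small Python timeline builder that parses constructed lines in the dnsmasq/hostapd syslog style many consumer routers emit, answers "which device held IP X at time T", and pairs wireless association events into sessions. The log format, year and all addresses are assumptions for the sample.

```python
import re
from datetime import datetime

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample log in the dnsmasq-dhcp / hostapd style (not a real capture).
SAMPLE_LOG = """\
Jan 14 20:01:03 router dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.101 00:11:22:33:44:55 desktop-a
Jan 14 20:05:17 router hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated
Jan 14 20:05:19 router dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.102 aa:bb:cc:dd:ee:ff laptop-b
Jan 14 21:40:02 router hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: disassociated
Jan 14 22:10:44 router hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated
Jan 14 22:10:46 router dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.102 aa:bb:cc:dd:ee:ff laptop-b
"""

TS_RE = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
DHCP_RE = re.compile(
    TS_RE + r" \S+ dnsmasq-dhcp\[\d+\]: DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>\S+)(?: (?P<host>\S+))?"
)
WIFI_RE = re.compile(
    TS_RE + r" \S+ hostapd: \S+: STA (?P<mac>\S+) IEEE 802.11: (?P<what>associated|disassociated)"
)


def _parse_ts(s: str) -> datetime:
    """Turn a year-less syslog timestamp into a datetime using the assumed LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {s}", "%Y %b %d %H:%M:%S")


def parse_router_log(text: str) -> list:
    """Extract DHCP lease and Wi-Fi association events, sorted by time."""
    events = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            events.append({"ts": _parse_ts(m["ts"]), "kind": "lease",
                           "mac": m["mac"].lower(), "ip": m["ip"], "host": m["host"]})
            continue
        m = WIFI_RE.match(line)
        if m:
            events.append({"ts": _parse_ts(m["ts"]), "kind": m["what"],
                           "mac": m["mac"].lower()})
    events.sort(key=lambda e: e["ts"])
    return events


def who_had_ip(events: list, ip: str, when: str):
    """Return (mac, hostname) of the latest lease of `ip` at or before `when`, else None."""
    t = _parse_ts(when)
    holder = None
    for e in events:
        if e["ts"] > t:
            break
        if e["kind"] == "lease" and e["ip"] == ip:
            holder = (e["mac"], e["host"])
    return holder


def wifi_sessions(events: list, mac: str) -> list:
    """Pair associate/disassociate events for `mac` into (start, end); an open session ends in None."""
    sessions, start = [], None
    for e in events:
        if e["mac"] != mac.lower():
            continue
        if e["kind"] == "associated":
            start = e["ts"]
        elif e["kind"] == "disassociated" and start is not None:
            sessions.append((start, e["ts"]))
            start = None
    if start is not None:
        sessions.append((start, None))
    return sessions


if __name__ == "__main__":
    evs = parse_router_log(SAMPLE_LOG)
    print(who_had_ip(evs, "192.168.1.102", "Jan 14 21:00:00"))
    for s in wifi_sessions(evs, "aa:bb:cc:dd:ee:ff"):
        print(s)
```

Two caveats a practitioner would note: most home routers keep such logs only in volatile memory and lose them on reboot, and a lease table proves which MAC address was on the network, not which person was at the keyboard, so this timeline corroborates other evidence rather than replacing it.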
 
If you run a network sniffer in promiscuous mode on a wireless network, I suspect you would be able to capture traffic from any node connected to the same network. This traffic would have been filtered out at the NIC though.
 
You could possibly check the RAM

Leave No Artifacts Behind | Anti-Forensics
When I power off my machine, isn't all data stored in RAM immediately lost?

Data in DRAM is not immediately lost when a machine is powered down. The data has a “fade” time based on current temperature. It is possible to dump data from RAM that has been cooled down with a spray from an inverted can of compressed air.

An example of where this might happen is, let's say, you have your laptop (which has one hard drive fully encrypted) locked at the Windows XP login prompt. You've already provided the passkey at startup to get to this point. If an examiner wanted to, they could spray the RAM with an inverted can of air to cool it and then remove it from the machine. They could then put the RAM into another computer and, with some sort of boot media, create a RAM dump that probably contains your encryption key and whatever else was currently loaded in RAM.

You probably won't have to worry about this when you're using a Live CD (or worry about it ever anyways). However, it is good to know that this method of data retrieval exists.
 