关键词: 计算机取证, 现场动态分析, 易挥发数据, 收集

Abstract: Due to lack of computer forensics professionals, the "two-steps" approach is commonly adopted to gather digital evidence in the running computer at the crime scene, that is, unplugging the running computer and booking it into evidence facilities first, then submitting it to trained digital evidence experts for examination. Although this method protects the aboriginality and integrity of digital evidence, it leads to the loss of "volatile data" stored in RAM and in other forms. The "volatile data" can often provide crucial clues and evidence for crime investigation, so it is necessary to make live analysis on-scene to acquire them. It is recommended that investigators be given professional trainings and get the live analysis skill.

Key words: computer forensics, live analysis on-scene, volatile data, collection