Incident Response: Evidence Collection in Windows

Learn how to perform evidence collection—a vital step in incident response. Find out how to collect volatile and non-volatile data and build an evidence report.

Introduction

• You've been hacked
• What you need to know before taking this course
• Conducting an incident response

1. Preparing for an Incident Response

• Preparation in the key to success
• Storage devices in Windows
• Installing FTK Imager
• Installing DD for Windows
• Preparing your evidence collection drive
• Creating a USB drive with trusted tools
• Validating our trusted tool kit

2. Volatile Data Acquisition

• Evidence collection
• Volatile and nonvolatile data
• Acquiring a memory image in Windows
• Acquiring a memory image in Windows in DumpIt
• Using CryptCat and Tee
• Collecting the data/time of the victim
• Documenting the logged on users
• Documenting open network connections
• Documenting the running processes
• Documenting any shared files

3. Nonvolatile Data Acquisition

• Nonvolatile evidence collection
• Collecting disk attributes using Disk Map
• Documenting completion of live collection
• Verification of data collected
• Graceful shutdown

4. Acquiring Evidence from Storage Media

• Write blockers
• Enabling a software write blocker in Windows
• Imaging a drive with the FTK Imager
• Imaging a drive with Forensic Imager

5. Challenges with Encryption

• Encryption in Windows
• Determining if BitLocker is running
• Securing a system with BitLocker
• BitLocker implementation and recovery password

6. Logging Your Evidence

• Creating a report
• Example report

Conclusion

• Next steps