I am in a small IT shop and working on a procedure to handle incidents. We will be relying on an external forensics firm - still working on ID one, but hope to have a "retainer" for one soon. In planning, given our location, it is likely we would have a delay in forensics response. Since powering off the machine is no longer status quo, this means the first responders must think about capturing a forensic image upon suspicion of an incident. I have done my research, and with a limited budget, from what I am understanding, we can create a triage image manually using FTK Imager. I have a list of files to capture - listed below. Just wanted to know if anyone else has this kind of procedure for first responders in place? Thanks.