Triage Imaging - Computer Forensics

Hi All,


I am in a small IT shop and working on a procedure to handle incidents. We will be relying on an external forensics firm - still working on ID one, but hope to have a "retainer" for one soon. In planning, given our location, it is likely we would have a delay in forensics response. Since powering off the machine is no longer status quo, this means the first responders must think about capturing a forensic image upon suspicion of an incident. I have done my research, and with a limited budget, from what I am understanding, we can create a triage image manually using FTK Imager. I have a list of files to capture - listed below. Just wanted to know if anyone else has this kind of procedure for first responders in place? Thanks.


1.) capture memory first

2.) capture the following files:


Root > $Extend
Root > $Recycle.Bin
Root > Users Directory
Root > $Logfile
Root > $MFT
Root > hiberfil.sys
Root > pagefile.sys
Root > swapfile.sys
Root > ProgramData > Microsoft > Search > Data > Applications > Windows > Windows.edb
Root > Windows > AppCompat > Programs > Amcache.hve
Root > Windows > INF > setupapi.dev.log
Root > Windows > System32 > Config > Default, SAM, Security, Software, System
Root > Windows > System32 > Config > RegBack - pull directory
Root > Windows > System32 > LogFiles - pull directory
Root > Windows > System32 > SRM - pull directory
Add Rest as New (From Bottom; Replace * with Text Indicated); Select All Options
NTUSER.DAT
UsrClass.dat
*.evtx
*.lnk
*.pf
$I30
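One way to turn the list above into a repeatable first-responder step, as an added example that is not from the original post: a PowerShell checklist that records, for each artifact, whether it is visible, readable or locked by the running OS, hashes what it can read for the chain-of-custody record, and writes a manifest. It copies nothing; the point is to show the responder which items FTK Imager's raw access must collect (locked hives, NTFS metafiles, and $I30, which is an NTFS directory index attribute rather than a file, so it is not in the path list). Assumed, not from the post: the collector volume in $OutDir, the memory image being named *.mem, and the usual on-disk locations used for the wildcard items.

```powershell
# Added example, not from the original post. On the suspect Windows host, records for each
# artifact in the list whether it is visible, readable or OS-locked, SHA-256s what it can
# read for the chain-of-custody record, and writes a CSV manifest. It copies nothing: items
# reported Locked/NotVisible ($MFT, live hives, NTUSER.DAT) need FTK Imager's raw access.
param(
    [string]$SystemDrive = $env:SystemDrive,
    [string]$OutDir = "E:\triage\$env:COMPUTERNAME"   # assumed collector volume
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
if (-not (Get-ChildItem -Path $OutDir -Filter '*.mem' -ErrorAction SilentlyContinue)) {  # assumed name
    Write-Warning "No *.mem image in $OutDir - capture memory before touching the disk."
}
# Fixed paths from the list; registry hives are named as they appear on disk.
$fixed = @(
    '$Extend', '$Recycle.Bin', 'Users', '$LogFile', '$MFT',
    'hiberfil.sys', 'pagefile.sys', 'swapfile.sys',
    'ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb',
    'Windows\AppCompat\Programs\Amcache.hve', 'Windows\INF\setupapi.dev.log',
    'Windows\System32\config\DEFAULT', 'Windows\System32\config\SAM',
    'Windows\System32\config\SECURITY', 'Windows\System32\config\SOFTWARE',
    'Windows\System32\config\SYSTEM', 'Windows\System32\config\RegBack',
    'Windows\System32\LogFiles', 'Windows\System32\SRM'
) | ForEach-Object { Join-Path $SystemDrive $_ }
# Wildcard items from the "Add Rest as New" list, searched where Windows normally keeps them.
$wild = @(
    @{ Root = 'Users';                        Filter = 'NTUSER.DAT' },
    @{ Root = 'Users';                        Filter = 'UsrClass.dat' },
    @{ Root = 'Users';                        Filter = '*.lnk' },
    @{ Root = 'Windows\System32\winevt\Logs'; Filter = '*.evtx' },
    @{ Root = 'Windows\Prefetch';             Filter = '*.pf' }
) | ForEach-Object {
    Get-ChildItem -LiteralPath (Join-Path $SystemDrive $_.Root) -Filter $_.Filter `
        -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object FullName
}
$manifest = foreach ($p in @($fixed) + @($wild)) {
    $row = [ordered]@{ Path = $p; Status = 'NotVisible'; Bytes = $null; SHA256 = $null }; $item = $null
    try {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction Stop
        if ($item.PSIsContainer) {
            $row.Status = 'Directory'        # pulled whole in FTK Imager, not hashed here
        } else {
            $row.Bytes  = $item.Length
            $row.SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction Stop).Hash
            $row.Status = 'Hashed'
        }
    } catch { if ($item) { $row.Status = 'Locked' } }   # found on disk but cannot be opened
    [pscustomobject]$row
}
$manifest | Export-Csv -LiteralPath (Join-Path $OutDir 'triage-manifest.csv') -NoTypeInformation
$manifest | Group-Object Status | Select-Object Name, Count
```

Run it from an elevated prompt; NTFS metafiles such as $MFT may show as NotVisible rather than Locked depending on the Windows version, and either status means the item goes into the FTK Imager custom content image.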