Hi All,
I am in a small IT shop and working on a procedure to handle incidents. We will be relying on an external forensics firm - still working on ID one, but hope to have a "retainer" for one soon. In planning, given our location, it is likely we would have a delay in forensics response. Since powering off the machine is no longer status quo, this means the first responders must think about capturing a forensic image upon suspicion of an incident. I have done my research, and with a limited budget, from what I am understanding, we can create a triage image manually using FTK Imager. I have a list of files to capture - listed below. Just wanted to know if anyone else has this kind of procedure for first responders in place? Thanks.
1.) capture memory first
2.) capture the following files:
    Root > $Extend
    Root > $Recycle.Bin
    Root > Users Directory
    Root > $Logfile
    Root > $MFT
    Root > hiberfil.sys
    Root > pagefile.sys
    Root > swapfile.sys
    Root > ProgramData > Microsoft > Search > Data > Applications > Windows > Windows.edb
    Root > Windows > AppCompat > Programs > Amcache.hve
    Root > Windows > INF > setupapi.dev.log
    Root > Windows > System32 > Config > Default, SAM, Security, Software, System
    Root > Windows > System32 > Config > RegBack - pull directory
    Root > Windows > System32 > LogFiles - pull directory
    Root > Windows > System32 > SRM - pull directory
    Add Rest as New (From Bottom; Replace * with Text Indicated); Select All Options
    NTUSER.DAT
    UsrClass.dat
    *.evtx
    *.lnk
    *.pf
    $I30
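As an added example (not from the post or from FTK Imager), a Python check a first responder could run against the exported triage folder to confirm every listed artifact was actually captured and to record SHA-256 hashes for the forensics firm. The locations for the wildcard items (*.evtx under winevt\Logs, *.pf under Prefetch) and the per-profile hive paths are assumptions, since the post does not state them.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact list from the post, relative to the collected volume root. Assumed here:
# *.evtx under winevt\Logs, *.pf under Prefetch, NTUSER.DAT / UsrClass.dat per profile.
EXPECTED = [
    "$Extend", "$Recycle.Bin", "Users", "$LogFile", "$MFT", "hiberfil.sys", "pagefile.sys", "swapfile.sys",
    "ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb",
    "Windows/AppCompat/Programs/Amcache.hve", "Windows/INF/setupapi.dev.log",
    "Windows/System32/Config/DEFAULT", "Windows/System32/Config/SAM",
    "Windows/System32/Config/SECURITY", "Windows/System32/Config/SOFTWARE",
    "Windows/System32/Config/SYSTEM", "Windows/System32/Config/RegBack",
    "Windows/System32/LogFiles", "Windows/System32/SRM",
    "Windows/System32/winevt/Logs/*.evtx", "Windows/Prefetch/*.pf",
]
PER_USER = ["NTUSER.DAT", "AppData/Local/Microsoft/Windows/UsrClass.dat"]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # chunked: pagefile.sys can be GBs
            h.update(chunk)
    return h.hexdigest()

def verify_collection(root: Path):
    """Return (manifest, missing): manifest maps every collected file to its SHA-256
    for chain of custody; missing lists expected entries that yielded no files."""
    manifest, missing = {}, []
    users = root / "Users"
    profiles = [p.name for p in users.iterdir()] if users.is_dir() else []
    patterns = EXPECTED + [f"Users/{u}/{a}" for u in profiles for a in PER_USER]
    for pat in patterns:
        hits = list(root.glob(pat))  # glob handles both literal paths and wildcards
        if not hits:
            missing.append(pat)
        for hit in hits:
            for f in ([hit] if hit.is_file() else hit.rglob("*")):
                if f.is_file():
                    manifest[f.relative_to(root).as_posix()] = sha256_file(f)
    return manifest, missing

def demo():
    """Constructed sample: a partial collection, so several artifacts report missing."""
    root = Path(tempfile.mkdtemp())
    for rel in ["$MFT", "$LogFile", "Windows/System32/Config/SAM",
                "Windows/System32/winevt/Logs/Security.evtx",
                "Windows/Prefetch/CMD.EXE-1234ABCD.pf", "Users/alice/NTUSER.DAT"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(rel.encode())  # placeholder bytes, not real artifacts
    return verify_collection(root)
```

Run `verify_collection(Path(r"E:\triage\host01"))` against the real export; anything in `missing` should be re-collected before the machine is touched further.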