Incident Response: Evidence Collection in Windows

Incident Response: Evidence Collection in Windows
Incident Response: Evidence Collection in Windows
English | MP4 | AVC 1280×720 | AAC 48KHz 2ch | 1h 46m | 258 MB

If your organization is the victim of a cyberattack, will you be ready to respond? An incident responder or digital forensics technician has to be prepared to properly collect digital evidence as soon as an event is reported. This course teaches you how to quickly triage affected systems, securely collect digital evidence, and create your collection report for further forensic analysis. Digital forensic examiner (DFE) Jason Dion explains how to build a portable toolkit of trusted tools, both proprietary and open source, to collect evidence from Windows machines: volatile data from workstations, non-volatile data from hard drives and USBs, and disk images. Jason also shows how to deal with encryption challenges, document your collection efforts, and build a finalized collection report.

Topics include:

  • Preparing for an incident response event
  • Installing the right tools
  • Acquiring volatile and non-volatile data
  • Acquiring memory images
  • Documenting users, connections, processes, and files
  • Collecting disk attributes
  • Verifying data collection
  • Imaging a drive
  • BitLocker encryption
  • Creating an evidence report
Table of Contents

1 You’ve been hacked
2 What you need to know before taking this course
3 Conducting an incident response

Preparing for an Incident Response
4 Preparation in the key to success
5 Storage devices in Windows
6 Installing FTK Imager
7 Installing DD for Windows
8 Preparing your evidence collection drive
9 Creating a USB drive with trusted tools
10 Validating our trusted tool kit

Volatile Data Acquisition
11 Evidence collection
12 Volatile and nonvolatile data
13 Acquiring a memory image in Windows
14 Acquiring a memory image in Windows in DumpIt
15 Using CryptCat and Tee
16 Collecting the datatime of the victim
17 Documenting the logged on users
18 Documenting open network connections
19 Documenting the running processes
20 Documenting any shared files

Nonvolatile Data Acquisition
21 Nonvolatile evidence collection
22 Collecting disk attributes using Disk Map
23 Documenting completion of live collection
24 Verification of data collected
25 Graceful shutdown

Acquiring Evidence from Storage Media
26 Write blockers
27 Enabling a software write blocker in Windows
28 Imaging a drive with the FTK Imager
29 Imaging a drive with Forensic Imager

Challenges with Encryption
30 Encryption in Windows
31 Determining if BitLocker is running
32 Securing a system with BitLocker
33 BitLocker implementation and recovery password

Logging Your Evidence
34 Creating a report
35 Example report

36 Next steps