Incident Response: Evidence Collection in Windows
1h 47mAdvanced2019-10-22
Authors
Jason Dion
Cybersecurity Trainer at Dion Training Solutions
Course details
If your organization is the victim of a cyberattack, will you be ready to respond? An incident responder or digital forensics technician has to be prepared to properly collect digital evidence as soon as an event is reported. This course teaches you how to quickly triage affected systems, securely collect digital evidence, and create your collection report for further forensic analysis. Digital forensic examiner (DFE) Jason Dion explains how to build a portable toolkit of trusted tools, both proprietary and open source, to collect evidence from Windows machines: volatile data from workstations, non-volatile data from hard drives and USBs, and disk images. Jason also shows how to deal with encryption challenges, document your collection efforts, and build a finalized collection report.
Learning objectives
Preparing for an incident response event
Installing the right tools
Acquiring volatile and non-volatile data
Acquiring memory images
Documenting users, connections, processes, and files
Collecting disk attributes
Verifying data collection
Imaging a drive
BitLocker encryption
Creating an evidence report
Learning objectives
Preparing for an incident response event
Installing the right tools
Acquiring volatile and non-volatile data
Acquiring memory images
Documenting users, connections, processes, and files
Collecting disk attributes
Verifying data collection
Imaging a drive
BitLocker encryption
Creating an evidence report
Skills covered
Incident ResponseCybersecurityDeep Dive (X:Y)
Concepts
0. Introduction
- 01 - You've been hacked
- 02 - What you need to know before taking this course
- 03 - Conducting an incident response
1. Preparing for an Incident Response
- 04 - Preparation in the key to success
- 05 - Storage devices in Windows
- 06 - Installing FTK Imager
- 07 - Installing DD for Windows
- 08 - Preparing your evidence collection drive
- 09 - Creating a USB drive with trusted tools
- 10 - Validating our trusted tool kit
2. Volatile Data Acquisition
- 11 - Evidence collection
- 12 - Volatile and nonvolatile data
- 13 - Acquiring a memory image in Windows
- 14 - Acquiring a memory image in Windows in DumpIt
- 15 - Using CryptCat and Tee
- 16 - Collecting the data time of the victim
- 17 - Documenting the logged on users
- 18 - Documenting open network connections
- 19 - Documenting the running processes
- 20 - Documenting any shared files
3. Nonvolatile Data Acquisition
- 21 - Nonvolatile evidence collection
- 22 - Collecting disk attributes using Disk Map
- 23 - Documenting completion of live collection
- 24 - Verification of data collected
- 25 - Graceful shutdown
4. Acquiring Evidence from Storage Media
- 26 - Write blockers
- 27 - Enabling a software write blocker in Windows
- 28 - Imaging a drive with the FTK Imager
- 29 - Imaging a drive with Forensic Imager
5. Challenges with Encryption
- 30 - Encryption in Windows
- 31 - Determining if BitLocker is running
- 32 - Securing a system with BitLocker
- 33 - BitLocker implementation and recovery password
6. Logging Your Evidence
- 34 - Creating a report
- 35 - Example report
Conclusion
- 36 - Next steps
Related courses
- RAG, AI Apps, and AI Agents for Cybersecurity and Networking
- Introduction to Applied Cryptography and Cryptanalysis by Infosec
- ISC2 Systems Security Certified Practitioner (SSCP) Cert Prep
- CCNA Cybersecurity (200-201) v1.2 Cert Prep
- Automated Threat Detection: Building SOC Solutions with Splunk, TheHive, and Snort
- Azure Event Hubs for Developers
- Applied ChatGPT for Cybersecurity by Infosec
- Corporate Security Policies by Infosec