Evidence Collection During Initial Response

Proper evidence collection during initial response supports both immediate remediation and potential legal action. Three rules apply throughout: collect in order of volatility, run only trusted tools (known-good binaries from your response kit rather than the suspect system's own copies, which the attacker may have replaced), and record what you ran, when you ran it, and the hash of each output file so the chain of custody holds up later.

Volatile Data Collection Priority:

  1. Network connections and listening ports
  2. Running processes and services
  3. Logged-in users
  4. Open files and handles (including registry handles on Windows)
  5. System memory
  6. Temporary files

If a memory imaging tool is in your kit, take the full memory image before running the commands below: every command executed on the host overwrites some of the memory you are trying to preserve, and the image also captures items 1 to 4 as they stood at that moment. The command-line collection is still worth doing, because it is fast, needs no special tooling, and gives readable output for immediate triage.

Collection Tools and Commands:

Redirect every output to an evidence volume that you brought with you (removable media or a network share), never to the suspect system's own disk, where it would overwrite unallocated space that may still hold deleted attacker files. The examples below assume the evidence volume is E: on Windows and /mnt/evidence on Linux.

Windows (from an elevated prompt; the -b option of netstat requires it):

netstat -anob > E:\evidence\connections.txt
tasklist /v > E:\evidence\processes.txt
wmic process list full > E:\evidence\detailed_processes.txt

netstat -anob lists every connection and listener with the owning PID and executable; tasklist /v adds the session, user and window title for each process; wmic process list full adds the full command line and parent PID, which is what links a suspicious child process to the one that spawned it. wmic is deprecated and may be absent on current Windows releases; Get-CimInstance Win32_Process in PowerShell returns the same fields.

Linux (as root, so that -p in netstat and lsof can attribute sockets owned by other users):

netstat -plant > /mnt/evidence/connections.txt
ps auxfww > /mnt/evidence/processes.txt
lsof -n > /mnt/evidence/open_files.txt

ps auxfww shows the process tree (f) with unwrapped command lines (ww); lsof -n lists open files, sockets and deleted-but-still-open files without resolving hostnames, since name lookups would themselves generate DNS traffic from the compromised host. netstat belongs to the deprecated net-tools package and is missing on many current distributions, where ss from iproute2 provides the same view.
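The following script ties the priority list and the Linux commands above into one ordered collection run. It is an added example and not code from the original page. It assumes the evidence volume is mounted at /mnt/evidence and that /mnt/evidence/bin holds trusted static copies of the tools, which it puts ahead of the host's own binaries on PATH; it assumes memory was imaged beforehand with a dedicated tool (LiME or AVML, for instance) and does not image memory itself. Every output file gets a manifest line with a UTC timestamp, the exact command, its exit status and a SHA-256, and a missing tool is recorded as a failure rather than silently skipped.

```sh
#!/bin/sh
# Ordered volatile-data collection for Linux with a per-file manifest.
# Added example, not code from the original page. Assumptions: the evidence
# volume is mounted at /mnt/evidence, and /mnt/evidence/bin holds trusted
# static binaries (ss, ps, lsof, ...) that are preferred over the host's own.
# A full memory image is taken separately, before this script, by a dedicated
# tool; this script does not image memory.

TOOLBIN="${TOOLBIN:-/mnt/evidence/bin}"
PATH="$TOOLBIN:$PATH"
export PATH

# Print the SHA-256 of a file with whichever hashing tool is present.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# collect OUTDIR NAME CMD [ARGS...]
# Runs CMD, saving stdout to OUTDIR/NAME and stderr to OUTDIR/NAME.err, then
# appends a manifest line: UTC time, file name, command, exit status, SHA-256.
# A missing tool is recorded (rc=127) rather than silently skipped.
collect() {
  outdir="$1"; name="$2"; shift 2
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if command -v "$1" >/dev/null 2>&1; then
    if "$@" >"$outdir/$name" 2>"$outdir/$name.err"; then rc=0; else rc=$?; fi
  else
    : >"$outdir/$name"
    printf 'tool not found: %s\n' "$1" >"$outdir/$name.err"
    rc=127
  fi
  printf '%s\t%s\t%s\trc=%s\tsha256=%s\n' \
    "$ts" "$name" "$*" "$rc" "$(hash_file "$outdir/$name")" \
    >>"$outdir/manifest.tsv"
  return "$rc"
}

# collect_volatile OUTDIR
# Walks the priority list in order. Each step writes its own file, so a
# failure in one tool does not lose the output of the others.
collect_volatile() {
  outdir="$1"
  mkdir -p "$outdir" || return 1
  date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/collection_start.txt"
  uname -a >>"$outdir/collection_start.txt"

  # 1. Network connections and listeners, with the owning process.
  if command -v ss >/dev/null 2>&1; then
    collect "$outdir" connections.txt ss -tunap
  else
    collect "$outdir" connections.txt netstat -plant
  fi
  # 2. Process tree with full, unwrapped command lines.
  collect "$outdir" processes.txt ps auxfww
  # 3. Logged-in users and what each is running.
  collect "$outdir" logged_in.txt w
  # 4. Open files and sockets; -n skips hostname lookups, -P port-name lookups.
  collect "$outdir" open_files.txt lsof -n -P
  # 5. System memory: imaged beforehand by a dedicated tool (see header).
  # 6. Temporary files: record names and full timestamps before anything
  #    else touches them.
  collect "$outdir" tmp_listing.txt ls -laR --time-style=full-iso /tmp /var/tmp /dev/shm

  # Seal the manifest so that a later edit to it would be detectable.
  hash_file "$outdir/manifest.tsv" >"$outdir/manifest.sha256"
  date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/collection_end.txt"
}

# Usage: sh collect_volatile.sh /mnt/evidence/host01-$(date -u +%Y%m%dT%H%M%SZ)
if [ "$#" -gt 0 ]; then
  collect_volatile "$1"
fi
```

Run it once per host into a fresh, timestamped directory and copy manifest.sha256 to your notes immediately; the manifest plus that hash is what lets you show later that the output files are the ones produced during the response and have not changed since.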