Live System Evidence Collection

When systems cannot be immediately shut down, live collection becomes necessary:

Pre-Collection Preparation:

  1. Document system state (screenshots, photographs)
  2. Identify critical services and dependencies
  3. Prepare collection tools on external media
  4. Establish secure evidence storage
  5. Brief stakeholders on potential impacts

Volatile Data Collection Process:

Step 1: Network Connections

# Windows
netstat -naob > network_connections.txt
# Linux
netstat -plant > network_connections.txt
ss -plant >> network_connections.txt

Step 2: Running Processes

# Windows
tasklist /v > processes.txt
wmic process get Name,ProcessId,ParentProcessId,CommandLine > process_details.txt
# Linux
ps auxfww > processes.txt
pstree -p > process_tree.txt

Step 3: System Information

# Windows
systeminfo > system_info.txt
wmic computersystem list full > computer_details.txt
# Linux
uname -a > system_info.txt
cat /proc/version >> system_info.txt

Step 4: User Activity

# Windows
query user > logged_users.txt
net session > sessions.txt
# Linux
w > logged_users.txt
last -F > login_history.txt
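The four Linux steps above, wrapped so that each command's output, exit status, UTC start time and SHA-256 land in a manifest that satisfies the "secure evidence storage" preparation item. This is an added example, not part of the original page; it assumes a Linux host with coreutils (sha256sum, date) and records, rather than aborts on, a tool that is absent (netstat is missing on many current distributions, which is why ss is run as well).

```shell
#!/bin/sh
# Added example (not from the original page): wraps each volatile-data command
# so its output, exit status, UTC start time and SHA-256 go into a manifest
# that can be re-verified later. Assumes Linux with coreutils available.
set -u

# collect_step OUTDIR NAME COMMAND [ARGS...]
# Runs COMMAND, capturing stdout+stderr to OUTDIR/NAME.txt, and appends one
# tab-separated manifest line. A missing tool (e.g. netstat on a host that
# only ships ss) is recorded with its non-zero status instead of aborting.
collect_step() {
    outdir=$1; name=$2; shift 2
    outfile="$outdir/$name.txt"
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$@" > "$outfile" 2>&1; then status=0; else status=$?; fi
    sum=$(sha256sum "$outfile" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$started" "$name" "$status" "$sum" "$*" \
        >> "$outdir/manifest.tsv"
}

# collect_linux_volatile OUTDIR
# Steps 1-4 from the text for Linux, most volatile data first.
collect_linux_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    collect_step "$outdir" network_connections_netstat netstat -plant
    collect_step "$outdir" network_connections_ss ss -plant
    collect_step "$outdir" processes ps auxfww
    collect_step "$outdir" process_tree pstree -p
    collect_step "$outdir" system_info uname -a
    collect_step "$outdir" kernel_version cat /proc/version
    collect_step "$outdir" logged_users w
    collect_step "$outdir" login_history last -F
}

# verify_manifest OUTDIR
# Recomputes every hash in the manifest; returns 1 on the first mismatch.
verify_manifest() {
    outdir=$1
    while IFS="$(printf '\t')" read -r _ts name _status sum _cmd; do
        actual=$(sha256sum "$outdir/$name.txt" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || return 1
    done < "$outdir/manifest.tsv"
}

# Usage: sh collect.sh /mnt/evidence/<hostname>-$(date -u +%Y%m%dT%H%M%SZ)
if [ -n "${1:-}" ]; then
    collect_linux_volatile "$1" && verify_manifest "$1"
fi
```

Run it from the external tool media with the output directory on the evidence volume; the manifest is what you hash and sign before the volume leaves the scene.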