Incident Response: Evidence Collection in Windows

Description

Learn how to perform evidence collection—a vital step in incident response. Find out how to collect volatile and non-volatile data and build an evidence report.

Syllabus

Introduction
  • You've been hacked
  • What you need to know before taking this course
  • Conducting an incident response
1. Preparing for an Incident Response
  • Preparation is the key to success
  • Storage devices in Windows
  • Installing FTK Imager
  • Installing DD for Windows
  • Preparing your evidence collection drive
  • Creating a USB drive with trusted tools
  • Validating our trusted tool kit
2. Volatile Data Acquisition
  • Evidence collection
  • Volatile and nonvolatile data
  • Acquiring a memory image in Windows
  • Acquiring a memory image in Windows with DumpIt
  • Using CryptCat and Tee
  • Collecting the date/time of the victim
  • Documenting the logged on users
  • Documenting open network connections
  • Documenting the running processes
  • Documenting any shared files
3. Nonvolatile Data Acquisition
  • Nonvolatile evidence collection
  • Collecting disk attributes using Disk Map
  • Documenting completion of live collection
  • Verification of data collected
  • Graceful shutdown
4. Acquiring Evidence from Storage Media
  • Write blockers
  • Enabling a software write blocker in Windows
  • Imaging a drive with the FTK Imager
  • Imaging a drive with Forensic Imager
5. Challenges with Encryption
  • Encryption in Windows
  • Determining if BitLocker is running
  • Securing a system with BitLocker
  • BitLocker implementation and recovery password
6. Logging Your Evidence
  • Creating a report
  • Example report
Conclusion
  • Next steps
