Host systems are the targets of malicious actions far too often. Host systems represent a possible initial target so that someone can gain a foothold in the network or a pivot point for additional attacks, or the end goal of threat actors. As a result, incident response analysts should be prepared to investigate these systems. Modern operating systems such as Microsoft Windows create a variety of evidentiary artifacts during the execution of an application, when changes to files are made, or when user accounts are added. All of these changes leave traces of activity that can be evaluated by incident response analysts. The amount of data that's available to incident response analysts is increasing as storage and memory in even the lowest-cost consumer systems continues to expand. Commonly available systems are routinely manufactured with extensive memory and storage in terabytes; there is a great deal of data that could assist incident responders with determining a root cause. As a result, incident response analysts should be prepared to acquire different types of evidence from systems for further analysis.
We will cover the following topics in this chapter:
- Preparation
- Order of Volatility
- Evidence acquisition
- Acquiring volatile memory
- Acquiring non-volatile evidence