Chapter 1. Introduction

Where does it start? Do corporate users suddenly notice that it takes longer to access web pages and download files from the file server? Does a user's workstation exhibit odd behavior on a sporadic basis, with files being modified or going missing? Or is it the sudden angry emails that arrive in your inbox, complaining about the massive amount of traffic being sent from your site? However it begins, as long as there are networks of computer systems, there will be computer security incidents. That being the case, investigators and administrators (titles that may apply to the same person) need to know what steps they can take to retrieve and analyze data from potentially compromised Windows systems. Due to the widespread use of Windows operating systems and the availability of high-speed Internet access, as well as the availability of easy-to-use tools to compromise and exploit systems, it is imperative that individuals responsible for Windows systems understand more than just how to protect their systems from incidents. Should they suspect that an incident has occurred, they must also understand how to react.