4

Endpoint Forensic Evidence Collection

After an incident has occurred, in accordance with an efficient incident response plan, it becomes essential to initiate the steps of incident verification and analysis. These steps cannot be effectively carried out in the absence of forensic evidence collected from the cybersecurity controls already in place or forensic data gathered from the endpoint under suspicion. While cybersecurity controls themselves already provide some valuable insights, forensic evidence acquisition is still required to dive deeper into incident details and get the full picture of malicious activities. It is important to note that the artifacts to be collected may vary depending on the host’s Operating System (OS), its version ...

Get Incident Response for Windows now with the O’Reilly learning platform.