
Windows Forensics and Incident Recovery by Harlan Carvey


Tools for Collecting Volatile Information

A live system holds a good deal of volatile information that an administrator or investigator can use to determine what may have occurred during an incident, whether for general troubleshooting or as part of a formal investigation. This information is held in memory while the system is running and is lost when the system is shut down, so it has to be collected from the live system before it is powered off. Volatile information generally consists of:

  • System time

  • Logged on user(s)

  • Process information

  • Network connections

  • Network status

  • Clipboard contents

  • Command history

  • Service/driver information

All of this information in its various forms can be retrieved using freeware utilities, tools native to the systems, and Perl scripts. ...
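As an added example (not code from Carvey's book, which uses Perl scripts and the native command-line tools of its era), the script below collects each of the categories listed above with built-in PowerShell cmdlets and native utilities, in the same order as the list, and writes a timestamped, hashed report. The output directory `E:\collection` is an assumption standing in for the responder's own removable media; the script must run in an elevated PowerShell 5.1 or later session on the suspect host.

```powershell
# Added example, not code from Carvey's book: a minimal live-response script that
# records each volatile category listed above, most volatile first, into a
# timestamped report and hashes the result. Run from an elevated PowerShell
# session (5.1 or later) on the suspect host. The output path is an assumption;
# point it at your own response media rather than at the local disk.
param(
    [string]$OutDir = 'E:\collection'    # assumed: removable response media
)

$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Report = Join-Path $OutDir ('volatile-{0}-{1:yyyyMMdd-HHmmss}.txt' -f $env:COMPUTERNAME, (Get-Date))

function Write-Section {
    # Stamp every section so the report itself shows when each item was captured.
    param([string]$Title, [scriptblock]$Body)
    "==== $Title  [$(Get-Date -Format o)] ====" | Out-File $Report -Append -Encoding utf8
    try   { & $Body | Out-String -Width 4096 | Out-File $Report -Append -Encoding utf8 }
    catch { "ERROR collecting ${Title}: $($_.Exception.Message)" | Out-File $Report -Append -Encoding utf8 }
}

# System time first: local and UTC plus the zone, so every later timestamp can be reconciled.
Write-Section 'System time' {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        LocalTime = Get-Date -Format o
        UtcTime   = (Get-Date).ToUniversalTime().ToString('o')
        TimeZone  = (Get-TimeZone).Id
        LastBoot  = $os.LastBootUpTime
    } | Format-List
}

# Logged-on users: interactive sessions (quser) and inbound SMB sessions (net session).
Write-Section 'Logged on users' {
    quser 2>&1
    net session 2>&1
}

# Processes with parent PID, image path and command line, which Task Manager does not show together.
Write-Section 'Process information' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
        Sort-Object ProcessId | Format-Table -AutoSize -Wrap
}

# Network connections mapped to their owning process; netstat -ano is kept as a second opinion.
Write-Section 'Network connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Sort-Object State, LocalPort | Format-Table -AutoSize
    Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    netstat -ano
}

# Network status: interface configuration, ARP and routing tables, and the DNS resolver cache.
Write-Section 'Network status' {
    ipconfig /all
    arp -a
    route print
    Get-DnsClientCache | Select-Object Entry, RecordType, Data | Format-Table -AutoSize
}

# Clipboard contents of the session the script runs in (other users' clipboards are not visible here).
Write-Section 'Clipboard contents' {
    Get-Clipboard -Raw
}

# Command history: this PowerShell session, plus every user's persisted PSReadLine history file.
Write-Section 'Command history' {
    Get-History | Select-Object Id, StartExecutionTime, CommandLine | Format-Table -AutoSize
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object { "--- $($_.FullName) (modified $($_.LastWriteTime))"; Get-Content $_.FullName }
}

# Services and kernel drivers with state, start mode, image path and, for services, the account they run as.
Write-Section 'Services' {
    Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, StartName, ProcessId, PathName |
        Sort-Object State, Name | Format-Table -AutoSize -Wrap
}
Write-Section 'Drivers' {
    Get-CimInstance Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName |
        Sort-Object State, Name | Format-Table -AutoSize -Wrap
}

# Seal the report: a SHA-256 sidecar lets anyone verify later that the record was not altered.
$hash = Get-FileHash -Path $Report -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $Report -Leaf)" | Out-File "$Report.sha256" -Encoding ascii
Write-Host "Collection written to $Report (SHA-256 $($hash.Hash))"
```

Three caveats a practitioner should keep in mind. First, the collection itself alters the system: the script is a new process, it touches memory, and if `$OutDir` were on the local disk it would overwrite unallocated space, which is why the output goes to separate media and the report records exactly when each item was captured. Second, clipboard and command history are per session: `Get-Clipboard` and `Get-History` only see the logon session and console the script runs in, and the native `doskey /history` likewise lists only the history of the cmd window it is typed into, so those must be captured from the suspect's own console where possible. Third, `Get-NetTCPConnection`, `Get-NetUDPEndpoint` and `Get-DnsClientCache` exist only on Windows 8 / Server 2012 and later; on older hosts the `netstat -ano`, `ipconfig /displaydns` and other native commands that this book relies on are the fallback.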
