Tools for Collecting Volatile Information
There is a good deal of volatile information on a live system that an administrator or investigator can use to determine what may have occurred during an incident. This information can be used for general troubleshooting purposes or as part of an investigation. It is held in memory while the system is running and is lost when the system is shut down or rebooted, so it must be collected from the live system, before any power-off or imaging step. Volatile information generally consists of:
System time
Logged on user(s)
Process information
Network connections
Network status
Clipboard contents
Command history
Service/driver information
All of this information in its various forms can be retrieved using freeware utilities, tools native to the systems, and Perl scripts. ...
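The following PowerShell script is an added example of collecting each of the items listed above from a live Windows host; it is not code from the book, which used Perl and third-party freeware for the same purpose. It assumes an elevated PowerShell 5.1 or later session on Windows 10/Server 2016 or newer (the `Get-Net*` cmdlets are absent on older hosts), and `$OutRoot` is a hypothetical output path that should point at external media so that writing the results does not overwrite free space on the disk being examined. Each collector's output is written to its own file and recorded in a manifest with a timestamp and SHA-256 hash, and the collectors run in rough order of volatility.

```powershell
# Live-response collector for volatile Windows state (added example, not from the book).
# Run from an elevated PowerShell on the target. Running anything on a live system
# changes its memory and pagefile, so note the tools and start time in your case log.
# Assumption: $OutRoot is a hypothetical destination; point it at removable/external media.
param(
    [string]$OutRoot = "E:\collection\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null
$Manifest = Join-Path $OutRoot 'manifest.txt'

# Runs one collector, saves its output to a file, and appends a timestamp and SHA-256 to the
# manifest so each artifact can be tied to the moment it was captured.
function Save {
    param([string]$Name, [scriptblock]$Collector)
    $file  = Join-Path $OutRoot "$Name.txt"
    $start = Get-Date -Format 'o'
    try   { & $Collector 2>&1 | Out-String -Width 4096 | Set-Content -Path $file -Encoding UTF8 }
    catch { "ERROR: $($_.Exception.Message)" | Set-Content -Path $file }
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$start`t$Name`t$hash" | Add-Content -Path $Manifest
}

# 1. System time, time zone and last boot (compare the local clock against a trusted source
#    so timestamps in later artifacts can be corrected).
Save 'system_time' {
    [pscustomobject]@{
        LocalTime  = Get-Date -Format 'o'
        UtcTime    = (Get-Date).ToUniversalTime().ToString('o')
        TimeZone   = (Get-TimeZone).Id
        LastBootUp = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    } | Format-List
}

# 2. Logged-on users: interactive sessions from quser, plus every logon session known to
#    WMI (service, network and batch logons do not appear in quser).
Save 'logged_on_users' {
    quser 2>&1
    Get-CimInstance Win32_LoggedOnUser | ForEach-Object {
        $s = Get-CimInstance Win32_LogonSession -Filter "LogonId='$($_.Dependent.LogonId)'"
        [pscustomobject]@{
            Account   = "$($_.Antecedent.Domain)\$($_.Antecedent.Name)"
            LogonId   = $_.Dependent.LogonId
            LogonType = $s.LogonType
            Start     = $s.StartTime
        }
    } | Format-Table -AutoSize
}

# 3. Processes with parent PID, creation time, image path and full command line; the
#    parent/child relationships are what expose an unexpected child of a trusted process.
Save 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine |
        Sort-Object CreationDate | Format-Table -AutoSize
}

# 4. Network connections mapped to their owning process; netstat -ano is kept as a
#    second, independent view of the same table.
Save 'network_connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }} |
        Format-Table -AutoSize
    Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    netstat -ano 2>&1
}

# 5. Network status: adapters, addresses, routing table, ARP (neighbor) cache and DNS cache.
Save 'network_status' {
    Get-NetAdapter      | Format-Table -AutoSize
    Get-NetIPAddress    | Format-Table -AutoSize
    Get-NetRoute        | Format-Table -AutoSize
    Get-NetNeighbor     | Format-Table -AutoSize
    Get-DnsClientCache  | Format-Table -AutoSize
}

# 6. Clipboard contents (text only; Get-Clipboard needs an interactive desktop session,
#    so this file may be empty when the script runs over a remote shell).
Save 'clipboard' { Get-Clipboard -Raw }

# 7. Command history: this session's history, then the persistent PSReadLine history file
#    of every profile on the system. cmd.exe history lives only in the console's memory
#    and is not recoverable from another process.
Save 'command_history' {
    Get-History | Format-Table -AutoSize
    Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
        ForEach-Object { "=== $($_.FullName) ==="; Get-Content $_.FullName }
}

# 8. Services and kernel drivers with state, start mode, account and image path; odd image
#    paths or unfamiliar names in this list are a common first indicator.
Save 'services' {
    Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, ProcessId, StartName, PathName | Format-Table -AutoSize
}
Save 'drivers' {
    Get-CimInstance Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
}

Write-Host "Collection written to $OutRoot (manifest: $Manifest)"
```

Record the manifest hashes in the case notes as soon as the run finishes; a second `Get-FileHash` over the output directory later verifies that nothing was altered in transit.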