Tools for Collecting Non-Volatile Information
Non-volatile information does not necessarily need to be collected from a system at the same time as the volatile information. Because of the nature of non-volatile information, it should generally remain unchanged if the system is rebooted. However, this information can be collected at the same time as the volatile information, depending upon the needs of the investigator. Methodologies for collecting both types of information will be addressed in greater detail in Chapter 6, Developing a Methodology, and Chapter 7, Knowing What To Look For.
Collecting Files
Many times, the contents of files provide valuable information regarding the nature of an incident. If an attack occurs against an IIS web server, ...
Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.