Chapter 6. Developing a Methodology

Now that we've covered the various tools to use in response to an incident, we need to look at how we can go about using these tools as part of a methodology. By developing and employing a methodology, we can be sure that we collect all of the data we need the first time around. After all, as discussed in Chapter 5, Incident Response Tools, there is a great deal of information available on a live system that will disappear when the system is powered down, and some of that information, such as network connections shown by netstat.exe, will change over time.

This chapter will reinforce the importance of developing and having an incident response methodology or process. Based on personal experience as a consultant, ...
