Chapter 6. Developing a Methodology

Now that we've covered the various tools available for responding to an incident, we need to look at how to use those tools as part of a methodology. By developing and following a methodology, we can be sure that we collect all of the data we need the first time around. After all, as discussed in Chapter 5, Incident Response Tools, a great deal of the information available on a live system disappears when the system is powered down, and some of it, such as the network connections shown by netstat.exe, changes from one minute to the next, so the order and timing of collection matter as much as the tools themselves.
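As an added illustration of that point (example code written for this edit, not from the book or its author), the following PowerShell script collects volatile data in a fixed order, most transient first, timestamps and hashes each artifact so the collection can be accounted for later, and then takes a second netstat.exe capture to show how the connection table has already drifted. The output directory, the step list and the ten-second delay are assumptions chosen for the example; in a real engagement the binaries would be run from a trusted toolkit rather than from the suspect host's own system directory.

```powershell
# Added example, not from the original book. Assumes Windows PowerShell 5.1 or
# later and write access to $OutDir (both assumptions for this illustration).
param(
    [string]$OutDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [int]$DriftDelaySeconds = 10
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = Join-Path $OutDir 'manifest.tsv'
"captured_at`tartifact`tsha256" | Set-Content -Path $manifest -Encoding utf8

# Order of volatility: the entries that change fastest are collected first.
# The list itself is an assumption for the example; tune it to your own process.
$steps = [ordered]@{
    '01-datetime'    = { Get-Date -Format o; (Get-TimeZone).Id }
    '02-netstat'     = { netstat.exe -ano }
    '03-arp'         = { arp.exe -a }
    '04-routes'      = { route.exe print }
    '05-processes'   = { tasklist.exe /v }
    '06-services'    = { Get-Service | Sort-Object Status, Name | Format-Table -AutoSize | Out-String -Width 200 }
    '07-sessions'    = { net.exe session }
    '08-shares'      = { net.exe share }
    '09-ipconfig'    = { ipconfig.exe /all }
}

foreach ($name in $steps.Keys) {
    $file = Join-Path $OutDir "$name.txt"
    $capturedAt = Get-Date -Format o            # when this artifact was taken
    & $steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$capturedAt`t$name`t$hash" | Add-Content -Path $manifest -Encoding utf8
}

# Demonstrate drift: compare the netstat capture taken above with a fresh one.
$first = Get-Content -Path (Join-Path $OutDir '02-netstat.txt')
Start-Sleep -Seconds $DriftDelaySeconds
$second = netstat.exe -ano
$drift = Compare-Object -ReferenceObject $first -DifferenceObject $second

$driftFile = Join-Path $OutDir '02-netstat-drift.txt'
"# Lines with '<=' existed only in the first capture, '=>' only in the second." |
    Set-Content -Path $driftFile -Encoding utf8
$drift | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" } |
    Add-Content -Path $driftFile -Encoding utf8

Write-Host "Collected $($steps.Count) artifacts to $OutDir"
Write-Host "netstat lines changed in ${DriftDelaySeconds}s: $($drift.Count)"
```

Run it from an elevated prompt so that tasklist.exe /v and net.exe session return complete results. The manifest is the piece a methodology adds over ad-hoc tool use: each artifact is tied to the time it was taken and to a hash, so when two netstat captures disagree you can say which one came first and that neither was altered afterwards.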

This chapter will reinforce the importance of developing and following an incident response methodology or process. Based on personal experience as a consultant, ...

Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.