Steps to collects the data from live system

On the compromised machine, run trusted command shell from an Incident Response toolkit.

Document system date and time, and compare it to a reliable time source.

Acquire contents of physical memory.

Gather hostname, user, and operating system details.

Gather system status and environment details.

Identify users logged onto the system.

Inspect network connections and open ports.

Examine Domain Name Service (DNS) queries and connected hostnames.

Examine running processes.

Correlate open ports to associated processes and programs.

Examine services and drivers.

Inspect open files.

Examine command line history.

Identify mapped drives and shares.

Check for unauthorized accounts, groups, shares, and other system resources and configurations using the Windows “net” commands.

Determine scheduled tasks.

Collect clipboard contents.

Determine audit policy.


About this entry