Computer Evidence: Collection and Preservation, Second Edition by Christopher L. T. Brown

Building a Live Collection Disk

One of the best ways for computer forensics investigators to know exactly how their tools interact with evidence is to assemble and test those tools themselves. As previously noted, ready-made incident response toolkits may be more intrusive than a forensics investigator wants. This section walks through the creation of a simple batch file that extracts processed volatile data from a running (live) Windows-based suspect system.

To begin the creation of the volatile extraction tool, which we’ll call VExtract, the forensics investigator first needs to decide what types of processed information from the suspect computer’s volatile memory might be of use to an investigation.
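The following batch file is an added example of the kind of collector the chapter sets out to build; it is not the book's VExtract script. It assumes the investigator runs it from a removable collection drive so that output lands beside the script (`%~dp0`) rather than on the suspect disk, that the commands used are the built-in Windows utilities (tasklist, netstat, ipconfig, net, query, certutil), and that a SHA-256 hash of each artifact and of the script itself is recorded so the collection can be verified later. Output file names and the `:grab` helper are this example's own choices.

```batch
@echo off
REM Added example, not the book's VExtract: a minimal live-collection batch file.
REM Assumptions: run from an elevated prompt on a removable collection drive;
REM output goes to a per-run folder beside the script; the commands below are
REM stock Windows utilities and resolve through the suspect system's PATH.
setlocal

REM Per-run output directory on the collection media (RANDOM avoids clobbering
REM an earlier run on the same host; %TIME% is unusable here because of colons)
set "OUT=%~dp0collect_%COMPUTERNAME%_%RANDOM%"
mkdir "%OUT%" 2>nul
set "LOG=%OUT%\collection_log.txt"

echo === Live collection started === > "%LOG%"
echo Host: %COMPUTERNAME%  Collector account: %USERNAME% >> "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"
echo. >> "%LOG%"

REM Record what was actually run: hash of this script
echo === SHA256 of collection script === >> "%LOG%"
certutil -hashfile "%~f0" SHA256 >> "%LOG%"
echo. >> "%LOG%"

REM Roughly in order of volatility: most transient state first.
REM Each call writes one artifact file and one timestamped log line.
call :grab "logged_on_users.txt" "query user"
call :grab "whoami.txt"          "whoami /all"
call :grab "processes.txt"       "tasklist /v"
call :grab "services.txt"        "tasklist /svc"
call :grab "netstat.txt"         "netstat -ano"
call :grab "arp_cache.txt"       "arp -a"
call :grab "dns_cache.txt"       "ipconfig /displaydns"
call :grab "ipconfig.txt"        "ipconfig /all"
call :grab "routes.txt"          "route print"
call :grab "net_sessions.txt"    "net session"
call :grab "net_use.txt"         "net use"
call :grab "net_shares.txt"      "net share"
call :grab "systeminfo.txt"      "systeminfo"

REM Hash every artifact so later modification of the collection is detectable
echo. >> "%LOG%"
echo === SHA256 of collected artifacts === >> "%LOG%"
for %%F in ("%OUT%\*.txt") do (
    if /I not "%%~nxF"=="collection_log.txt" (
        certutil -hashfile "%%F" SHA256 >> "%LOG%"
    )
)

echo. >> "%LOG%"
echo === Live collection finished === >> "%LOG%"
time /t >> "%LOG%"
endlocal
goto :eof

REM ---- helper: %1 = artifact file name, %2 = command line to run ----
:grab
echo [%TIME%] %~2 >> "%LOG%"
REM stdout and stderr both go to the artifact, so a failed command
REM (e.g. "net session" without admin rights) leaves its error on record
cmd /c %~2 > "%OUT%\%~1" 2>&1
goto :eof
```

Two points a practitioner should keep in mind when testing a collector like this. First, every command above runs from the suspect system's own `cmd.exe` and PATH, so the script trusts the very binaries it is examining; a collection disk built the way the chapter describes would carry trusted copies and call them by full path instead. Second, the act of collecting changes the machine (new processes, prefetch entries, handles on the collection drive), which is exactly why the chapter recommends assembling and testing the tools yourself: you should know what footprint each line leaves before you run it on evidence.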

Note

The batch files and utilities ...
