One of the best ways for computer forensics investigators to know exactly how their tools interact with evidence is to assemble and test those tools themselves. As previously noted, ready-made incident response toolkits may be more intrusive than forensics investigators want, and an investigator who did not build a toolkit cannot easily account for every file, registry key, or network connection it touches on the suspect system. In this section you can follow along as a simple batch file is created for extracting processed volatile data (the output of commands run against the live system, rather than a raw memory image) from a running, or live, Windows-based suspect system.
To begin building the volatile extraction tool, which we'll call VExtract, the forensics investigator first needs to decide what types of processed information from the suspect computer's volatile memory might be of use to an investigation: for example, active network connections, running processes, logged-on users, mapped drives, and the ARP and routing tables. Collecting them in order of volatility (most transient first) and logging the start time, end time, and every command executed keeps the collection defensible.
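The following batch file is an added example of the kind of script the paragraph above describes; it is not the page's own VExtract script. It assumes it is run from trusted response media (for instance a USB drive) whose root holds the script, so that output is written under %~dp0output\ on that media rather than to the suspect disk. It uses only built-in Windows commands; the intent is that each one is replaced by a trusted, hashed copy under a hypothetical %~dp0bin\ directory once those copies have been tested, because commands run from the suspect system rely on that system's own binaries and DLLs.

```batch
@echo off
:: VExtract.bat - illustrative volatile-data collection script (added example,
:: not the original page's script). Assumes it runs from trusted response media
:: and that %~dp0output\ on that media is the only place it writes to.
:: The commands below are Windows built-ins; swap in trusted copies from a
:: hypothetical %~dp0bin\ directory once you have hashed and tested them.
setlocal EnableExtensions
set "OUT=%~dp0output\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\vextract_log.txt"

:: Audit trail: when collection started, by whom, on which host.
echo VExtract started > "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"
echo Operator: %USERNAME%  Host: %COMPUTERNAME% >> "%LOG%"

:: Order of volatility: most transient data first.
call :collect "netstat -ano"   network_connections.txt
call :collect "arp -a"         arp_cache.txt
call :collect "tasklist /v"    processes.txt
call :collect "tasklist /svc"  process_services.txt
call :collect "net session"    sessions.txt
call :collect "net use"        mapped_drives.txt
call :collect "ipconfig /all"  ipconfig.txt
call :collect "route print"    routing_table.txt
call :collect "systeminfo"     systeminfo.txt

echo VExtract finished >> "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"
endlocal
goto :eof

:: collect <command> <outfile>: runs the command, captures its standard output
:: to <outfile>, appends any errors to the log, and records what was run and
:: when, so every action taken on the live system is documented.
:collect
echo [%TIME%] running: %~1 ^> %~2 >> "%LOG%"
%~1 > "%OUT%\%~2" 2>> "%LOG%"
goto :eof
```

Run it from an elevated command prompt on the suspect system (some commands, such as net session, need administrative rights), then hash the files in the output directory on the investigator's workstation before analysis. Each command is listed once in the script, so the investigator can explain, for every line, what it touched on the system; anything not on the list was not run.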
The batch files and utilities ...