Tools for Collecting Non-Volatile Information

Non-volatile information does not necessarily need to be collected from a system at the same time as the volatile information. Because of the nature of non-volatile information, it should generally remain unchanged if the system is rebooted. However, this information can be collected at the same time as the volatile information, depending upon the needs of the investigator. Methodologies for collecting both types of information will be addressed in greater detail in Chapter 6, Developing a Methodology, and Chapter 7, Knowing What To Look For.

Collecting Files

Many times, the contents of files provide valuable information regarding the nature of an incident. If an attack occurs against an IIS web server, ...
