Summary

The first step in responding to an incident is to have a policy for doing so. A corporate security policy that addresses how incidents will be handled is extremely important because it provides a roadmap for investigators. In some cases, the investigator may save the output of commands to files on the system, then copy the data off to diskettes or FTP them to a server. If a more forensically sound methodology is required, using netcat to get the data off the system provides an excellent option. This option, however, requires a great deal of interaction from the investigator—documenting commands, starting and restarting the netcat server, ensuring that all of the necessary commands are run when copying files, etc. Other options exist, ...
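The netcat workflow the summary describes has two roles: a listener on the collection workstation that writes whatever arrives to a file, and, on the suspect system, command output piped to netcat so it never touches the suspect disk. The script below is an added example written for this page, not code from the book or its author; it replays that pattern in Python over the loopback interface so it runs offline, and it addresses the interaction overhead the summary mentions by carrying every command's output over a single connection and having the receiver write a per-item SHA-256 manifest as its receipt. The framing header (`VDC1`), the function names, and the sample `netstat`-style output line are all constructed for the example.

```python
"""Netcat-style volatile-data collection over one TCP connection, with a
receiver-side SHA-256 manifest. Added example; not the book's own code."""
import hashlib
import json
import socket
import struct
import subprocess
import sys
import tempfile
import threading
from datetime import datetime, timezone
from pathlib import Path

MAGIC = b"VDC1"   # constructed stream header for this example, not a real protocol


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_command(argv):
    """Run one collection command (argv list, no shell) and return its output bytes."""
    proc = subprocess.run(argv, capture_output=True)
    return proc.stdout + proc.stderr


def send_items(host, port, items):
    """Suspect-system side: stream every (label, data) pair over ONE connection,
    so nothing is written locally and the listener is not restarted per command.
    Returns {label: sha256} for the investigator's notes."""
    local_hashes = {}
    with socket.create_connection((host, port)) as sock:
        sock.sendall(MAGIC)
        for label, data in items:
            lb = label.encode("utf-8")
            # record = 2-byte label length, 4-byte data length, label, data
            sock.sendall(struct.pack("!HI", len(lb), len(data)) + lb + data)
            local_hashes[label] = sha256_hex(data)
    return local_hashes


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed in the middle of a record")
        buf += chunk
    return buf


def make_listener(host="127.0.0.1", port=0):
    """Collection-workstation side: bind the listener (port 0 = any free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_items(listener, out_dir):
    """Accept one connection, write each record to its own file, and build a
    JSON manifest (size, SHA-256, receipt time, source address) beside them."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    conn, peer = listener.accept()
    with conn:
        if _recv_exact(conn, 4) != MAGIC:
            raise ValueError("unexpected stream header")
        while True:
            first = conn.recv(1)
            if not first:          # sender closed cleanly: collection complete
                break
            label_len, data_len = struct.unpack("!HI", first + _recv_exact(conn, 5))
            label = _recv_exact(conn, label_len).decode("utf-8")
            data = _recv_exact(conn, data_len)
            fname = "".join(c if c.isalnum() else "_" for c in label) + ".txt"
            (out_dir / fname).write_bytes(data)
            manifest[label] = {
                "file": fname,
                "bytes": len(data),
                "sha256": sha256_hex(data),
                "received_utc": datetime.now(timezone.utc).isoformat(),
                "source": peer[0],
            }
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def loopback_collect(items, out_dir=None):
    """Run both roles on 127.0.0.1 so the example works offline.
    Returns (sender_hashes, receiver_manifest); the hashes must agree."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="vdc_")
    listener = make_listener()
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(receive_items(listener, out_dir)))
    t.start()
    try:
        local = send_items("127.0.0.1", port, items)
    finally:
        t.join(timeout=10)
        listener.close()
    return local, result


if __name__ == "__main__":
    sample = [  # one harmless real command plus one constructed output line
        ("python-version", run_command([sys.executable, "--version"])),
        ("netstat-an", b"  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING\n"),
    ]
    sent, got = loopback_collect(sample)
    for label in sent:
        print(label, "OK" if sent[label] == got[label]["sha256"] else "MISMATCH")
```

The investigator's own hash list (`send_items` return value) and the receiver's `manifest.json` are produced independently on the two hosts; comparing them is the check that the transfer was complete and unaltered, which a bare `nc -l -p PORT > file` does not give you.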

Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.