written 6.8 years ago by | modified 6.7 years ago by |
Subject: Digital Forensics
Topic: Initial response and forensic duplication
Difficulty: High
written 6.7 years ago by |
Potentially, a live collection may answer the majority of questions you may have during the initial stages of an investigation. It depends on the level of detail that you collect during a live response.
A small collection consisting of
• users,
• processes,
• select registry keys, and
• network state
can help you determine if there are signs of malicious activity. A comprehensive collection that includes data sources such as browsing history and the NTFS master file table can reveal far more.
Naturally, there are reasons for and against voluminous collections.
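As an added example that is not part of the original answer, the script below collects the four items listed above (users, processes, select registry keys, network state) on a Windows host with standard PowerShell cmdlets, so the answer's "small collection" can be seen as concrete output. The output directory, file names, the choice of autostart registry keys and the hashing of results are assumptions of this example, not anything the answer specifies; `Get-NetTCPConnection` and `Get-NetUDPEndpoint` require Windows 8 / Server 2012 or later, and `quser` is absent on some client editions.

```powershell
# Added example (not from the original answer): a minimal Windows live-response
# collection covering users, processes, select registry keys and network state.
# The output directory, file names and the list of Run keys are assumptions.
param(
    [string]$OutDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMddTHHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record when and as whom the collection ran. Every command below changes
# volatile state (a new process, new sockets), so the record of what the
# responder did is itself evidence.
"Collected $(Get-Date -Format o) by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME" |
    Out-File (Join-Path $OutDir "00-collection-info.txt")

# 1. Users: local accounts, plus who is logged on right now.
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired |
    Export-Csv (Join-Path $OutDir "01-local-users.csv") -NoTypeInformation
quser 2>$null | Out-File (Join-Path $OutDir "01-logged-on-users.txt")

# 2. Processes: parent PID, command line and SHA-256 of the image, so a
#    renamed or oddly located binary can be checked later without the host.
Get-CimInstance Win32_Process |
    ForEach-Object {
        $hash = $null
        if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
            $hash = (Get-FileHash $_.ExecutablePath -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            PID         = $_.ProcessId
            PPID        = $_.ParentProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Created     = $_.CreationDate
            SHA256      = $hash
        }
    } | Export-Csv (Join-Path $OutDir "02-processes.csv") -NoTypeInformation

# 3. Select registry keys: the autostart locations most commonly used for
#    persistence. This list is an assumption; extend it for your environment.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath, PSDrive, etc.
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value }
        }
}
$autoruns | Export-Csv (Join-Path $OutDir "03-autoruns.csv") -NoTypeInformation

# 4. Network state: TCP connections and UDP listeners with the owning PID,
#    so each socket can be joined against 02-processes.csv.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $OutDir "04-tcp.csv") -NoTypeInformation
Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Export-Csv (Join-Path $OutDir "04-udp.csv") -NoTypeInformation
Get-DnsClientCache |
    Select-Object Entry, RecordName, Data, TimeToLive |
    Export-Csv (Join-Path $OutDir "04-dns-cache.csv") -NoTypeInformation

# Hash every artefact so the collection can be verified later. The manifest
# is written last and is the one file not covered by its own hashes.
Get-ChildItem $OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv (Join-Path $OutDir "99-manifest.csv") -NoTypeInformation

Write-Output "Collection written to $OutDir"
```

Run it from an elevated prompt, for example `.\Collect-Live.ps1 -OutDir E:\case-0001\host-a`. Two caveats a responder would add: the default output path writes to the system drive, which overwrites unallocated space that a later forensic duplication might have recovered, so point `-OutDir` at removable media or a share; and the script runs whatever `powershell.exe` and cmdlets the host already has, so on a suspected rootkit its output is only as trustworthy as that host.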