Anyone familiar with trusted software or methods that can be used before "pulling the plug" and a search site to document running processes and other information that might be needed?
Would depend on the operating system. There are some commands native to Windows that work well, such as tasklist and netstat (the switches for each will provide some versatility; type /? after the command to see them). Fport, which I think is available from Foundstone, will also show open ports and associated PIDs.
These are a few I’m familiar with… As for what running them on a live system will do to any subsequent investigation (in terms of modifying any time stamps etc.), someone with more experience would be better equipped to answer.
Hope it helps,
Andrew
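A minimal live-response batch script along the lines Andrew describes, added here as an example and not posted by anyone in the thread. It assumes the responder runs it as an administrator from a removable drive and writes all output to that drive rather than to the suspect disk; the output folder name and the list of commands are the responder's own choices.

```batch
@echo off
REM live_collect.bat - added example, not code from this thread.
REM Assumption: run as administrator from a removable drive (e.g. E:\).
REM Output goes next to the script, so nothing is written to the evidence disk.

setlocal
set OUTDIR=%~dp0collect_%COMPUTERNAME%
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
set LOG=%OUTDIR%\collection_log.txt

REM Record who ran what and when, so the investigation notes show which
REM changes on the live system (timestamps, new handles) were the responder's.
REM Redirection is placed first so a trailing digit in the text (e.g. PC1)
REM is not mistaken by cmd for a file-handle redirect.
>"%LOG%" echo Collection started %DATE% %TIME% by %USERDOMAIN%\%USERNAME% on %COMPUTERNAME%

REM Most volatile data first: network state and processes, then the rest.
call :run "netstat -ano"   netstat_ano.txt
call :run "tasklist /v"    tasklist_v.txt
call :run "tasklist /svc"  tasklist_svc.txt
call :run "ipconfig /all"  ipconfig_all.txt
call :run "net use"        net_use.txt
call :run "net session"    net_session.txt

>>"%LOG%" echo Collection finished %DATE% %TIME%
endlocal
goto :eof

:run
REM %~1 = command line to execute, %2 = output file name inside OUTDIR
>>"%LOG%" echo %DATE% %TIME% running: %~1
%~1 > "%OUTDIR%\%2" 2>&1
>>"%LOG%" echo   exit code %ERRORLEVEL%, output file: %2
goto :eof
```

Each command's exit code and output file are logged, so the collection log doubles as a record of exactly which tools touched the live system and in what order.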
I'm mainly interested in Windows operating systems and in capturing information that is potentially lost when pulling the plug.
anitajshah,
There are a couple of ways to go about this…one that I recommend is to use the Forensic Server Project (FSP):
If you have any questions, please drop me a line.
H. Carvey
"Windows Forensics and Incident Recovery"
Encase Enterprise Edition and the Field Intelligence module both have these features.
anitajshah,
Have any of the suggestions been helpful?
H. Carvey
"Windows Forensics and Incident Recovery"
Thanks for all your suggestions. I have been able to retrieve useful information from
I've also received tips on using tools like pslist and netstat.
I am really looking for retrieving volatile information from standalone machines. Stuff that would be lost by yanking the plug. So any other suggestions would be appreciated.
Thanks in advance.
I am really looking for retrieving volatile information from standalone machines.
Well, that's what the FSP was designed for. If you have any questions, drop me a line…keydet89 at yahoo dot com
H. Carvey
"Windows Forensics and Incident Recovery"