mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 10:03:42 +03:00
3.9 KiB
3.9 KiB
Volatile Evidence Collection - Detailed Workflow
Order of Volatility Collection Sequence
Priority 1: Memory (Most Volatile) - Collect First
- Connect forensic USB with memory acquisition tool
- Run memory dump tool from USB (NOT from compromised disk)
- Save memory image to external storage
- Record start time, end time, and memory size
- Generate SHA256 hash of memory image immediately
- Document any errors during acquisition
Priority 2: Network State
- Capture all active TCP/UDP connections with process IDs
- Capture ARP cache (maps IP to MAC addresses)
- Capture DNS resolver cache
- Capture routing table
- Capture active firewall rules
- Capture listening ports and associated processes
- Hash all network evidence files
Priority 3: Running Processes
- List all processes with full command lines
- List parent-child process relationships (process tree)
- List all loaded modules/DLLs per process
- List all open file handles per process
- List process network connections per PID
- Capture process creation timestamps
- Hash all process evidence files
Priority 4: User Sessions
- List all currently logged-in users
- List active remote sessions (RDP, SSH, SMB)
- List mapped network drives
- Capture recent authentication events
- List active tokens and session keys (if accessible)
Priority 5: System Configuration
- Capture system time and UTC offset
- Export autostart/persistence locations (Registry Run keys, crontab)
- List all services and their states
- Capture environment variables
- List installed software
- Export relevant event log entries
Priority 6: Temporary/Cache Data
- Capture browser history and cache (if relevant)
- Capture clipboard contents (if accessible)
- Capture temp directory contents
- Capture recent file lists
- Capture prefetch files (Windows)
Platform-Specific Collection Procedures
Windows Collection Checklist
[ ] Memory: WinPmem/Magnet RAM Capture
[ ] Processes: tasklist /V, wmic process, Get-Process
[ ] Network: netstat -anob, Get-NetTCPConnection
[ ] Users: query user, net session
[ ] Registry: Run keys, Services, Startup
[ ] Services: sc queryex, Get-Service
[ ] Scheduled Tasks: schtasks /query
[ ] DNS Cache: ipconfig /displaydns
[ ] ARP: arp -a
[ ] Firewall: netsh advfirewall
[ ] Event Logs: wevtutil (Security, System, Application)
[ ] Prefetch: %SystemRoot%\Prefetch\*
[ ] Time: w32tm /query /status
Linux Collection Checklist
[ ] Memory: LiME kernel module or /proc/kcore
[ ] Processes: ps auxwwf, /proc/*/cmdline, /proc/*/maps
[ ] Network: ss -tulnp, /proc/net/tcp, /proc/net/udp
[ ] Users: who, w, last
[ ] Cron: crontab -l, /etc/cron.*
[ ] Services: systemctl list-units
[ ] DNS: systemd-resolve, /etc/resolv.conf
[ ] ARP: ip neigh
[ ] Firewall: iptables -L -n -v, nftables
[ ] Logs: /var/log/auth.log, /var/log/syslog
[ ] Open Files: lsof
[ ] Time: timedatectl
[ ] Loaded Modules: lsmod
Evidence Integrity Procedures
Hashing Protocol
- Hash EVERY collected file immediately after creation
- Use SHA256 (minimum) - SHA512 preferred for legal cases
- Store hash manifest in separate file
- Verify hashes before and after any transfer
- Include hash in chain of custody documentation
Chain of Custody Requirements
- Record who collected each evidence item
- Record exact time of collection (UTC)
- Record collection method and tool version
- Record any transfer of evidence
- Record storage location and access controls
- Record any analysis performed on copies (never originals)
Common Pitfalls to Avoid
- Running tools from the compromised system's disk
- Forgetting to hash evidence immediately
- Not recording system time offset from UTC
- Installing collection tools on the compromised system
- Rebooting the system before memory collection
- Modifying file timestamps by browsing the filesystem
- Not documenting collection steps in real-time
- Collecting evidence without proper authorization