**Situation & goal** You have 90 minutes with one analyst and a 2TB laptop suspected of data exfiltration. Priority: preserve volatile state (RAM, network, active sessions), collect high-value artifacts quickly, then acquire non‑volatile images/hashes. Minimize writes and avoid reboot.**Immediate preserve & containment (first 2–5 minutes)**- Photograph laptop state (powered on, screens, external devices). Note time, user presence, power source, network connection.- Isolate from network without powering off: prefer unplugging Ethernet and disabling Wi‑Fi via OS UI if possible; place in airplane mode or use a hardware network disconnect. If regulatory/policy requires, place in a Faraday bag after live collection.- Assign evidence tag and start chain-of-custody log.**Volatile collection (minutes 5–25) — capture first**- Memory image (primary): use trusted, signed tool from write-protected media. - Example tools: DumpIt, Belkasoft Live RAM capture, Magnet RAM Capture, FTK Imager (live).bash
# example (Windows) using DumpIt (run from external USB)
DumpIt.exe
- Running processes, services, and process network connections:powershell
tasklist /V
netstat -ano -p tcp
Get-Process | Sort CPU
- Open files, handles, loaded modules:powershell
handle.exe -accepteula > handles.txt # Sysinternals
- Network connections and route table, DNS cache:powershell
netstat -abno
ipconfig /all
route print
ipconfig /displaydns
- Logged‑on users, sessions, and clipboard:powershell
query user
whoami /all
powershell -command "Get-Clipboard" > clipboard.txt
- Browser sessions and open tabs (use browser-specific live export or copies of profile files), email client state, cloud sync clients (OneDrive/Dropbox status).- Mounts and attached devices, USB history:powershell
wmic logicaldisk get name,description
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
- Scheduled tasks, autoruns, network shares:powershell
schtasks /query /fo LIST /v
autorunsc.exe -accepteula > autoruns.txt
Record hashes and timestamps of any collected volatile files immediately.**Non‑volatile collection (minutes 25–80)**- Acquire forensic disk image after volatile capture. If time is limited, create a block device clone to external write-blocked media or create E01 with FTK Imager: - Prefer a physical image (dd, ddrescue, FTK Imager) with SHA256/SHA1.- Collect key artifacts pre-image if full image delayed: registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT), event logs, Prefetch, MFT, $LogFile, pagefile, swapfile, shadow copies, browser profile folders, Downloads, Desktop, Documents, and cloud sync folders.powershell
wevtutil epl Application Application.evtx
xcopy /E /I "C:\Users\username\AppData\Local\Google\Chrome\User Data" D:\artifact\chrome\
- Acquire Volume Shadow Copies (vssadmin list shadows) or use vssadmin to expose.- Compute hashes of original disk/device and of images. Log tool versions and command output.**Preservation & evidence integrity**- Do not reboot the system. Use signed, validated tools from external media.- Use write-blockers for physical disk acquisition. For live collections, minimize writes; document any expected writes.- Record MD5/SHA1/SHA256 for each artifact and image immediately after capture.- Maintain chain-of-custody: who handled, when, why, where stored, media serial numbers.**Documentation during process**- Maintain a running triage log: timestamps (UTC), commands run, tool name/version, operator, IP/network status, file paths collected, hashes, screenshots of desktop and important application windows.- Capture console outputs to files; include hashes of those logs.- Use a standardized checklist/template and initial incident summary for handoff.**Minimize disruption guidance**- Prefer read-only collection and non-invasive commands. Use memory capture first to avoid losing in‑RAM artifacts.- If uncertain, capture an additional RAM image and logs before deeper probing.- When possible, perform deeper analysis on a forensic workstation using copies, not the original.**Example prioritized checklist (short)**1. Photograph & isolate → start chain-of-custody 2. Memory image (DumpIt/Belkasoft) + hash 3. netstat, ipconfig, running processes, open files, clipboard, logged-on users 4. Browser profiles, cloud sync status, USB/drive mounts 5. Event logs, registry hives, Prefetch, MFT, VSCs 6. Full disk image (write-blocked) + hashes 7. Document everything, package evidence, handoffThis plan preserves the highest-value volatile evidence first, creates verifiable artifacts for court, and limits contamination while enabling follow-up forensic analysis.