collecting-volatile-evidence-from-compromised-host

# Collecting Volatile Evidence from Compromised Hosts ## When to Use - Security incident confirmed and compromised host identified - Before system isolation, shutdown, or remediation begins - Memory-resident malware suspected (fileless attacks) - Need to capture network connections, running processes, and system state - Legal proceedings may require forensic evidence preservation - Incident requires root cause analysis with volatile data ## Prerequisites - Forensic collection toolkit on USB or network share (trusted tools) - WinPmem/LiME for memory acquisition - Write-blocker or forensic workstation for disk imaging - Chain of custody documentation forms - Secure evidence storage with integrity verification - Authorization to collect evidence (legal/HR approval for insider cases) ## Workflow ### Step 1: Prepare Collection Environment ```bash # Mount forensic USB toolkit (do NOT install tools on compromised system) # Verify toolkit integrity sha256sum /mnt/forensic_usb/tools/* > /tmp/toolkit_hashes.txt diff /mnt/forensic_usb/tools/known_good_hashes.txt /tmp/toolkit_hashes.txt # Create evidence output directory with timestamps EVIDENCE_DIR="/mnt/evidence/$(hostname)_$(date +%Y%m%d_%H%M%S)" mkdir -p "$EVIDENCE_DIR" echo "Collection started: $(date -u)" > "$EVIDENCE_DIR/collection_log.txt" echo "Collector: $(whoami)" >> "$EVIDENCE_DIR/collection_log.txt" echo "System: $(hostname)" >> "$EVIDENCE_DIR/collection_log.txt" ``` ### Step 2: Capture System Memory (Highest Volatilit...