So what are the basics? What do I need for the bare minimum for response operations? (w/ a focus on Windows systems)
Below is a list of the items I like to collect for response operations: (your mileage may vary)
- $MFT- Master File Table for later parsing/analysis
- Prefetch files
- ntuser.dat(s) - just grab em all...
- AutoRuns - reg entries/startup folders/services/etc.
- Network info - ipconfig/netstat - dnscache - hosts file
- Event Logs - OS logs - AV logs - other app logs (if applicable)
- Scheduled Tasks
- Loaded DLLs
- Memory Dumps** If possible I like to capture the running memory from the system if space and time allows. A lot of good stuff can be pulled out of running memory if you want to learn about the malware/attack more. Will go deeper into this topic in a later post.
BTW, you can get this information easily utilizing some scripting and free tools. I'll cover those tools (free & not free) in another blog post.
