3 Live Analysis
INFORMATION IN THIS CHAPTER:
File metadata
Timelines
User command history
Log file analysis
Hashing
Dumping RAM
Automation with scripting
THERE WAS AN INCIDENT: NOW WHAT?
Based on interviews with the client and limited live response, you are convinced there has been an incident. Now what? Now it is time to delve deeper into the subject system before deciding whether it must be shut down for dead analysis. The investigation has now moved into the next box, as shown in Figure 3.1.