
© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Difficulty: intermediate

Endpoint Forensics Collection

Procedures for forensic evidence collection from Windows and Linux endpoints.

2-4 hours per system · 5 steps · 11 checklist items

Summary

Guide for collecting forensic artifacts from endpoints while maintaining evidence integrity.

Step-by-Step Procedure

1. Preparation

Prepare for forensic collection.

Actions

  • Gather forensic tools and storage media
  • Verify chain of custody procedures
  • Document initial system state
  • Plan collection order of volatility

Tools

  • KAPE
  • Velociraptor
  • FTK Imager
  • Forensic workstation

2. Volatile Data Collection

Collect volatile data first.

Actions

  • Capture system memory
  • Document running processes
  • Capture network connections
  • Document logged-in users

3. Non-Volatile Collection

Collect persistent artifacts.

Actions

  • Collect event logs
  • Capture registry hives
  • Collect browser artifacts
  • Capture prefetch/superfetch data
  • Collect scheduled tasks
  • Capture startup items

4. Full Disk Imaging

Create forensic disk image if needed.

Actions

  • Use write blocker if collecting from live system
  • Create forensic image (E01 or dd)
  • Hash original and image
  • Verify image integrity

5. Documentation

Document collection activities.

Actions

  • Complete chain of custody form
  • Document all tools and versions used
  • Record collection timeline
  • Store evidence securely
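Steps 4 and 5 above, as an added shell example that is not part of this playbook: acquire a raw image with dd, hash source and image, verify they match, and append every action (tool version included) to a timestamped collection log. The source is a constructed 1 MiB sample file standing in for a block device; the temp-directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the playbook): dd-based acquisition, hashing of
# source and image, integrity check, and a timestamped collection log.
# SRC/IMG/LOG paths are constructed sample values.
set -eu

# Hash a file with SHA-256; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append a UTC-timestamped entry to the collection log (chain-of-custody record).
log_event() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# Bit-for-bit copy. bs=512 matches the sector size so conv=sync padding after a
# short read never changes the image length; conv=noerror keeps going past bad
# sectors instead of aborting the acquisition.
acquire_image() {
    src="$1"; img="$2"
    ddver=$(dd --version 2>/dev/null | head -n1) || ddver="dd (version unknown)"
    log_event "acquire start src=$src img=$img tool=\"$ddver\""
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    log_event "acquire end img=$img"
}

# Compare source and image hashes; returns 0 on match, 1 on mismatch.
verify_image() {
    src_hash=$(hash_file "$1"); img_hash=$(hash_file "$2")
    log_event "hash src=$1 sha256=$src_hash"
    log_event "hash img=$2 sha256=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_event "verify OK"; return 0
    fi
    log_event "verify FAILED"; return 1
}

# Constructed sample: a 1 MiB pseudo-"device" file standing in for /dev/sdX.
WORK=$(mktemp -d)
SRC="$WORK/sdX.sample"; IMG="$WORK/sdX.dd"; LOG="$WORK/collection.log"
dd if=/dev/urandom of="$SRC" bs=512 count=2048 2>/dev/null
acquire_image "$SRC" "$IMG"
verify_image "$SRC" "$IMG" && echo "image verified"
cat "$LOG"
```

On a real acquisition the source is the block device behind a write blocker and the log file lives on the collection media, not on the evidence disk.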

Completion Checklist

  • Collection authorized
  • Tools prepared and validated
  • Volatile data collected first
  • Memory captured
  • Event logs collected
  • Registry collected
  • Browser artifacts collected
  • Full disk imaged (if needed)
  • Hashes verified
  • Chain of custody documented
  • Evidence stored securely

Evidence to Collect

  • Memory dump
  • Event logs
  • Registry hives
  • Browser artifacts
  • Disk image (if applicable)
  • Hash values
  • Chain of custody forms