Fundamental Computer Investigation Guide For Windows

Microsoft published their “Fundamental Computer Investigation Guide For Windows”. The paper discusses processes and tools for use in internal computer investigations of Windows systems.

You can find the guide here.

The table of contents of the document (page numbers refer to the guide):

Overview (p. 1)

  • Computer Investigation Model (p. 1)
  • Initial Decision-Making Process (p. 2)
  • Chapter Summary (p. 3)
  • Audience (p. 3)
  • Caveats and Disclaimers (p. 3)
  • References and Credits (p. 4)
  • Style Conventions (p. 4)
  • Support and Feedback (p. 4)

Chapter 1: Assess the Situation (p. 5)

  • Notify Decision Makers and Acquire Authorization (p. 5)
  • Review Policies and Laws (p. 6)
  • Identify Investigation Team Members (p. 7)
  • Conduct a Thorough Assessment (p. 7)
  • Prepare for Evidence Acquisition (p. 9)

Chapter 2: Acquire the Data (p. 11)

  • Build a Computer Investigation Toolkit (p. 11)
  • Collect the Data (p. 11)
  • Store and Archive (p. 13)

Chapter 3: Analyze the Data (p. 15)

  • Analyze Network Data (p. 15)
  • Analyze Host Data (p. 16)
  • Analyze Storage Media (p. 16)

Chapter 4: Report the Investigation (p. 19)

  • Gather and Organize Information (p. 19)
  • Write the Report (p. 20)

Chapter 5: Applied Scenario Example (p. 23)

  • Scenario (p. 23)
  • Assess the Situation (p. 24)
  • Acquire Evidence of Confidential Data Access (p. 25)
  • Remote Evidence Collection (p. 28)
  • Local Evidence Collection (p. 30)
  • Analyze Collected Evidence (p. 33)
  • Report the Evidence (p. 36)
  • Applied Scenario Lab Configuration (p. 37)
    • Deploy Computers and Create Domain (p. 37)
    • Create Users and Groups (p. 37)
    • Create Folders and Files (p. 38)
    • Assign Sharing and Permissions (p. 39)
    • Configure Auditing (p. 39)

Appendix: Resources (p. 41)

  • Preparing Your Organization for a Computer Investigation (p. 41)
  • Worksheets and Samples (p. 42)
  • Reporting Computer-Related Crimes (p. 42)
    • Local Law Enforcement Agencies (p. 43)
  • Training (p. 45)
  • Tools (p. 45)
    • Windows Sysinternals Tools (p. 46)
    • Windows Tools (p. 49)

Acknowledgments (p. 53)

Index (p. 55)