All SkillsGet Started Free
Collecting Volatile Evidence From Compromised Host
Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, network connections, processes, and system state before they are lost.
MCP get_skill({ skillId: "collecting-volatile-evidence-from-compromised-host-b956ecbe" })Use this skill with your agent
Create a free account and connect via MCP
# Collecting Volatile Evidence from Compromised Hosts ## When to Use - Security incident confirmed and compromised host identified - Before system isolation, shutdown, or remediation begins - Memory-resident malware suspected (fileless attacks) - Need to capture network connections, running processes, and system state - Legal proceedings may require forensic evidence preservation - Incident requires root cause analysis with volatile data ## Prerequisites - Forensic collection toolkit on USB or network share (trusted tools) - WinPmem/LiME for memory acquisition - Write-blocker or forensic workstation for disk imaging - Chain of custody documentation forms - Secure evidence storage with integrity verification - Authorization to collect evidence (legal/HR approval for insider cases) ## Workflow ### Step 1: Prepare Collection Environment ```bash # Mount forensic USB toolkit (do NOT install tools on compromised system) # Verify toolkit integrity sha256sum /mnt/forensic_usb/tools/* > /tmp/toolkit_hashes.txt diff /mnt/forensic_usb/tools/known_good_hashes.txt /tmp/toolkit_hashes.txt # Create evidence output directory with timestamps EVIDENCE_DIR="/mnt/evidence/$(hostname)_$(date +%Y%m%d_%H%M%S)" mkdir -p "$EVIDENCE_DIR" echo "Collection started: $(date -u)" > "$EVIDENCE_DIR/collection_log.txt" echo "Collector: $(whoami)" >> "$EVIDENCE_DIR/collection_log.txt" echo "System: $(hostname)" >> "$EVIDENCE_DIR/collection_log.txt" ``` ### Step 2: Capture System Memory (Highest Volatility) ```bash # Windows - WinPmem memory acquisition winpmem_mini_x64.exe "$EVIDENCE_DIR\memdump_$(hostname).raw" # Linux - LiME kernel module for memory acquisition insmod /mnt/forensic_usb/lime.ko "path=$EVIDENCE_DIR/memdump_$(hostname).lime format=lime" # Linux - Alternative using /proc/kcore dd if=/proc/kcore of="$EVIDENCE_DIR/kcore_dump.raw" bs=1M # macOS - osxpmem osxpmem -o "$EVIDENCE_DIR/memdump_$(hostname).aff4" # Hash the memory dump immediately
#mukul-cybersecurity-skills#security#cybersecurity#forensics