Case Overview
Recent Collection Jobs
Job ID | Target System | Scope | Status
---|---|---|---
JOB-2023-567 | SRV-DB-01 (192.168.1.45) | Memory, Logs, Registry | Completed
JOB-2023-568 | WS-JDOE-07 (192.168.1.78) | Full disk image | In Progress
JOB-2023-569 | FW-MAIN (192.168.1.1) | Network captures, Logs | Pending
New Evidence Collection
Select all systems requiring forensic collection.
- Capture volatile memory for analysis of running processes
- Create a forensic copy of storage media (bit-for-bit)
- Collect event logs, application logs, and system logs
- PCAP files and network connection information
- System and user registry hives for configuration analysis
- History, cookies, downloads and cache from web browsers
- Define the timeframe for evidence collection (UTC)
- Collect system state information from before the incident for comparison
Credentials will be encrypted with AES-256 and access-controlled.
Collection Summary
Target Systems
- SRV-DB-01 (192.168.1.45)
- WS-JDOE-07 (192.168.1.78)
- FW-MAIN (192.168.1.1)
Evidence Types
- Memory Dump
- System Logs
- Network Captures
- Registry Hives
Timeframe
2023-06-15 14:30 UTC to 2023-06-16 08:45 UTC
+7 days pre-incident baseline
Authentication
Domain Administrator (admin@corp.local)
Credentials will be stored securely
Incident Timeline
- Initial Compromise: Spear phishing email delivered to jdoe@corp.local with a malicious attachment
- Malware Execution: Malicious payload executed, establishing a C2 connection to 185.143.223.67
- Lateral Movement: RDP connection established from WS-JDOE-07 to SRV-DB-01 using compromised credentials
- Data Exfiltration: Large volume of database records transferred to an external IP via an encrypted channel
- Containment Initiated: Security team isolated affected systems and began forensic collection