Evidence gathering in Windows

The guide offers both a global view of the process, explaining what it consists of, what it is for, the phases that make it up, the methods used to carry it out, etc., and a specific view of how evidence is obtained. Although the guide gives an initial overview of digital forensic analysis, it is important to keep in mind that it focuses mainly on the evidence-gathering phase, which is its objective.
The target audience of this document is professionals from the IT sector (IT support technicians, system administrators, network administrators, malware analysts, etc.) who have computing knowledge but are not familiar with the digital forensic analysis process and might have to face an incident that requires applying one of these processes.
The document aims to be a practical guide with the steps to follow when an incident arises that requires gathering the evidence needed for a subsequent analysis leading to a resolution of the incident itself. That subsequent analysis is beyond the scope of this document.
It focuses on incidents related to data exfiltration, fraud, malware, unauthorized access, inappropriate use of resources, intellectual property or denial of service. There are other types of incidents, mainly related to child pornography, justification of acts of terrorism, extortion (this group includes cyber harassment, cyberbullying, grooming, sexting or violations of privacy), etc., which must be passed on to the appropriate authorities so that they can start an investigation and take the measures they deem appropriate. These kinds of incidents are beyond the scope of the document.