The alert fires: a suspicious PowerShell process spawned from a Word document on a finance team workstation. Your SOC escalates it to you. Everything you do next—every command you execute, every artifact you collect, every decision about isolation timing—either builds an airtight forensic timeline or lets the attacker's footprints evaporate. After leading dozens of endpoint investigations across enterprise environments, I've learned that methodology beats improvisation every single time.
The Golden Rule: Volatile First, Disk Second
Forensic evidence has a shelf life. RAM contents vanish on reboot. Network connections close. Process trees terminate. The order of volatility isn't academic theory—it's the difference between catching a C2 beacon in memory and staring at a clean disk image wondering what happened.
Before touching anything, document the endpoint's current state. A screenshot of the desktop, the logged-in user, and the system time costs you ten seconds and has saved me from "he said, she said" disputes with HR and legal more times than I can count.
Phase 1: Live Triage and Volatile Data Collection
On a Windows endpoint, start by capturing running processes, network connections, and loaded DLLs before isolation disrupts active connections:
# Capture running processes with full command lines
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine, ParentProcessId, CreationDate | Export-Csv C:\IR\processes.csv -NoTypeInformation
# Active network connections mapped to owning processes
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, CreationTime | Export-Csv C:\IR\netconnections.csv -NoTypeInformation
# Scheduled tasks (persistence mechanism of choice for modern attackers)
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | Export-Csv C:\IR\scheduledtasks.csv -NoTypeInformationFor memory acquisition, I rely on WinPmem or Magnet RAM Capture before network isolation. A full RAM dump from a 32 GB workstation takes roughly five minutes and preserves injected code, encryption keys, and clipboard contents that disk forensics will never recover.
# Using winpmem to acquire memory
winpmem_mini_x64.exe C:\IR\memory_dump.rawPhase 2: Artifact Collection and Timeline Construction
Once volatile data is secured, pivot to persistent artifacts. The Windows event logs, prefetch files, NTFS artifacts, and registry hives tell the story of how and when the attacker operated.
# Extract recent Security log events (logon events, privilege escalation)
Get-WinEvent -LogName Security -MaxEvents 5000 | Where-Object {$_.Id -in @(4624,4625,4672,4688,4698,4720)} | Export-Csv C:\IR\security_events.csv -NoTypeInformation
# Collect Amcache for execution history
Copy-Item "C:\Windows\AppCompat\Programs\Amcache.hve" "C:\IR\Amcache.hve" -Force
# Parse prefetch for evidence of execution
Get-ChildItem C:\Windows\Prefetch\*.pf | Select-Object Name, CreationTime, LastWriteTime | Sort-Object LastWriteTime -Descending | Export-Csv C:\IR\prefetch.csv -NoTypeInformationI build timelines using Eric Zimmerman's tools—specifically MFTECmd.exe for parsing the Master File Table and PECmd.exe for prefetch analysis. Feeding these into Timeline Explorer gives you a chronological, sortable view of every file creation, execution, and modification event.
Phase 3: Correlation and Scoping
A single compromised endpoint is rarely the full story. Cross-reference indicators you've extracted—IP addresses, file hashes, unusual service accounts—against your SIEM and EDR telemetry across the entire environment.
# Quick IOC sweep across endpoints using Velociraptor
velociraptor query "SELECT * FROM hunt_results() WHERE TargetHash = 'a1b2c3d4...'"Tools like Velociraptor or CrowdStrike RTR let you hunt across thousands of endpoints simultaneously, turning a single-host investigation into an enterprise-wide sweep.
Closing the Loop: Documentation That Survives Scrutiny
Every investigation should produce a forensic report containing the chain of custody, tools used (with versions), hash values of acquired evidence, and a clear timeline narrative. I maintain a standardized template that maps findings to MITRE ATT&CK techniques, which gives leadership actionable context and feeds directly into detection engineering improvements.
Forensics isn't about heroics—it's about repeatable, defensible methodology executed under pressure. Build your runbooks before the 2 AM alert, and the investigation runs itself.
Have questions about endpoint forensics and incident investigation? I'm always happy to talk shop — reach out or connect with me on LinkedIn.