Fundamental Computer Investigation Guide for Windows


Download this Solution Accelerator

Click here to get the Fundamental Computer Investigation Guide for Windows from the Microsoft Download Center

About This Solution Accelerator

The Fundamental Computer Investigation Guide for Windows discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well as commonly available Windows commands and tools.

Included in the Download

Fundamental Computer Investigation Guide for Windows.zip

This WinZip archive extracts to the location on the computer that you specify. It contains the following files:

  • Fundamental Computer Investigation Guide for Windows.doc. This document provides guidance for conducting internal computer investigations.
  • Computer Investigation Guide Template. A top-level folder from which you can access the following computer investigation templates:
    • Sample - Internal Investigation Report.doc. A sample report that shows the type of information that should be included in such a report.
    • Worksheet - Chain of Custody Log Documentation.doc. A worksheet that can help you track evidence during your computer investigation.
    • Worksheet - Impact Analysis.doc. A worksheet that can help you determine the impact of a security incident.

In More Detail

Internet connectivity and technological advances expose computers and computer networks to criminal activities such as unauthorized intrusion, financial fraud, and identity and intellectual property theft. Computers can be used to launch attacks against computer networks and destroy data. E-mail can be used to harass people, transmit sexually explicit images, and conduct other malicious activities. Such activities expose organizations to ethical, legal, and financial risks and often require them to conduct internal computer investigations.

Some of the policies and procedures invoked in investigations that result from computer security incidents might also exist in disaster recovery plans. Although such plans are beyond the scope of this guide, it is important for organizations to establish procedures that can be used in emergency and disaster situations. Organizations should also identify and manage security risks wherever possible. For more information, see the Security Risk Management Guide.

The Fundamental Computer Investigation Guide for Windows comprises five chapters and an appendix, which are briefly described in the following list. The first four chapters cover the four phases of the internal investigation process:

  • Chapter 1: Assess the Situation explains how to conduct a thorough assessment of the situation and prepare for the internal investigation.
  • Chapter 2: Acquire the Data provides guidance about how to gather digital evidence.
  • Chapter 3: Analyze the Data examines standard techniques of evidence analysis.
  • Chapter 4: Report the Investigation explains how to write the investigation outcome report.
  • Chapter 5: Applied Scenario Example describes a fictional scenario that depicts unauthorized access to confidential information.
  • Appendix: Resources includes information about how to prepare for a computer investigation, contact information for reporting computer-related crimes and obtaining computer investigation training, worksheets that can be used in computer investigations, and lists of certain computer investigation tools.

Related Resources

See the following resources on the Microsoft Web site for more information about this and other Solution Accelerators:

Community and Feedback

  • Want to know what’s coming up next? Check out our Security Guidance Blog.
  • E-mail your feedback to the following address: SecWish@microsoft.com
  • If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment
  • Operations & Management
