In order to perform a forensic analysis you need access to several forensic tools. It is best to become familiar with them before the incident to ensure that you don't make any irrecoverable mistakes.
Network Analysis/Capture
- Netcat
- Netstat
- Nbtstat
- Sysinternals
- Wireshark
- NetworkMiner
- Argus/RA
- tcpdump
- WinDump
- tcpdstat
- winhash
- SHA-1
Hard Drive Analysis/Capture
- uname -a
- cat /proc/version
- hostname
- ifconfig
- date
- netstat -aunt
- netstat -tulnp
- w
- netstat -rn
- route
- ps aux
- service --status-all
- ps -Al
- crontab
- lsof
- lsmod
- gcore
- dd
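The Linux command list above is a live-response collection order: most volatile data first, with each result hashed so it can later be shown unchanged. The following collector script is an added example, not part of the original page; the output directory layout, the manifest format and the use of `crontab -l` (the non-interactive form) are this example's own choices, and `gcore`/`dd` are left out because they need a target PID or device.

```shell
#!/bin/sh
# Runs the volatile-data commands from the list above in order, saves each
# output to its own file and records a SHA-1 per file in a manifest.
# Output layout and manifest format are assumptions of this example.

hash_file() {
    # sha1sum on Linux, shasum on BSD/macOS; print only the digest.
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.txt"
    : > "$manifest"
    # Same order as the page: identity, network state, processes, persistence.
    cmds="uname -a|cat /proc/version|hostname|ifconfig|date|netstat -aunt|netstat -tulnp|w|netstat -rn|route|ps aux|service --status-all|ps -Al|crontab -l|lsof|lsmod"
    n=0
    echo "$cmds" | tr '|' '\n' | while IFS= read -r cmd; do
        n=$((n + 1))
        bin=${cmd%% *}
        # Record missing tools instead of aborting; the gap itself is evidence.
        command -v "$bin" >/dev/null 2>&1 || { echo "SKIP $cmd" >> "$manifest"; continue; }
        file="$outdir/$(printf '%02d' "$n")_$(echo "$cmd" | tr ' /' '__').txt"
        # stdin from /dev/null so no tool can consume the remaining command list.
        $cmd </dev/null > "$file" 2>&1 || true
        echo "OK $cmd $(hash_file "$file") $file" >> "$manifest"
    done
    echo "$manifest"
}

# Usage: collect_volatile /mnt/evidence/host01   (writes files plus manifest.txt)
```

Write the output to removable or network storage, never to the suspect disk, so the collection does not overwrite deleted data that a later disk image may need.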
Tips
Find a variety of tools that you like, and learn them well enough that you understand when to use each one and why.