# Live Data Collection

## Fast IR Collection

### Redline

1. Install Redline on your system and launch the tool.
2. Click the option **Create Comprehensive Collector**. Then browse to the location where you would like to save the collector (preferably a USB stick or an external hard drive).
3. Before you save the collector, you can view and tweak the collection parameters by clicking the **Edit Your Script** link.
4. On the target system, use Windows Explorer to browse to that directory and double-click the file named **RunRedlineAudit.bat**.

### KAPE

#### Update

Update KAPE by running the `Get-KAPEUpdate.ps1` PowerShell script from an administrator command prompt:

```
powershell -ep Bypass .\Get-KAPEUpdate.ps1
```

![](/files/-MVp6IUvpZfAe8gNgfaD)

Manually replace the Targets and Modules folders with the ones inside KapeFiles-master.

![](/files/-MVpGbCuXE__XM0AKihs)

In order to run the Modules, place all the executables they depend on under `KAPE\Modules\bin`.

![](/files/-MVt_LqDBAJCrlwI-Suc)

Note: `KAPE\Modules\bin\regripper` should contain `p2x5124.dll`.

![](/files/-MVtpf9Px39_zfK43lD2)

Note: `KAPE\Modules\bin\tln_tools` should contain

![](/files/-MVtpXZ9xkwOamI7uCGd)

Run different Targets to collect different items.

KAPE also provides a GUI (`gkape.exe`).
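As an added example (not from the original page or from the KAPE project), the following PowerShell invocation runs one Target and one Module from the command line, as the text describes. It assumes KAPE is extracted to `D:\KAPE`, the Targets and Modules folders were updated from KapeFiles-master as above, the Modules\bin executables are in place, and `E:` is the external collection drive; the Target and Module names used are compound definitions shipped with KapeFiles.

```powershell
# Added example: command-line KAPE collection (hypothetical paths, labelled above).
$kape     = 'D:\KAPE\kape.exe'
$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
$tdest    = "E:\kape\$hostName\$stamp\targets"   # raw files copied by the Target
$mdest    = "E:\kape\$hostName\$stamp\modules"   # parsed output produced by the Module

# Target phase: --tsource is the volume to collect from, --target names the
# .tkape definition, --zip packages the collected files under the given base name.
& $kape --tsource C: --tdest $tdest --target '!BasicCollection' --zip $hostName

# Module phase: point --msource at the Target output so the Module runs against
# the collected copies rather than the live volume.
& $kape --msource $tdest --mdest $mdest --module '!EZParser'

# Record a checksum for every artifact so the collection can later be verified.
$files = Get-ChildItem -Path "E:\kape\$hostName\$stamp" -Recurse -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path "E:\kape\$hostName\$stamp\manifest_sha256.csv" -NoTypeInformation
```

Running the Module phase against `$tdest` rather than `C:` keeps the live system untouched after the Target copy and makes the parsed results reproducible from the archived collection.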

### bulk\_extractor

## Traditional Method of Collection

### Windows

Below is the list of information to collect during a live response on a Windows PC.

| Data to be collected                                                                                     | Command / Tool                      |
| -------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| System date and time                                                                                     | `date` and `time`                   |
| Time zone / Installed software / General system information / OS version / Uptime / File system information | `systeminfo`                        |
| User accounts                                                                                            | `net user`                          |
| Groups                                                                                                   | `net group`                         |
| Network interfaces                                                                                       | `ipconfig /all`                     |
| Routing table                                                                                            | `route print`                       |
| ARP table                                                                                                | `arp -a`                            |
| DNS cache                                                                                                | `ipconfig /displaydns`              |
| Network connections                                                                                      | `netstat -abn`                      |
| List of services and tasks                                                                               | Microsoft autoruns                  |
| Loaded drivers                                                                                           | NirSoft DriverView                  |
| Open files and handles                                                                                   | NirSoft OpenedFilesView             |
| Running processes                                                                                        | Microsoft pslist                    |
| Registry (config data)                                                                                   | Microsoft logparser                 |
| Event logs (login history)                                                                               | Microsoft logparser                 |
| File system listing                                                                                      | Microsoft logparser                 |
| LR output checksum computation                                                                           | PC-Tools.net md5sums or hashutils   |
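The table above is a checklist; an added example (not part of the original page) of turning it into a repeatable collection is the PowerShell script below. It runs the built-in commands from the table in volatility order, writes each result to its own file, and finishes with the checksum step from the last row. It assumes an elevated PowerShell on the affected host and a writable `E:\LR` folder on an external drive; the optional Sysinternals tools are looked up in a hypothetical `E:\LR\tools` folder. One caveat reflected in the script: `net group` only works on a domain controller, so `net localgroup` is used for local group membership.

```powershell
# Added example: scripted live-response collection for Windows (paths are assumptions).
$outRoot = "E:\LR\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $outRoot -Force | Out-Null

# Volatile data (time, connections, processes) first; slower inventory commands later.
$steps = [ordered]@{
    '01_datetime'    = { Get-Date -Format 'o'; (Get-TimeZone).Id }   # non-interactive form of date/time
    '02_systeminfo'  = { systeminfo }
    '03_users'       = { net user }
    '04_localgroups' = { net localgroup }      # 'net group' is domain-controller only
    '05_ipconfig'    = { ipconfig /all }
    '06_routes'      = { route print }
    '07_arp'         = { arp -a }
    '08_dnscache'    = { ipconfig /displaydns }
    '09_netstat'     = { netstat -abno }       # -b needs elevation; -o adds the owning PID
    '10_processes'   = { tasklist /v }
    '11_services'    = { Get-Service | Sort-Object Status, Name | Format-Table -AutoSize | Out-String -Width 200 }
}

foreach ($name in $steps.Keys) {
    $file = Join-Path $outRoot "$name.txt"
    try {
        & $steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8
    } catch {
        "ERROR: $($_.Exception.Message)" | Out-File -FilePath $file -Encoding utf8
    }
}

# Third-party tools from the table, run only when present on the collection drive.
$tools = 'E:\LR\tools'
$autoruns = Join-Path $tools 'autorunsc.exe'
if (Test-Path $autoruns) {
    # -a * all entry types, -c CSV output, -h file hashes, -s signature verification
    & $autoruns -accepteula -a * -c -h -s 2>&1 |
        Out-File -FilePath (Join-Path $outRoot '12_autoruns.csv') -Encoding utf8
}
$pslist = Join-Path $tools 'pslist.exe'
if (Test-Path $pslist) {
    & $pslist -accepteula 2>&1 | Out-File -FilePath (Join-Path $outRoot '13_pslist.txt') -Encoding utf8
}

# Checksum every output file last; enumerate before writing so the manifest is not hashed itself.
$files = Get-ChildItem -Path $outRoot -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ Name = 'File'; Expression = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $outRoot 'manifest_sha256.csv') -NoTypeInformation
```

Each command writes to a separate file so a failure in one step (for example `netstat -b` without elevation) is recorded in that step's file and does not stop the rest of the collection; the manifest at the end gives the verifiable hashes the table's last row calls for.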

### Linux

Below is the list of information to collect during a live response on a Linux PC.
