that he has released a script called FirstOnScene which basically will
take a working forensic snapshot of a Windows system within 10 seconds.
Basically he has written a Visual Basic script wrapper around some of
the more common tools from guys like SysInternals and Foundstone. I
haven't actually tried it yet, but will definitely follow his progress
and see where this tool ends up. It sounds quite interesting.
I have something similar that I use, but it is based on a bootable live
CD. Why a separate bootable CD, you ask? Because Windows has a major
inherent problem from a forensic analysis point of view. By simply
running some of the standard auditing tools you trample on critical
evidence as it relates to cache, swap and data access. (This is an
issue with the OS, not the tools.) Timelines get tainted in an
unfortunate way if you do too much on a Windows system for too long after
you enter the system. Normally, unless I HAVE to get a map of volatile
memory, I just pull the plug, mirror the drive and work on the data on
an isolated forensic machine.
But that's just me.
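As an added illustration of the trampling point above (this is not FirstOnScene and not the live CD described in the post), the following Python snapshots file metadata before and after a simulated live triage and reports exactly what the triage itself changed; the evidence directory, its file names and the triage actions are constructed for the example:

```python
import os
import tempfile
from typing import Dict, Tuple

# Constructed example: snapshot MAC times before/after a simulated live triage.
Snapshot = Dict[str, Tuple[float, float, float, int]]  # atime, mtime, ctime, size

def snapshot(root: str) -> Snapshot:
    """Record timestamps and size for every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.stat(os.path.join(dirpath, name))
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            snap[rel] = (st.st_atime, st.st_mtime, st.st_ctime, st.st_size)
    return snap

def diff(before: Snapshot, after: Snapshot) -> Dict[str, str]:
    """Map each path to 'added', 'removed', or the comma-joined changed fields."""
    fields = ("atime", "mtime", "ctime", "size")
    changes: Dict[str, str] = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = "added"
        elif path not in after:
            changes[path] = "removed"
        else:
            changed = [f for f, x, y in zip(fields, before[path], after[path]) if x != y]
            if changed:
                changes[path] = ",".join(changed)
    return changes

def simulated_live_triage(root: str) -> None:
    """Mimic a live-response wrapper: read every file, then drop a report on the volume."""
    for name in os.listdir(root):
        with open(os.path.join(root, name), "rb") as fh:
            fh.read()
    with open(os.path.join(root, "triage_report.txt"), "w") as out:
        out.write("collected\n")

def demo() -> Dict[str, str]:
    """Build a constructed evidence tree, triage it live, and return what the triage changed."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "pagefile.bin"), "wb") as fh:
        fh.write(b"constructed swap contents")  # stands in for swap/cache data
    before = snapshot(root)
    simulated_live_triage(root)
    return diff(before, snapshot(root))
```

Whether the read shows up as an atime change depends on the platform (NTFS and noatime mounts may suppress last-access updates), but the report the triage wrote onto the evidence volume appears in the diff regardless.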