If you are following along at home, you will need to download the following:
– Wireshark: http://www.wireshark.org/download.html
– RegShot: http://sourceforge.net/projects/regshot/
You will also need something to capture the disk, process and memory images. I will be using Helix Pro, mainly because I have a copy. There are several other options available to do this.
You can get Helix Pro here: http://www.e-fense.com/helix3pro.php
The first order of business is to take a snapshot of the registry with RegShot. Next will be the raw disk image and the process / volatile data information using Helix. I have set up a receiving server and will be capturing the disk and memory over the network, then the PDF for the volatile data will be saved.