Skip to content
Log in

Pre-positioned agent

Definition

Lightweight endpoint software deployed across the organisation before any incident occurs. When an incident is declared, the IR team tasks agents remotely to collect memory dumps, process lists, registry snapshots, or log files without physical attendance. Examples include Velociraptor, OSQuery, and commercial EDR platforms.

Related terms

Forensic readiness
The organisational state in which people, processes, and technology are prepared to collect and preserve digital evidence with minimum disruption to business...
ISO/IEC 27037
An international standard providing guidelines for the identification, collection, acquisition, and preservation of digital evidence. Published by ISO in 2012. Used by...
Jump bag
A pre-packed kit containing the hardware and media required for immediate on-site forensic response: write-blockers, imaging drives, bootable USB, cables, evidence labels,...
Order of volatility
The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
Write blocker
A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...

Explained in

  • Forensic Readiness and Response ToolkitsLightweight endpoint software deployed across the organisation before any incident occurs. When an incident is declared, the IR team tasks agents remotely to c...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account