In many ways, this chapter just scratches the surface of what information can be found by leveraging disk forensic tools. Specific tools and techniques are largely dependent on the tool utilized. What is important to understand is that modern operating systems leave traces of their activity all over the disk, from file change evidence in the Master File Table to registry key settings when new user accounts are added.Incident response analysts should have expertise in understanding how modern operating systems store data and how to leverage commercial or freeware tools to find this data. Taken in concert with other pieces of evidence obtained from network sources and in memory, disk evidence may provide more clarity on an incident ...

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.