11 Analyzing System Storage

So far, the evidence that has been analyzed has focused on those elements that are obtained from the network traffic or the system’s memory. Even though an incident’s root cause may be ferreted out from these evidence sources, it is important to understand how to obtain evidentiary material from a system’s storage, whether that is removable storage such as USB devices or the larger connected disk drives. These containers carry a massive amount of data that may be leveraged by incident response analysts to determine a root cause. It should be noted that this chapter will only be able to scratch the surface as entire volumes have been devoted to the depth of forensic evidence that’s available.

To provide a better understanding ...

Get Digital Forensics and Incident Response - Third Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Digital Forensics and Incident Response - Third Edition by Gerard Johansen

11

Analyzing System Storage

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly