
Digital Forensics by André Årnes


5 Computer Forensics

Jeff Hamm

Mandiant, Mainz, Germany

Digital forensics at the system level requires the skills to both acquire and analyze data. This chapter provides information on collecting data in a forensically sound manner and on forensic analysis techniques. Sometimes data will need to be acquired “live”, and the collection techniques used will make changes to the system. In years past, digital forensics practitioners argued that changes should never be made to a system. Now that average users have access to modern encryption such as BitLocker, and with advances in memory collection and analysis techniques, it has become more common to collect live data – memory images in particular.

5.1 Introduction

After data has been collected successfully, analysis is required to develop accurate theories of the significance of the evidence. To do so, one must, as always, take detailed notes of the techniques used and data analyzed. This chapter cannot possibly cover all situations and artifacts. It should instead be thought of as an introduction to using sound methodology to analyze common artifacts.

Before getting into collection and analysis, a note on timestamps is necessary. In an investigation, a single artifact with a single date in time and no corroborating evidence should not be considered conclusive. Digital forensic examiners have long been skeptical of timestamps because of the relative ease with which a system clock can be changed, a file system timestamp modified, ...
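The paragraph above argues that one timestamp on its own is a lead, not a finding: it should be corroborated by independent sources before it carries weight. The following Python is an added example, not code from the book or its authors, showing one way to put that rule into practice. It gathers timestamps for the same artifact from several sources (the source labels, artifact names and times are all constructed for the example), normalizes them to UTC, and grades each artifact as uncorroborated, consistent, or conflicting. A conflict does not by itself prove tampering; it flags where clock skew, time-zone mistakes or a modified timestamp must be investigated before the date is relied upon.

```python
"""Cross-source timestamp corroboration (added example; not from the book).

Each Observation records when one source says something happened to an
artifact. corroborate() groups observations by artifact and reports whether
independent sources agree within a tolerance.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Observation:
    source: str      # constructed label: e.g. "fs_mtime", "eventlog", "proxy"
    artifact: str    # what the timestamp describes
    when: datetime   # timezone-aware, normalized to UTC


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 string and normalize to UTC.

    Sources often record local time with an offset; comparing them without
    normalization produces false conflicts of exactly the offset size.
    Naive strings are assumed to already be UTC (an assumption of this example).
    """
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def corroborate(observations, tolerance=timedelta(minutes=5)):
    """Grade each artifact's timeline.

    Returns {artifact: {"status", "sources", "spread"}} where status is:
      "uncorroborated" - a single source; treat as a lead, not a finding
      "consistent"     - two or more sources agree within tolerance
      "conflicting"    - sources disagree beyond tolerance; investigate clock
                         skew, time-zone handling or timestamp modification
    """
    by_artifact = {}
    for obs in observations:
        by_artifact.setdefault(obs.artifact, []).append(obs)

    report = {}
    for artifact, group in by_artifact.items():
        times = sorted(o.when for o in group)
        spread = times[-1] - times[0]
        sources = sorted({o.source for o in group})  # distinct sources only
        if len(sources) < 2:
            status = "uncorroborated"
        elif spread <= tolerance:
            status = "consistent"
        else:
            status = "conflicting"
        report[artifact] = {"status": status, "sources": sources, "spread": spread}
    return report


# Constructed sample evidence. The proxy entry carries a +01:00 offset to show
# that normalization is what makes it agree with the UTC file-system time.
SAMPLE = [
    Observation("fs_mtime", "report.docx", parse_utc("2019-03-04T10:00:00+00:00")),
    Observation("eventlog", "report.docx", parse_utc("2019-03-04T10:02:30+00:00")),
    Observation("proxy",    "report.docx", parse_utc("2019-03-04T11:01:10+01:00")),
    # File-system time years earlier than the log that records the file being
    # written: a conflict that needs explanation before either date is trusted.
    Observation("fs_mtime", "tool.exe", parse_utc("2015-01-01T00:00:00+00:00")),
    Observation("eventlog", "tool.exe", parse_utc("2019-03-04T11:15:00+00:00")),
    # Only one source: nothing to corroborate against.
    Observation("fs_mtime", "notes.txt", parse_utc("2019-03-04T12:00:00+00:00")),
]


def sample_report():
    """Run the corroboration over the constructed sample evidence."""
    return corroborate(SAMPLE)


if __name__ == "__main__":
    for artifact, row in sample_report().items():
        print(f"{artifact:12} {row['status']:15} spread={row['spread']} "
              f"sources={','.join(row['sources'])}")
```

The tolerance is deliberately a parameter: a few minutes is reasonable for sources on the same host, while log shipping or NTP drift across hosts may justify a wider window, and the analyst's notes should record whichever value was used.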
