Digital forensics at the system level requires the skills to both acquire and analyze data. This chapter will provide information regarding data collection in a forensically sound manner and forensic analysis techniques. Sometimes data will need to be acquired “live” and the collection techniques used will make changes to the system. In years past, digital forensics practitioners argued that changes should never be made to a system. With average users having accessibility to modern encryption such as BitLocker, and with advances in memory collection and analysis techniques, it has become more common to collect live data – memory images in particular.
After data has been collected successfully, analysis is required to develop accurate theories of the significance of the evidence. To do so, one must, as always, take detailed notes of the techniques used and data analyzed. This chapter cannot possibly cover all situations and artifacts. It should instead be thought of as an introduction to using sound methodology to analyze common artifacts.
Before getting into collection and analysis, a note on timestamps is necessary. In an investigation, a single artifact with a single date in time and no corroborating evidence should not be considered conclusive. Digital forensic examiners have long been skeptical of timestamps because of the relative ease that a system clock can be changed, a file system timestamp modified, ...