Tools for Analyzing Files
Once the investigator has collected various files from a system, she will want to analyze them to see if they contain any information specific to the incident she's investigating. By analyzing files, we don't mean correlating the data that the investigator collected, but rather analyzing executable files to see what information can be derived regarding their origin or usage, analyzing files created by dumping process memory, and looking for metadata hidden in Word or PDF documents. The investigator will analyze these files on a system on which the necessary tools have been installed.
Executable files
Many times while pursuing an incident, the investigator will come across binary executable files, such as those that usually ...
Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.