Tools for Analyzing Files

Once the investigator has collected various files from a system, she will want to analyze them to see if they contain any information specific to the incident she's investigating. By analyzing files, we don't mean correlating the data that the investigator collected, but rather analyzing executable files to see what information can be derived regarding their origin or usage, analyzing files created by dumping process memory, and looking for metadata hidden in Word or PDF documents. The investigator will analyze these files on a system on which the necessary tools have been installed.

Executable files

Many times while pursuing an incident, the investigator will come across binary executable files, such as those that usually ...

Get Windows Forensics and Incident Recovery now with O’Reilly online learning.