Tools for Analyzing Files
Once the investigator has collected various files from a system, she will want to analyze them to see if they contain any information specific to the incident she's investigating. By analyzing files, we don't mean correlating the data that the investigator collected, but rather analyzing executable files to see what information can be derived regarding their origin or usage, analyzing files created by dumping process memory, and looking for metadata hidden in Word or PDF documents. The investigator will analyze these files on a system on which the necessary tools have been installed.
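As an added example (not part of the original text), the following shows one kind of origin information an executable file can yield: build-related fields read from the header of a Windows PE file, including the linker timestamp. The choice of the PE format, the function name `pe_origin_info`, and the constructed `SAMPLE` bytes are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

# Subset of IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

def pe_origin_info(data: bytes) -> dict:
    """Pull build-related fields out of a PE file's COFF header (hypothetical helper)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the suspect file, so bounds-check it before use.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or out-of-range PE signature")
    machine, nsect, stamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    names, table = [], e_lfanew + 24 + opt_size
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # section table runs past end of file (truncated or malformed)
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        # Linker timestamp: useful for timelines, but it can be forged or zeroed.
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(flags & 0x2000),  # IMAGE_FILE_DLL
        "sections": names,
    }

# Constructed sample: a minimal header-only image, not a real program.
SAMPLE = (
    b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x014C, 2, 1041379200, 0, 0, 0, 0x0102)
    + b".text\0\0\0" + bytes(32)
    + b".data\0\0\0" + bytes(32)
)

if __name__ == "__main__":
    for key, value in pe_origin_info(SAMPLE).items():
        print(f"{key:13} {value}")
```

Run against a copy of the collected file on the analysis system, never on the original evidence, and treat the timestamp as a lead to corroborate rather than a fact.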
Many times while pursuing an incident, the investigator will come across binary executable files, such as those that usually ...