Computer Forensic Expert, profile picture
Uploaded byComputer Forensic Expert
PDF, PPTX274 views

Computer forensic lifecycle

The document outlines the computer forensic lifecycle process for examining common PCs and laptops. It involves 4 main phases - preparation, identification/collection, imaging, and analysis. In the preparation phase, forensic tools and storage drives are tested and configured. Live computers are then triaged, and volatile and non-volatile data is collected following standard procedures before imaging. Finally, during analysis, various techniques are used to search the forensic images for evidence, including keyword searches, internet history analysis, and examining files and the registry.

Business
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Computer  Forensic  Lifecycle  (common  PC/Laptop)   1. Preparation   a. Preparation  steps   i. Test  and  familiarize  yourself  with  software  tools   ii. Prepare  hard  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   iii. Prepare  flash  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   b. Initial  response  kit   i. Necessary  hardware   1. Prepared  flash  drive(s)   2. Prepared  hard  drive(s)   3. Hand  tools   ii. Necessary  software   1. RAM  collection  software   2. Encryption  detection  software   3. Imaging  software   iii. Other  necessary  equipment   1. Forms  (CoC,  computer  worksheet)   2. Notepad   3. Bags,  tape,  labels,  pens   4. Camera/Video    
2. Identify,  Triage,  Collect  and  Document   a. Initial  response  considerations   i. Safety   ii. Safeguarding  digital  evidence  from  further  tampering   iii. Urgency     b. Triaging  Live  computers   i. Initial  triage   1. Deletion  or  other  potentially  destructive  action  in  progress?   a. Stop  process  vs.  shutting  down  computer   2. If  circumstances  dictate,  disconnecting  physical  network  connection   a. Necessary  to  collect  minimal  information  prior  to  disconnection?   b. Disconnect  physical  network  connection   i. Hardware  wireless  switch  (laptop)   ii. Unlocked  Screen   1. Wireless  status/disconnect  required?   2. Determine  level  of  access   a. Administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. RAM  collection   b. Other  volatile  Data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   c. Detecting  encrypted  volumes  
i. Logical  imaging   ii. Obtain  Bitlocker  recovery  key   2. Shutdown  system   b. Non-­‐administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. Other  volatile  data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   b. Detecting  encrypted  volumes   i. Logical  imaging   iii. Locked  Screen   1. Shutdown  system   a. Pulling  plug  vs.  shutdown  process   c. Collection  of  digital  media   i. Marking/labeling   d. Documentation   i. CoC   ii. Notes              
  3. Imaging  Process   a. Interface  considerations  –  Available  adapters  and  connectors   1. USB   2. SCSI   3. PATA   4. SATA   5. SAS   6. ZIFF     b. Hardware-­‐based  imaging  devices   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Tableau   1. Native  .E01  support   iii. Weibetech   iv. Logicube     c. Software  Imaging   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Hardware  write-­‐blockers   1. Tableau   2. Weibetech   3. Others   iii. Software  write-­‐blockers   1. EnCase  Fastbloc  SE   2. Registry  hack  
iv. No  write  blocker   1. Linux  /  Unix  /  OSX     d. Verification  Process   i. Hash  verification     4. Analysis  Process   a. Pre-­‐Analysis  preparation   i. Root  Case  Folder   1. Location   2. Naming  convention   3. Case  folder  subcomponents   a. Evidence  files   b. Export   c. Temp   d. Index     b. Pre-­‐Analysis  Processing   i. Identification  of  all  archives,  encrypted  volumes,  virtual  machines.   1. Virtual  mounting     ii. Hash  Analysis   1. Good  vs.  bad  hashes  (Known  vs.  Unknown)   2. Generating  hash  values  for  each  file   3. Comparing  hash  sets   4. Filtering  out  identified  files     iii. File  Signature  Analysis     iv. Keyword  indexing  (optional)  
  c. Case-­‐Specific  Analysis  Techniques  (common  techniques)   i. RAM  Analysis  (if  applicable)   1. Strings   2. Redline   3. HBGary  Responder     ii. Keyword  Searching   1. Live  searching   2. Index  Searching   3. Unicode   4. GREP     iii. Internet  History  Analysis   1. IE   a. Internet  history   b. Favorites   c. Zone  identifier  files   d. Configuration  settings     2. Firefox   a. Internet  history   b. Favorites   c. Configuration  settings     3. Chrome   a. Internet  history   b. Favorites   c. Configuration  settings    
4. Safari   a. Internet  history   b. Favorites     c. Configuration  setting     5. 3rd  party  tools   a. Netanalysis   b. Web  Historian     iv. Email  Analysis   1. Client  based   a. Outlook   b. Outlook  Express   c. Thunderbird   2. Web  based   a. Gmail   b. Hotmail   c. Yahoo     v. Windows  Event  logs   1. Location   2. Types   3. Format   a. XP  vs.  Vista  /  7/  8   4. 3rd  party  tools   a. Splunk   b. Highlighter     vi. Social  Media  Analysis   1. Twitter  
2. Facebook   3. Google+   vii. Instant  Messaging   1. Gtalk   2. Yahoo   3. Live  /  Communicator  /  Lync     viii. User  Profile  Analysis  (recent  docs,  LNK,  etc)   1. Desktop   2. Downloads   3. Documents   4. Videos   5. Photos     ix. Registry  Analysis   1. Global   a. User  accounts  /  SIDS   b. Installed  applications   c. Passwords   2. User  Specific   a. Protected  Storage  Passwords   b. UserAssist   c. MRU  /  Recently  opened  files   d. Background  Image   3. 3rd  party  tools   a. regripper   b. regdecoder   c. WRR  (mitec)     x. USB  Device  Analysis  
1. XP   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.log   2. Vista  /  7  /  8   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.dev.log  &  setupapi.app.log     xi. Recycle  Bin  Analysis   1. SID  mapping     xii. System  Restore  Points  /  Volume  Shadow  Service  (VSS)  analysis   1. XP  systems   a. 3rd  party  tools   i. Mandiant  Restore  Point  analyzer   2. Vista  /  7/  8   a. VSS  Analysis   b. 3rd  party  tools   i. ShadowExplorer   ii. FAU  dd  (Garner)     xiii. Peer-­‐to-­‐Peer    (P2P)  Analysis   1. Limewire   2. Gigatribe   3. uTorrent     xiv. Cloud  Based  Applications  
1. Dropbox   2. Microsoft  Live  mesh   3. Google  drive     xv. Basic  Data  Carving   1. pagefile.sys   2. hiberfil.sys   3. Unallocated  Space   4. Identifying  headers  &  footers   a. Base64   b. Internet  History   5. 3rd  party  tools   a. Internet  Evidence  Finder  (IEF)     xvi. Unused  Disk  areas   1. Deleted  partitions     xvii. General  Intelligence  gathering   1. Collection  of  email  addresses   2. Collection  of  phone  numbers     5. Report  Writing   a. Baseline    &  Case  specific  information     i. Request   ii. Findings   1. Drive  Info   a. Physical  size  (label)   b. Physical  size  (BIOS)   c. Logical  size   i. Logical  partitions  
d. Unused  disk  space   2. OS  Information   a. Type   b. Version   c. Patch  level  /  hotfixes   d. Install  date   e. Registered  Name  /  Organization   3. Case  specific  findings   iii. Summary   iv. Recommendations     b. Timeline  of  events      

More Related Content

PPT
Live Memory Forensics on Android devices
byNikos Gkogkos
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PPT
Digital Forensics in the Archive
byGarethKnight
 
PPTX
Open Source Forensics
byCTIN
 
PDF
Study on Live analysis of Windows Physical Memory
byIOSR Journals
 
PDF
Revision articulo cientifico - Lic. Mg. Aida Semblantes
byJairo Castillo
 
KEY
Weekly2011.01
bygjapnewscentral
 
PDF
TOEFL-IBT
byIkram Abidi
 
Live Memory Forensics on Android devices
byNikos Gkogkos
 
Forensics of a Windows System
byConferencias FIST
 
Digital Forensics in the Archive
byGarethKnight
 
Open Source Forensics
byCTIN
 
Study on Live analysis of Windows Physical Memory
byIOSR Journals
 
Revision articulo cientifico - Lic. Mg. Aida Semblantes
byJairo Castillo
 
Weekly2011.01
bygjapnewscentral
 
TOEFL-IBT
byIkram Abidi
 

Viewers also liked

PDF
Jewish Museum Precedent Studies Board
byPatricia Kong
 
PPTX
Clasificacion de desnutricion
byDayan Garza B
 
PPTX
Rejuvenate Your Small Business: 10 Marketing Ideas for Thanksgiving
byLogo Design Guru
 
PPTX
Migración
byComité Estrategico de Nuevo León
 
PPTX
Wes presentation
byAbhishek Bajaj
 
DOC
DIANA VINCENT Resume 4
byDiana Vincent
 
DOCX
stephen dover-resume
byStephen Dover
 
PDF
Resume
byTim Ryan
 
PPTX
La Ciencia y El Conocimiento Cientifico
byHector Luis Gil Bonett
 
DOCX
Celulas
byAmerica Lina Perez Perez
 
Jewish Museum Precedent Studies Board
byPatricia Kong
 
Clasificacion de desnutricion
byDayan Garza B
 
Rejuvenate Your Small Business: 10 Marketing Ideas for Thanksgiving
byLogo Design Guru
 
Migración
byComité Estrategico de Nuevo León
 
Wes presentation
byAbhishek Bajaj
 
DIANA VINCENT Resume 4
byDiana Vincent
 
stephen dover-resume
byStephen Dover
 
Resume
byTim Ryan
 
La Ciencia y El Conocimiento Cientifico
byHector Luis Gil Bonett
 
Celulas
byAmerica Lina Perez Perez
 

Similar to Computer forensic lifecycle

PPTX
Computer forensics
bydeaneal
 
PDF
Cyber Forensics Module 2
byManu Mathew Cherian
 
PDF
AntiForensics - Leveraging OS and File System Artifacts.pdf
byekobelasting
 
PPT
computer forensicsPPT4-SESI4-20220406071621.ppt
byBimo Septyo Prabowo
 
PPT
Computer Forensics Analysis and Validation.ppt
bymcjaya2024
 
PDF
Forensics
byGhariani Tewfik
 
PDF
Digital Forensics
byVikas Jain
 
PPTX
Computer forensics libin
bylibinp
 
PPTX
Computer forensics and its role
bySudeshna Basak
 
PPT
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
byguest66dc5f
 
PDF
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
PPTX
Securitytools
byRichmond Adebiaye
 
PPT
Computer Forensics
byNeilg42
 
DOCX
Digital Forensic Examination Summary Report(for ALL lab assignme.docx
bylynettearnold46882
 
PDF
computerforensics-140529094816-phpapp01 (1).pdf
byGnanavi2
 
PPT
Forensics of a Windows Systems
byConferencias FIST
 
PDF
IT forensic
byRupesh Verma
 
PDF
CNIT 152 11 Analysis Methodology
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
CS6004 Cyber Forensics - UNIT V
byArthyR3
 
Computer forensics
bydeaneal
 
Cyber Forensics Module 2
byManu Mathew Cherian
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
byekobelasting
 
computer forensicsPPT4-SESI4-20220406071621.ppt
byBimo Septyo Prabowo
 
Computer Forensics Analysis and Validation.ppt
bymcjaya2024
 
Forensics
byGhariani Tewfik
 
Digital Forensics
byVikas Jain
 
Computer forensics libin
bylibinp
 
Computer forensics and its role
bySudeshna Basak
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
byguest66dc5f
 
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
Securitytools
byRichmond Adebiaye
 
Computer Forensics
byNeilg42
 
Digital Forensic Examination Summary Report(for ALL lab assignme.docx
bylynettearnold46882
 
computerforensics-140529094816-phpapp01 (1).pdf
byGnanavi2
 
Forensics of a Windows Systems
byConferencias FIST
 
IT forensic
byRupesh Verma
 
CNIT 152 11 Analysis Methodology
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
CS6004 Cyber Forensics - UNIT V
byArthyR3
 

Recently uploaded

PDF
Stuart Frost - The Chief Executive Officer
byStuart Frost
 
PPTX
Crisis-Management-Plan-Apple-final case study.pptx
byBudi Septiawan
 
PDF
Sukhi Jolly Framework for Infrastructure-Driven Growth
bySukhi Jolly
 
PDF
Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
PDF
Account Audit of a Sport Supplement Brand
byAlethLanuza
 
PDF
How to Buy Verified Redotpay Accounts_ A Step-by- ....pdf
by7zpjneju23g4b3ph3whf
 
PDF
FINANCIAL LITERACY Practices | Excellence Foundation for South Sudan
byExcellence Foundation for South Sudan
 
PDF
One Of The Best Website To Buy Verified Venmo Accounts.pdf
by7zpjneju23g4b3ph3whf
 
PPTX
Free Website Traffic Generator - Targeted Web Traffic
byTargeted Web Traffic
 
PDF
MCB-Code-of-Conduct Mansehra postal service operation management
bytanolihaseeb21
 
PDF
Comments on Dimi Design Intelligence Addendum2, All Parts.pdf
byBrij Consulting, LLC
 
PDF
Buy TikTok Shop accounts & Twitter accounts in 2026..pdf
bygetsmmpro getsmmpro
 
PDF
Buy Google Ads Accounts_ A Conservative Guide for Everyday.pdf
byUSAALLHUB Digital Marketer in 2026
 
PDF
Easy Ways to Buy Old Gmail Accounts Smartly Start in 2026.pdf
byUSAALLHUB Digital Marketer in 2026
 
PDF
Tips for Successfully Buying Old Gmail Accounts in Bulk.pdf
byBuy Verified Cash App Accounts
 
DOCX
How to Buy a Verified PayPal Account, a Verified Wise Account,.docx
bygetsmmpro getsmmpro
 
DOCX
How to buy Yahoo accounts and Outlook accounts in 2026..docx
bygetsmmpro getsmmpro
 
DOCX
17 Recommended Sites for Buying Gmail Accounts in 2026.docx
bymarketing
 
DOCX
Buying Telegram Accounts for Channels & Groups_ Old & New in the US.docx
byGoogle Business Site is usaallhub
 
DOCX
Tips for Successfully Buying Old Gmail Accounts in Bulk.docx
byBuy Verified Cash App Accounts
 
Stuart Frost - The Chief Executive Officer
byStuart Frost
 
Crisis-Management-Plan-Apple-final case study.pptx
byBudi Septiawan
 
Sukhi Jolly Framework for Infrastructure-Driven Growth
bySukhi Jolly
 
Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
Account Audit of a Sport Supplement Brand
byAlethLanuza
 
How to Buy Verified Redotpay Accounts_ A Step-by- ....pdf
by7zpjneju23g4b3ph3whf
 
FINANCIAL LITERACY Practices | Excellence Foundation for South Sudan
byExcellence Foundation for South Sudan
 
One Of The Best Website To Buy Verified Venmo Accounts.pdf
by7zpjneju23g4b3ph3whf
 
Free Website Traffic Generator - Targeted Web Traffic
byTargeted Web Traffic
 
MCB-Code-of-Conduct Mansehra postal service operation management
bytanolihaseeb21
 
Comments on Dimi Design Intelligence Addendum2, All Parts.pdf
byBrij Consulting, LLC
 
Buy TikTok Shop accounts & Twitter accounts in 2026..pdf
bygetsmmpro getsmmpro
 
Buy Google Ads Accounts_ A Conservative Guide for Everyday.pdf
byUSAALLHUB Digital Marketer in 2026
 
Easy Ways to Buy Old Gmail Accounts Smartly Start in 2026.pdf
byUSAALLHUB Digital Marketer in 2026
 
Tips for Successfully Buying Old Gmail Accounts in Bulk.pdf
byBuy Verified Cash App Accounts
 
How to Buy a Verified PayPal Account, a Verified Wise Account,.docx
bygetsmmpro getsmmpro
 
How to buy Yahoo accounts and Outlook accounts in 2026..docx
bygetsmmpro getsmmpro
 
17 Recommended Sites for Buying Gmail Accounts in 2026.docx
bymarketing
 
Buying Telegram Accounts for Channels & Groups_ Old & New in the US.docx
byGoogle Business Site is usaallhub
 
Tips for Successfully Buying Old Gmail Accounts in Bulk.docx
byBuy Verified Cash App Accounts
 

Computer forensic lifecycle

  • 1.
    Computer  Forensic  Lifecycle  (common  PC/Laptop)   1. Preparation   a. Preparation  steps   i. Test  and  familiarize  yourself  with  software  tools   ii. Prepare  hard  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   iii. Prepare  flash  drives   1. Wipe  &  verify   2. Partitioning   a. Filesystem  type   3. Load  tools   b. Initial  response  kit   i. Necessary  hardware   1. Prepared  flash  drive(s)   2. Prepared  hard  drive(s)   3. Hand  tools   ii. Necessary  software   1. RAM  collection  software   2. Encryption  detection  software   3. Imaging  software   iii. Other  necessary  equipment   1. Forms  (CoC,  computer  worksheet)   2. Notepad   3. Bags,  tape,  labels,  pens   4. Camera/Video    
  • 2.
    2. Identify,  Triage,  Collect  and  Document   a. Initial  response  considerations   i. Safety   ii. Safeguarding  digital  evidence  from  further  tampering   iii. Urgency     b. Triaging  Live  computers   i. Initial  triage   1. Deletion  or  other  potentially  destructive  action  in  progress?   a. Stop  process  vs.  shutting  down  computer   2. If  circumstances  dictate,  disconnecting  physical  network  connection   a. Necessary  to  collect  minimal  information  prior  to  disconnection?   b. Disconnect  physical  network  connection   i. Hardware  wireless  switch  (laptop)   ii. Unlocked  Screen   1. Wireless  status/disconnect  required?   2. Determine  level  of  access   a. Administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. RAM  collection   b. Other  volatile  Data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   c. Detecting  encrypted  volumes  
  • 3.
    i. Logical  imaging   ii. Obtain  Bitlocker  recovery  key   2. Shutdown  system   b. Non-­‐administrator  access   i. Collection  of  volatile  data   1. Follow  order  of  volatility   a. Other  volatile  data   i. Comprehensive  networking  information   ii. Running  applications   iii. Date  &  time   b. Detecting  encrypted  volumes   i. Logical  imaging   iii. Locked  Screen   1. Shutdown  system   a. Pulling  plug  vs.  shutdown  process   c. Collection  of  digital  media   i. Marking/labeling   d. Documentation   i. CoC   ii. Notes              
  • 4.
      3. Imaging  Process   a. Interface  considerations  –  Available  adapters  and  connectors   1. USB   2. SCSI   3. PATA   4. SATA   5. SAS   6. ZIFF     b. Hardware-­‐based  imaging  devices   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Tableau   1. Native  .E01  support   iii. Weibetech   iv. Logicube     c. Software  Imaging   i. Storage  considerations   1. Pre-­‐prepared  HD  (wiped)   2. Drive  capacity   ii. Hardware  write-­‐blockers   1. Tableau   2. Weibetech   3. Others   iii. Software  write-­‐blockers   1. EnCase  Fastbloc  SE   2. Registry  hack  
  • 5.
    iv. No  write  blocker   1. Linux  /  Unix  /  OSX     d. Verification  Process   i. Hash  verification     4. Analysis  Process   a. Pre-­‐Analysis  preparation   i. Root  Case  Folder   1. Location   2. Naming  convention   3. Case  folder  subcomponents   a. Evidence  files   b. Export   c. Temp   d. Index     b. Pre-­‐Analysis  Processing   i. Identification  of  all  archives,  encrypted  volumes,  virtual  machines.   1. Virtual  mounting     ii. Hash  Analysis   1. Good  vs.  bad  hashes  (Known  vs.  Unknown)   2. Generating  hash  values  for  each  file   3. Comparing  hash  sets   4. Filtering  out  identified  files     iii. File  Signature  Analysis     iv. Keyword  indexing  (optional)  
  • 6.
      c. Case-­‐Specific  Analysis  Techniques  (common  techniques)   i. RAM  Analysis  (if  applicable)   1. Strings   2. Redline   3. HBGary  Responder     ii. Keyword  Searching   1. Live  searching   2. Index  Searching   3. Unicode   4. GREP     iii. Internet  History  Analysis   1. IE   a. Internet  history   b. Favorites   c. Zone  identifier  files   d. Configuration  settings     2. Firefox   a. Internet  history   b. Favorites   c. Configuration  settings     3. Chrome   a. Internet  history   b. Favorites   c. Configuration  settings    
  • 7.
    4. Safari   a.Internet  history   b. Favorites     c. Configuration  setting     5. 3rd  party  tools   a. Netanalysis   b. Web  Historian     iv. Email  Analysis   1. Client  based   a. Outlook   b. Outlook  Express   c. Thunderbird   2. Web  based   a. Gmail   b. Hotmail   c. Yahoo     v. Windows  Event  logs   1. Location   2. Types   3. Format   a. XP  vs.  Vista  /  7/  8   4. 3rd  party  tools   a. Splunk   b. Highlighter     vi. Social  Media  Analysis   1. Twitter  
  • 8.
    2. Facebook   3.Google+   vii. Instant  Messaging   1. Gtalk   2. Yahoo   3. Live  /  Communicator  /  Lync     viii. User  Profile  Analysis  (recent  docs,  LNK,  etc)   1. Desktop   2. Downloads   3. Documents   4. Videos   5. Photos     ix. Registry  Analysis   1. Global   a. User  accounts  /  SIDS   b. Installed  applications   c. Passwords   2. User  Specific   a. Protected  Storage  Passwords   b. UserAssist   c. MRU  /  Recently  opened  files   d. Background  Image   3. 3rd  party  tools   a. regripper   b. regdecoder   c. WRR  (mitec)     x. USB  Device  Analysis  
  • 9.
    1. XP   a.Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.log   2. Vista  /  7  /  8   a. Registry   i. Mounted  Devices   ii. USBSTOR   b. setupapi.dev.log  &  setupapi.app.log     xi. Recycle  Bin  Analysis   1. SID  mapping     xii. System  Restore  Points  /  Volume  Shadow  Service  (VSS)  analysis   1. XP  systems   a. 3rd  party  tools   i. Mandiant  Restore  Point  analyzer   2. Vista  /  7/  8   a. VSS  Analysis   b. 3rd  party  tools   i. ShadowExplorer   ii. FAU  dd  (Garner)     xiii. Peer-­‐to-­‐Peer    (P2P)  Analysis   1. Limewire   2. Gigatribe   3. uTorrent     xiv. Cloud  Based  Applications  
  • 10.
    1. Dropbox   2.Microsoft  Live  mesh   3. Google  drive     xv. Basic  Data  Carving   1. pagefile.sys   2. hiberfil.sys   3. Unallocated  Space   4. Identifying  headers  &  footers   a. Base64   b. Internet  History   5. 3rd  party  tools   a. Internet  Evidence  Finder  (IEF)     xvi. Unused  Disk  areas   1. Deleted  partitions     xvii. General  Intelligence  gathering   1. Collection  of  email  addresses   2. Collection  of  phone  numbers     5. Report  Writing   a. Baseline    &  Case  specific  information     i. Request   ii. Findings   1. Drive  Info   a. Physical  size  (label)   b. Physical  size  (BIOS)   c. Logical  size   i. Logical  partitions  
  • 11.
    d. Unused  disk  space   2. OS  Information   a. Type   b. Version   c. Patch  level  /  hotfixes   d. Install  date   e. Registered  Name  /  Organization   3. Case  specific  findings   iii. Summary   iv. Recommendations     b. Timeline  of  events