A basic computer forensics
There are people who think forensics is a small part of Security. That’s right, but this small part is very big. Usually, there are two kind of computer forensic investigators. The guy who acquires the digital evidences and manages the laboratory, and the specialist who analyses digital evidences. The role of this last one is very important because he must have deep knowledge about the technology which is going to be analysed. For instance, if a video game console has to be analysed, the case will need a video game console specialist. Therefore, computer forensics need lots of specialist with deep knowledge in specific fields.
This post is not going to be about a difficult and specific computer forensic analysis but about an easy one. You will be able to watch in the next video how to look for encrypted files as well as virtual machines volumes. In addition, we’ll recover deleted files and we'll check file extensions to look for alterations. We’ll also analyse the disk partition and the file system with the aim of knowing what operating system and applications were running in the digital evidence. What’s more, system and security events will be analysed to look for interesting facts as well.
This is a basic computer forensics where we have used six tools. AccessData FTK Imager for mounting digital evidences. Passware Encryption Analyzer to look for encrypted files. Autopsy, which is a digital forensics platform that I really love, to look for virtual machines volumes, files, mail accounts, etc. Active Disk Editor for analysing the disk partition and the file system. Windows Registry Recovery to know applications installed, operating system version, IP address, etc. The last tool I’ve used is Event Log Explorer for searching windows event logs.
Do you think it’s difficult? Keep learning and keep studying!!