Forensic Imaging

Computer forensic investigations usually follow the standard digital forensic process (acquisition, analysis and reporting). Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices which, due to a lack of specialist tools, saw investigations commonly carried out on live data.

A number of techniques are used during computer forensics investigations.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.

Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase the physical file data when a file is deleted, so it can be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
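The header search described above, as an added example that is not taken from the original page or from any forensic product. It goes slightly beyond the text by pairing each header with a footer signature (JPEG and PNG) and hashing every carved candidate; the names `carve`, `build_sample_image` and `MAX_SIZE` are hypothetical, and the disk image is a constructed byte string.

```python
import hashlib

# Signatures for header/footer carving. The JPEG and PNG markers are standard;
# MAX_SIZE is an assumed cap so a missing footer cannot swallow the whole image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024


def carve(image: bytes, max_size: int = MAX_SIZE):
    """Return carved candidates (type, offset, size, sha256) sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # Header with no footer in range: overwritten or fragmented data.
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed image: zeroed filler, two intact files, one truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 64 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 50  # footer was overwritten
    return b"\x00" * 512 + jpg + b"\x00" * 406 + png + b"\x00" * 432 + truncated + b"\x00" * 100


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

Recording the offset and SHA-256 of each carved object lets the examiner tie it back to a location in the acquired image in the report. Signature matching alone cannot reassemble fragmented files, so a header with no footer in range is skipped rather than guessed at.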

