My University Notes
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Main Page
  2. /
  3. Cyber Security and Digital Forensics (2021-2024)
  4. /
  5. Year 2
  6. /
  7. Forensics Fundamentals
  8. /
  9. Week 3 - Case Examination
Edit page

Week 3 - Case Examination

Live and Dead examination

Dead examination

  • Dead examination involves checking the suspect machine in a non-booted fashion.
  • Case Management software (e.g. FTK/Encase) mounts the suspect’s file system - changes are cached by the tool - the analysis remains ‘dead’
  • Benefits
    • The integrity of the suspect’s data is ensured
    • no instant decision is required
    • Analysis can be repeated

Case management Tools

  • Tools that can manage the complete forensics process
    • Process a wide range of data types (e.g. emails); Analyse the registry; decrypt files; crack passwords; and build a report.
    • Reduce the time required to identify and document evidence

Live Analysis

  • Live analysis utilizes the suspect machine in a booted fashion for examination
    • bespoke applications where it is not possible to obtain a (Licensed) Version
    • Understanding how a piece of malware is behaving
    • Case Dependent
  • Order of Volatility
    1. Main physical memory
    2. virtual memory
    3. network state
    4. running processes
    5. hard drive
    6. backup media
    7. external storage
  • Tools
    • Regshot
    • WinDirStat
    • net file
    • net session