How is a forensic investigation typically approached?
Very broadly, the main phases are sometimes considered to be:
– secure the subject system (from tampering or unauthorized changes during the investigation);
– take a copy of the hard drive/disk (if applicable and appropriate);
– identify and recover all files (including deleted files);
– access/view/copy hidden, protected and temp files;
– study ‘special’ areas on the drive (for example, the residue from previously deleted files);
– investigate the settings and any data from applications and programs used on the system;
– consider the system as a whole from various perspectives, including its structure and overall contents;
– consider general factors relating to the user’s computer and other activity and habits, in the context of the investigation;
– create a detailed and considered report, containing an assessment of the data and information collected.

Throughout the investigation, a full audit log of all activities will be maintained and recorded. It is not unreasonable to include this in the r