How is a computer forensic investigation approached?
It’s a detailed science. However, very broadly, the main phases are sometimes considered to be: secure the subject system (from tampering during the operation); take a copy of hard drive (if applicable); identify and recovery all files (including those deleted); access/copy hidden, protected and temporary files; study ‘special’ areas on the drive (eg: residue from previously deleted files); investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the users activity; create detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained. 6. Is there anything that should NOT be done during an investigation? Definitely. However, these tend to be related to the nature of the computer system being investigated. Typically though, it is important to avoid changing date/time stamps (of files for example) or changing data itsel
