How is a forensic investigation typically approached?
Very broadly, the main phases are sometimes considered to be:
- secure the subject system (from tampering or unauthorized changes during the investigation)
- take a copy of the hard drive/disk (if applicable and appropriate)
- identify and recover all files (including deleted files)
- access/view/copy hidden, protected and temp files
- study ‘special’ areas on the drive (for example, the residue from previously deleted files)
- investigate the settings and any data from applications and programs used on the system
- consider the system as a whole from various perspectives, including its structure and overall contents
- consider general factors relating to the user's computer and other activity and habits, in the context of the investigation
- create a detailed and considered report, containing an assessment of the data and information collected

5) Are there any actions that should be avoided during an investigation? It