Legal Forensics Scenario

Steps taken in a Legal Computer Forensics Case
This scenario lists the steps typically taken in a legal computer forensics case, together with the products that we recommend.

  • Create hard drive image: SafeBack (NIST Tested), TrueImage, Unix/Linux DD, Ghost
  • Verify image with hash code(s): SafeBack (NIST Tested)
  • Extract Individual Files: TrueImage
  • Create Duplicate Hard Drive: SafeBack (NIST Tested), TrueImage, Ghost
  • Undelete files
  • Recover Slack Space
  • Recover Unused Space
  • Capture Multi-stream files to standard files
  • Uncompress Archive Files (to temporary directories): PKZip, WinZip
  • Generate Hash codes for every file: File Investigator
  • Filter Out Known Good Files: File Investigator
  • Identify Files: File Investigator
  • Find Evidence: File Investigator
    • Known Bad Files
    • Image files (for Child Pornography Cases)
    • Documents & Databases (for Corporate Crime Cases)
  • Locate Applications to view potential evidence: File Investigator
  • View Potential Evidence Files: FI File Find: Hex, Text, Some Images
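
The hash-and-filter steps in the list above (generate hash codes for every file, filter out known good files, flag known bad files), shown as an added Python example; it is not File Investigator's code and not part of the original page. SHA-256, the function names, and the sample files and hash sets are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, known_good, known_bad):
    """Hash every file under root and bucket it by hash, never by file name."""
    result = {"known_good": [], "known_bad": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            rel = os.path.relpath(path, root)
            if digest in known_bad:        # check bad first: a hit is evidence
                bucket = "known_bad"
            elif digest in known_good:     # filtered out of further review
                bucket = "known_good"
            else:                          # left for identification and viewing
                bucket = "unknown"
            result[bucket].append((rel, digest))
    return result

def demo():
    """Triage a constructed working copy; returns file names per bucket."""
    samples = {  # constructed sample content, not real evidence
        "system.dll": b"stock operating system file",
        "tool.exe": b"content matching a known bad hash",
        "ledger.xls": b"case-specific document",
    }
    known_good = {hashlib.sha256(samples["system.dll"]).hexdigest()}
    known_bad = {hashlib.sha256(samples["tool.exe"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        buckets = triage(root, known_good, known_bad)
    return {k: [rel for rel, _ in v] for k, v in buckets.items()}

if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

Run it against a working copy extracted from the verified image, never against the original media.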