Legal Forensics Scenario

Steps taken in a Legal Computer Forensics Case
Here is a detailed scenario of the steps typically taken in a Legal Computer Forensics Case, and the products that we recommend.

• • Create hard drive image: SafeBack (NIST Tested), TrueImage, Unix/Linux DD, Ghost
• • Verify image with hash code(s): SafeBack (NIST Tested)
• • Extract Individual Files: TrueImage
• • Create Duplicate Hard Drive: SafeBack (NIST Tested), TrueImage, Ghost
• • Undelete files
• • Recover Slack Space
• • Recover Unused Space
• • Capture Multi-stream files to standard files
• • Uncompress Archive Files (to temporary directories): PKZip, WinZip
• • Generate Hash codes for every file: File Investigator
• • Filter Out Known Good Files: File Investigator
• • Identify Files: File Investigator
• • Find Evidence: File Investigator
• • Known Bad Files
• • Image files (for Child Pornography Cases)
• • Documents & Databases (for Corporate Crime Cases)
• • Locate Applications to view potential evidence: File Investigator
• • View Potential Evidence Files: FI File Find: Hex, Text, Some Images