Legal Forensics Scenario
Steps taken in a Legal Computer Forensics CaseHere is a detailed scenario of the steps typically taken in a Legal Computer Forensics Case, and the products that we recommend.
- • Create hard drive image: SafeBack (NIST Tested), TrueImage, Unix/Linux DD, Ghost
- • Verify image with hash code(s): SafeBack (NIST Tested)
- • Extract Individual Files: TrueImage
- • Create Duplicate Hard Drive: SafeBack (NIST Tested), TrueImage, Ghost
- • Undelete files
- • Recover Slack Space
- • Recover Unused Space
- • Capture Multi-stream files to standard files
- • Uncompress Archive Files (to temporary directories): PKZip, WinZip
- • Generate Hash codes for every file: File Investigator
- • Filter Out Known Good Files: File Investigator
- • Identify Files: File Investigator
- • Find Evidence: File Investigator
• Known Bad Files
• Image files (for Child Pornography Cases)
• Documents & Databases (for Corporate Crime Cases)
- • Locate Applications to view potential evidence: File Investigator
- • View Potential Evidence Files: FI File Find: Hex, Text, Some Images