This week you are reading about some of the forensic tools used by Computer Forensics Examiners (there are many). While two of the more popular tools are Guidance Software’s EnCase and AccessData’s FTK, there are other tools that are available and should be part of your toolbox.
Once you have properly identified and collected digital evidence, the next step is to analyze it. It does not really matter if you are performing analysis as part of a criminal investigation or as part of a corporate investigation: you should always follow the same protocols. An emphasis in this course is on helping you understand why using an analysis protocol is important. Remember, you should NEVER, EVER work on original evidence, if it can be avoided by any means; instead, use a forensic image. When you work on the image, you pick the tools you will use. Again, it does not matter which tool you actually use, as long as the tool is accepted by the forensic community, and you are able to testify to the tool’s validity, as well as the process you used in your examination.
During your analysis, you should document every step you take and record all of your findings. Some tools have a report function that works well to capture both the identified data and the date/time of your various analyses. This should always be supplemented with your own notes and documentation.
This week, I would first like you to discuss ‘write blockers’ (hardware- or software-based. What do they do? Why do you need to use a write blocker in your examinations, whether for a criminal case or a corporate case?
Now imagine that you are a computer forensic examiner who has just received a suspect hard drive from a detective in your department. The drive was properly seized during a legally executed search warrant. The detective signs the chain of custody log and hands you the drive. Your job is to accept the drive, conduct an analysis, and store the drive until trial. Explain the steps you would take, from the time you receive the drive until you testify in court. Include the reasons why you would take each step. For just one example, what would you check for when you sign for the drive on the chain of custody?