Join Jungwoo Ryoo for an in-depth discussion in this video, Indexing, part of Computer Forensics Essential Training.
Indexing is another very important feature in a computer forensics software suite, especially in terms of searching. Indexing refers to the process of creating a catalog by going through an evidence drive and recording the location of each data item. To give you an analogy, creating an index for a book is similar to creating an index for an evidence drive. Once you create an index in your book, you can get to a page of your interest very quickly based on a keyword.
The same applies to your evidence drive. Once you have an index created, getting to the data item is much, much faster because you know where the data item is already located based on the keyword. Especially in the context of searching. Once you have your indexing done, the speed of searching gets really, really fast because there is now a direct mapping between your search keyword and the location of the keyword in your evidence drive.
All you have to do is to go to that location based on the index, without really having to do the search over and…
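The keyword-to-location mapping described in the transcript, sketched as an added example that is not part of the course material or of any forensics suite's code. The image contents, the offsets, the 512-byte sector size and all function names are constructed for illustration, and only ASCII keywords are handled.

```python
import re

SECTOR_SIZE = 512  # assumed sector size for the constructed image below
WORD = re.compile(rb"[A-Za-z0-9_]{3,}")  # ASCII keywords only, for brevity


def build_index(image: bytes) -> dict:
    """One pass over the image: map each lower-cased keyword to its byte offsets."""
    index = {}
    for m in WORD.finditer(image):
        index.setdefault(m.group().lower(), []).append(m.start())
    return index


def lookup(index: dict, keyword: str) -> list:
    """Indexed search: one dictionary lookup, no pass over the image."""
    hits = index.get(keyword.lower().encode(), [])
    return [(off, off // SECTOR_SIZE) for off in hits]


def linear_search(image: bytes, keyword: str) -> list:
    """Unindexed search: rescans the entire image for every query."""
    pat = re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(keyword.encode())
                     + rb"(?![A-Za-z0-9_])", re.IGNORECASE)
    return [(m.start(), m.start() // SECTOR_SIZE) for m in pat.finditer(image)]


def make_sample_image() -> bytes:
    """Constructed 4-sector image: text fragments in otherwise zero-filled space."""
    image = bytearray(4 * SECTOR_SIZE)
    fragments = [
        (0, b"dreamCar.jpg"),
        (600, b"meet at the garage, bring dreamcar keys"),
        (1546, b"DREAMCAR"),
    ]
    for offset, data in fragments:
        image[offset:offset + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    img = make_sample_image()
    idx = build_index(img)          # paid once, up front
    for kw in ("dreamCar", "garage", "missing"):
        print(kw, lookup(idx, kw))  # (byte offset, sector) pairs
    assert lookup(idx, "dreamcar") == linear_search(img, "dreamcar")
```

The index is built from a read-only copy of the image, so the lookup results can be cross-checked against a fresh linear scan at any time, as the final assertion does.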
- Understanding computer forensics
- Understanding partitioning
- Using a hex editor
- Preparing a target drive
- Acquiring data
- Ensuring data integrity with hashing
- Indexing and searching
- Generating a report
Skill Level Intermediate
Q: Which operating systems support built-in write blocking?
A: Microsoft introduced the registry concept into its OS with the release of Windows 95. As a result, registry-based write blocking has been available since then. In this course, we tested registry-based write blocking on both Windows 7 and Windows 8.

If for whatever reason your OS doesn’t support registry-based write blocking, you can enable software-based write blocking via a forensics software suite such as EnCase. Finally, if all else fails, you can always use hardware write blockers.
Q: Are there other ways to access deleted files in the usbimage.001 file?
A: When opening the usbimage.001 file in Autopsy and trying to recover the deleted file (i.e. dreamCar.jpg), as shown in the chapter 5 movie “Searching,” if you don’t see the deleted file in the Data Sources tree, you can still view and extract the deleted file in the Views tree as shown below.

[Image: faq2.jpg]