Join Jungwoo Ryoo for an in-depth discussion in this video Searching, part of Computer Forensics Essential Training.
Having the ability to search in a computer forensics investigation is essential. Investigators always have a need to do their search based on a keyword related to the nature of the case they are working on. To demonstrate how a search is conducted using a computer forensics suite, we'll be using a tool called Autopsy here. Autopsy is one of the most popular computer forensic software suites out there, and I highly recommend it.

Let's start Autopsy by clicking on the icon on the desktop. Do a right click, select Run As Administrator. We'll start by clicking on Create New Case. Type your case name; we'll use Searching. Choose your base directory if it's not already chosen. In my case, I used Desktop. Click on Next, fill in case number 001 and examiner, and click on Finish.

The next step involves loading an image. I already created an image of an evidence drive, so we'll be using that image for this exercise. Before you click on Browse, make sure the option Image File is selected. Click on Browse, choose USB Image.001.
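Autopsy's keyword search covers both live files and unallocated space, which is how a deleted file can still surface in the results. The block below is an added example, not course material and not Autopsy code, showing the core of such a scan: a case-insensitive search for the ASCII and UTF-16LE forms of a keyword over every byte of an image, with a carry-over buffer so a hit straddling two read chunks is still found. The 8 KiB image, the memo text and the offsets are constructed here; only the file name dreamCar.jpg echoes the course exercise.

```python
import io
import re

SECTOR = 512          # report hits by sector as well as byte offset
READ_CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images

def keyword_search(stream, keyword, chunk_size=READ_CHUNK):
    """Case-insensitive search for keyword, as ASCII and UTF-16LE, over every
    byte of an image stream (allocated or not); returns [(offset, sector, enc)]."""
    if not keyword:
        raise ValueError("keyword must not be empty")
    needles = {"ascii": keyword.encode("ascii"),
               "utf-16le": keyword.encode("utf-16-le")}
    patterns = {enc: re.compile(re.escape(n), re.IGNORECASE)
                for enc, n in needles.items()}
    overlap = max(map(len, needles.values())) - 1  # carry-over for straddling hits
    hits, tail, pos = [], b"", 0
    while chunk := stream.read(chunk_size):
        buf, base = tail + chunk, pos - len(tail)
        for enc, pat in patterns.items():
            for m in pat.finditer(buf):
                if m.end() > len(tail):  # hits ending in the old tail were reported last round
                    off = base + m.start()
                    hits.append((off, off // SECTOR, enc))
        pos += len(chunk)
        tail = buf[-overlap:]
    return sorted(hits)

def build_sample_image():
    """Constructed 8 KiB image: an allocated memo names the car in ASCII, while
    the deleted picture's UTF-16LE filename survives only in an unallocated
    sector, straddling offset 2048 so a 2 KiB chunk size hits the boundary."""
    img = bytearray(16 * SECTOR)
    memo = b"DreamCar photo sent to buyer"
    img[1024:1024 + len(memo)] = memo               # sector 2: live file content
    name = "dreamCar.jpg".encode("utf-16-le")      # 24 bytes of directory residue
    img[2038:2038 + len(name)] = name               # sector 3: unallocated space
    return bytes(img)

def demo(chunk_size=READ_CHUNK):
    """Run the search over the constructed image with a chosen chunk size."""
    return keyword_search(io.BytesIO(build_sample_image()), "dreamcar", chunk_size)

if __name__ == "__main__":
    for off, sector, enc in demo(chunk_size=2048):
        print(f"offset {off} (sector {sector}) {enc}")
```

Running it with a 2 KiB chunk size reports the same two hits as a single large read, which is the property the overlap buffer exists to guarantee.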
- Understanding computer forensics
- Understanding partitioning
- Using a hex editor
- Preparing a target drive
- Acquiring data
- Ensuring data integrity with hashing
- Indexing and searching
- Generating a report
Skill Level: Intermediate
Q: Which operating systems support built-in write blocking?
A: Microsoft introduced the registry concept into its OS with the release of Windows 95. As a result, registry-based write blocking has been available since then. In this course, we tested registry-based write blocking on both Windows 7 and Windows 8.

If for whatever reason your OS doesn't support registry-based write blocking, you can enable software-based write blocking via a forensics software suite such as EnCase. Finally, if all else fails, you can always use hardware write blockers.
Q: Are there other ways to access deleted files in the usbimage.001 file?
A: When opening the usbimage.001 file in Autopsy and trying to recover the deleted file (i.e., dreamCar.jpg), as shown in the chapter 5 movie "Searching," if you don't see the deleted file in the Data Sources tree, you can still view and extract the deleted file in the Views tree as shown below.

[Screenshot: faq2.jpg]