From the course: Incident Response: Evidence Collection in Windows
Collecting disk attributes using Disk Map
- [Instructor] The first area of collection that we want to do when we start dealing with nonvolatile data is going to be things associated with our hard drive. And to do this, we're going to start with a command known as diskmap. The diskmap command is really useful in collecting information about the hard drive. It's going to go ahead and give us the attributes of the disks inside the Windows file system. And we can do that using the tool diskmap. So again, we're going to use our Trusted Tool, in this case, it's t_diskmap, and then we're going to use /d0, and what that means is I want to know the diskmap of drive zero. On a computer, we always start counting with zero, so our first hard drive, our C drive, is going to be the one located at D0. Our second hard drive, if there is one, will be D1, our third will be D2, and so on. And then we're going to go ahead and pipe that using our tee command by calling the file…