Digital Evidence and Computer Crime: Forensic Science, Computers and The Internet, 2nd Ed [Electronic resources] - text version


Eoghan Casey


24.4 Summary

The filtering process described in this chapter is superior to a less formalized analysis because all potentially useful data are extracted for examination. Less methodical approaches such as searching for specific keywords or extracting only limited file types may miss other important clues. Additionally, comparing the list of filtered files produced using different tools often highlights discrepancies such as incorrect MD5 calculations for some files and deleted files recovered by one tool and not the other. This type of tool validation is recommended for all cases to ensure that the maximum amount of useful data is extracted and that the examiner can explain any discrepancies between tools if the issue arises (e.g. in court).
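The cross-tool check described above, as an added example that is not from the book or from any forensic tool vendor: two constructed "path,md5" exports from hypothetical tools A and B are compared, and every file only one tool produced (for instance a deleted file only one of them recovered) or hashed differently is listed so the examiner can account for it.

```python
import csv
import io

# Constructed sample exports from two hypothetical tools ("A" and "B"),
# reduced to the two columns the comparison needs: path and MD5.
TOOL_A_EXPORT = """path,md5
/evidence/docs/letter.doc,9e107d9d372bb6826bd81d3542a419d6
/evidence/docs/budget.xls,e4d909c290d0fb1ca068ffaddf22cbd0
/evidence/tmp/deleted/report.pdf,d41d8cd98f00b204e9800998ecf8427e
"""
TOOL_B_EXPORT = """path,md5
/evidence/docs/letter.doc,9E107D9D372BB6826BD81D3542A419D6
/evidence/docs/budget.xls,00000000000000000000000000000000
/evidence/docs/notes.txt,3e25960a79dbc69b674cd4ec67a72c62
"""


def parse_listing(text):
    """Map each path to its MD5, lowercased so that a tool that prints
    uppercase hex is not wrongly reported as a hash mismatch."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["path"]: row["md5"].strip().lower() for row in reader}


def compare_listings(a, b):
    """Return the three classes of discrepancy the examiner must explain:
    files only one tool produced, and files both produced but hashed
    differently (a sign that one tool's MD5 calculation is wrong)."""
    only_in_a = sorted(set(a) - set(b))
    only_in_b = sorted(set(b) - set(a))
    mismatched = sorted((p, a[p], b[p]) for p in set(a) & set(b) if a[p] != b[p])
    return {"only_in_a": only_in_a, "only_in_b": only_in_b, "hash_mismatch": mismatched}


def discrepancy_report(result):
    """One line per discrepancy, in a form that can go straight into the case notes."""
    lines = [f"only tool A: {p}" for p in result["only_in_a"]]
    lines += [f"only tool B: {p}" for p in result["only_in_b"]]
    lines += [f"MD5 differs: {p} A={ha} B={hb}" for p, ha, hb in result["hash_mismatch"]]
    return lines


if __name__ == "__main__":
    result = compare_listings(parse_listing(TOOL_A_EXPORT), parse_listing(TOOL_B_EXPORT))
    print("\n".join(discrepancy_report(result)) or "no discrepancies")
```

Any path or hash that lands in the report should be recomputed by hand (hashing the file a third way) before the working set is treated as complete.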

Although the filtering process will enable investigators to gain a more complete understanding of the body of digital evidence, this is only the first stage in a thorough forensic analysis. Questions should arise in the investigator's mind while reviewing the evidence and, to answer these questions, it is usually necessary to examine specific aspects of the suspect systems. As discussed throughout the Handbook, there are many other system artifacts that can be useful in an investigation.

Each approach to filtering data has advantages and most people will find that it is desirable to combine command line and GUI approaches.

As a final stage in the filtering process, it is advisable to Bates number the files in the working directory, for instance using the Maresware bates_no utility as follows:


    bates_no -p [path to source] -b [beginning bates number] -o [path\name of output log] -R -i -v
