Introduction

It is normal forensic practice to remove a hard drive from a computer, write-block it and then image that hard drive.

But sometimes that is not possible:

  • some thin laptops have SSD chips soldered to the motherboard.

  • the storage device has a non-standard data interface and the examiner doesn't have the appropriate connector.

    • in these cases the imaging of the storage device needs to be done with the drive connected to the computer.

Use a forensic boot device on the computer (a boot diskette, bootable CD-ROM/DVD, or bootable USB device) to ensure the storage drive is not altered during either the boot or the acquisition phase.

The normal startup of a computer alters data on the primary storage drive during the boot process.

  • it is required to protect the integrity of the original evidence.

  • we must modify the start-up process in order to prevent any changes to the data on the storage drive.

Boot process:

  • the normal boot process begins within the computer's hardware and moves to the boot device.

  • there are no changes made until the computer transfers control to the boot device.
