Computer Systems Forensic Analysis

Examining a computer

When examining a computer:

  • clock and time zone:

    • the system date and time should be collected, preferably from the BIOS.

    • date and time should be compared to a reliable known time source and any differences noted.

    • in the triage phase read the OS configured time zone. By default:

      • Windows OS configures the BIOS clock to local time.

      • Linux and Mac OS configure the BIOS clock to UTC.

  • if the BIOS is accessible then:

    • take note of the drive parameters and boot order.

    • if present, take note also of system serial numbers, component serial numbers, hardware component hashes, etc

BIOS Access – Warning

  • Before trying to access the BIOS, first unplug all storage media (SSD, HDD, memory cards, etc) from the computer.

PreviousPhysical examinationNextMedia Examination

Last updated