Examples of things to write in the report

  • number and type of partitions or volumes (in SSD, HDD, or other large writable media).

  • number of sessions in optical discs.

  • file system type.

  • installed operating systems.

  • in some cases, e.g. illegal content, pedophile images, etc., include folder structure, filenames, date/time stamps, logical file sizes, and hash values (MD5 and SHA256).

  • files created by the OS including, but not limited to:

    • boot files, registry files, swap files, temporary files, cache files, history files, and log files.

  • list of installed applications.

  • user-created files should be examined using native applications, file viewers, or hex viewers.

    • this includes text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound, other multimedia files, etc.

  • report unused and unallocated space on each volume.

    • search for previously deleted data, and deleted folders.

    • slack space data and data placed there by the user with the intent to hide it.

    • deleted filenames of apparent evidentiary value.

  • report any irregularities or peculiarities in the system area of the volume (i.e. FAT, MFT, etc.).

  • report any hidden areas of the media, such as HPA.

  • report any recovered data and the process used.

  • forensic tools used.

    • name and version of the tool.

    • reference any validation test performed by the examiner, the examiner’s agency, or other reputable organization.
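
The following added example (not part of the original checklist) builds the file listing named above: folder structure, filenames, date/time stamps, logical file sizes, and MD5 and SHA256 hash values, written as CSV for inclusion in the report. It assumes the directory being walked is a working copy of the evidence mounted read-only; the function names and CSV column names are illustrative.

```python
import csv, hashlib, io, os, stat, tempfile
from datetime import datetime, timezone

FIELDS = ["folder", "filename", "logical_size", "modified_utc",
          "accessed_utc", "changed_utc", "md5", "sha256"]

def hash_file(path, chunk=1 << 20):
    """Return (MD5, SHA256) hex digests, reading in chunks so large files are not loaded whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def inventory(root):
    """One row per entry under root, in sorted order so repeated runs are comparable."""
    rows = []
    for folder, dirs, files in os.walk(root):
        dirs.sort()  # fixes the traversal order of subfolders
        for name in sorted(files):
            path = os.path.join(folder, name)
            st = os.lstat(path)  # taken before hashing; describes a symlink itself, not its target
            md5, sha256 = hash_file(path) if stat.S_ISREG(st.st_mode) else ("", "")
            rows.append({
                "folder": os.path.relpath(folder, root),
                "filename": name, "logical_size": st.st_size,
                "modified_utc": _utc(st.st_mtime),
                "accessed_utc": _utc(st.st_atime),
                "changed_utc": _utc(st.st_ctime),  # inode change on Unix, creation on Windows
                "md5": md5, "sha256": sha256,
            })
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree, not real evidence
        with open(os.path.join(root, "note.txt"), "wb") as fh:
            fh.write(b"abc")
        print(to_csv(inventory(root)), end="")
```

Entries that are not regular files (symlinks, for example) are listed with empty hash columns rather than being followed. Timestamps are reported in UTC as returned by the mounted file system.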
