Examples of things to write in the report

number and type of partitions or volumes (in SSD, HDD, or other large writable media).
number of sessions in optical discs.
file system type.
installed operating systems.
in some cases, e. g. illegal content, pedophile images, etc, include folder structure, filenames, date/time stamps, logical file sizes, and hash values (MD5 and SHA256).
files created by the OS including, but not limited to.
- boot files, registry files, swap files, temporary files, cache files, history files, and log files.
list of installed applications.
user-created files should be examined using native applications, file viewers, or hex viewers.
- this includes text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound, other multimedia files, etc.
report unused and unallocated space on each volume.
- search for previously deleted data, and deleted folders.
- slack space data and data placed there by the user with the intent to hide it.
- deleted filenames of apparent evidentiary value.
report any irregularities or peculiarities in the system area of the volume (i. e. FAT, MFT, etc).
report any hidden areas of the media, such as HPA.
report any recovered data and the process used.
forensic tools used.
- name and version of the tool.
- reference any validation test performed by examiner, the examiner’s agency, or other reputable organization.

Last updated 1 year ago

number and type of partitions or volumes (in SSD, HDD, or other large writable media).
number of sessions in optical discs.
file system type.
installed operating systems.
in some cases, e. g. illegal content, pedophile images, etc, include folder structure, filenames, date/time stamps, logical file sizes, and hash values (MD5 and SHA256).
files created by the OS including, but not limited to.
- boot files, registry files, swap files, temporary files, cache files, history files, and log files.
list of installed applications.
user-created files should be examined using native applications, file viewers, or hex viewers.
- this includes text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound, other multimedia files, etc.
report unused and unallocated space on each volume.
- search for previously deleted data, and deleted folders.
- slack space data and data placed there by the user with the intent to hide it.
- deleted filenames of apparent evidentiary value.
report any irregularities or peculiarities in the system area of the volume (i. e. FAT, MFT, etc).
report any hidden areas of the media, such as HPA.
report any recovered data and the process used.
forensic tools used.
- name and version of the tool.
- reference any validation test performed by examiner, the examiner’s agency, or other reputable organization.

Last updated 1 year ago