CHAPTER 12
Investigating Windows Systems
 
When your initial response indicates that further investigation is warranted, you have two options: perform the investigative steps on the evidence media itself, or create a forensic duplicate of the evidence media and then perform the investigative steps on a restored image. If you choose to investigate the evidence media itself without first creating a forensic duplicate, you will be changing the actual evidence, and you will have no baseline for comparison once your intrusive investigative steps have altered the system. For example, simply viewing a file or directory entry on the evidence system causes information on the system to be changed. But this information could be ...
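One way to build the baseline the paragraph says you would otherwise lack, as an added example that is not from the book: snapshot a restored image's files (size, timestamps, SHA-256) before the examination steps, then classify what each step changed. The file tree, names and contents are constructed in a temporary directory.

```python
# Added example (not the book's code): snapshot a restored image's files and
# diff the snapshot after examination steps.  The sample tree is constructed.
import hashlib
import tempfile
from pathlib import Path

def baseline(root: Path) -> dict:
    """Size, mtime, atime and SHA-256 of every regular file under root.  stat()
    runs before the hash read so the record holds pre-read times; on live media
    that read itself can bump atime, one reason to baseline a duplicate instead."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
    return snap

def compare(before: dict, after: dict) -> dict:
    """Classify each path by the narrowest change that explains the diff."""
    report = {}
    for rel in sorted(set(before) | set(after)):
        b, a = before.get(rel), after.get(rel)
        if a is None or b is None:
            report[rel] = "removed" if a is None else "added"
        elif b["sha256"] != a["sha256"]:
            report[rel] = "content-changed"
        elif (b["size"], b["mtime_ns"]) != (a["size"], a["mtime_ns"]):
            report[rel] = "metadata-only"      # same bytes, timestamps moved
        elif b["atime_ns"] != a["atime_ns"]:
            report[rel] = "accessed-only"      # only a read happened
        else:
            report[rel] = "unchanged"
    return report

def demo() -> dict:
    """Constructed tree: one file only viewed, one edited, one untouched.  Whether
    a read shows as accessed-only depends on the mount (noatime/relatime) and, on
    Windows, on the NTFS last-access-update setting."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in (("hosts", b"127.0.0.1 localhost\n"),
                           ("setup.log", b"start\n"), ("readme.txt", b"hi\n")):
            (root / name).write_bytes(data)
        before = baseline(root)
        (root / "hosts").read_bytes()                   # "just viewing" a file
        with (root / "setup.log").open("ab") as f:      # an intrusive step
            f.write(b"examined\n")
        return compare(before, baseline(root))
```

Run on a restored image, the same two calls around each examination step give a per-file record of what your own tooling touched versus what the intruder left behind.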

Get Incident Response & Computer Forensics, 2nd Ed., 2nd Edition now with the O’Reilly learning platform.
