Introduction

Often referred to as “Deadbox” forensics, this part of the examination focuses on locating any artifacts, malware, registry keys and any other evidence that can be found on the host or “victim” machine. You may here the initial point of infection referred to as “ground zero.” In this chapter we will examine the more common locations where evidence may be found. Today’s forensic tools are now capable of analyzing machines over the network “live,” which sort of eliminates the entire “deadbox” nickname. The results are the same none the less. EnCase[1], X-Ways[3], and FTK[2] are the more common computer forensic applications in use today. There are others, such as Paraben Enterprise Pro[6], ProDiscover[7], Autopsy ...