Forensic Investigation: An Example
In the following section, you will learn the basics of forensic analysis using FTK. Since we have already discussed imaging, we will start from a previously acquired forensic image and perform an analysis that includes:
- Import of the data into FTK, including indexing and case management
- Evidence of the data leakage
- Email communication with third parties about the files
- Web browser information pointing to anti-forensic activities
- Evidence of application installs
- Evidence of filesystem changes, including renaming files
Remember that a full forensic examination of a system can involve more tasks than those listed here and that the scope and direction of the investigation will help to determine what those tasks are. You are also likely to encounter additional clues that will point you in new directions for forensic examination as you explore a system image.