The Understanding the Digital Forensics Profession and Investigations lab provides you with the instructions and devices to develop your hands-on skills in the following topics:
- Acquiring an Image of Evidence Media
- Analyzing Your Digital Evidence
- Hands-On Project 1-1
- Hands-On Project 1-2
- Hands-On Project 1-3
- Hands-On Project 1-4
- Hands-On Project 1-5
- Hands-On Project 1-6
Exercise 1 - Acquiring an Image of Evidence Media
After you retrieve and secure the evidence, you’re ready to copy the evidence media and analyze the data. The first rule of digital forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data—the image of the original medium. Several vendors provide MS-DOS, Linux, and Windows acquisition tools. Windows tools, however, require a write-blocking device (discussed in Chapter 3) when acquiring data from FAT or NTFS file systems.
Exercise 2 - Analyzing Your Digital Evidence
When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space—meaning it can be used for new files that are saved or files that expand as data is added to them.
The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as ProDiscover Basic can retrieve deleted files for use as evidence.
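How a recovery tool can locate deleted files on a FAT volume, as an added example that is not part of the original lab text: FAT marks a deleted file by overwriting the first byte of its 32-byte directory entry with 0xE5, leaving the start cluster, size and data in place. This goes beyond the text by parsing that on-disk layout; the directory bytes and the names `make_entry`, `list_deleted` and `SAMPLE_DIR` are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5         # first name byte of a deleted entry
END_OF_DIR = 0x00      # first name byte when no further entries follow
ATTR_LFN = 0x0F        # long-file-name entry, not a file of its own
ATTR_VOLUME_ID = 0x08  # volume label entry

def make_entry(name, ext, start_cluster, size, deleted=False):
    """Build a constructed 32-byte short-name entry for the sample data."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    # attr (archive), 8 reserved/time bytes, cluster high, time, date, cluster low, size
    return raw + struct.pack("<B8sHHHHI", 0x20, b"\x00" * 8,
                             start_cluster >> 16, 0, 0, start_cluster & 0xFFFF, size)

def list_deleted(directory):
    """Return (name, start_cluster, size) for each deleted short-name entry."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        attr = entry[11]
        if entry[0] != DELETED or attr == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue
        hi, = struct.unpack_from("<H", entry, 20)   # high word is used on FAT32
        lo, size = struct.unpack_from("<HI", entry, 26)
        # The first character was overwritten by the 0xE5 marker; show it as "?"
        base = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        found.append((f"{base}.{ext}" if ext else base, (hi << 16) | lo, size))
    return found

# Constructed directory region: one live file, two deleted files, end marker
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 5, 20480)
    + make_entry("LETTER", "TXT", 12, 1500, deleted=True)
    + make_entry("PHOTO", "JPG", 70000, 48213, deleted=True)
    + bytes(ENTRY_SIZE)                                   # end-of-directory marker
    + make_entry("STALE", "TMP", 3, 10, deleted=True)     # past the marker: not listed
)

if __name__ == "__main__":
    for name, cluster, size in list_deleted(SAMPLE_DIR):
        print(f"{name:12} start cluster {cluster:6} size {size} bytes")
```

Run it only against a copy of the image, never the original medium; whether the listed clusters still hold the file's data depends on whether they have been reallocated since deletion.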