[FoRK] electronic forensics

Reese <howell.r at inkworkswell.com> on Fri Dec 15 22:11:33 PST 2006

I'm curious what is entailed in a forensic examination of a hard drive.

I've heard that people with electron microscopes can pull things off of
a platter that have been overwritten several times but gee, how many
of these garden variety places* advertising their forensics services
can afford one of those and all it entails?

So they are presumably using some software solution, perhaps even hex
editing programs. What software though? Do these software solutions
have names? Browser history records, cookies, cache files, all the
usual places the OS will let you store files at. What else is there
to know about doing a forensic exam on a hard drive? The odd program
that will let the user save a file in an unusual place? Which programs
do that? And which programs check for existence of things like that?

Presumably, forensics examinations differ from simply data recovery in
that there are chain of evidence protocols and added documentation
requirements on what is found, as well. Is there more?


*- Google it, they are legion and they clutter search results like the
many pieces of straw in a haystack concealing a few grains of rice.
