Hard Drive Investigation


The database administrator's machine will be trickier, as it is already believed to be infected with malware. Well-written malware wants to persist on the host and may watch for forensic activity (imaging tools being run, unusual processes starting) and react by deleting itself or destroying data. The first step, drawing on the assessment above, is to decide whether the machine can be shut down safely without losing data; volatile memory and any mounted encrypted volumes, for example, are gone or locked once the power is cut. Whatever data can be collected live should be documented and weighed before moving on.
Assuming the machine can be shut down cleanly and without alerting the malware to the investigation, the following steps should be taken to image the hard drive:
1. Safely remove the hard drive, or at least open the computer case far enough to reach it. Work on an anti-static mat with everything grounded, especially once the evidence drive comes out of its anti-static bag.
2. With the forensic workstation powered off, connect the evidence drive through a professional hardware write-blocker so the evidence cannot be altered or tampered with during imaging.
3. Power on the forensic workstation.
4. Before making an image, compute a hash of the evidence drive (MD5 or SHA; SHA-256 is the better choice since MD5 collisions are practical today, and recording both is common) and document everything.
5. Using EnCase, FTK Imager or any other …
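The hashing and imaging in steps 4 and 5 can be scripted so that the hash taken before imaging, the hash of the bytes read during the copy and the hash of the finished image file are compared automatically and written to a custody log. The Python below is an added example, not code from the original page or from EnCase/FTK Imager. It assumes a hardware write-blocker already sits between the workstation and the evidence device (opening the device read-only is no substitute for one), and that the device path, case ID and examiner name are supplied by the caller; the evidence it images when run directly is a constructed file standing in for a block device.

```python
import hashlib
import json
import os
import time

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-terabyte drive never has to fit in memory
ALGORITHMS = ("md5", "sha256")  # record both: MD5 for legacy tool compatibility, SHA-256 for integrity


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(path):
    """Hash a device node or file in a single pass, opened read-only.
    Read-only here only keeps this program from writing; the hardware
    write-blocker (assumed, not provided by this code) is what keeps the
    operating system from touching the evidence."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def image_device(source, image_path):
    """Bit-for-bit copy of source to image_path. The bytes are hashed as they
    are read, so the returned digests describe exactly what the copy saw."""
    hashers = _new_hashers()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return _digests(hashers)


def acquire(source, image_path, log_path, case_id, examiner):
    """Steps 4 and 5 of the procedure: hash the evidence before imaging, image
    it, hash the finished image file, and append one audit record. All three
    hash sets must agree; if they do not, the acquisition is not usable."""
    pre = hash_stream(source)
    during = image_device(source, image_path)
    post = hash_stream(image_path)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": str(source),
        "image": str(image_path),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size_bytes": os.path.getsize(image_path),
        "hash_before_imaging": pre,
        "hash_of_bytes_read": during,
        "hash_of_image_file": post,
        "verified": pre == during == post,
    }
    with open(log_path, "a") as log:  # append-only custody log, one JSON line per acquisition
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError(f"hash mismatch during acquisition of {source}; see {log_path}")
    return record


def verify_image(image_path, record):
    """Re-hash an image later (for instance before a copy is opened in a VM)
    and compare it with the acquisition record. True only if every algorithm matches."""
    return hash_stream(image_path) == record["hash_of_image_file"]


if __name__ == "__main__":
    import random
    import tempfile

    # Constructed stand-in for a device such as /dev/sdX: ~3 MiB of pseudo-random bytes.
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence.raw")
    with open(evidence, "wb") as f:
        f.write(random.Random(7).randbytes(3 * 1024 * 1024 + 123))
    rec = acquire(evidence, os.path.join(work, "evidence.dd"),
                  os.path.join(work, "custody.jsonl"), "CASE-0001", "examiner")
    print(json.dumps(rec, indent=2))
    print("image still verifies:", verify_image(rec["image"], rec))
```

Run it as `python acquire.py` after replacing the constructed evidence file with the write-blocked device path. Hashing the source twice (once before the copy and once as it is read) costs a full extra pass over the drive, but it is what lets the log show that the device did not change between the documented hash of step 4 and the image of step 5; `verify_image` is the check to repeat before every later use of the image.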

A copy of the image file, never the original, should be opened in a virtual environment that matches the notes from the initial investigation of this computer. From there, the most efficient starting point is the Windows registry. A forensic investigator can group the valuable data in the Windows registry into five categories: system information, application information, network information, attached devices and history lists (Alghafli, Jones, & Martin, 2014). This gives the investigator a good idea of whether the initial assessment of this computer is accurate and whether more or less time should be spent on it. It is also a good idea to have a physical Windows machine that can be built as a backup, as some malware can detect
