Monday, August 31, 2009

Analysis of Digital Evidence

Examination
  • Start a script with time, name and date.
  • Examine the partition and directories on the hard drive.
  • Use a hex editor to view suspect areas.
  • Search for terms related to the case.
  • Retrieve deleted files.
  • Check unallocated and slack space.
  • If evidence is found, specify the cylinder, head and sector where it was located.
Authenticate your recovered evidence.
  • Create an electronic hash of all electronic evidence.
  • Use MD5SUM, SHA or Tripwire.
Analyze the data without modifying it.
  • Make two backups of the original data.
  • Perform a bit-by-bit (bit stream) backup.
  • Create a hash of each backup prior to analysis.
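The acquisition and authentication steps above (start a timestamped log, hash the original, take two bit-stream copies, hash each copy before analysis), carried through as a shell script. This is an added example, not from the original post; it assumes a POSIX sh with dd, sha256sum and md5sum, and the file names and examiner name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): acquire two bit-stream copies of an
# evidence source, hash the source and each copy, and record everything in a
# timestamped log. Assumes POSIX sh with dd, sha256sum and md5sum; the examiner
# name and file names are placeholders.
set -u

# acquire_and_verify SOURCE WORKDIR
# Creates WORKDIR/image1.dd and WORKDIR/image2.dd from SOURCE, hashes all three,
# and appends to WORKDIR/examination.log. Returns 0 only if every hash matches.
acquire_and_verify() {
    src="$1"; work="$2"
    log="$work/examination.log"
    mkdir -p "$work"
    # Start the script with time, examiner name and date.
    printf 'examiner=%s start=%s source=%s\n' "${EXAMINER:-examiner-placeholder}" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" >>"$log"
    # Hash the original first, before any other tool touches it (two algorithms,
    # as the checklist suggests).
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    printf 'source sha256=%s md5=%s\n' "$src_hash" "$src_md5" >>"$log"
    # Two bit-stream copies. conv=noerror,sync keeps going past unreadable blocks
    # and zero-fills them so offsets stay aligned. Because conv=sync pads short
    # blocks to bs, bs must equal the sector size (512 here) or the image grows
    # and its hash will never match the source.
    for n in 1 2; do
        img="$work/image$n.dd"
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
        img_hash=$(sha256sum "$img" | cut -d' ' -f1)
        printf 'image%s sha256=%s\n' "$n" "$img_hash" >>"$log"
        # A copy whose hash differs from the source is not usable evidence; stop.
        if [ "$img_hash" != "$src_hash" ]; then
            printf 'MISMATCH image%s\n' "$n" >>"$log"
            return 1
        fi
    done
    # Re-hash the source to show that acquisition itself did not alter it.
    [ "$(sha256sum "$src" | cut -d' ' -f1)" = "$src_hash" ] \
        || { printf 'SOURCE CHANGED\n' >>"$log"; return 1; }
    printf 'end=%s status=verified\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    return 0
}
```

Run it against a device node or image file; the log it produces is the record that the copies you analyze are identical to what was seized, and a mismatch means the copy must be discarded, not repaired.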
