Key Takeaways

  • Hard Drives remember: When you delete a file, the computer just marks the space as "available." The data remains there until it is overwritten. Forensics tools recover this.
  • RAM analysis: Investigators can freeze a computer's memory (RAM) and extract passwords, encryption keys, and open chat windows even if they were never saved to disk.
  • Chain of Custody: In a legal case, you must prove the hard drive wasn't tampered with between the seizure and the court. Evidence bags and logs are crucial.

CSIRT (Computer Security Incident Response Team) are the firefighters. Forensics analysts are the arson investigators who figure out how the fire started.

The Forensics Process

1. Identification & Preservation

Isolate the infected computer. Don't turn it off! (You lose RAM data). Instead, pull the internet plug.

2. Collection (Disk Imaging)

Use a "Write Blocker" hardware. This ensures that when you copy the Hard Drive, you don't accidentally write a single bit of data to it. You create a bit-for-bit clone image.

3. Analysis

Use tools like Autopsy or EnCase to analyze the image. Look for:
- Metadata (EXIF data in photos).
- Browser History (even Incognito mode leaves traces in DNS cache).
- Windows Registry (connect USBs history).

Steganography

Hackers sometimes hide stolen data inside innocent-looking JPEGs (pictures of cats). Forensics tools can detect slight color variations that betray hidden binary code.

Frequently Asked Questions (FAQ)

Can wiping a drive stop forensics?
Yes, if done correctly (DBAN, multiple overwrites with random 0s and 1s). Physical destruction (shredding) is best. Standard formatting is useless.
What is Metadata?
Data about data. A photo file contains the image, but the metadata contains the GPS coordinates, phone model, and time it was taken. This catches many criminals.

Learn how software is cracked.
Read Reverse Engineering