During the preparation phase, the investigative team discussed that it might not be possible to shut down one of the workstations and get a cold image of the hard drive.
Someone suggested that a live image analysis be performed, but not everyone was familiar with why this would work or with the benefits associated with this technique.
- Describe a live image analysis and what information may be retrieved versus a situation where the system is shut down.
- Describe the types of information that you would be required to include in your report for a live image analysis.
- During the analysis phase, it was determined that the following programs were used:
  - Windows 7 Operating System
  - Internet Explorer
  - Outlook e-mail
Describe the exact investigative techniques that you would use to analyze the users’ information, habits, and history for each program. Explain the reasons for your selected techniques.
The level of detail does not need to be at the bit level, but there is enough information to talk about the directories and objects that should be reviewed for each program.
Remember to address the forensic evidence you might find relating to an employee’s use of these programs, not how the program itself operates. You should make references to specific directories, files, file types, registry entries, and log files that point to sources of forensic evidence.
The 12-16 slide PowerPoint presentation should include the following:
- Title Slide (1)
- Topics of Discussion Slide (1)
- Windows 7 Operating System (3 slides)
- Internet Explorer (3 slides)
- Outlook e-mail (2 slides)
- Photoshop (2 slides)
- Office (3 slides)
- References Slide (1)