=== Techniques ===
Various techniques are used in computer forensic investigations, including:
; Cross-drive analysis
: This technique correlates information found on multiple [[Hard drive|hard drives]], such as e-mail addresses or other identifiers that recur on more than one drive, and can be used to identify [[social networks]] or detect anomalies.<ref>{{Cite journal |last=Garfinkel |first=Simson L. |date=2006-09-01 |title=Forensic feature extraction and cross-drive analysis |journal=Digital Investigation |series=The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06) |language=en |volume=3 |pages=71–81 |doi=10.1016/j.diin.2006.06.007 |issn=1742-2876 |doi-access=free}}</ref><ref>{{Cite journal |last1=David |first1=Anne |last2=Morris |first2=Sarah |last3=Appleby-Thomas |first3=Gareth |date=2020-08-20 |title=A Two-Stage Model for Social Network Investigations in Digital Forensics |url=https://dspace.lib.cranfield.ac.uk/bitstream/1826/15732/4/Two-Stage_Model_for_Social_Network_Investigations_in_Digital_Forensics-2020.pdf |journal=Journal of Digital Forensics, Security and Law |volume=15 |issue=2 |doi=10.15394/jdfsl.2020.1667 |issn=1558-7223 |s2cid=221692362 |doi-access=free}}</ref>
; Live analysis
: The examination of a computer from within its running operating system, using forensic or existing [[sysadmin tools]] to extract evidence. This technique is particularly useful for dealing with [[Encrypting File System|encrypting file systems]], where the encryption keys can be retrieved from memory while the system is running, and for imaging the logical volume (a live acquisition) before the computer is shut down. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.<ref>https://espace.curtin.edu.au/bitstream/handle/20.500.11937/93974/Adams%20RB%202023%20Public.pdf?sequence=1&isAllowed=y</ref>
; Deleted files
: A common forensic technique involves recovering deleted files. Most [[Operating system|operating systems]] and [[File system|file systems]] do not erase the physical file data when a file is deleted, only the metadata that references it, so investigators can reconstruct the file from the physical [[Disk sector|disk sectors]] until they are overwritten. Forensic software can "carve" files by searching unallocated space for known file headers (and footers) and reconstructing the data that lies between them.
; [[Stochastic forensics]]
: This method leverages the stochastic properties of a system to investigate activities that leave no traditional digital artifacts, and is often useful in cases of [[data theft]].
; [[Steganography]]
: Steganography involves concealing data within another file, such as hiding illegal content within an image. Where the hash of the original, unmodified file is known, investigators can detect such tampering by comparing it with the hash of the suspect file, since any embedded data changes the file's hash; a mismatch shows only that the file was altered, not what was hidden in it.
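The correlation step of cross-drive analysis, as an added example that is not code from the article or from the cited papers: it extracts e-mail addresses and Luhn-valid card numbers from constructed stand-in drive contents (the <code>DRIVES</code> dictionary, its drive names and every sample value are hypothetical), records which drives each feature appears on, and scores drive pairs by the number of features they share. All function names are assumptions for the example.

```python
"""Cross-drive analysis: extract identifying features from several disk
images and correlate them across drives.  Added example, not from the
article; the drive contents are constructed inline as stand-ins for the
raw images an investigator would scan."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample images: drive name -> raw bytes found on it (hypothetical).
DRIVES = {
    "drive_A": b"From: Alice@example.org\r\nTo: bob@example.net\r\ncard 4111111111111111 exp 12/29",
    "drive_B": b"mailto:bob@example.net ... alice@example.org ... 4111 1111 1111 1111",
    "drive_C": b"invoice query from carol@example.com; cc alice@example.org",
    "drive_D": b"fresh install; only support@vendor.example in the docs",
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CCN_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most random digit runs out of the card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(data: bytes) -> set:
    """Return a set of (kind, normalised value) features found in raw bytes."""
    feats = set()
    for m in EMAIL_RE.finditer(data):
        feats.add(("email", m.group().decode("ascii").lower()))
    for m in CCN_RE.finditer(data):
        digits = re.sub(r"[ -]", "", m.group().decode("ascii"))
        if luhn_ok(digits):
            feats.add(("ccn", digits))
    return feats


def cross_drive_index(drives: dict) -> dict:
    """Map each feature to the set of drives it was found on."""
    index = defaultdict(set)
    for name, data in drives.items():
        for feat in extract_features(data):
            index[feat].add(name)
    return dict(index)


def multi_drive_features(index: dict, min_drives: int = 2) -> dict:
    """Features seen on at least min_drives drives: the candidate links between them."""
    return {f: d for f, d in index.items() if len(d) >= min_drives}


def drive_pair_scores(index: dict) -> dict:
    """Score each drive pair by the number of features the two drives share."""
    scores = defaultdict(int)
    for drives in index.values():
        for a, b in combinations(sorted(drives), 2):
            scores[(a, b)] += 1
    return dict(scores)


if __name__ == "__main__":
    idx = cross_drive_index(DRIVES)
    for feat, drives in sorted(multi_drive_features(idx).items()):
        print(feat, "->", sorted(drives))
    for pair, n in sorted(drive_pair_scores(idx).items(), key=lambda kv: -kv[1]):
        print(pair, "shared features:", n)
```

On real images the extraction runs over every sector, allocated or not, and features that occur on almost every drive (a vendor support address, a default account) are down-weighted or dropped before pairs are scored, otherwise they link everything to everything.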
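File carving as an added example that is not code from the article or from any forensic tool: the disk image is constructed inline from a real minimal PNG, a JPEG-shaped stand-in and a PNG whose footer was overwritten, and the carver recovers files by header/footer signature, treats a header with no reachable footer as a truncated file, hashes what it carves and verifies the chunk CRCs of each carved PNG. The <code>IMAGE</code>, <code>PNG1</code>, <code>JPEG1</code> and <code>ORPHAN_PNG</code> values, the <code>SECTOR</code> size and all function names are assumptions for the example.

```python
"""File carving by header/footer signatures over a raw disk image.
Added example (not from the article): the image is constructed inline
from a valid minimal PNG, a JPEG-shaped stand-in and a truncated PNG whose
footer was overwritten, so the carver's failure mode is exercised too."""
import hashlib
import struct
import zlib
from dataclasses import dataclass

SECTOR = 512   # assumed sector size for the constructed image


def png_chunk(tag: bytes, payload: bytes) -> bytes:
    """One PNG chunk: 4-byte length, tag+payload, CRC32 over tag+payload."""
    body = tag + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a small but valid 8-bit RGB PNG filled with one colour."""
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def pad_to_sector(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % SECTOR)


# Constructed image: a text sector, one intact PNG, one JPEG-shaped file and a
# PNG header whose remaining sectors were reused (no IEND follows it).
PNG1 = make_png(4, 4, (255, 0, 0))
JPEG1 = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
         + b"constructed JPEG stand-in, not a decodable picture" + b"\xff\xd9")
ORPHAN_PNG = b"\x89PNG\r\n\x1a\n" + b"truncated: remaining sectors were reused"
IMAGE = (pad_to_sector(b"FAKE-DISK-IMAGE sector 0 (constructed)") + pad_to_sector(PNG1)
         + pad_to_sector(JPEG1) + pad_to_sector(ORPHAN_PNG))

# (header, footer) signatures; the PNG footer is the IEND tag plus its fixed CRC
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    truncated: bool

    @property
    def sha256(self) -> str:          # carved output is hashed for the evidence record
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, max_len: int = 8 * 1024 * 1024) -> list:
    """Recover files whose header signature is found anywhere in the image."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            body = start + len(head)
            next_head = image.find(head, body)                  # next file of the same type
            end = image.find(foot, body, start + max_len)
            if end < 0 or 0 <= next_head < end:
                # No footer, or the only footer belongs to a later file: the
                # file is truncated, so keep only what lies before the next header.
                stop = next_head if next_head >= 0 else min(len(image), start + max_len)
                found.append(Carved(kind, start, image[start:stop], True))
                pos = body
            else:
                found.append(Carved(kind, start, image[start:end + len(foot)], False))
                pos = end + len(foot)
    return sorted(found, key=lambda c: c.offset)


def png_crcs_ok(data: bytes) -> bool:
    """Walk the chunk list of a carved PNG and verify every chunk CRC up to IEND."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    i = 8
    while i + 12 <= len(data):
        length = struct.unpack(">I", data[i:i + 4])[0]
        if i + 12 + length > len(data):
            return False                                        # chunk runs past the data
        body = data[i + 4:i + 8 + length]
        crc = struct.unpack(">I", data[i + 8 + length:i + 12 + length])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return False
        if body[:4] == b"IEND":
            return True
        i += 12 + length
    return False


if __name__ == "__main__":
    for c in carve(IMAGE):
        print(c.kind, "at", c.offset, "bytes", len(c.data), "truncated" if c.truncated else c.sha256,
              "crc ok" if c.kind == "png" and png_crcs_ok(c.data) else "")
```

Signature matching alone produces false positives on real media (a JPEG end marker inside random data, fragmented files whose header and footer are not contiguous), which is why carved output is validated against the format's internal structure, as the CRC walk does here, and recorded with its hash.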