Need help with a computer forensics discussion

This week you are reading and watching about the forensic tools used by Computer Forensics Examiners. While the two most popular tools are Guidance Software's EnCase and AccessData's FTK,
there are other tools that are available and should be part of your toolbox. Once you have properly
identified and collected digital evidence, the next step is to analyze it. It does not really matter if you are
performing analysis as part of a criminal investigation or as part of a corporate investigation; you should
always follow the same protocols.
An emphasis in this course is on helping you understand why using an analysis protocol is important. It
goes back to our discussion in week one regarding best practices and industry standards. Remember,
you should NEVER, EVER work on original evidence if it can be avoided by any means; instead, use a
verified forensic image (one whose hash matches the hash taken of the original). When you work on the image, you pick the tools you will use. Again, it does not matter
which tool you actually use, as long as the tool is accepted by the forensic community and you are able
to testify to how the tool was validated as well as to the process you used in your examination.
During your analysis, you should document every step you take and all of your findings. Some tools have
a report function that works well to capture both the identified data and the date/time of your various
analyses. However, this should always be supplemented with your own notes and documentation.
For this week’s discussion, complete the following questions below in detail. Please discuss thoroughly
and substantively in your post. Additionally, respond in a thorough, substantive, intelligent way to at
least one of your fellow classmates that adds to our discussion and learning of this week’s topic!
1) Discuss in detail why you need to use a write blocker (either hardware or software) in your
examinations, whether for a criminal case or a corporate case.
2) Imagine you are a computer forensic examiner receiving a suspect hard disk drive from a detective in
your department. The drive was seized properly during a legally executed search warrant. The detective
signs the chain of custody log and hands you the drive. Your job is to accept the drive, conduct an
analysis, and maintain the drive until trial. Please explain the steps you would take, from receipt of the
evidence until testimony, including the reasons why you would take each step. For example, what would
you check for when you sign for the drive on the chain of custody document?
Helpful Resources:
* Andrew Hoog presents some data acquisition strategies if you want to get your hands dirty playing
around with digital forensics. This 55-minute video presentation will help you understand the
process of using forensic tools, the software, and what information you can gain in an examination.

* The SysAdmin, Audit, Network and Security (SANS) Institute is one of the largest information security
training and certification sources in the world today, and is globally recognized. In this paper you will
learn about the importance of volatile memory and the kinds of data that can be recovered. It further
discusses the issues involved in recovering data, including password-protected and encrypted volatile
data. https://www.sans.org/reading-room/whitepapers/forensics/paper/33049
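The two points the post keeps returning to, never touching the original and proving that the image you analyze is identical to it, reduce to a hashing discipline at acquisition time. The script below is an added illustration and is not part of the course materials or of any forensic tool; it uses a constructed 1 MiB file in place of a seized drive, `chmod 0444` as a stand-in for a write blocker, and plain `dd` plus `sha256sum`. On a real drive you would attach the disk behind a hardware write blocker (or, as a weaker software fallback on Linux, `blockdev --setro /dev/sdX`) and point `src` at the device node. The procedure hashes the original, images it, hashes the image, then hashes the original again: the first comparison shows the image is complete, the second shows the acquisition did not alter the evidence, which is exactly what a write blocker exists to guarantee and what a chain-of-custody entry should record.

```shell
#!/bin/sh
# Added example (not from the course page or any forensic product).
# Assumes POSIX sh, dd, sha256sum, date, mktemp. The "evidence" is a
# constructed file; a real acquisition would use a write-blocked device node.

# Hash both sides and append a timestamped line to the examiner's log.
# Returns 0 only if image == original and the original is unchanged.
verify_image() {
    src="$1"; img="$2"; log="$3"; src_before="$4"
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    src_after=$(sha256sum "$src" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_before" = "$img_hash" ] && [ "$src_before" = "$src_after" ]; then
        echo "$ts VERIFIED src=$src img=$img sha256=$img_hash" >> "$log"
        return 0
    fi
    echo "$ts MISMATCH src=$src img=$img src_before=$src_before img=$img_hash src_after=$src_after" >> "$log"
    return 1
}

# Acquire a bit-for-bit image of src into img and verify it.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"

    # Reference hash of the original, taken before anything else touches it.
    src_before=$(sha256sum "$src" | cut -d' ' -f1)
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) START src=$src sha256=$src_before" >> "$log"

    # conv=noerror,sync keeps reading past bad sectors and pads them with
    # zeros so offsets in the image still line up with the source. Note that
    # padding changes the hash: a drive with unreadable sectors will never
    # hash-match, and the log must say so rather than hide it.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null

    verify_image "$src" "$img" "$log" "$src_before"
}

# Constructed sample evidence (random bytes, exactly 256 x 4096 so no padding
# is added). chmod 0444 plays the role of the write blocker for a plain file.
make_sample() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
    chmod 0444 "$1"
}

# Stand-alone run: image the sample, then show the log.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_sample "$work/evidence.bin"
    acquire_and_verify "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    cat "$work/acquisition.log"
fi
```

Keep the log file itself outside the image and outside the evidence drive, and copy the hash values into the chain-of-custody form by hand as well; the form is what you will be asked about on the stand, and the tool's own report is a supplement to it, not a replacement.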
