Description: |
In digital forensic investigations, the general method of examining a suspect’s computer has been to duplicate or image the storage media and then obtain the case-related data from the copy. However, the increase in the capacity of storage media has made this method take much longer. Larger capacity also means that more data can exist on the suspect’s computer, so finding relevant data takes a lot of time and effort. Moreover, in cases where imaging the entire disk is not possible due to legal matters, selective acquisition of data is needed. In this paper, we propose methods for selective acquisition of file system metadata, registry and prefetch files, web browser files, and specific document files without duplicating or imaging the storage media. Furthermore, we suggest a method to analyze the acquired data stepwise and to quickly and effectively trace the use of the computer at the crime scene. |