Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved
Windows NTFS Log File
TMP, BAK and Spool Files
Windows Registry
Cookies
Application Metadata
Hidden Data
Shadow Data
Other Revealing Data
Contextual Analysis
Going, Going, Gone
Bit Stream Backup
Now What?
Forensic Imaging Should Be Routine
Answers to Frequently Asked Questions about Forensic Imaging
Steps to Preserve the Evidence
What’s It Going to Cost?
Who Pays?
Is Digital Different?
Shifting Costs: The Rowe and Zubulake Decisions
The Rough Road Ahead
Note to Readers:
This article focuses on technical matters impacting the cost, complexity and scope of
e-discovery, rather than the burgeoning case law. For extensive resources on
electronic discovery law, please look at other materials available at www.craigball.com
and visit the following helpful sites:
K&L Gates Electr<strong>on</strong>ic Discovery Law Site<br />
http://www.ediscoverylaw.com/<br />
Berkman Center for Internet & Society at Harvard Law School<br />
http://cyber.law.harvard.edu/digitaldiscovery/library.html<br />
Discovery Resources<br />
http://discoveryresources.org/<br />
For extensive links to further information about computer forensics, visit:
The Electronic Evidence Information Center
http://www.e-evidence.info/index.html<br />