Recently I was able to listen to a guest lecture by a chap working in the digital forensics field. There were a few interesting things to come out of the lecture. They are, in no particular order:

- document and timestamp everything you do - it doesn't matter if it's written down, or you use software, but you have to show the steps you went through to reach the conclusions you're putting forward
- EnCase is an industry favourite piece of software
- small cases can take you in surprising directions and you can go from a $40,000 fraud case and end up with a $250,000+ fraud case!
- recovering RAID arrays can be a trick - but you can image each disk and use EnCase to rebuild the array, which is pretty neat!
- you can't carve an SSD to recover data like you would a HDD

That last point is the one I want to mention. On a magnetic hard disk drive (the regular type of drive people have been using), when a file is deleted, it's removed from the File Allocation Table and the computer reco
Angus Beath's Blog - a jotting down of thoughts, handy to remember things and general BS about the world.