DIGITAL FORENSICS: How to gather Forensics Investigation Evidence using ProDiscover Forensics
ProDiscover Forensics is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.
This activity completes your analysis of the USB drive.
1. Double ProDiscover on desktop.
 |
ProDiscover Compute Forensics Software |
2.In the main window, click Action menu, click Capture Image.
The following steps will show how to acquire an image of drive E called USB. Please note that this drive is not an actual USB drive but a fixed drive on the computer.
Note: On the USB drive, locate the write-protect switch (if one is available) and place the drive in write-protect mode. Then connect the USB drive to your computer.
3. In the Capture Image dialog box, click the Source Drive list arrow, and select the drive E:\[USB] Click the >> button next to the Destination text box and click Choose Local Path.
Click Save to save the file.
4.When ProDiscover is finished, click OK in the completion message box.
Using ProDiscovery to analyze evidence
5.In the tree view of the main window, click to expand the Add item, and then click Image File.
click the InChp01-prac.eve file.Click Open.
6.Click to expand Images, and click the image filename path C:\Work\Chap01\Chapter\InChp01-prac.eve.
7.In the upper-right pane (the work area), click the tracking.log file to view its contents in the data area.
Analyzing data
8.In the Search dialog box, click the Content Search tab, if necessary.
Next, in the text box under the Search for the pattern(s) option button, type: win810
9.Under Select the Disk(s)/Image(s) you want to search in section, click C:\Work\Chap01\Chapter\InChp01-prac.eve (substituting the path to your work folder), and then click OK to start the search.
For each search you do in a case, ProDiscover adds a new tab to help catalog your searches.
Click tracking.
Creating a Report
10.In the tree view, click Report. The report is then displayed in the right pane.
11. To print the report, click File, Print Report from the menu.
12.On the Save As Print Output As dialog box, click in the File name box and type:
opens the report.
13. Click Action, Export from the menu.
14.In the Export dialog box, click the RTF Format option button, then click Browse.
Click Save.
15.Review the report, close OpenOffice Writer application when done.
No comments:
Post a Comment