Hello Everyone,
Let us start today's topic, but before that let me introduce some terms and concepts you must know to better understand it.
What is Digital Forensics?
Digital forensics is the branch of forensic science focused on the recovery and investigation of material found in digital devices, often in relation to computer crime. This involves the preservation, collection, examination, analysis, and presentation of electronic data in a manner that is admissible as evidence in a court of law.
What is Operating System Forensics?
Operating system forensics is a subfield of digital forensics that focuses on the investigation of computer operating systems and the artifacts they generate. It involves the examination of the underlying data structures, files, and system logs within an operating system to uncover evidence of criminal activity, malicious activity, or other events of interest. This requires a thorough understanding of the underlying operating system and its behavior, as well as the tools and techniques used to collect and analyze the data. The goal of operating system forensics is to identify and preserve the evidence of digital events in a manner that is admissible in a court of law.
Different Types of Data
In digital forensics, data is classified into two types according to its volatility:
- Volatile Data
- Non-Volatile Data
Volatile Data
Volatile data refers to information that is stored temporarily in a computer’s memory (RAM) and is lost when the power is turned off or the system is restarted. Examples of volatile data include system status information, running processes, open network connections, and the contents of memory-mapped files. Volatile data is considered important in digital forensics investigations because it can provide valuable information about the state of a computer system at a particular point in time, including information about what actions were taken and what programs were running. However, volatile data can be difficult to collect and preserve because it is ephemeral and often lost when a system is shut down or restarted.
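As an added example (not part of the original post), here is a PowerShell script that collects the volatile artifacts named above from a live Windows host in order of volatility and hashes each output file so the collection can be preserved and later shown to be unaltered; the output directory, file names and the Save-Artifact helper are assumptions.

```powershell
# Added example (not from the original post): a minimal volatile-data
# collector for a live Windows host. Artifacts are gathered from most to
# least volatile, and each output file is hashed so the examiner can show
# the collection was not altered afterwards. $OutDir is an assumption.
param(
    [string]$OutDir = "C:\IR\volatile_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'collection_log.txt'

# Hypothetical helper: runs a collector, writes CSV, records time and SHA-256
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $path  = Join-Path $OutDir "$Name.csv"
    $start = Get-Date -Format 'o'   # collector's own clock, ISO 8601
    try {
        & $Collector | Export-Csv -Path $path -NoTypeInformation
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        "$start`t$Name`tSHA256=$hash" | Out-File -FilePath $log -Append
    } catch {
        "$start`t$Name`tFAILED: $($_.Exception.Message)" | Out-File -FilePath $log -Append
    }
}

# 1. System status: host name, boot time, current time, OS version
Save-Artifact 'system_status' {
    Get-CimInstance Win32_OperatingSystem |
        Select-Object CSName, LastBootUpTime, LocalDateTime, Version
}
# 2. Running processes with parent PID, executable path and command line
Save-Artifact 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}
# 3. Open network connections tied to their owning process
Save-Artifact 'network_connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime
}
# 4. Logged-on sessions (lost at shutdown, like everything above)
Save-Artifact 'logon_sessions' {
    Get-CimInstance Win32_LogonSession |
        Select-Object LogonId, LogonType, StartTime, AuthenticationPackage
}
Write-Host "Volatile data written to $OutDir; see $log for timestamps and hashes."
```

Run it from an elevated prompt and write the output to removable or network storage rather than the suspect disk, so that collecting the evidence does not overwrite non-volatile data on the same system.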
Non-Volatile Data
Non-volatile data refers to information that is stored permanently or semi-permanently on a computer’s storage media (such as a hard drive or solid-state drive) and is not lost when the power is turned off or the system is restarted. Examples of non-volatile data include files, system configurations, and data stored in databases. Non-volatile data is considered important in digital forensics investigations because it can provide a historical record of activity on a computer system and can be used to reconstruct events that took place in the past. Non-volatile data is usually easier to collect and preserve than volatile data, and it can be analyzed to reveal patterns of activity and uncover evidence of criminal activity, malicious activity, or other events of interest.
Windows Forensics Methodology
- Collecting Volatile Data
- Collecting Non-volatile Data
- Windows Memory Analysis
- Windows Registry Analysis
- Cache, Cookie and History Analysis
- Event Log Analysis
- Metadata Investigation
- Windows File Analysis
See you in the next blog, where we will discuss the Collecting Volatile Data phase.
Link to part 2: https://hacklido.com/blog/273-windows-forensics-the-art-of-investigating-part-2