Analyzing System Storage

So far, the evidence we have analyzed has come from the network or from the system's memory. Even though an incident's root cause may be ferreted out from these sources, it is important to understand how to obtain evidentiary material from a system's storage, whether that is removable storage such as USB devices or the larger connected disk drives. These containers hold a massive amount of data that incident response analysts can leverage to determine a root cause. It should be noted that this chapter can only scratch the surface, as entire volumes have been devoted to the depth of forensic evidence that is available.

To provide a better understanding of analyzing system storage, this chapter will focus on the following topics:

  • Forensic platforms: There are a variety of commercial and open source platforms that we can use to conduct system storage analysis. This section will address the key features and potential options we have.
  • Autopsy: To provide you with an open source platform that can be leveraged in system storage analysis, the majority of this chapter will use the Autopsy tool. Some of its features will be highlighted by utilizing a test image.
  • Master File Table (MFT) analysis: Containing a comprehensive list of all the files on the system, the MFT is a key source of data for responders. This section addresses the extraction and analysis of the Master File Table.
  • Registry analysis: The registry is a favorite target of malware coders and other exploits, so responders should become familiar with registry analysis. An overview of the extraction and analysis of the registry will be addressed in this section.

System storage analysis is a complex process whose depth and breadth cannot be explored in a single chapter. We therefore hope that this chapter provides some concrete areas of focus, so that responders gain a better sense of some of the tools that can be employed, as well as an understanding of some of the critical data that can be leveraged.
