Understanding the analysis process
Once you have collected data from the scene and returned to your lab, it is time to start your forensic analysis. You can quickly become overwhelmed by the sheer amount of data held on storage devices, so you have to determine quickly whether the information contained within the storage containers is pertinent to your investigation. This is the point where the information gathered in the case information and legal issues step of the process plays an essential part.
Therefore, you have to capture the five Ws of the investigation (previously mentioned in Chapter 1, Types of Computer-Based Investigations). Tie the activity on the computer system to a specific user, and identify that user as a real-life person.
If the investigation already has a live suspect identified, you correlate that suspect with the user on the computer system. Some guidelines we are about to discuss can be done with...