Summary
In many ways, this chapter just scratches the surface of what information can be found by leveraging disk forensic tools. Exploring a disk image using Autopsy demonstrated some of the features that are available to responders. From here, extracting other data stores such as the Windows Registry and MFT were explored to provide responders with an idea of what data is available during an incident analysis.
Specific tools and techniques are largely dependent on the tool that’s utilized. What’s important to understand is that modern operating systems leave traces of their activity all over the disk, from file change evidence in the MFT to registry key settings when new user accounts are added. Incident responders should have expertise in understanding how modern operating systems store data and how to leverage commercial or freeware tools to find this data. Taken in concert with other pieces of evidence that are obtained from network sources and in memory, disk...