Performing a Forensic Analysis at the Physical and Logical Layers
1. Capture volatile information.
2. Document the hardware configuration of the system in the BIOS (take pictures of the screens, and also photograph how the system is connected).
3. Pull plug.
4. Transport system to a secure location.
5. Either work from a forensic duplicate (preferred), hashing all data on the duplicate, or do a live review of the system.
Media          Forensic Duplication Software
Floppy Disks   DOS 6.22 diskcopy command
Hard Disks     SafeBack, Norton Ghost, EnCase, dd
6. Document system date and time.
7. Make a list of keyword search terms to use during investigation.
8. Perform a physical analysis of the duplicate or media.

Looking for:                                                Tools:
Partition information, hidden partitions                    NTFSDOS
String search: all Web site URLs, all e-mail addresses,     StringSearch (http://www.maresware.com),
  keyword search strings, keywords within                   BinText, WinHex, Hurricane Trial (formerly ...)
  executables/binaries
Search for and extract files containing specific file       WinHex
  headers (e.g. a .JPG file that is named as another
  file type to hide its true file type)
File slack and free space                                   NTI file extraction tools
Deleted files                                               Norton Unerase
Examine and note the hard drive geometry.
Examine the partitions, making certain that all of the partitions and unallocated space add up to the total disk capacity; any shortfall points to a hidden partition. DOS's FDISK can be used to view FAT partitions, but you will need NTFSDOS or Partition Magic to view NTFS.
Swap files, unallocated space and file slack contain mostly binary information, which can be tedious to review. Slack space is random in nature, so you might find a logon name or password buried somewhere, or fragments of messages and documents. Slack can also be found on floppies and other media.
Shadow data is data that remains on the disk even after it has been erased or formatted. Shadow data requires very expensive, specialized equipment to
All recoverable deleted files should be restored. It is recommended that the first character of each restored file name (which the file system overwrote with hex E5 on deletion) is changed to "-" or another unique character, to enable easy identification later.
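As an added illustration of the hex E5 convention described above (example code written for this page, not one of the tools in the checklist), the following Python parses raw FAT 8.3 directory entries, lists deleted entries whose size and start cluster are still intact, and substitutes "-" for the destroyed first character. The directory bytes are constructed inline, not taken from a real disk.

```python
import struct

# One 32-byte FAT 8.3 directory entry (FAT12/16/32 share this layout):
# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4)
ENTRY_SIZE = 32
DELETED = 0xE5     # first name byte of a deleted entry
END_OF_DIR = 0x00  # first name byte 0x00 means no entries follow
ATTR_LFN = 0x0F    # long-file-name entries carry no 8.3 data


def make_entry(name, ext, size, cluster, deleted=False):
    """Build one constructed directory entry for the demo (not real disk data)."""
    raw_name = name.ljust(8).encode("ascii")
    if deleted:  # the filesystem overwrites only the first character on delete
        raw_name = bytes([DELETED]) + raw_name[1:]
    return (raw_name + ext.ljust(3).encode("ascii") + b"\x20" + b"\x00" * 10
            + struct.pack("<HHHI", 0, 0, cluster, size))


def parse_directory(blob):
    """Return (name, size, first_cluster, deleted) for each 8.3 entry in blob."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        # 0xE5 destroyed the first character; substitute "-" so restored
        # files are easy to spot later, as the checklist recommends.
        name = ("-" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        if ext:
            name += "." + ext
        cluster, size = struct.unpack("<HI", e[26:32])
        entries.append((name, size, cluster, deleted))
    return entries


def recoverable(blob):
    """Deleted entries that still point at data (non-zero size, valid cluster)."""
    return [e for e in parse_directory(blob) if e[3] and e[1] > 0 and e[2] >= 2]


# Constructed sample directory: one live file and two deleted ones.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 4096, 5)
              + make_entry("PHOTO1", "JPG", 81920, 9, deleted=True)
              + make_entry("NOTES", "TXT", 512, 31, deleted=True)
              + b"\x00" * ENTRY_SIZE)
```

Calling recoverable(SAMPLE_DIR) yields "-HOTO1.JPG" and "-OTES.TXT" with their sizes and start clusters; the live REPORT.DOC is reported by parse_directory but excluded from the recovery list.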
Extract a list of all Web site URLs and a list of all e-mail addresses on the computer, especially those that have been deleted, using WinHex.
9. Perform a logical analysis of the duplicate or media. A logical analysis attempts to reconstruct what the user(s) were doing at the PC. Typically, people will try to cover up their activities by hiding files, changing file extensions, deleting files, and through the use of encryption or steganography. Multiple file formats can even be combined into a single file (metadata; see link on site). Watch for unusual file paths that make it difficult to follow. Particularly noticeable with Trojan programs is that the files and processes running will either have been "trojaned" (check against trusted MD5 checksums) or will be using regular "system-type" names (e.g. novell.exe loading an FTP server).
Looking for:                                                         Tools:
Hidden files                                                         DOS attrib -h command; hfind.exe by JD Glaser
Search for file extensions                                           QuickView Plus (no ...)
Look for links to sites and other documents inside of ...            URLSerch
Examine file properties (created, modified, accessed)                filestat.exe by JD Glaser
  without changing the file properties data
Look for data hidden in the whitespace of documents                  BinText
Look for comments in Word documents displayed on screen              Manual inspection
Look for formulas in tables and other file names in ...              Manual inspection
Excel: look for hidden columns                                       Manual inspection
Database: Design View, look for links to other files                 Manual inspection
Look for spyware                                                     sfind.exe by JD Glaser
Look for hidden files                                                hfind.exe c:/