by: Rupert Schulist


This 3 page Class Notes was uploaded by Rupert Schulist on Friday October 2, 2015. The Class Notes belongs to CIT 3853 at Arkansas State University taught by Kirk Jones in Fall. Since its upload, it has received 23 views. For similar materials see /class/217720/cit-3853-arkansas-state-university in Computer Information Technology at Arkansas State University.

Date Created: 10/02/15
International Association of Computer Investigative Specialists

Forensic Procedures

Forensic Examination of Computers and Digital and Electronic Media

IACIS has established the following as a guide for forensic computer and digital evidence examinations. All computer and digital media examinations are different. The examiner must consider the totality of the circumstances as he/she proceeds. Therefore, not all components here may be needed in every situation, and examiners may need to adjust to unusual or unexpected conditions in the field.

Cases involving computers and other electronic devices are borderless. Multiple jurisdictions and agencies may be involved in investigative and analytical activities, and each agency or jurisdiction may employ specific procedures. This document therefore is not intended to supersede or conflict with jurisdiction or agency policies or procedures. Rather, it is a foundation document that outlines general principles.

Guide for Forensic Examinations

Computer system components and other electronic devices, including digital and electronic media, are items of evidence just like any other items of evidence. As such, it is incumbent upon the examiner to follow agency procedures for documenting the receipt and handling of the items.

The computer system and/or the media should be examined physically and an inventory of hardware components noted. Documentation should include a physical description and detailed notation of any irregularities, peculiarities, identifying markings and numberings.

When examining a computer, the system date and time should be collected, preferably from the [illegible]. The date and time should be compared to a reliable known time source and any differences noted. If the BIOS setup information is accessible, then drive parameters and boot order should be noted. Depending on the BIOS, other information such as system serial numbers, component serial numbers, hardware component hashes, etc. should be noted.

Examination of media should be conducted in a forensically sound examination environment. A forensically sound examination environment is one which is completely under the control of the examiner. No actions are taken without the examiner permitting them to happen, and when the examiner permits or causes an action, he/she can predict with reasonable certainty what the outcome of the action will be.

Examiners may choose to employ a forensically sound operating system. Physical write-blocking devices or software write-blocking devices may be used in operating system environments that are not forensically sound.

Conducting an examination on the original evidence media should be avoided. Rather, examinations should be conducted on a forensic copy of the original evidence or via forensic evidence files.

Properly prepared media should be used when making forensic copies to ensure no commingling of data from different cases. Properly prepared media is that which has been completely overwritten with a known character.

Regardless of whether the examiner performs a direct device-to-device copy of the media or creates forensic evidence copies for examination or restoration, the copy process should be forensically sound.

Examination of the media should be completed logically and systematically by starting where the data of evidentiary value is most likely to be found. These locations will vary depending on the nature and scope of the case. Examples of items to be noted might include:

- If the media is a hard drive, the number and type of partitions should be noted.
- If the media is an optical disc, then the number of sessions should be noted.
- File systems on the media should be noted.
- A full directory listing should be made, to include folder structure, filenames, date/time stamps, logical file sizes, etc.
- Installed operating systems should be noted.
- User-created files should be examined using native applications, file viewers or hex viewers. This includes such files as text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound and other multimedia files, etc.
- Operating system files and application-created files should be examined, if present. This would include, but is not limited to, boot files, registry files, swap files, temporary files, cache files, history files, log files, etc.
- Installed applications should be noted.
- File hash comparisons may be used to exclude or include files for examination.
- Unused and unallocated space on each volume should be examined for previously deleted data, deleted folders, slack space data, and intentionally placed data. Previously deleted filenames of apparent evidentiary value should be noted. Files may be automatically carved out of the unallocated portion of the unused space based upon known file headers.
- Keyword searches may be conducted to identify files or areas of the drive that might contain data of evidentiary value and to narrow the examination scope.
- The system area of the volume (i.e., FAT, MFT, etc.) should be examined and any irregularities or peculiarities noted.
- Examination of areas of the media that are not normally accessible, such as extra tracks or sectors on a floppy disk, or a host-protected area on a hard drive, may be required.

To facilitate examination of data, user settings, device and software functionality, etc., the computer may be booted using either a copy of the boot drive or by using a protected device on the original device to determine functionality of the hardware and/or software.

The forensic software used during the examination should be noted by its version and should be used in accordance with the vendor's licensing agreement. The software should also be properly tested and validated for its forensic use by the examiner or the examiner's agency.

At the conclusion of the examination process, sufficient notation of any discovered material of an apparent incriminating or exculpatory evidentiary nature should be made. Sufficient documentation should be made of all standard procedures and processes initiated, as well as detailed notation of any variations made to the standard procedures.

Any output of the recovered data should be properly marked with appropriate identifiers in accordance with policies from the examiner's agency.
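The guide's requirements that target media be completely overwritten with a known character and that the copy process be forensically sound can both be checked mechanically. The following is an added example, not part of the original notes or of the IACIS guide; the file names, the 0x00 fill value and the choice of SHA-256 are assumptions, and the temporary files stand in for real devices read through a write blocker.

```python
"""Check prepared media and verify a forensic copy (constructed sample files)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def first_unwiped_offset(path, fill=0x00):
    """Return the offset of the first byte that differs from `fill`, or None if wiped."""
    expected = bytes([fill]) * CHUNK
    base = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != expected[:len(chunk)]:
                return base + next(i for i, b in enumerate(chunk) if b != fill)
            base += len(chunk)
    return None


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def copy_and_verify(src, dst):
    """Copy src to dst, hashing the source as it is read, then re-read dst and compare."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(CHUNK):
            h.update(chunk)
            fout.write(chunk)
    src_hash, dst_hash = h.hexdigest(), sha256_file(dst)
    return {"source_sha256": src_hash, "copy_sha256": dst_hash, "match": src_hash == dst_hash}


def demo():
    """Constructed run: a wiped target, a target holding residue, and a verified copy."""
    with tempfile.TemporaryDirectory() as d:
        clean, dirty, src, dst = (Path(d, n) for n in ("clean", "dirty", "src.dd", "copy.dd"))
        clean.write_bytes(b"\x00" * 4096)
        dirty.write_bytes(b"\x00" * 3000 + b"old case data" + b"\x00" * 1083)
        src.write_bytes(bytes(range(256)) * 32)
        return first_unwiped_offset(clean), first_unwiped_offset(dirty), copy_and_verify(src, dst)
```

A non-None offset from `first_unwiped_offset` means the target still holds data from earlier use and should be wiped again before it receives a copy; both hashes belong in the examination notes.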
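The guide notes that files may be carved out of unallocated space based upon known file headers. The sketch below is an added example, not code from the original notes or from IACIS; it carves by header and footer signature over a constructed byte buffer standing in for unallocated space, and the signature table, the 1 MiB carve limit and all function names are assumptions.

```python
"""Header/footer carving over a raw buffer (sample data is constructed)."""
import hashlib

# (type, header, footer): the standard JPEG and PNG start and end markers.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_CARVE = 1 << 20  # stop looking for a footer 1 MiB past the header


def carve(buf):
    """Return one record per header found, in offset order, with offset, length and hash."""
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while (start := buf.find(header, pos)) != -1:
            end = buf.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                # Header with no footer in range: record it, do not guess a length.
                found.append({"type": name, "offset": start, "length": None, "sha256": None})
                pos = start + len(header)
                continue
            end += len(footer)
            data = buf[start:end]
            found.append({"type": name, "offset": start, "length": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def build_sample():
    """Constructed buffer: zero filler, one JPEG, one PNG, and a header with no footer."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"\x00" * 32
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + orphan


if __name__ == "__main__":
    for hit in carve(build_sample()):
        print(hit)
```

Recording the offset and hash of each carved object lets the recovered output be tied back to its location on the forensic copy in the examination notes.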

