
Chapter 4 Collection, seizing, and protecting evidence

Before shutting down a computer that is to be seized, check which processes and programs are running and photograph the screen. Commands such as netstat, net session, and openfiles show the computer's external network connections, who is connected to its shared resources, and which files are open remotely. Every command run on the live system changes its state, so record what was run and when. System memory can also be captured before shutdown with a tool such as OSForensics. After the capture, turn the computer off by pulling the power rather than shutting it down normally, because malware or a software configuration may delete temp or swap files during a normal shutdown. (Pulling the power discards whatever existed only in RAM, which is why memory is captured first; on a machine with full-disk encryption the decryption keys are among what is lost.) Once the evidence has been moved securely, record and photograph all configuration. Physical analysis looks for what is not visible through the file system (unallocated space, file slack), while logical analysis looks at the visible files and folders. Image acquisition can be done with Linux or Windows software.
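The live-response step above, as an added example that is not from the textbook or the course: a small collector that runs the volatile-state commands the page names (netstat, net session, openfiles) in order of volatility, saves each output to a collection folder, and writes a manifest with a SHA-256 per artifact so the outputs can later be shown to be unaltered. The Linux equivalents, the artifact names, and all function names are this example's own choices; memory capture is left to a dedicated tool as the text describes. The sample netstat output used by the test is constructed, not a real capture.

```python
"""Volatile-state collection before seizure, with an integrity manifest.

Run from trusted tooling on removable media, as Administrator/root.
Running it changes the target (new process, new files if you write to
the target disk): write to the removable media and note the time.
"""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first. Windows commands follow the page; Linux ones are
# this example's equivalents.
WINDOWS_COMMANDS = [
    ("network_connections", ["netstat", "-anob"]),
    ("smb_sessions", ["net", "session"]),
    ("open_files", ["openfiles", "/query", "/v"]),
    ("processes", ["tasklist", "/v"]),
    ("logged_on_users", ["query", "user"]),
]
LINUX_COMMANDS = [
    ("network_connections", ["ss", "-tunap"]),
    ("open_files", ["lsof", "-nP"]),
    ("processes", ["ps", "auxww"]),
    ("logged_on_users", ["who", "-a"]),
    ("arp_cache", ["ip", "neigh"]),
]


def commands_for(system: str):
    """Pick the command list for platform.system() output ('Windows', 'Linux', ...)."""
    return WINDOWS_COMMANDS if system.lower().startswith("win") else LINUX_COMMANDS


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_command(argv):
    """Default runner: execute argv, return (combined output bytes, return code)."""
    proc = subprocess.run(argv, capture_output=True, timeout=120)
    return proc.stdout + proc.stderr, proc.returncode


def collect(out_dir, commands, runner=run_command, examiner="examiner"):
    """Run each command, store its output, and return the manifest (also written to disk).

    `runner` is injectable so the logic can be exercised offline with canned output.
    A command that is missing or hangs is recorded as a failed artifact, not skipped,
    so the record shows it was attempted.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "examiner": examiner,
        "hostname": platform.node(),
        "started_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": [],
    }
    for name, argv in commands:
        collected = datetime.now(timezone.utc).isoformat()
        try:
            output, rc = runner(argv)
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            output, rc = f"collection failed: {exc!r}".encode(), -1
        path = out_dir / f"{name}.txt"
        path.write_bytes(output)
        manifest["artifacts"].append({
            "name": name,
            "command": " ".join(argv),
            "file": path.name,
            "size": len(output),
            "sha256": sha256_bytes(output),
            "return_code": rc,
            "collected_utc": collected,
        })
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir):
    """Recompute every hash in manifest.json; return names of artifacts that no longer match."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    return [
        art["name"]
        for art in manifest["artifacts"]
        if sha256_bytes((out_dir / art["file"]).read_bytes()) != art["sha256"]
    ]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "triage_out"
    m = collect(target, commands_for(platform.system()))
    print(f"{len(m['artifacts'])} artifacts in {target}; mismatches on verify: {verify(target)}")
```

Pair the manifest with the photographs of the screen: the `collected_utc` stamps and hashes are what let you testify later that the printed output is what the machine showed at seizure time.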

