Hard Drive Collection and Analysis

• Make image copies of drives FIRST!

• Mount file partitions or images "read-only"

• Use tools, like TCT, Task, or Autopsy, to examine MAC times for recent anomolus activities

• Use tools like TCT to examine the free space and slack space of the file system for clues

• Compare system images to known good baselines

• Identify root-kits and other malware left behind

• If you have a restartable image, reactivate an image on identical hardware and document its behavior

• Document, document, document, everything

Notes: