SHUTTING DOWN THE SYSTEM
We are finally ready to start the traditional dead analysis process. We have now progressed to the next block in our high-level process, as shown in Figure 4.1. If some time has passed since you performed the initial scans and live analysis captures described in the preceding chapters, you may wish to consider rerunning some or all of the scripts.
FIGURE 4.1
High-level forensic incident response process.
As you prepare to shut down the system for imaging, you are faced with a decision: perform a normal shutdown or pull the plug. As with many things in forensics, there is no single right answer to this question for every situation. The investigator must weigh the pluses and minuses of each option.