Forensic methodology for Windows 7 and Windows 8
Σούλας, Μάριος Β.
Subject: Forensic genetics -- Computer programs ; Internet -- Security measures ; Windows (Computer operating systems)
This thesis proposes a methodology for digital data analysis in Windows 7 and Windows 8 environments. The aim of this research is to map out how the analyst should think and how he should modify the available tools so that they fully fit his operational needs. When a new version of an operating system is released, the analyst's adaptation is usually difficult. Through this work we try to model a proper way of thinking, so that the analyst can make a full and smooth transition to the new version. In order to follow a specific forensics plan, one must first break the methodology into small independent processes. After that, one must decide which tools to use in each process. The forensics methodology follows a basic rule, namely that we should make as few changes as possible to the system under review. The first step is to make sure that we have an incident. We achieve that with the process of incident handling (response). After we ascertain that we have an incident, we move on to the next steps, which are making copies of the memory, the registry and the hard disk. By using the mirror tool, we take a copy of the memory in order to make as few changes to the system (memory) as possible. We use other tools for the registry and hard disk copies. The work finishes with the analysis of the memory, the registry and the hard disk. This thesis is structured as follows: first, we discuss the tools and the working environment chosen for this particular research. Second, the methodology is applied to the Windows 7 operating system. After that, the tools we use are modified and applied again to the Windows 8 operating system. In conclusion, we compare our results between these two operating systems.