Saturday, December 11, 2010

Computer Forensic Hard Drive Imaging Process Tree with Volatile Data collection

Following up on my previous post, here is an updated decision tree to include volatile data collection as well as a few of the suggestion I received by email/comments.

Click on the image below to view/download a large version, or click here.

As before, the focus of this decision tree is not to list every possible combination of scenarios, but to show some of the basic options that are available and remind examiners about things to think about when imaging. 

Feel free to add comments and suggestions below.


Jonathan Krause Sunday, 12 December, 2010  

The image above is too small to read. Clicking on the larger image gives an image that is way too big to be managable. Any chance of reproducing the image somewhere between tiny and enormous? Thanks.

Lance Mueller Sunday, 12 December, 2010  


Sure, here are the steps to get a smaller version.

1. Save original version to your desktop
2. Open in Paint (included with Windows), load saved image
3. Click on resize
4. Choose appropriate percentage somewhere between tiny and enormous
5. Save


Rob Dewhirst Sunday, 12 December, 2010  

The decision symbol (diamond) in a flowchart typically holds the questions, not the decision. The corners lead to decisions and the decision is labeled on the flow, not the symbol.
Look at the example in the wikipedia Flowchart entry if this is confusing. Using that format would reduce the size of the chart significantly. It is also much easier to read because you don't have to follow the flow in both directions and then backtrack to see the answers and evaluate the decision.

SS Monday, 13 December, 2010  

Hi Lance, great job.

Reading your process tree, three suggestions come to my mind:

1) in the fork "workstation" and "server", you may want to add *laptop* (procedure: remove battery first and then -> pull the plug,etc .. (= workstation..)

2) if the computer is running, take picture of screen (before the "volatile data" decision / for unlocked or locked)

3) after last action (verify the image), you might want to include the bag and tag procedures, so your process can adjust well with physical chain of custody procedures.

Greetings from Brazil,

Sandro Süffert, CTO Techbiz Forensics

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles