
ewfacquire in action

root@zed:~/Public/images# ewfacquire /dev/sda


ewfacquire 20140608

Device information:
Bus type:
Vendor:
Model:
Serial:

Storage media information:


Type: Device
Media type: Fixed
Media size: 25 GB (25769803776 bytes)
Bytes per sector: 512

Acquiry parameters required, please provide the necessary input


Image path and filename without extension:

Important tools:
ewfacquire, mmls, icat, fls, fsstat

2. Digital forensic discipline and procedures


forensic = procedure (must be presentable in court)
investigation = result (the outcome, leading to concrete / strong evidence)

Steps of forensics:
- prepare
- securing the scene
- survey and recon (documentation)
- communication shielding
- evidence collection
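The evidence-collection step above, as an added example that is not part of these notes: a bit-for-bit copy of a constructed stand-in "device", hashed before and after imaging, with a chain-of-custody log line. dd and sha256sum stand in for ewfacquire (which hashes the source while imaging and stores the digest in the image metadata); the scratch directory, file names and the unattended ewfacquire invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: verifiable evidence collection.
# dd + sha256sum stand in for ewfacquire; the rule being demonstrated is the
# same either way: hash(source) must equal hash(image), and both hashes go into
# the custody record. An unattended ewfacquire run looks roughly like
#   ewfacquire -u -t "$WORK/evidence" -d sha256 /dev/sda
# (flags as assumed here; confirm against ewfacquire -h on your version).

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed stand-in for a physical device: 1 MiB of random bytes.
make_source() {
    dd if=/dev/urandom of="$WORK/source.dev" bs=1024 count=1024 2>/dev/null
    printf '%s\n' "$WORK/source.dev"
}

# Bit-for-bit copy. conv=noerror,sync keeps reading past unreadable blocks
# (padding them with zeros) instead of truncating the image.
# Returns 0 only if the source and image hashes match.
acquire() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # Chain-of-custody record: what was imaged, when, and both digests.
    {
        printf 'acquired_at=%s source=%s image=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img"
        printf 'sha256_source=%s\nsha256_image=%s\n' "$src_hash" "$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-verify later (for example before analysis with mmls/fls/icat) to show
# the image is still exactly what was acquired.
verify() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Usage: sh acquire.sh run
if [ "${1:-}" = "run" ]; then
    SRC=$(make_source)
    acquire "$SRC" "$WORK/image.raw" "$WORK/custody.log" && echo "acquisition verified"
    cat "$WORK/custody.log"
fi
```

Re-running verify against the stored source hash before every analysis session is what lets the image, and not just the original drive, be presented in court.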

Faraday bag / Faraday cage (blocks all radio signals)

Force / hard shutdown for preserving volatile processes

FTK vs EnCase

EnCase = real-time analysis while indexing

http://group.google.com/group/id-honeynet
