SANS Digital Forensics and Incident Response Blog: Daily Archives: Dec 12, 2008

Give Your Forensic Images the Boot, Part I

At its worst, incident response in the past consisted of someone with a little bit of knowledge sitting down at the affected machine and poking around at its contents. Computer forensics has influenced the initial response, but you may still find quality information by taking a live look at a suspect machine. For instance, I have no idea where the settings are that affect how icons are arranged on the desktop. But by booting into the captured image, I get to see and feel how the user environment was actually set up.

Booting the image into a virtual environment has other advantages. First, you can interact with the computer in a more natural and

...