Chapter 5: Computer Investigation Process


ⓘ This audio and summary are simplified educational interpretations and are not a substitute for the original text.


The investigation process begins with a planning decision: whether to collect and examine all available data comprehensively, or to run a narrowly focused examination scoped to the objectives of the case. Timeline analysis is the central investigative technique. It uses temporal metadata, chiefly modification, access, and creation (MAC) timestamps, to reconstruct a chronological sequence of events and user activity. Investigators build a timeline by aggregating data from multiple sources, including system event logs, registry entries, web browser history records, and filesystem journals; because these sources overlap, redundant entries serve to corroborate the timeline and to resolve discrepancies between sources. The chapter details practical tools and methods for timeline construction, including software platforms that automate timestamp extraction and visualization.

Media analysis then addresses the examination of storage media such as hard disk drives, solid state drives, removable storage devices, and disk media. Investigators must inspect not only the active (allocated) data regions but also residual data in unallocated clusters, slack space, and damaged sectors, where deleted or hidden information may persist. String searching and regular-expression matching let investigators efficiently locate and isolate relevant keywords and data fragments within large data sets.

Data carving recovers deleted or fragmented files by identifying file signatures and reassembling complete files from scattered data blocks; the technique required depends on the filesystem architecture involved. Throughout the investigation, understanding the distinction between accessible and inaccessible data regions, together with knowledge of how each filesystem type organizes and preserves data, remains fundamental to successful evidence recovery and analysis.
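To make the data-carving step concrete, here is an added example (not code from the chapter) of header/footer signature carving over a raw byte buffer standing in for unallocated clusters. The disk image, the embedded "files", and the `SIGNATURES` table are constructed for this illustration; the JPEG and PNG markers themselves are the real ones.

```python
from dataclasses import dataclass

# (header, footer) byte signatures for the two types carved here.
# Footer-based carving only recovers contiguously stored files; fragmented
# files need filesystem-aware reconstruction, which this example does not do.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

@dataclass
class CarvedFile:
    kind: str     # signature type that matched
    offset: int   # byte offset of the header within the image
    data: bytes   # recovered bytes from header through footer

def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[CarvedFile]:
    """Scan a raw buffer (e.g. unallocated space) for header/footer pairs."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (hdr := image.find(header, start)) != -1:
            # Look for the footer only within max_size bytes of the header so a
            # header with no trailer cannot swallow the rest of the image.
            end = image.find(footer, hdr + len(header), hdr + max_size)
            if end == -1:
                start = hdr + 1   # orphaned header: skip it, keep scanning
                continue
            end += len(footer)
            found.append(CarvedFile(kind, hdr, image[hdr:end]))
            start = end           # resume after the carved file
    return sorted(found, key=lambda f: f.offset)

# Constructed sample "unallocated space". The PNG and JPEG are minimal stand-ins
# carrying only the markers a carver keys on, not decodable images.
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload-bytes" + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
ORPHAN = b"\xff\xd8\xff\xe1" + b"\x00" * 16   # JPEG header whose tail was overwritten
IMAGE = (b"\x00" * 64 + FAKE_JPG + b"slack" * 10 + FAKE_PNG
         + b"\xff" * 32 + ORPHAN + b"\x00" * 40)

if __name__ == "__main__":
    for f in carve(IMAGE, max_size=4096):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```

The orphaned header at the end is deliberately left unrecovered: with no footer within `max_size`, the carver skips it rather than emitting a bogus file that runs to the end of the image.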