You are often put into an investigative mode: finding out what happened, or taking a deep look at what is happening right now.

The most important part (as with every forensic action) is to capture as much "pure" (unchanged) data as possible.

This means that when investigating a hard drive, do NOT just connect it to your own computer, as doing so already spoils the date and time stamps (they get updated to the time you connected it). The evidence might then be useless, because you can no longer prove that the data was generated purely by the attacker/source.

So when analysing a hard disk, always use a connector that supports block mode, so that nothing gets written to the disk.

Analysing network traffic is much easier: the captured data can easily be proven to be original, because it has timestamps embedded.
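To make the "timestamps embedded" point concrete, here is an added example (my own code, not from the original post and not part of xplico) that parses a capture in the classic libpcap file format, which xplico and most other tools read. Every packet record in that format carries its own seconds/microseconds timestamp written by the capturing host, so the timeline is part of the evidence itself rather than something the analyst's filesystem supplies. The sample capture bytes are constructed inline (two zero-filled Ethernet-length frames with fixed timestamps), and the integrity fingerprint is a plain SHA-256 of the file bytes; both are assumptions for the demo, not values from the post.

```python
import hashlib
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond-resolution timestamps


def build_sample_pcap(order="<"):
    """Constructed sample capture (not real traffic): two frames with fixed timestamps.

    order is the struct byte-order prefix; "<" writes a little-endian file, ">" a
    big-endian one, so both variants of the format can be exercised.
    """
    ghdr = struct.Struct(order + "IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    rhdr = struct.Struct(order + "IIII")     # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
    header = ghdr.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [
        (1700000000, 123456, b"\x00" * 60),
        (1700000001, 654321, b"\x00" * 74),
    ]
    body = b"".join(rhdr.pack(sec, usec, len(p), len(p)) + p for sec, usec, p in frames)
    return header + body


def parse_pcap(data):
    """Return one (utc_iso_timestamp, captured_len, original_len) tuple per packet record.

    Raises ValueError on anything structurally inconsistent: an unknown magic,
    a truncated record, or length fields that contradict each other. In an
    investigation such errors are worth noting, since they mean the file was
    cut short or altered after capture.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_as_le = struct.unpack_from("<I", data, 0)[0]
    if magic_as_le == PCAP_MAGIC:
        order = "<"
    elif magic_as_le == 0xD4C3B2A1:  # magic byte-swapped: the file was written big-endian
        order = ">"
    else:
        raise ValueError(f"unsupported pcap magic {magic_as_le:#010x}")

    ghdr = struct.Struct(order + "IHHiIII")
    rhdr = struct.Struct(order + "IIII")
    _, _vmaj, _vmin, _tz, _sigfigs, snaplen, _linktype = ghdr.unpack_from(data, 0)

    records = []
    off = ghdr.size
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        if incl_len > orig_len or incl_len > snaplen or ts_usec >= 1_000_000:
            raise ValueError(f"inconsistent record header at offset {off - rhdr.size}")
        if off + incl_len > len(data):
            raise ValueError(f"record at offset {off - rhdr.size} is truncated")
        # The timestamp comes from the record itself, not from the file's mtime.
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        records.append((ts.isoformat(), incl_len, orig_len))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def evidence_fingerprint(data):
    """SHA-256 of the capture bytes, to record before analysis and re-check afterwards."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    capture = build_sample_pcap()
    print("sha256:", evidence_fingerprint(capture))
    for ts, caplen, origlen in parse_pcap(capture):
        print(f"{ts}  captured={caplen}  on_wire={origlen}")
```

Record the fingerprint at acquisition time and again when handing the file to xplico; any difference means the capture is no longer the one that was taken, regardless of what the filesystem timestamps say.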

Since I have a stronger network background, and since network traffic is much easier to deal with, I'll show you a network traffic investigation with xplico first.