Saturday, August 25, 2012

How to collect digital evidence in the operating system?

Operating System
After the three initial processes have run, the computer is controlled by the operating system. As you know, many operating systems are available today, but this topic only explains how digital evidence arises in, and can be extracted from, the Windows operating system.

To explore digital evidence at the operating system level, investigators must understand three things: how the operating system itself works, the file system, and the applications running on it. Understanding how the operating system works includes the system accounts on Windows NT and its relatives, file access control, the registry, system logging, and more.

All of these are equally important, but the logging system and the registry are the components that will be looked at most often. The logging system is an important component of an investigation because the logs record all data movement.

In Windows NT/2000/XP, logs are stored in the directory "%systemroot%\system32\config\" (c:\winnt\system32\config\). The log files there include Appevent.evt (records of application use), Secevent.evt (security-related activities, including logging in), and Sysevent.evt (all system-related events, for example the shutdown time).

Besides these files, many more log files are available for the investigator to examine. The registry is another important component in a digital investigation. Windows uses the registry to store detailed system configuration and information about how the operating system has been used.

From the keys in the registry you can obtain a great deal of information, such as when an application was accessed, which files were accessed with that application, where those files are located, and more. To view the contents of the registry, the simple program regedt32 that ships with Windows is typically used.

Understanding the file system is useful for knowing how your data is arranged on the disk, which data has been modified, which data is hidden, which data has been deleted, how the hard drive is partitioned, and more. FAT and NTFS are the file systems most often used by Windows.

Collecting digital evidence from the file system usually comes down to recovering data that has been erased and investigating data that has been modified. Recovering deleted files is very important in an investigation because it can bring back old information that was deleted intentionally or unintentionally.

This process usually relies on a recovery program such as Ontrack Easy-Recovery Pro or DataLifter. Quite a lot of data types can be restored using these applications. Files and data that have been modified can also be seen by examining the information held in the FAT and NTFS file systems.

When a file enters the PC through any medium, the file system gives the file a marker. This marker is called the datetime stamp. It contains the date and time when the file first entered the PC.

When a file is
