https://padlet.com/danielfskik/knlmuu27romns8e8 Made with the strength to succeed en-us 2020-04-09 02:11:45 UTC 2020-04-09 04:14:07 UTC hello@padlet.com danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499760928 By default, Windows does show last modified file which are will destroy the evidence. If the investigator accidentally open or edit without having a full backup, the evidence will not be acceptable. In this case, the investigator need to use external hardware  called write blocker that need to be connected to USB drive or edit using REGISTRY EDITOR. The investigator also needs to have a full backup of the entire drive and edit the file on the backup file but not the real drive.

]]> 2020-04-09 02:20:27 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499760928 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499770426 If the computer/desktop is running, Investigator cannot simply shut down the computer or the background process will be removed from RAM. The backgroud process is also a evidence that need to bring to the lab. So, the right way to do before bring the evidence to lab, investigator need to plug off the machine on power supply.]]> 2020-04-09 02:34:24 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499770426 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499773670 If the machine is in the shutdown mode, investigator cannot simply turned on the machine, because it will messed up with BIOS configuration .]]> 2020-04-09 02:39:29 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499773670 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499784892 Some Linux distributions rely on device blocking scripts to set the underlying blocking devices of file systems to read only mode. However, there are certain downfalls to this approach, as read-only mode will only protect the filesystems memory from the process running under user space, but the driver code running under kernel space can still modify the filesystem memory.]]> 2020-04-09 02:53:07 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499784892 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499785564 For some machine, the user may install auto cleanup machine such as CCleaner, Wise Disk Cleaner and Clean Master. These application have feature that will clear all browsing history, temp file and cache of the machine on next reboot. This will destroy the evidence when the investigator trying to reboot the machine. To solve this problem, investigator might consider the safe mode option which will disable the unnecessary process. ]]> 2020-04-09 02:54:01 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499785564 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499795341 When booting an evidence system from a Live CD, a number of initrd scripts gets executed in order to create a temporary root file system. However, this will also result in several writes to the filesystem resulting in tampering of evidence data. This can occur for several reasons such as execution of hardware detection scripts during boot time, mounting file system in read-only mode while creating a temporary root file system etc.]]> 2020-04-09 03:08:40 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499795341 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499797923 Linux cannot read the NTFS drive. If the investigator using Linux as Main OS, it cannot read the NTFS drive which may be an evidence of the cases. Any attempt to convert NTFS to FAT format will tempering the evidence.]]> 2020-04-09 03:12:22 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499797923 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499808783 For some machine, the user may install auto cleanup machine such as CCleaner, Wise Disk Cleaner and Clean Master. These application have feature that will clear all browsing history, temp file and cache of the machine on next reboot. This will destroy the evidence when the investigator trying to reboot the machine. To solve this problem, investigator might consider the safe mode option which will disable the unnecessary process. ]]> 2020-04-09 03:28:53 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499808783 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499831798 Investigator can only use specific tool or software in order to show the evidence result to court. As some software are OS dependent, it will cause trouble to the investigator to investigate the evidence.]]> 2020-04-09 04:04:23 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499831798 danielfskik https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499836363 Window have registry database that collect all registry to one software call 'registry editor'. Linux does not have the registry database that can show the registry files on it. It may difficult the investigator to investigate the evident like showing the last modified file of the system.]]> 2020-04-09 04:09:58 UTC https://padlet.com/danielfskik/knlmuu27romns8e8/wish/499836363