R3 Digital Forensics is a full-service digital forensics firm with the expertise to quickly identify, recover, preserve and analyze relevant data to maximize investigative and evidentiary value for our clients.
Windows 7 ShadowVolumes – Imaging & Extracting Data
The Internet contains numerous writings referencing the forensic examination of Windows 7 ShadowVolumes. They often go into great detail explaining what a ShadowVolume is and/or how it works. Then these writing bombard you with multiple examples of different command prompt scenarios on how to mount, image and analyze ShadowVolumes. I am not going to do that here. This paper explains procedures and tips for the forensic examiner who wants to cut through the technical clutter and get to work. The assumption here is – the reader has computer forensic experience, a copy of EnCase with Physical Disk Emulator (PDE) and knows how to apply both.
How microsoft word metadata works
Digital forensic training and experience provides an understanding of how Microsoft Word metadata functions. However, in order to confirm opinions and conclusions derived from Microsoft Word metadata analysis, “in-house” experiments were conducted using Windows 7 Professional and Microsoft Word 2010. Experiment results were considered conclusive if the same process generated the same result three consecutive times.