Operating System Forensic

An operating system forensic investigation is the process of collecting, analyzing, and preserving evidence from a computer's operating system in a forensically sound manner. This can include analyzing system and application logs, identifying and analyzing system and application artifacts, and recovering deleted or hidden files.

The purpose of an operating system forensic investigation is to provide evidence for a criminal or civil case. This evidence can be used to establish the actions of a user or identify unauthorized activity on a computer.

The first step in an operating system forensic investigation is to create a forensic image of the suspect computer's hard drive. This is done using specialized software that creates an exact copy of the hard drive, including any deleted or hidden files. The forensic image is then analyzed using forensic tools to identify and extract relevant evidence.

Once the forensic image is analyzed, the investigator can begin to look for specific artifacts, such as recently accessed files, recently installed programs, and internet history. These artifacts can provide information about the user's activities on the computer and can be used to establish a timeline of events.

Another important aspect of operating system forensics is the ability to recover deleted or hidden files. Specialized software can be used to scan the hard drive for deleted files and recover them. This can be important in cases where the suspect has attempted to hide or destroy evidence.

Overall, operating system forensics is an important tool for investigating criminal and civil cases involving computers. By collecting and analyzing evidence from a computer's operating system, investigators can establish a timeline of events and identify the actions of a user. This information can be used to build a case and potentially identify the suspect responsible for any unauthorized activity.

Indian Cyber Securiry



Research Papers


Case Study



Cyber Police


Newsletter