You're told by the systems administrators that the "typical" desktop computer at the company has a 1 Terabyte hard drive, a CD/DVD burner drive, USB ports, etc.; and that by policy, external devices, thumb drives, etc., are all enabled. Late Friday night, after everyone went home, you found that Tom had powered his desktop computer off at the end of the day; you were able to boot Tom's computer with a postmortem analysis tool kit, and image copy his hard drive to an external drive you brought with.
- Outline the steps you'd take to examine that drive image for hidden data. Where would you look, for what sorts of suspect information?
- Suppose you find a lot of files that have file types you do not recognize immediately. Outline the steps you might take to help determine whether these files have information pertinent to your investigation. Are there software tools you could use to help you deal with thousands of such files, without your having to look at every single one? See if you can find any.
- What sort of ongoing surveillance activities would you suggest to management? What are the risks that such surveillance techniques might compromise your investigation? How can you control those risks?