Disk analysis

from Wikipedia, the free encyclopedia

Disk analysis (storage media analysis) covers the various methods used to examine the contents of storage media. In IT forensics it is used, after a suspected incident, to document data from an attack on an information technology system and to preserve the user data that is present.

A disk analysis can be carried out online, while the system is still running, or offline, by attaching the media to be analyzed to a dedicated examination computer.

With online (live) analysis, the actual state of the (still) running system can be examined and saved, including running programs, services, memory contents and processor state. This information can, however, be manipulated by rootkits and other malware. In offline mode, the storage media can be examined without such manipulation, and any changes made to the media can be detected using special analysis tools.
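As an added example (not part of the article), the change-detection step mentioned above done the simple way: the acquired image is hashed as a whole at acquisition time and again after examination, and additionally per sector, so that any alteration can be both detected and localised. The 512-byte sector size and the sample image are constructed assumptions.

```python
import hashlib
from typing import List

SECTOR_SIZE = 512  # assumed sector size of the constructed sample image


def image_digest(image: bytes, chunk_size: int = 1 << 20) -> str:
    """Stream the whole image through SHA-256 (the acquisition hash)."""
    h = hashlib.sha256()
    for off in range(0, len(image), chunk_size):
        h.update(image[off:off + chunk_size])
    return h.hexdigest()


def sector_digests(image: bytes, sector_size: int = SECTOR_SIZE) -> List[str]:
    """Hash every sector separately so a later change can be localised."""
    return [hashlib.sha256(image[off:off + sector_size]).hexdigest()
            for off in range(0, len(image), sector_size)]


def changed_sectors(before: List[str], after: List[str]) -> List[int]:
    """Indices of sectors whose hash differs; a size change counts as changed."""
    n = max(len(before), len(after))
    return [i for i in range(n)
            if i >= len(before) or i >= len(after) or before[i] != after[i]]


def build_sample_image(sectors: int = 8) -> bytes:
    """Constructed sample image: each sector is filled with its own index byte."""
    return b"".join(bytes([i]) * SECTOR_SIZE for i in range(sectors))


def demo() -> List[int]:
    """Acquire, 'examine' (here: one byte in sector 3 is flipped), re-verify."""
    acquired = build_sample_image()
    acq_hash, acq_sectors = image_digest(acquired), sector_digests(acquired)

    tampered = bytearray(acquired)
    tampered[3 * SECTOR_SIZE + 100] ^= 0xFF  # simulated alteration after acquisition
    tampered = bytes(tampered)

    assert image_digest(tampered) != acq_hash  # whole-image hash flags the change
    return changed_sectors(acq_sectors, sector_digests(tampered))  # -> [3]


if __name__ == "__main__":
    print("changed sectors:", demo())
```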