Please answer the question in the attached case file.
What approach should John take in examining the two computers? What are some specific things that he should include in his examination?
The office computer has not been powered down, so the information that is stored solely in RAM should be recovered before the computer is powered down. The unstable (volatile) data from the computer should be collected at the outset. Each open port should be analyzed, and any opened or mounted encrypted files should be analyzed.
In the case of the home notebook computer, John should analyze the RAM for prior content even though the power has been cut off. Data held statically in an area of RAM for long periods of time are more likely to be detectable using these methods. Sending the unpowered RAM of the notebook for storage at below -60 °C will preserve the residual data and help successful recovery at a later time.
John should examine every mapped at the office from which the alleged terrorist was sending the message. Next since the computer at the office ...
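The live-system checks named in the answer (open ports and mounted encrypted files) can be triaged from captured command output before the machine is powered down. The following is an added example, not part of the original answer; it assumes a Linux host, the output formats of `ss -ltn` and `/proc/mounts`, and hypothetical function names, and all sample text is constructed.

```python
# Added example: triage of live-response output captured before power-down.
# Sample text is constructed; Linux output formats are an assumption.
SS_LTN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/veracrypt1 /media/veracrypt1 ext4 rw,relatime 0 0
encfs /home/user/private fuse.encfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Filesystem types that expose plaintext only while mounted.
ENCRYPTED_FSTYPES = {"ecryptfs", "fuse.encfs", "fuse.gocryptfs"}

def listening_ports(ss_text):
    """Return sorted unique (address, port) pairs from `ss -ltn` output."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            found.add((addr, int(port)))
    return sorted(found)

def encrypted_mount_candidates(mounts_text):
    """Flag mounts whose plaintext is readable only while the system is up.
    /dev/mapper devices are candidates only: LVM uses the same path."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and (fields[0].startswith("/dev/mapper/")
                                 or fields[2] in ENCRYPTED_FSTYPES):
            hits.append(tuple(fields[:3]))
    return hits

def collection_plan(ss_text, mounts_text):
    """Order the work from most to least volatile, as the answer describes."""
    plan = ["capture RAM image"]
    plan += [f"record process owning {a}:{p}" for a, p in listening_ports(ss_text)]
    plan += [f"copy contents of {m} while mounted ({d})"
             for d, m, _ in encrypted_mount_candidates(mounts_text)]
    plan.append("power down and image the disk")
    return plan
```

Calling `collection_plan(SS_LTN, PROC_MOUNTS)` returns the ordered task list; the mounted-volume entries matter because their decrypted contents stop being accessible once the machine loses power.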