How can the investigator decide which tools to use for disk analysis?
First question is why do you want to analyse the disk?
This is the question which I don't know the answer to.
The tools you use depend on a number of factors…what you hope to achieve, what you're familiar with, what you (or your employer) can afford…
This is a question for an exam?
I'm not sure what institution you're at, but I'm pretty sure that they'd take a dim view of soliciting exam answers from an online forum.
The question is too broad.
Does the disk work, i.e. is it physically OK?
Has it been formatted, or corrupted, or is it still valid?
What is the investigation for, e.g. suspected internet dealing, fraud, CP, stolen goods etc.?
Is there suspicion that files may have been deleted or hidden?
Was encryption used? Any passwords?
There are many ways and tools to examine disks. Knowing the head seek time and spin rate is probably irrelevant unless one is trying to discover if it was possible to write a 25GB file in a short period of time.
The following are the principles to decide which tool to use:
1. What OS does the forensics tool work on?
2. Is the tool versatile? For example, will it work on both Windows 98 and XP and produce the same result on both OSs?
3. Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
4. Does the tool have any automated features that can help reduce the time to analyze data?
5. What is the vendor’s reputation for providing product support?
Like that, if you want to analyse a hard disc, first of all you must come to a conclusion about what you want from that disc… deleted data: use a recovery software tool; password recovery: use Passware or PRTK (Password Recovery Toolkit). Without any idea, it's useless to think about disk analysis…
For an exam question YOU need to figure this out for yourself. If you've been attending your classes, paying attention, and doing independent research then the question should be quite a simple one to answer. Sadly some people have already given you more than enough to start with.