- jhup

Hmmm. I am corporate FI so all my work is tied to my firm, therefore all the cases are intertwined with the quirkiness of this specific corporate culture...

- keydet89

If you were asked to analyze the system of someone suspected of "cyberbullying" or stalking, I would think that the approach would be something like:

1. Get as much information as you can about the activities...user accounts, screen names, etc., of both the suspect and the target. Also look for specific unique words or phrases the suspect may have used. You can also use these to perform Google searches to look for any other possible accounts or screen names.

2. Determine which browser(s) were used, and retrieve and analyze the history and cache.

3. Perform an examination of unallocated space, the pagefile, or any hibernation files to look for indication of activity. This is where EnCase's Search Preview capability is very useful...I've written my own versions of this using Perl, as the technique itself is valuable.

4. Look for indications of smart phone backup files on the system as a secondary source of data.

HTH