Notifications
Clear all

SID not found

leadpathfinder
(@leadpathfinder)
New Member

Hi,

Newbie here. We are doing a forensics on a portable hard drive and it shows connectivity of the hard drive to a computer system on a particular date but not the SID or computer name. 

Is it possible that if a hardware lock was used with the hard disk to image the hard drive, no computer name or SID will show up ?

How can we find out more information from the forensic image about the computer system the hard disk was connected to ?

 

Best

 

Pathfinder

Quote
Topic starter Posted : 02/07/2021 7:38 pm
Topic Tags
rohano
(@rohano)
New Member

 forensic clone is an exact, bit for bit copy of a hard drive. It's also known as a bit stream image. In other words, every bit (1 or 0) is duplicated on a separate, forensically clean piece of media, such as a hard drive. Why go to all that trouble? Why not just copy and paste the files? The reasons are significant. First, copying and pasting only gets the active data. That is, data that are accessible to the user. These are the files and folders that users interact with, such as a Microsoft Word document. Second, it does NOT get the data in the, including deleted and partially overwritten files. Third, it doesn't capture the file system data. All of this would result in an ineffective and incomplete forensic exam.

This post was modified 10 months ago by rohano
ReplyQuote
Posted : 13/07/2021 11:34 am
Share:
Share to...