OSForensics for ICAC Investigations and Forensic Examinations

Many law enforcement and ICAC investigators are so often focused on simply finding the images and videos, that they miss the vast amount of critical forensic artifacts that are easily available to them with the right tool. This presentation will introduce ICAC investigators and forensic examiners with simple, yet effective ways to recover and make sense of a variety of forensic artifacts. Attendees will learn how to create a timeline of all user activity, retrieve passwords, recover deleted data, acquire and analyze RAM, Event Logs, Thumbcache, Volume Shadow Copies, Virtual Machines and more. Attendees will also learn how to automatically create a Virtual Machine of the suspect’s system (including attached drives), and how to effectively use this approach for both courtroom presentations as well as hunting for additional evidence. Both ICAC Investigators and Forensics Examiners alike, will learn how to harness the incredible speed and versatility of the OSForensics toolkit for processing live computers in the field, or while performing traditional forensics back in the lab.