Data Retrieval

Information

Make sure to clone the hard drive before doing any forensics! Videos: https://www.makeuseof.com/tag/2-methods-to-clone-your-linux-hard-drive/ and https://www.youtube.com/watch?v=cCNzl2x5Gdk

To retrieve information from a hard drive, there are two possibilities:

  • Recovery of a lost partition (Autopsy [Tool]([[Red Team/Others/Hardware/HardDrive/Tools]]))

    • Trying to recover the whole partition (directory tree and file names)
  • File carving (GHex (view) & PhotoRec (find documents) [Tool]([[Red Team/Others/Hardware/HardDrive/Tools]]))

    • Scanning all the raw bytes (hexadecimal) of the drive and searching for documents by their fingerprint
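
The file-carving approach above, as an added example that is not part of the original notes: a minimal carver that scans raw bytes for header/footer fingerprints and extracts what lies between them, without using any partition or file-name information. The signature table, `carve`, `sample_image` and the sample data are constructed for illustration; run this kind of scan on the clone, and expect real tools such as PhotoRec to handle fragmentation and far more formats.

```python
from typing import List, NamedTuple

# Header/footer fingerprints for a few formats (a real carver knows hundreds).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes


def carve(image: bytes, max_size: int = MAX_SIZE) -> List[Carved]:
    """Return every header..footer span in the raw bytes, sorted by offset."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: truncated or overwritten file.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            hits.append(Carved(kind, pos, image[pos:end]))
            pos = image.find(header, end)  # resume after the carved file
    return sorted(hits, key=lambda c: c.offset)


def sample_image() -> bytes:
    """Constructed stand-in for a cloned drive: no partition table, no names."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 30 + b"\n%%EOF"
    png_truncated = b"\x89PNG\r\n\x1a\n" + b"N" * 16  # tail was overwritten
    return (b"\x00" * 512 + jpg + b"\x00" * 100 + pdf
            + b"\xaa" * 64 + png_truncated + b"\x00" * 256)


if __name__ == "__main__":
    for f in carve(sample_image()):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```

The truncated PNG in the sample is skipped because its footer is gone, which is the usual reason a carved file set is smaller than the number of headers seen in a hex viewer.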