During the preparation phase the investigative team discussed that it might not be possible to shut down one of the workstations and get a cold image of the hard drive.
Someone suggested that a live image analysis be performed but not everyone was familiar with why this would work and any benefits associated with this technique.
Describe the exact investigative techniques that you would use to analyze the users’ information habits and history for each program. Explain the reasons for your selected techniques.
The level of detail does not need to be at the bit level but there is enough information to talk about directories and objects that should be reviewed for each.
Remember to address forensic evidence you might find relating to an employees use of these programs not how the program itself operates. You should be making references to specific directories files file types registry entries and log files which point to sources of forensic evidence.
The 12-16 slide PowerPoint presentation should include the following: