Ok. This is again related to my dissertation. One of the problems I am having is that I'm not sure of all the different methods of computer forensics, and indeed what the reasons for searching a computer are. Also there are different OSes: Windows (different versions, so will differ), Linux, Mac OS, PDAs.

It seems obvious to split it up into two sections:

a) Intrusion detection, and forensically investigating the specifics of the attack by another user (trying to find the user)

b) Searching a computer for evidence of some illegal activity, or files that shouldn't be on the user's computer (found the user, trying to find evidence)

For part a) I am struggling a bit here; it isn't where I have done too much research, so I will leave it for now... I'm more bothered about the searching of a computer aspect.

For part b):

-Legal requirements for evidence to be given in court
-Imaging the hard drive, so as to carry out tests on another computer (links back to the first point). Using tools such as EnCase, SafeBack, Data Dumper.
-Check the MD5 to make sure the image was made correctly
-Search for evidence: using TASK, Autopsy, CookieView. Search in logs, cookies, NTUSER.DAT, temporary internet files, printed docs.
-If deleted from the recycle bin etc. and the drive had a format, still possibly retrievable (which tools to use here?)
-Encryption (problems that encryption gives to a forensic investigator)

Is there anything else I could add in here? Obviously it depends on what exactly the forensic investigator would be looking for, but I am going for either a file of some sort that has been on the computer, OR a website which is illegal. I am also assuming that all this info will be somewhere on the hard drive, even if it's not actually there at the moment (if you understand what I mean).

Part b) I would like to add in somehow, but my knowledge of this type of intrusion is a lot less, and it seems a lot less hands-on, which is what my dissertation is all about.

Thanks for any help
Andy
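The imaging, hash-check and raw-search steps from the list above (image the drive, check the MD5, look for file contents that the filesystem no longer lists), as an added worked example that is not part of Andy's post. It is a constructed demo: a regular file stands in for a real device node such as /dev/sdX so it runs without root, and the "evidence" string, file names and offsets are made up for the demo.

```shell
#!/bin/sh
# Constructed demonstration (not from the original post): image a "drive",
# verify the image with MD5, then search the raw image for a fragment that
# no filesystem entry points to any more. A regular file stands in for
# /dev/sdX so this runs without root; the strings below are made up.

# make_sample_drive PATH: 64 KiB of zeros, one 512-byte sector holding a
# fragment of a "deleted" page, then 64 KiB more zeros (257 sectors total).
make_sample_drive() {
    dd if=/dev/zero bs=1024 count=64 of="$1" 2>/dev/null
    printf '%-512s' 'BEGIN-EVIDENCE http://example.invalid/illegal-page END-EVIDENCE' >> "$1"
    dd if=/dev/zero bs=1024 count=64 >> "$1" 2>/dev/null
}

# image_drive SRC DST: sector-by-sector copy. conv=noerror,sync keeps dd
# going past unreadable sectors on a real disk and zero-pads them, which is
# one legitimate reason the hash of a damaged source and its image differ.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# hash_file PATH: MD5 hex digest (md5sum on Linux, md5 on BSD/macOS).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_image SRC IMG: compare digests; status 0 on match, 1 otherwise.
# Both digests belong in the case notes before the image is touched again.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match $src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# search_image IMG PATTERN: grep the raw bytes (-a) instead of mounting the
# filesystem, so data sitting in unallocated sectors is still found.
# Prints byte-offset:match per hit; status 0 means at least one hit.
search_image() {
    grep -a -o -b "$2" "$1"
}

# Worked run: image, verify, search, then alter one byte and re-verify.
run_demo() {
    work=$(mktemp -d)
    make_sample_drive "$work/drive.raw"
    image_drive "$work/drive.raw" "$work/drive.img"
    verify_image "$work/drive.raw" "$work/drive.img"
    search_image "$work/drive.img" 'BEGIN-EVIDENCE'   # 65536:BEGIN-EVIDENCE
    # Simulate a careless write to the image: one byte changed at offset 100.
    printf 'X' | dd of="$work/drive.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/drive.raw" "$work/drive.img" || echo "image altered, hashes no longer agree"
    rm -rf "$work"
}

run_demo
```

On real hardware the source hash is taken from the device node itself (for example `md5sum /dev/sdb`) with the disk behind a write blocker, and the search is run against the image, never the original. The byte offset that `grep -b` prints is what you would feed to a sector calculator or a carving tool to recover the surrounding block.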