| <<< Evidence Searching Phase | Index | Case Example -- Mucko McDermott >>> |
Use the evidence that has been recovered and determine what events occurred in the system
Reconstruction requires knowledge about the applications and the OS that are installed on the system
A hypotheses is created based on OS/Application capabilities
| <<< Evidence Searching Phase | Index | Case Example -- Mucko McDermott >>> |