In the article it is considered that when carrying out the computer-technical expertise an important aspect is the study of the information store not only as a structure of files and catalogs. Since the perception of digital information by an expert and a computer user is different. The user interacts with the hardware component using the buffer, which is the operating system. Therefore, although the study of file structure with the help of specialized software is more relevant, but the view from the user’s side should not be underestimated. Since, if you put yourself in the place of a criminal, you can see the events with his eyes. The same happens with the computer and the operating system installed on it.
That is, the article proposes a method for studying the information store «live». At the same time, the virtual copy is being changed. This approach allows not to violate the main principle of computer forensics, namely the preservation of digital tracks. And this same principle is subject to all forensic science.
In addition, the virtualization method allows you to study the psychology of the user of the computer. This applies, then what and how are the shortcuts of applications on the desktop, the names of the folders on the logical disks, the logins and passwords that web browsers store, etc. All this and much more speaks about the person who used the computer. And so we come to the fact that computer forensics is much more than just running the application, ticking the checkboxes or doing something, which is the algorithm.
As a result, the article cites a method that will greatly expand computer research and, most importantly, will allow to touch on aspects that were not even thought of earlier.