Performing Disk Forensics Investigation When to Use - A security incident requires forensic analysis of a system's persistent storage - Evidence preservation is needed for potential legal proceedings or HR investigations - Deleted files, browser history, or application artifacts must be recovered - A timeline of user or adversary activity must be reconstructed from file system metadata - Malware persistence mechanisms stored on disk need identification and documentation Do not use for volatile evidence (running processes, network connections); use memory forensics with Volatility instead. Pre…