Hey all, I've been presented with a sensitive situation and I'm hoping to get some insight.
So, my wife's cousin's son died unexpectedly a few months ago. Younger guy, in college, was found in his dorm room. He had been in regular contact with his mother, most recently like 4 or 5 days prior to his death. The assumption is overdose. I say assumption because apparently it wasn't immediately evident and they needed a toxicology, which they say should have results by next month. I don't know all the details, but the mother is unsatisfied with basically no information having been provided to her.
Now, his mother has collected his things, including his phone and laptop. The phone is an iPhone and they don't know his passcode or password to iCloud. They've reached out to Apple for support and need the proper death certificate, which they won't get until the coroner's report comes back? I think? The laptop is Windows.
However, somehow she was able to access his laptop (Windows 11, I think. At least 10)... I'm unsure whether she knew his password or if it didn't have one, but I know she has access to it because she has a picture taken from her phone of his File Explorer. In the Pictures shortcut folder, there's a subfolder called Photos that has a "Date modified" 2 days after his death. This doesn't sit well with her, so she's reached out to me to see if I can figure out what was modified in that folder and if anything else out of the ordinary comes up.
I've worked in cyber security for 7ish years, including as a pen tester and in DLP support, so I feel confident in my ability to at least be careful in not fucking with it further until I have a plan.
My question to the community is this: should I first and foremost just image the whole drive? I've used FTK Imager on an engagement for a USB, but not an entire OS before. Does it grab all drives or just C?
Then use a tool to look at that image? From cursory research, I see Autopsy and Digital Forensics Framework might be good open source options, but I'm confident I can get a hold of proprietary tools if needed.
I appreciate any insight into this. Once I have a good foundation for what tools to use and how to image and save the drive(s), I plan on looking into tutorials for next steps or just playing around with them on my devices first.