How to do it:
=====================================================================
Image disks and disk partitions
	- Press "Image" and select where you want to image to (or From TCP)
	For from IP
		- Select seconds per image, number of images, and ethernet device
		- Press "Go" and wait for the imaging process to run its course
	For to file
		- Select source device from those available or use "From other device"
		- Press "Go" and wait for as long as it takes - could be a while...
	For to CDs
		- Select "List CD Devices" and press "Go"
			Figure out which Channel, Id, and LUN to use
		- Select the proper CD device specification
		- Select the source device from the list or use "From other device"
		- Press "Go" and feed CDs for as long as it asks you to...
	For to tapes
		- Select the proper tape device or use "From other device"
		- Select the source device from the list or use "From other device"
		- Press "Go" and feed CDs for as long as it asks you to...
	For to tar tapes
		- Select the proper tape device or use "From other device"
		- Select the source path (/ or /ForensiX/) or use "From other directory"
		- Press "Go" and feed CDs for as long as it asks you to...
--------------------------------------------------------------------
Track and timestamp the evidence collection process
	- This function is automatic. All activities performed via ForensiX
	  are logged in the file /ForensiX/log and can be recreated by the
	  automated "rerun" facility. To generate a rerun script, from the
	  command line, enter "/ForensiX/ForensiX.rerun"
	- The rerun program will detect alterations to the log file and report
	  them. The output of the rerun program can be executed by piping it
	  to the shell (i.e., "/ForensiX/ForensiX.rerun|/bin/bash")
--------------------------------------------------------------------
Collect evidence in a 'read-only' mode without alteration
	- This is the default and is automatic.
--------------------------------------------------------------------
Mount and review disk imaged contents in a READ ONLY mode
	From MAC, DOS, WIN, UNIX, and other file systems
	From tapes, ethernets, CDROMS, and other media
	- Press "Mount" and select device or Disk Image
		- Select the proper image or mount device
		- Select the OS type or (if needed) the disk format
	- Press "Go"
--------------------------------------------------------------------
Examine deleted areas, unused areas, end of block areas,
	'bad sectors' and ALL OTHER AREAS of these media
	- This is automatic when "search"ing an image file rather than a
	  mounted file system
--------------------------------------------------------------------
Search for strings or regular expressions
	- Fill in the set of search terms in the "Search for:" area
		- If the last search term is empty it is ignored
		- The connector can be 'and', 'not', or 'near'
		  AND means that both terms are in the same file
		  NOT means the first IS present and the second is NOT
		  NEAR means the first and second are on the same line
		- search terms do NOT apply to images
	- Press "Search" and select:
		o Analyze /mnt - to analyze the mounted filesystem for
			known good files, checksum changes, file starts, etc.
		o Files/images to search images of files
		o IP dumps to search IP dumps
		o Plug-ins for pre-defined searches
		o Search in to change where you search
		o verbose or quiet mode if you wish to change it
	- Press "Go!" to begin the search
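
The connector rules listed above, written out as an added Python example (not ForensiX code) so a hit list can be cross-checked independently. The function names and sample files are constructed for illustration, and NOT is assumed to be evaluated per file, like AND.

```python
import re

# Constructed sample evidence: file name -> raw content.
SAMPLE = {
    "notes.txt": b"transfer to account 4471\npassword: (redacted)\n",
    "mail.txt": b"account 4471 password reset requested\n",
    "todo.txt": b"renew account\nbuy milk\n",
}


def matches(data, first, connector, second=""):
    """True if one file's bytes satisfy `first CONNECTOR second`.

    Terms are regular expressions matched against raw bytes, so the
    same check works on text files and on binary content.
    """
    a = re.compile(first.encode())
    if not second:
        # An empty last search term is ignored: only the first term counts.
        return a.search(data) is not None
    b = re.compile(second.encode())
    has_a = a.search(data) is not None
    has_b = b.search(data) is not None
    connector = connector.lower()
    if connector == "and":
        # Both terms appear somewhere in the same file.
        return has_a and has_b
    if connector == "not":
        # First term is present, second term is absent (assumed per file).
        return has_a and not has_b
    if connector == "near":
        # Both terms appear on the same line.
        return any(a.search(line) and b.search(line)
                   for line in data.splitlines())
    raise ValueError("connector must be 'and', 'not' or 'near'")


def search(files, first, connector, second=""):
    """Return the sorted names of the files that satisfy the query."""
    return sorted(name for name, data in files.items()
                  if matches(data, first, connector, second))


if __name__ == "__main__":
    for conn in ("and", "not", "near"):
        print(conn, search(SAMPLE, "account", conn, "password"))
```

Note how 'near' returns a strict subset of 'and': notes.txt has both terms but on different lines.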
--------------------------------------------------------------------
Rapidly find and examine graphics files
	- Press "Search" and select:
		o Files/images -> graphics to do graphic image searches
		o Files/images -> minimum size to eliminate too small images
	- Press "Go"
	- As things appear, examine them
		- to stop looking at a file, press the "X" button at the upper
		  right hand corner of the examination window.
--------------------------------------------------------------------
Play sound files
	- Not Yet Implemented
--------------------------------------------------------------------
Unzip, Uncompress, Deflate, and otherwise handle compressed files
	- Not yet implemented
--------------------------------------------------------------------
Do this process while assuring integrity of original images
	- The checksum made of collected images provides proof that alteration
	  was not made in the search and analysis process.
--------------------------------------------------------------------
Add comments to the process
	- Press "Document" "Comment" to add a short comment to the log file.
	  This comment will be time and date stamped and its integrity will be
	  assured along with the rest of the logfile information.
--------------------------------------------------------------------
Track the process automatically
	- The analysis process is documented in the "log" file. This includes
	  system date and time, user name, and detailed commands executed.
--------------------------------------------------------------------
Rerun the analysis processes
	- To replay and confirm the integrity of the replayed analysis process,
	  from the command prompt, type: /ForensiX/ForensiX.rerun
--------------------------------------------------------------------
Trace Internet sites and determine ownership information
	- Fill in the system name or the IP address in the first search term
	- Select "WebTrace" from the "Tracer" menu selection
	- Press "Go"
--------------------------------------------------------------------
