Bachelor's thesis BCLR-2024-27

Bibliographic data
Ben Hassine, Skander El-Habib: Exploring File System Artifacts using Baseline Configuration.
Universität Stuttgart, Fakultät Informatik, Elektrotechnik und Informationstechnik, Bachelor's thesis No. 27 (2024).
79 pages, English.
Abstract

With the rise of digitalization, nearly every aspect of our lives is now captured and stored in digital form, leading to a significant increase in data volume. This presents an immense challenge to forensic investigators, who must process a vast amount of data during a post-mortem analysis. The purpose of such an analysis is to uncover key evidence and collect the artifacts needed to reconstruct past events. This is typically done after an information security incident has occurred. To better manage such critical events, most forensic examiners follow a pre-defined "Digital Investigation Process Model" to analyze digital evidence. While several models are available, they all typically include a "reduction" phase. During this phase, known data is identified and filtered out. This is done through a hash comparison with an existing database, known as a baseline. The remaining data is considered modified or attributed to users and must be processed and analyzed. In this thesis, we focus on disk analysis. We begin by explaining the general structure of a file system and delve into the specifics of Microsoft's NTFS file system and the Windows Registry. This descriptive approach helps us understand the critical role these components play in digital investigations and how they can be effectively analyzed. Furthermore, we develop an innovative tool designed to create a baseline database of the file system and Windows Registry for a known system. Using a differential approach, the database is built from the metadata and cryptographic hashes of trusted files collected from disk images at different points in time. To implement this tool, we start by conducting a comprehensive survey with experts from three of the largest automotive companies in Germany. This survey aims to uncover the various challenges forensic analysts encounter when analyzing disk images and to identify the practical requirements necessary for an efficient implementation.
Finally, we evaluate the tool through a detailed case study and gather feedback from the stakeholders to assess its performance and ensure that it meets all requirements. We show that our approach can improve the efficiency and accuracy of forensic investigations, particularly in terms of the time and resources required.

Department(s): Universität Stuttgart, Institut für Softwaretechnologie, Empirisches Software Engineering
Supervisors: Wagner, Prof. Stefan; Kälber, Dr. Sven; Eris, Halit
Submission date: 11 November 2024