 |
Evidence will be most often found in files that are stored on hard drives, whether internal or external. Files may, of course, have been deleted and will need running of sophisticated recovery programmes. Dates and time of creation can be of vital importance, as can modification dates, deletion dates etc. Temporary back up files, web cache , address books etc may be re-created with application.
Areas for consideration include: |
 |
User Created Files: May contain evidence of relevant activity, e.g. address books and database files that can prove associations with persons external or internal, or undisclosed communication. Images can be rebuilt even if deleted, as can video or scanned documents. Such files may be in the form of: |
 |
- Address books
- Email files / folders
- Images
- Text Documents e.g. Word
|
- Internet Browser bookmarks
- Database files
- Spreadsheets
- Audio and Video links
|
|
 |
User Protected Files: A user may encrypt or password-protect important data, or hide files on a hard disk, within other files, or attempt to hide incriminating data under an innocent sounding name. User Protected files may be in the form of: |
 |
- Compressed or Zipped Files
- Renamed or misnamed files
- Encrypted files
|
- Password Protected Files
- Messages written in a manner that only writer and recipient can understand
- Hidden Files
|
|
 |
Computer Generated Files: Evidence may also be found in files and data areas that are created routinely by Operating Systems - something of which the user is often not aware. Password recovery is often achievable through recovery and examination. Some file components hold evidentiary value such as time and date creation/ modification / deletion / access; even turning the machine on may alter some of this information e.g. the last time a PC was booted may be of importance. The attributes of a particular file may be a solid indication or pointer. Data may be retrieved from: |
 |
- File backups
- Dates times, passwords
- Deleted Files
- Free space
|
- Hidden Partitions
- Lost clusters
- Boot records
- Other partitions
|
|
