Finding Digital Evidence
To find digital evidence on a storage device, you first need to know what you're looking for. If you're looking into an embezzlement case, for example, you know to look for spreadsheets or other documents that usually contain currency amounts. Modern computer forensic software is very good at extracting all kinds of data in copious amounts, which is a double-edged sword: you often end up with so much information that isolating the parts you truly need becomes a problem in itself.
a) Deleted files
- When a file is deleted, the file system places a marker in its file management structures (the FAT or the NTFS MFT, for example) to record that the file no longer occupies its cluster or block.
- The file system logically removes the file from its records, which is efficient, but it does not physically walk the storage device and wipe out the binary data.
- As storage devices get bigger, data left over from previous deletions stays intact longer, because so much more free space is available and the old clusters are reused less often.
b) Unallocated space
- Unallocated space is space that the file system considers empty and ready for use. Even though the operating system thinks the area is empty, data from earlier files can still be found there.
c) Retrieving deleted files
- Using computer forensic software, retrieving deleted files is usually straightforward.
- Depending on the software you use, listing deleted files can be as easy as letting the forensic software generate the list automatically when it scans for deleted-file markers.
- This works when the file is still intact or was at least once listed in the FAT or MFT, but it works far less well when the file was written to the storage device through file caching.
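The deleted-file marker and the automatic deleted-file listing described above, worked through on a constructed FAT volume. This is an added example, not code from the original page: a FAT directory entry is not erased on delete, its first name byte is simply overwritten with 0xE5, so "list deleted files" is a scan for that byte. The carve step adds the check a practitioner needs before trusting what comes back: deletion also zeroes the file's FAT chain, so recovery has to assume contiguous clusters and verify that each one is still unallocated. The directory cluster, FAT and data area are constructed inline; the 512-byte cluster size and the layout are assumptions of the example.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5    # first name byte once a file is deleted; the rest of the entry is left intact
END_OF_DIRECTORY = 0x00  # first name byte of an entry that was never used (nothing follows it)
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F
CLUSTER_SIZE = 512       # constructed volume: one 512-byte sector per cluster (an assumption)
FAT_FREE = 0             # a FAT cell of 0 means the cluster is unallocated
# name, attr, ntres, ctime_tenth, ctime, cdate, adate, clus_hi, wtime, wdate, clus_lo, size
ENTRY_FMT = "<11sBBBHHHHHHHI"


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build one constructed 32-byte FAT short directory entry (test data, not from a real volume)."""
    raw_name = name.upper().ljust(8)[:8].encode() + ext.upper().ljust(3)[:3].encode()
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(cluster):
    """List every short-name entry in a directory cluster, deleted entries included."""
    entries = []
    for off in range(0, len(cluster) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = cluster[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIRECTORY:
            break
        name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue  # long-name fragments and the volume label are not files
        deleted = name[0] == DELETED_MARKER
        base = (b"?" + name[1:8] if deleted else name[:8]).decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "is_dir": bool(attr & ATTR_DIRECTORY),
                        "first_cluster": (hi << 16) | lo, "size": size})
    return entries


def list_deleted(cluster):
    """The automatic 'deleted files' listing: every entry whose first byte is the 0xE5 marker."""
    return [e for e in parse_directory(cluster) if e["deleted"]]


def carve_deleted(entry, fat, data_area):
    """Read a deleted file's contents back, assuming its clusters were contiguous.
    Deletion zeroes the FAT chain, so only the first cluster is known from the entry;
    if any needed cluster is no longer free in the FAT, a newer file has reused it."""
    n_clusters = max(1, -(-entry["size"] // CLUSTER_SIZE))  # ceiling division
    first = entry["first_cluster"]
    needed = range(first, first + n_clusters)
    if any(c >= len(fat) or fat[c] != FAT_FREE for c in needed):
        return None  # overwritten (or out of range): contents cannot be trusted
    start = (first - 2) * CLUSTER_SIZE  # the data area starts at cluster number 2
    return bytes(data_area[start:start + entry["size"]])


# --- constructed sample volume: clusters 2..7, a live notes file, a deleted ledger, a deleted plan ---
LEDGER = b"Account,Amount\r\nPetty cash,$4,250.00\r\nConsulting,$12,900.00\r\n"
NOTES = b"Meeting notes for Tuesday.\r\n"
data_area = bytearray(CLUSTER_SIZE * 6)
data_area[0:len(LEDGER)] = LEDGER                          # cluster 2: deleted LEDGER.XLS, bytes still present
data_area[CLUSTER_SIZE:CLUSTER_SIZE + len(NOTES)] = NOTES  # cluster 3: live NOTES.TXT
fat = [0xFFFFFFF8, 0xFFFFFFFF, FAT_FREE, 0x0FFFFFFF, FAT_FREE, FAT_FREE, FAT_FREE, FAT_FREE]
directory = (make_entry("NOTES", "TXT", 0x20, 3, len(NOTES))
             + make_entry("LEDGER", "XLS", 0x20, 2, len(LEDGER), deleted=True)
             + make_entry("OLDPLAN", "DOC", 0x20, 3, 1000, deleted=True)  # its clusters 3-4 were reused
             + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for e in list_deleted(directory):
        data = carve_deleted(e, fat, data_area)
        print(e["name"], "recovered" if data else "overwritten", data)
```

The first character of a deleted name is gone for good (shown here as `?`); a long-file-name entry next to it, when present, still carries the full name. On many FAT32 volumes Windows also zeroes the high word of the start cluster on delete, so on large volumes the starting cluster of a deleted entry may itself be unreliable.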
d) Retrieving cached files
- To find files that are primarily the product of file caching, such as Web pages or temporary application cache files, the examiner has to do a more detailed and manual search than when looking for ordinary deleted files.
- Several methods can be employed to retrieve cached files:
- Let the computer forensic software find all references to the keywords you enter into the search.
- Use a keyword search on a unique aspect of the file, and then manually locate the information you need.
e) Retrieving files in unallocated space
- When dealing with files or file fragments in unallocated space, the files may be damaged in ways that prevent a regular search, for example a search for file headers or file extensions.
- Additionally, metadata is often lost in these areas because of the way the application cached the data.
- Sometimes the examiner gets lucky and finds metadata embedded in the file that is still complete.
f) Retrieving files in file slack areas
- Old files may still be found in file slack on modern computers even though the beginning of the data block or cluster has been overwritten.
- Often these files can't be opened by normal means because the file header information has been overwritten.
- In that case, simply locate the data and use it as is as part of your case.
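Signature carving and keyword searching over a chunk of unallocated space, covering both the cached-file search above and the file-slack case. This is an added example, not code from the original page: where a file header survived, carving by header and footer recovers the whole file; where the header was overwritten, or the data never had one (a browser-cache fragment, the tail of an old document left in slack), only a keyword search finds it, and the search has to cover UTF-16LE as well as ASCII because that is how Windows and Office store text. The image is constructed inline, the signature table covers only three types, and the "loose fragment" classification (a hit outside any carved file) is an assumption of the example.

```python
import re

SECTOR = 512

# Header/footer pairs for a few common types (signature carving, as forensic suites do it).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}


def carve_by_header(image, max_size=10 * 1024 * 1024):
    """Find files in a raw image by signature. Works only where the header survived;
    a fragment whose first sector was overwritten never shows up here."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(footer, start, start + max_size)
            if end == -1:
                found.append({"type": kind, "offset": start, "data": None, "complete": False})
            else:
                end += len(footer)
                found.append({"type": kind, "offset": start, "data": image[start:end], "complete": True})
    return sorted(found, key=lambda f: f["offset"])


def keyword_hits(image, keywords, carved=(), context=40):
    """Search for each (ASCII) keyword both as ASCII and as UTF-16LE. Each hit records its
    offset, encoding, surrounding text, and whether it lies inside a carved file; hits
    outside any carved file are loose fragments (cache data or slack)."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16le"):
            for m in re.finditer(re.escape(kw.encode(enc)), image, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), min(len(image), m.end() + context)
                snippet = image[lo:hi].decode(enc, "replace").replace("\x00", "").strip()
                owner = next((c["type"] for c in carved if c["complete"]
                              and c["offset"] <= m.start() < c["offset"] + len(c["data"])), None)
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "context": snippet, "in_file": owner})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed stand-in for eight sectors of unallocated space; not taken from any real disk."""
    img = bytearray(SECTOR * 8)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"  # header and footer only
    img[0:len(jpeg)] = jpeg                                              # intact picture, header present
    page = (b"<html><title>Wire transfer approval</title>"
            b"<body>Transfer $48,200 to account 7731</body></html>")
    img[2 * SECTOR:2 * SECTOR + len(page)] = page                        # browser-cache fragment, no header
    old_doc = "...quarterly figures were adjusted before the audit".encode("utf-16le")
    img[5 * SECTOR:5 * SECTOR + 200] = b"\x00" * 200                      # first 200 bytes now belong to a newer file
    img[5 * SECTOR + 200:5 * SECTOR + 200 + len(old_doc)] = old_doc       # the old document's tail survives in slack
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    carved = carve_by_header(image)
    for h in keyword_hits(image, ["transfer", "adjusted"], carved):
        where = f"inside carved {h['in_file']}" if h["in_file"] else "loose fragment"
        print(f"{h['offset']:#08x} {h['encoding']:<8} {h['keyword']!r} ({where}): {h['context']}")
```

Neither the cache page nor the slack text is found by the carver, which is exactly the situation the text describes: the keyword hit, with its offset and surrounding bytes, is the evidence, and it is used as is.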
g) RAM
- Computer forensic technology focuses on not changing a single bit during an investigation.
- The issue with RAM forensics is simply that if the computer doesn't already have a forensic agent or software client of some type running on it, adding one alters, and possibly overwrites, data in memory.
- In cases where the RAM contents hold potential evidence that's critical to the case, using a program such as WinHex (a hex editor) may be the only option.
h) Windows Registry
The types of data you can find in the Registry are the following:
- Password information:
- Although most usernames and passwords are encrypted, reading the information with third-party software is possible.
- Depending on the version of Windows and the application, the username and password information are stored in different parts of the Registry.
- Some types of passwords (or usernames) you might encounter in the Registry include computer, Internet e-mail, and Internet Web site credentials.
- Startup applications:
- This Registry area contains the list of startup programs, and their configuration information, on the computer system.
- Storage device hardware:
- The Registry stores a list of currently connected, and previously connected, storage devices.
- Wireless networks:
- The Registry records every wireless network the computer system has connected to by logging its service set identifier (SSID).
- Internet information:
- The Registry stores information such as the typed URL history and download path information.
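The startup, storage-device, wireless-network and typed-URL artifacts above, pulled from a Registry export. This is an added example, not code from the original page: it parses the text form of a `.reg` export (what `reg export` or regedit produces) rather than a binary hive, so it runs without any third-party library, and the key paths are the well-known live-system locations (in an offline SYSTEM hive, `CurrentControlSet` is one of the `ControlSet00N` keys). The export itself is constructed, the "trusted directory" check for startup programs is a heuristic of this example, and the `&`-as-second-character rule for USBSTOR instance IDs is the usual interpretation that Windows generated the ID because the device reported no serial.

```python
import re

# Well-known locations (live-system paths; in an offline SYSTEM hive, CurrentControlSet is ControlSet00N)
TYPED_URLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" + "\\"
WLAN_PROFILES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" + "\\"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
TRUSTED_DIRS = ("C:\\PROGRAM FILES", "C:\\WINDOWS")  # heuristic only: where startup binaries normally live
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=value  or  @=value (default value)


def decode_value(raw):
    """Right-hand side of a .reg value line -> str, int (dword) or bytes (hex)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # .reg escapes \ and " with a backslash
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):  # hex:, hex(2):, hex(7): ... -> raw bytes
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return raw


def parse_reg_export(text):
    """Parse a .reg export (regedit / `reg export`) into {key_path: {value_name: value}}.
    `reg export` writes UTF-16LE with a BOM, so open such a file with encoding="utf-16"."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # multi-line hex value
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current]["(Default)" if m.group(1) is None else m.group(1)] = decode_value(m.group(2))
    return keys


def typed_urls(keys):
    """TypedURLs in url1, url2, ... order (url1 is the most recently typed)."""
    vals = keys.get(TYPED_URLS, {})
    return [vals[n] for n in sorted((n for n in vals if re.fullmatch(r"url\d+", n)), key=lambda n: int(n[3:]))]


def usb_devices(keys):
    """USBSTOR: vendor, product, revision and serial are encoded in the key names themselves."""
    devices = []
    for path, vals in keys.items():
        if not path.upper().startswith(USBSTOR.upper()):
            continue
        parts = path[len(USBSTOR):].split("\\")
        if len(parts) != 2:
            continue
        device_id, instance = parts
        fields = dict(p.split("_", 1) for p in device_id.split("&") if "_" in p)
        devices.append({"vendor": fields.get("Ven", ""), "product": fields.get("Prod", ""),
                        "revision": fields.get("Rev", ""), "serial": instance.split("&")[0],
                        # '&' as 2nd char: no serial reported, Windows generated the ID; not tied to one physical device
                        "serial_is_windows_generated": len(instance) > 1 and instance[1] == "&",
                        "friendly_name": vals.get("FriendlyName", "")})
    return devices


def wireless_profiles(keys):
    """Every network profile the machine has joined, by ProfileName (the SSID for Wi-Fi)."""
    return [v.get("ProfileName", "") for p, v in keys.items() if p.upper().startswith(WLAN_PROFILES.upper())]


def startup_programs(keys):
    """Run-key entries, flagging binaries that live outside the usual install directories."""
    progs = []
    for run in RUN_KEYS:
        for name, cmd in keys.get(run, {}).items():
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            progs.append({"name": name, "command": cmd, "in_trusted_dir": exe.upper().startswith(TRUSTED_DIRS)})
    return progs


# Constructed .reg export (not from a real system) with the kinds of keys the text describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="https://webmail.example.test/"
"url2"="https://bank.example.test/login"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{A1B2C3D4-0000-4000-8000-000000000001}]
"ProfileName"="CoffeeShop_Guest"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Public\\updater.exe"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    print(typed_urls(keys), wireless_profiles(keys), usb_devices(keys), startup_programs(keys), sep="\n")
```

The two USB entries show why the instance ID matters: the SanDisk stick carries a real serial that can be matched against a seized device, while the second entry's `7&...` ID was made up by Windows and can only say that some no-serial device of that model was plugged in. The startup flag is a triage aid, not a verdict; per-user installs such as OneDrive legitimately run from a profile directory.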