
There is a very large amount of evidence on any given computer system. An old adage in the computer forensic community, usually offered in response to clients who ask for "everything", goes: if I were to print out all the possible evidence from a single computer system onto A4 paper, the stack would be higher than the Auckland Skytower.
A computer system contains not only user data but also critical system data, deleted data and cached content. The breakdown below has always been a useful way for our team to explain to clients what is available when they are working out what evidence they are actually looking for. I'll go a little further into each of these categories to provide some insight:
User Data:
This is everything a user intentionally stores on their system: documents on the desktop, photos in their gallery, emails in their mail application, and so on. For the most part this data also carries "metadata", or "the data about the data". Metadata tells an analyst when the file came into being on that system, who created it, when it was last modified or accessed, and potentially a slew of other details about use, sharing and versions. It is only as reliable as the process that recorded it, though: a file copied in from another drive or unpacked from an archive can carry timestamps from its origin, so an analyst corroborates file metadata against the system data described below rather than reading it in isolation.
User data can be housed in complex folder trees designed by the user themselves, or it may sit in the predetermined folder structure Windows provides. Every system is different.
System Data:
This data tells an analyst how a user or group of users engages with a system: when the computer was turned on, what devices have been attached to it, how the user behaves online, and so on. Much of it lives where users rarely look, such as the Windows registry, the event logs and the databases kept by web browsers. For us this data is usually more revealing than the user data noted above. It confirms behaviors, proves connections and details actions.
When was a USB stick last plugged into a system and what was accessed on it? System data will tell us.
How often does a user visit the website Trademe (or insert your concern here)? System data will tell us.
The longer a system has been in use, the more we can mine from the system area to tell us about a user or users, although some sources, such as event logs, roll over and only keep a window of recent activity.
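The "how often does a user visit Trademe?" question above is typically answered from the browser's own history database rather than from anything the user kept on purpose. The script below is an added example and is not code from the original article or from the lab: it assumes the two tables it creates mirror the layout of Chromium's History SQLite file (the `urls` and `visits` tables), fills an in-memory copy with constructed rows so it runs offline, and then counts visits to a domain with first/last seen and a per-day breakdown. The timestamp handling is the part practitioners most often get wrong: Chromium counts microseconds from 1601, not from the Unix epoch.

```python
"""Answer "how often did this profile visit site X?" from a Chromium-style
browser History database.

Added example, not code from the original article. It assumes the urls and
visits tables below mirror the layout of Chromium's History SQLite file, and
it fills an in-memory copy with constructed rows so it runs offline. On a real
case, open a working copy of the profile's History file read-only instead.
"""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium stores times as microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch), not since the Unix epoch; converting wrongly puts every
# visit in the wrong century.
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a Chromium/WebKit microsecond timestamp to a UTC datetime."""
    return _WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion, done in integer arithmetic to avoid float rounding."""
    delta = dt - _WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed sample rows standing in for a seized profile's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (
            id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);
    """)
    base = datetime(2023, 5, 2, 9, 0, tzinfo=timezone.utc)
    urls = [
        (1, "https://www.trademe.co.nz/", "Trade Me"),
        (2, "https://www.trademe.co.nz/a/marketplace/listing/1", "A listing"),
        (3, "https://www.stuff.co.nz/", "Stuff"),
    ]
    # (urls.id, minutes after base): four Trade Me visits over two days and
    # one visit to another site. Constructed data, not from any real case.
    visit_rows = [(1, 0), (2, 6), (3, 300), (1, 1560), (2, 1572)]
    for url_id, url, title in urls:
        times = [m for u, m in visit_rows if u == url_id]
        conn.execute(
            "INSERT INTO urls VALUES (?, ?, ?, ?, 0, ?, 0)",
            (url_id, url, title, len(times),
             datetime_to_webkit(base + timedelta(minutes=max(times)))),
        )
    for visit_id, (url_id, minutes) in enumerate(visit_rows, start=1):
        conn.execute(
            "INSERT INTO visits VALUES (?, ?, ?, 0, 0)",
            (visit_id, url_id, datetime_to_webkit(base + timedelta(minutes=minutes))),
        )
    conn.commit()
    return conn


def visits_per_domain(conn: sqlite3.Connection, domain: str) -> dict:
    """Count visits to `domain` and its subdomains, with first/last seen and a
    per-day breakdown. The visits table is the record of each page load;
    urls.visit_count is only the browser's running counter, so it is not used."""
    rows = conn.execute(
        "SELECT u.url, v.visit_time FROM visits v JOIN urls u ON v.url = u.id"
    ).fetchall()
    times = []
    for url, visit_time in rows:
        host = urlparse(url).hostname or ""
        if host == domain or host.endswith("." + domain):
            times.append(webkit_to_datetime(visit_time))
    if not times:
        return {"visits": 0, "first": None, "last": None, "by_day": {}}
    by_day = Counter(t.date().isoformat() for t in times)
    return {
        "visits": len(times),
        "first": min(times).isoformat(),
        "last": max(times).isoformat(),
        "by_day": dict(sorted(by_day.items())),
    }


if __name__ == "__main__":
    history = build_sample_history()
    print(visits_per_domain(history, "trademe.co.nz"))
```

Matching on the parsed hostname rather than with a SQL `LIKE '%trademe%'` avoids counting unrelated URLs that merely contain the string, and counting rows in `visits` rather than trusting `urls.visit_count` means the per-day figures can be reconciled against other system data such as logon times.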
Deleted Data:
This is normally broken down into recently deleted data and then, well, everything else.
Recently deleted files will normally be uncovered with names, dates and system location still intact. Deleting a file typically only marks its file system record as free without wiping it, so a Word document that has been deleted recently will likely show up in scans at its original location with other relevant data such as author, size and dates still intact, at least until that record is reused.
Data that was deleted a long time ago may still be present and recoverable if it has yet to be overwritten. Once the file system record is gone, recovery relies on carving the content out of unallocated space by its file signature, so the name and dates are lost and a file whose contents were fragmented may come back incomplete. If the user isn't that data heavy, i.e. they aren't constantly downloading or storing masses of files, we can sometimes recover files that are years old. Solid-state drives are the exception: once the operating system tells the drive the freed space is no longer in use (TRIM), the drive can discard it, so this kind of recovery is much less likely there.
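What "recoverable until overwritten" looks like in practice is easiest to see with a signature carver. The script below is an added example and not code from the original article or the lab: it builds a small constructed disk image in memory with two made-up JPEG-like files whose directory entries are assumed to be already gone, carves them back by their start and end markers, and then reuses parts of that free space the way a busy system would, showing what survives each write. The image, the files and the writes are all constructed; a real carver reads a forensic image in chunks and validates file structure rather than trusting the markers alone.

```python
"""Signature carving: recover files from unallocated space after their
directory entries are gone, and watch recovery fail once the space is reused.

Added example, not code from the original article. It works on a small
constructed disk image held in memory, with made-up JPEG-like files, so it
runs offline; a real carver would read a forensic image (e.g. a dd file) in
chunks and validate file structure rather than just trusting the markers.
"""
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"      # end-of-image marker it ends with


def make_fake_jpeg(seed: int, size: int) -> bytes:
    """A constructed stand-in for a JPEG: real markers around filler bytes
    kept below 0x7f so the filler can never contain a marker by accident."""
    body = bytes((seed + i) % 0x7f for i in range(size - len(JPEG_SOI) - len(JPEG_EOI)))
    return JPEG_SOI + body + JPEG_EOI


def carve_jpegs(image: bytes, max_size: int = 10_000_000) -> list:
    """Return (offset, data) for every header/trailer pair found in the image.
    No file system is consulted: this is what recovery looks like once the
    name, path and dates of a deleted file are already gone."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end + len(JPEG_EOI) - start > max_size:
            # header with no plausible trailer: the body was overwritten or
            # fragmented, so nothing complete can be carved here
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def build_image() -> bytearray:
    """64 free sectors with two 'deleted' photos left behind in them: their
    directory entries are gone but the bytes are untouched (constructed)."""
    image = bytearray(64 * SECTOR)
    image[4 * SECTOR:4 * SECTOR + 1500] = make_fake_jpeg(1, 1500)
    image[20 * SECTOR:20 * SECTOR + 3000] = make_fake_jpeg(2, 3000)
    return image


def demo() -> dict:
    """Carve, then reuse parts of the free space the way a busy system would,
    and carve again after each write."""
    image = build_image()
    results = {"intact": [off for off, _ in carve_jpegs(bytes(image))]}

    # A new download lands on the sectors that held the first photo's header
    # and most of its body; the surviving tail alone is not recoverable.
    new_file = (b"NEW FILE CONTENT " * 64)[:1024]
    image[4 * SECTOR:4 * SECTOR + len(new_file)] = new_file
    results["after_new_file"] = [off for off, _ in carve_jpegs(bytes(image))]

    # Something later zeroes the end of the second photo: the header is still
    # there, but without a trailer the carver cannot bound the file.
    image[20 * SECTOR + 2000:20 * SECTOR + 3000] = bytes(1000)
    results["after_tail_overwritten"] = [off for off, _ in carve_jpegs(bytes(image))]
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both photos carved from the untouched image, only the second after the new file lands on the first, and nothing once the second's tail is zeroed. That last case is the practical point for clients: a header by itself proves a file of that type once existed, but it is not the file back.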
Our labs are experienced in uncovering and collating data from all aspects of a user's hardware. Be it phones, laptops, servers or even USB sticks, there is a myriad of content and information about a user's behavior available to a skilled forensic analyst. If you have a need for forensic services or assistance with electronic evidence, call the lab today on 0800 328 2522 to discuss how we might help.
