Windows Forensics

Currently the Microsoft Windows platform dominates the personal computer market for both business and personal use. The forensic software tool development industry has therefore focused on the Windows environment. A computer forensic analysis can be extremely involved and complete, or it can be treated à la carte and tailored to the client's needs.

Forensic analysis can include, but is not limited to, the following areas.

  • Deleted File Recovery - On Windows 2000 and XP, the Recycler folder holds an INFO2 record that tracks each file deleted into the Recycle Bin, including its original path and the time of deletion.  When the Recycle Bin is emptied, the INFO2 record is reset, but the old records usually remain on disk until overwritten and can be recovered with carving tools.  Windows Vista and later replace INFO2 with paired $I (metadata) and $R (content) files under $Recycle.Bin, which are examined the same way.
  • Unallocated Space - Unallocated space is the portion of the media not currently assigned to any file.  When a file is deleted, only the file-system pointers to it are removed; the content remains in unallocated space until it is overwritten.  Unallocated space can be keyword searched and data carved.
  • Data Carving - Most file formats begin with a recognizable header and many end with a footer.  A data-carving utility scans for a header and then looks for a matching footer; when both are found, the bytes between them are recovered as a readable file.  Carving is not always successful: fragmented files, files whose footer was overwritten, and formats with no fixed footer may be recovered only partially or not at all.
  • Data Wiping - Data wiping is the act of intentionally overwriting data to prevent recovery.  Wiping utilities sometimes leave remnants (installation traces, log entries, characteristic fill patterns) that can be searched for, and the unallocated space itself can be reviewed.  If a hard drive has been wiped, unallocated space should contain no recoverable data, typically only zeros or a uniform pattern.
  • Link Files - Link (LNK) files are shortcuts to other files; Windows creates them automatically when a file is opened, in addition to the shortcuts users create themselves.  They record the target's path, size, timestamps and volume information, so they can be examined to determine whether a file was accessed and when.  Because a LNK file stores the volume serial number and drive type of its target, it is also a good indicator that external media, such as a USB thumb drive, was attached to the computer.
  • Attached USB Devices - The registry (for example the USBSTOR keys under the SYSTEM hive) and the setupapi.log file (setupapi.dev.log on Windows Vista and later) can be checked, and often it can be determined when a USB device was first plugged in, along with its vendor, product and serial number.
  • Date / Time - For each file, Windows tracks the creation date (when the file first landed on the media), the last access date (when the file was last viewed or opened by another program), and the last modified or written date (the last time the content was changed).  Using these dates and times, the examiner can build a timeline of the use of the computer.  Note that NTFS last access updates are often disabled by default on Windows Vista and later, so last access dates on newer systems must not be relied on to prove when a file was opened.
  • Metadata - Both system and program-specific metadata can be reviewed.  System metadata (see Date / Time) is created by the operating system for each file on the system.  Program-specific metadata can include such things as the last 10 authors of a document, the last printed date, or camera-specific (EXIF) data in a photograph.
  • Email - Email programs store individual messages in a container (database) file, for example an Outlook PST or OST file.  The forensic process extracts the messages from the container into individual emails that can be keyword searched and reviewed.
  • Email (web based) - Web-based email can be reviewed by keyword searching the Internet cache and examining the cached HTML pages left behind by the webmail session.
  • Internet History - Windows tracks Internet Explorer and other browser activity.  The browser keeps this history to improve performance, but it can also be very useful in civil litigation.  Internet histories are reconstructed from the active history files (index.dat for Internet Explorer; other browsers keep their own history databases).  Forensic software can also carve Internet history records from unallocated space.
  • Windows Registry - The Windows registry can be reviewed for user-specific settings and other information such as Internet searches completed and recently opened documents.
  • Virus / Malware - Using anti-virus tools, each hard drive can be scanned for viruses or malware and reports created.
  • MD5 Comparison - An MD5 hash (a mathematical fingerprint of the contents of a file or device) is calculated for each file, and the results are compared against hash sets of known files to filter out known system files or to identify known suspect files.  Because MD5 collisions are practical to construct, a stronger hash such as SHA-256 should be recorded alongside it whenever a match matters to the case.
  • Signature Analysis - Signature analysis uses the same header information as the data-carving utility.  It is used to find files whose name or extension the user has changed in order to hide the file.  By comparing the file signature (header) with the extension, it can be determined what type of file it really is or what program was used to create it.
  • File Listing - A complete file listing can be created of the entire device or media that includes the file location, file name and system metadata.
  • Keyword Searching - Keyword searching is used to review both active files and unallocated space for specific keywords that will help find the relevant documents.  CCF works with our clients to develop good keywords and searching strategies.
  • Document Review - Each document can be reviewed for relevant content.
  • Graphic File Review - Each graphic (picture) can be reviewed depending on the nature of the case.  A cursory review is often done to locate TIFF files, the image format produced by fax machines.  The text in these files is not keyword searchable, so they can only be located by manually reviewing the graphics.
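As an added example (not part of the original page and not CCF's tooling), the Python below shows the Data Carving and Signature Analysis steps listed above in working form: a small header/footer table, a carver run over a constructed byte buffer standing in for an unallocated-space extract, and a check that compares a file's extension with what its header says. The signature table, the sample file bytes and the field names of the results are assumptions made for this illustration.

```python
# Added example, not the page's own code. The signature table, sample bytes and
# result field names are assumptions for the illustration.

SIGNATURES = {
    # type: (header, footer). Headers are the real magic numbers for these formats.
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF8", b"\x00;"),
}
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}
MAX_CARVE = 16 * 1024 * 1024  # give up on a header whose footer is not within 16 MiB


def identify(data):
    """Signature analysis: name the file type implied by the leading bytes, or None."""
    for ftype, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return ftype
    return None


def signature_mismatch(filename, data):
    """Compare the extension a file carries with what its header says it is.

    'mismatch' is True only when the header is recognised and disagrees with the
    extension, so an unknown header never produces a false alarm.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    detected = identify(data)
    return {
        "name": filename,
        "extension": ext,
        "detected": detected,
        "mismatch": detected is not None and detected != ext,
    }


def carve(data):
    """Header/footer carving over a byte buffer (e.g. an unallocated-space extract).

    Every header hit is reported; a hit is 'complete' only when a matching footer
    follows within MAX_CARVE bytes. Incomplete hits are the 'not always successful'
    case: the footer was overwritten, the file is fragmented, or it never existed.
    A JPEG with an embedded thumbnail contains two FF D9 markers, so taking the
    first footer recovers only the thumbnail; that is a limit of plain carving.
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = data.find(header)
        while start != -1:
            end = data.find(footer, start + len(header), start + MAX_CARVE)
            if end != -1:
                end += len(footer)
                hits.append({"type": ftype, "offset": start, "length": end - start,
                             "complete": True, "data": data[start:end]})
            else:
                hits.append({"type": ftype, "offset": start, "length": None,
                             "complete": False, "data": None})
            start = data.find(header, start + 1)
    # Order by position so the listing reads the way the disk does.
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample 'unallocated space': zero fill around three embedded files,
# the last of which has lost its trailer and so cannot be carved completely.
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0" + b"\x00\x10JFIF\x00" + b"<jpeg payload>" + b"\xFF\xD9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"<png chunks>" + b"IEND\xAEB`\x82"
SAMPLE_PDF_TRUNCATED = b"%PDF-1.4\n<objects, trailer overwritten>"
FILL = b"\x00" * 64
UNALLOCATED = FILL + SAMPLE_JPEG + FILL + SAMPLE_PNG + FILL + SAMPLE_PDF_TRUNCATED + FILL

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        status = "recovered" if hit["complete"] else "header only, footer not found"
        print(f"{hit['type']:4} @ {hit['offset']:6d}  {status}")
    # A PNG that was renamed to hide it as a photograph.
    print(signature_mismatch("vacation.jpg", SAMPLE_PNG))
```

Real carvers add per-format size limits and structure parsing (for example reading PNG chunk lengths instead of hunting for IEND) to reduce the false and truncated recoveries this simple header/footer approach produces.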

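As an added example for the MD5 Comparison and File Listing items above (again not the page's own code), the Python below hashes a file tree the way a listing is produced, then filters that listing against known-good and known-bad hash sets, recording SHA-256 next to MD5 so any match can be re-verified with a collision-resistant hash. The reference files the hash sets are built from, the evidence paths and their contents are all constructed and hypothetical.

```python
import hashlib
import os

# Added example, not the page's own code. Evidence files, reference copies and
# paths are constructed for the illustration.


def hash_bytes(data):
    """MD5 for matching legacy hash sets, with SHA-256 recorded alongside."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_tree(root):
    """Hash every regular file under root (a mounted image or export directory).

    Files are streamed in 1 MiB chunks so large files are not read into memory at once.
    Returns {path: {"md5": ..., "sha256": ...}} in the same shape triage() consumes.
    """
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            md5, sha256 = hashlib.md5(), hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1024 * 1024), b""):
                    md5.update(chunk)
                    sha256.update(chunk)
            listing[path] = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    return listing


def triage(listing, known_good_md5, known_bad_md5):
    """Split a {path: hashes} listing into known-bad, known-good and needs-review.

    Known-bad is tested first: a hash present in both sets is a hash-set error and
    should surface for review, not be silently filtered out as a system file.
    """
    result = {"known_bad": [], "known_good": [], "review": []}
    for path, hashes in sorted(listing.items()):
        entry = {"path": path, **hashes}
        if hashes["md5"] in known_bad_md5:
            result["known_bad"].append(entry)
        elif hashes["md5"] in known_good_md5:
            result["known_good"].append(entry)
        else:
            result["review"].append(entry)
    return result


# Constructed hash sets: the known-good set is built the way a reference set is,
# by hashing clean copies; the known-bad set has one hypothetical sample.
REFERENCE_SYSTEM_FILES = [b"clean reference copy of notepad.exe",
                          b"clean reference copy of kernel32.dll"]
KNOWN_GOOD_MD5 = {hashlib.md5(b).hexdigest() for b in REFERENCE_SYSTEM_FILES}
KNOWN_BAD_MD5 = {hashlib.md5(b"hypothetical dropper sample").hexdigest()}

# Constructed evidence listing (hypothetical paths and contents) standing in for
# what hash_tree() would return for a mounted image.
EVIDENCE_FILES = {
    r"C:\Windows\notepad.exe": b"clean reference copy of notepad.exe",
    r"C:\Windows\System32\kernel32.dll": b"clean reference copy of kernel32.dll",
    r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe": b"hypothetical dropper sample",
    r"C:\Users\jdoe\Documents\design-notes.docx": b"client design notes to review",
}
EVIDENCE_HASHES = {path: hash_bytes(data) for path, data in EVIDENCE_FILES.items()}

if __name__ == "__main__":
    report = triage(EVIDENCE_HASHES, KNOWN_GOOD_MD5, KNOWN_BAD_MD5)
    for bucket, entries in report.items():
        for e in entries:
            print(f"{bucket:10} {e['md5']}  {e['path']}")
```

In practice the known-good set comes from a published reference collection such as NIST's NSRL, and the known-bad set from the case's own indicators; the filtering logic is the same either way. The example hashes by content only, so a system file dropped in an unusual location still matches known-good by hash and needs the File Listing path to stand out.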

Case Studies

Tier One Automotive Supplier – IP theft to China
