When investigating a computer system for forensic purposes, various types of evidence can be recovered. These pieces of evidence are invaluable for digital forensics experts in understanding the activities performed on the computer, determining whether any malicious actions have occurred, and identifying the parties responsible. Below are the main categories of evidence that can be retrieved from a computer:
1. Files and Documents
Files and documents on a computer, such as text documents, spreadsheets, PDFs, and images, are crucial pieces of evidence. These may include:
User-generated content: Personal notes, business documents, financial records, or personal communications saved on the system.
Illicit content: Images, videos, or other illegal material stored on the system.
Metadata: Metadata in documents (such as author, creation/modification dates, and GPS coordinates in images) provides additional insights into how files were created, edited, or transferred.
2. Deleted Data and File Fragments
Even when files are deleted, they often leave traces that can be recovered using specialized forensic tools. Deleted data, which may appear to be gone to the casual user, can still exist in the following ways:
Unallocated space: When a file is deleted, its space is marked as available for new data but isn't immediately overwritten. Forensic tools can recover the file as long as it hasn’t been overwritten.
File slack: The unused space between the end of a file's data and the end of the last block or cluster allocated to it, where fragments of previously deleted files may still reside.
File carving: Techniques used to recover files based on their structure, even if no file system information exists to reference the file directly.
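The carving idea above in working form, as an added example that is not from the original page: a signature-based carver that scans a constructed chunk of "unallocated space" for JPEG and PDF header/footer pairs and reports a header with no footer as a fragment rather than a recovered file. The sample bytes, the signature table and the MAX_CARVE bound are assumptions for the demonstration.

```python
import re

# Constructed stand-in for a chunk of unallocated disk space: two intact
# JPEGs, one PDF, and a JPEG fragment whose end-of-image marker was overwritten.
UNALLOCATED = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-one" + b"\xff\xd9"
    + b"\x00" * 8
    + b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe1" + b"Exif-two" + b"\xff\xd9"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0" + b"truncated" + b"\x00" * 8
)

# Header and footer byte signatures per file type (real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 4096  # assumed upper bound on one carved file, bounds the footer search


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return (type, offset, content) for every header found, sorted by offset.
    content is None when no footer follows within max_size: a fragment, not a file."""
    found = []
    for ftype, (header, footer) in signatures.items():
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window = data[start:start + max_size]
            end = window.find(footer, len(header))  # skip the header bytes themselves
            if end == -1:
                found.append((ftype, start, None))
            else:
                found.append((ftype, start, window[:end + len(footer)]))
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    for ftype, offset, content in carve(UNALLOCATED):
        status = f"{len(content)} bytes" if content else "fragment (no footer)"
        print(f"{ftype} @ {offset}: {status}")
```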
3. Operating System Artifacts
Operating systems maintain a significant amount of logs, settings, and configurations that help in digital forensic investigations. Common OS artifacts include:
Registry entries (Windows): The Windows Registry records details about software installations, user activity, connected devices, and system configurations.
Event logs: Windows, macOS, and Linux all store event logs that track system errors, login/logout activities, network connections, and other significant events.
Prefetch files (Windows): These files track applications that have been run on the system, showing the date and time the programs were launched, aiding investigators in tracking user activity.
4. Browser and Internet Activity
Internet history is a critical part of forensic investigations, revealing user behavior, searches, downloads, and website visits. Information recoverable from web browsers includes:
Browser history: Records of websites visited, timestamps, and the sequence of visited URLs.
Cookies: Small data files that store information about user preferences, login status, and website activity.
Download history: A log of files downloaded from the internet, including timestamps and URLs.
Cached files: Web pages and images stored locally on the hard drive that may provide information about content viewed by the user.
Search history: Details of keywords and terms entered into search engines.
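As an added example (not from the original page) of reading browser history, the block below queries a constructed in-memory copy of the Chrome/Chromium "History" SQLite table and converts its timestamps. The schema subset and the sample rows are assumptions; the real file has more tables and columns, but the timestamp format is the real one: microseconds since 1601-01-01 UTC rather than the Unix epoch.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium store last_visit_time as microseconds since 1601-01-01 UTC
# (the "WebKit" epoch). Feeding these values to a Unix-epoch converter gives
# dates far in the future, a common mistake when timelining browser activity.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime; 0 means 'never'."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history():
    """Constructed stand-in for a Chrome History file (subset of the real 'urls' table)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                  visit_count INTEGER, typed_count INTEGER,
                  last_visit_time INTEGER, hidden INTEGER)""")
    rows = [  # constructed sample visits
        (1, "https://example.org/", "Example", 3, 1, 13360000000000000, 0),
        (2, "https://example.org/download/report.pdf", "Report", 1, 0, 13360003600000000, 0),
        (3, "https://example.net/search?q=forensic+timeline", "Search", 1, 0, 13360007200000000, 0),
    ]
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    return db


def history_entries(db):
    """Return (utc_iso_time, visit_count, url) tuples, most recent visit first."""
    cur = db.execute("SELECT url, visit_count, last_visit_time FROM urls "
                     "ORDER BY last_visit_time DESC")
    return [(webkit_to_datetime(ts).isoformat(), count, url) for url, count, ts in cur]


if __name__ == "__main__":
    for when, count, url in history_entries(build_sample_history()):
        print(when, count, url)
```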
5. Email and Messaging Data
Emails, instant messaging conversations, and other forms of digital communication are commonly stored on computers and can be recovered, even if deleted. Data recoverable from email and messaging applications includes:
Email content: The full body of sent and received emails, including attachments and metadata (such as timestamps, sender/receiver details).
Messaging logs: Chat logs from instant messaging platforms (such as WhatsApp, Skype, Slack, and others).
Deleted messages: In some cases, even deleted emails and messages can be retrieved through backups or forensic recovery tools.
6. Temporary and Swap Files
Computers often store temporary data in swap files (used for virtual memory) or temporary file folders. These can contain fragments of files, images, passwords, and other sensitive information. For example:
Temporary internet files: Web browsers and operating systems store temporary versions of files or pages that can be recovered for evidence.
Swap and hibernation files: Data paged out to the swap file while the system is running, or written to the hibernation file when it hibernates, may contain traces of open documents or other memory contents.
7. System Logs and Event Records
System logs and event records are often generated by both the operating system and individual applications to track system health and functionality. They can provide a timeline of events that occurred on the computer, including:
Login/logout records: Times when users logged into or out of the system, often paired with the user account used.
Audit logs: Security logs tracking access to critical system functions or files.
System crashes: Logs of system errors, crashes, and restarts, which can indicate when someone tampered with the machine or attempted malicious actions.
8. Network Activity and Connections
Recovering network activity can reveal who connected to the machine, which websites were visited, and whether data was transferred to remote systems. This type of evidence includes:
IP addresses: Logs of inbound and outbound IP addresses, which can help trace connections to other devices or identify where a user was accessing the internet.
Wi-Fi and network connections: Information about networks the device connected to, such as the SSID and timestamps.
Packet captures: If packet capture tools like Wireshark were running, forensic investigators can examine detailed network traffic, including file transfers and communication between computers.
9. External Device Connections
Records of external devices, such as USB drives, external hard drives, or other peripherals, are commonly found in the logs and registry of a computer. These logs are useful for identifying:
USB drive history: A list of external storage devices that were connected to the machine, including details such as manufacturer, serial number, and the first and last time each was connected.
Connected peripherals: Printers, smartphones, or other hardware that interacted with the machine.
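An added example, not from the original page, of pulling the USB storage history above out of a Windows registry export: the parser reads a constructed .reg-style dump of the USBSTOR enumeration key and splits each device's key path into vendor, product, revision and instance id. The export text is constructed; the key layout (Disk&Ven_...&Prod_...&Rev_...\<instance>) and the rule that an instance id whose second character is "&" was generated by Windows because the device reported no unique serial are real.

```python
import re

# Constructed .reg-style export of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
# (not taken from a real system).
USBSTOR_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230412345678&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Enum\\USBSTOR\\([^\\]+)\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_usbstor(text):
    """Return one dict per device subkey found in a .reg export of USBSTOR.
    First/last connection times are not in the export: they come from the
    hive's key last-write timestamps and from setupapi.dev.log."""
    devices, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            dev_id, instance = m.groups()
            # "Disk&Ven_X&Prod_Y&Rev_Z" -> {"Ven": X, "Prod": Y, "Rev": Z}
            fields = dict(p.split("_", 1) for p in dev_id.split("&")[1:] if "_" in p)
            current = {
                "vendor": fields.get("Ven"), "product": fields.get("Prod"),
                "revision": fields.get("Rev"), "instance_id": instance,
                "serial": instance.split("&")[0],
                # second char "&" => Windows-generated id, device had no unique serial
                "serial_is_unique": instance[1:2] != "&",
                "values": {},
            }
            devices.append(current)
        elif current is not None:
            v = VALUE_RE.match(line)
            if v:
                current["values"][v.group(1)] = v.group(2)
    return devices


if __name__ == "__main__":
    for d in parse_usbstor(USBSTOR_EXPORT):
        print(d["vendor"], d["product"], d["serial"], "unique" if d["serial_is_unique"] else "generated")
```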
10. Passwords and Encryption Keys
Digital forensic techniques can sometimes uncover passwords, encryption keys, or other authentication credentials stored on the computer. This may include:
Password hashes: Hashed versions of user passwords can be recovered from the system and potentially cracked using brute-force or dictionary attacks.
Saved passwords: Web browsers and operating systems often store credentials for websites and applications, which can be extracted by forensic software.
Encryption keys: In cases where a user encrypted files or drives, the keys might be recoverable from the system's memory or key management software.
11. Software and Application Artifacts
Applications installed on a computer generate logs and store settings that can provide clues about the user's behavior. Forensic investigators can recover the following types of artifacts:
Application usage logs: Some software stores logs about when it was used, how long it was active, and what actions were taken.
License information: Details about licensed software, which can indicate what applications were installed and used.
12. Virtual Machine Data
Many users and organizations use virtual machines (VMs) to run isolated environments for different tasks. A forensic investigator can recover evidence from virtual machines, such as:
VM snapshots: Snapshots of virtual machines can reveal system states, files, and data from a specific point in time.
Virtual disk files: VMs use virtual disk files (e.g., .vmdk, .vdi) to store the contents of the virtual machine's disk, which can be examined similarly to a physical drive.
13. Cloud Storage and Synchronization Data
If the computer is synchronized with cloud storage services like Google Drive, Dropbox, or OneDrive, investigators can often recover files from the computer’s local copies or logs that detail file transfers. This evidence includes:
Synced files: Files that were uploaded or downloaded from cloud storage.
Access logs: Information about when cloud accounts were accessed, what files were modified, and from which IP addresses or devices.
14. Malware and Malicious Software
In cases where a computer has been compromised by malware, forensic investigators can recover:
Malware samples: Copies of the malicious software itself, which can be analyzed to understand its functionality and behavior.
Payloads and scripts: Additional components that the malware may have downloaded or executed on the system.
Logs of malicious actions: Forensic tools can reconstruct the malware’s actions, such as files it modified or commands it executed.
15. Mobile Device Artifacts (When Connected or Synced)
If a computer has been used to sync or manage mobile devices (e.g., smartphones or tablets), evidence related to these devices may be available, such as:
Backup files: iOS or Android device backups stored on the computer, containing call logs, messages, contacts, and other data.
Device sync logs: Details of when the mobile device was connected to the computer, including what data was transferred.
16. Virtual Memory (RAM) and Memory Dumps
During an investigation, forensic experts may extract and analyze the computer’s memory (RAM) to uncover transient data that only exists while the machine is powered on, such as:
Running processes: Information about what applications and processes were active at the time of memory acquisition.
Decrypted content: Encryption keys and decrypted versions of files or communications, which would normally be protected.
Network activity: Active connections and network traffic captured in memory.
17. Time Stamps and Timeline Analysis
Time stamps embedded in files and logs can help establish a timeline of activity. These include:
File creation/modification times: When files were created, last accessed, or modified.
Login times: When users logged in or logged out.
Access times: When particular applications or services were accessed.
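To show how the log records of section 7 and the time stamps of this section are combined into one timeline, here is an added example that is not from the original page: it normalises a constructed Linux auth.log excerpt and constructed file-system timestamps into one sorted event list. The log lines, file paths and epoch values are assumptions; the caveat is real: syslog-style timestamps carry no year and no time zone, so the investigator must supply both (2024 and UTC assumed here).

```python
import re
from datetime import datetime, timezone

# Constructed auth.log excerpt (syslog format: no year, no zone in the timestamp).
AUTH_LOG = """\
May 12 15:06:40 ws01 sshd[1234]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
May 12 15:06:40 ws01 systemd-logind[600]: New session 7 of user alice.
May 12 15:20:02 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install foo
May 12 15:41:10 ws01 systemd-logind[600]: Removed session 7.
"""

# Constructed file-system timestamps as a forensic tool would export them:
# path -> (modified, accessed, changed), Unix epoch seconds in UTC.
FILE_TIMES = {
    "/home/alice/report.pdf": (1715526800, 1715527000, 1715526800),
    "/etc/cron.d/update": (1715527300, 1715527300, 1715527300),
}

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_syslog(text, year, tz=timezone.utc):
    """Parse syslog lines into (timestamp, source, description); year and zone are supplied."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a timestamp
        mon, day, hms, _host, proc, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append((ts, "auth.log", f"{proc}: {msg}"))
    return events


def file_events(times):
    """Expand each file's M/A/C times into separate timeline events."""
    events = []
    for path, (m, a, c) in times.items():
        for label, t in (("modified", m), ("accessed", a), ("changed", c)):
            events.append((datetime.fromtimestamp(t, timezone.utc), "filesystem", f"{path} {label}"))
    return events


def build_timeline(*sources):
    """Merge event lists from any number of sources into one chronological list."""
    return sorted(e for src in sources for e in src)


def events_between(timeline, start, end):
    """Slice of the timeline inside [start, end], e.g. one login session."""
    return [e for e in timeline if start <= e[0] <= end]
```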
18. Proprietary Software and Database Data
If proprietary software or databases are used on the computer, forensic investigators may recover:
Database logs: Records of database transactions, including when data was inserted, modified, or deleted.
Proprietary software logs: Logs specific to the software, which can reveal user actions and events within the application.