IST2901 Digital Forensic Examiner
WK3 Three Categories of Evidence Discussion
To add to this week’s discussion, I have opted to break down my three types as follows:
Archival Data: Archival data is information that is not immediately accessible to a user of a computer system, but that is maintained for long-term storage, recordkeeping, or research purposes.
Back Up Data: When going over your backup and recovery audit checklist, err on the side of more evidence, rather than less. More audit findings mean more remediation work once the audit report has been approved and published. Many organizations will likely circulate the audit report to senior IT and corporate management, so plenty of relevant evidence goes a long way.
Residual Data: Residual data is deleted or overwritten data that may contain digital evidence if successfully recovered. Since it’s not typically visible through a file browser, it’s classified as an invisible data type. To understand the concept, you have to keep in mind that when someone deletes a file from a device, the data is still there – it’s just unlinked from the file structure itself, so it doesn’t show up in a search or when viewing the contents of a hard drive or storage device through a file browser.
Great discussion! Looking forward to learning more from each of you!
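The residual-data point in the post, shown as an added example that is not part of the original post: a signature carver finds a JPEG that is still in the raw bytes even though the file table no longer links to it. The disk image, the file table layout, and the name `holiday.jpg` are constructed for illustration.

```python
"""Signature carving over a constructed raw image (all bytes below are made up)."""

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(image: bytes):
    """Return (offset, data) for every SOI..EOI span found in the raw bytes."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:            # header with no footer: truncated or overwritten
            break
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def residual_only(carved, allocated):
    """Keep carved spans that no live file entry (offset, length) covers."""
    def is_live(off, size):
        return any(off < a_off + a_len and a_off < off + size
                   for a_off, a_len in allocated)
    return [(off, data) for off, data in carved if not is_live(off, len(data))]


def build_sample():
    """Constructed 'disk': one live JPEG, one deleted JPEG still in free space."""
    live = JPEG_SOI + b"\xe0LIVE-PHOTO" + JPEG_EOI
    deleted = JPEG_SOI + b"\xe0DELETED-PHOTO" + JPEG_EOI
    image = bytearray(512)
    image[64:64 + len(live)] = live
    image[300:300 + len(deleted)] = deleted
    # File table after deletion: only the live file is still linked.
    table = {"holiday.jpg": (64, len(live))}
    return bytes(image), table


if __name__ == "__main__":
    image, table = build_sample()
    carved = carve_jpegs(image)
    for off, data in residual_only(carved, table.values()):
        print(f"residual JPEG at offset {off}, {len(data)} bytes")
```

Real images can contain the end marker inside embedded thumbnails and may be fragmented across the disk, so production carvers validate the internal structure rather than trusting the first footer they see.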