Viewing 3 reply threads
  • Author
    • #85316
      Manny Varela

      Discuss the 3 major categories of evidence that our E-book discusses.  Describe each type and give at least two examples of each.

    • #86269
      Kevin Mehok

      IST2901 Digital Forensic Examiner
      Week Three
      Assignment #2
      WK3 Three Categories of Evidence Discussion

      Hey Class,

      To add to this week’s discussion, I have opted to break down my three types as followed:
      Archival Data-Archival data is information that is not immediately accessible to a user of a computer system, but that is maintained for long-term storage, recordkeeping, or research purposes.

      Back Up Data-When going over your backup and recovery audit checklist, err on the side of more evidence, rather than less. More audit findings mean more remediation work once the audit report has been approved and published. Many organizations will likely circulate the audit report to senior IT and corporate management, so plenty of relevant evidence goes a long way.

      Residual Data-Residual data is deleted or overwritten data that may contain digital evidence if successfully recovered. Since it’s not typically visible through a file browser, it’s classified as an invisible data type. To understand the concept, you have to keep in mind that when someone deletes a file from a device, the data is still there – it’s just unlinked from the file structure itself, so it doesn’t show up in a search or when viewing the contents of a hard drive or storage device through a file browser.

      Great discussion! Looking forward to learning more for each of you!

      God Bless,



      • #86509
        Kelly Crooks

        Kevin, you did a nice job describing the three major categories of evidence. Have you had the opportunity to work with or have experience in the three categories? I am sure we all have at one time or another, probably before we knew what it was and how it worked. I found it interesting in my reading outside of the textbook how many people assume that if you delete a file from a system, it has been deleted for good.

        I am not picking on my mom here but she should not have a computer or any technology of any kind. I can’t tell you how many times I have had to help her recover a file or tax item that she accidentally deleted. She has the same problems with her cell phone, fortunately, my son is able to help her with that as well.

    • #86277

      Great point, Kevin, that when something is “deleted”, it’s references are usually just removed from a table so it can still be recovered many times. This is the type of knowledge that a forensic scientist uses to recover evidence.

      • #86281
        Kevin Mehok


        Thanks for the response. I always tell my kids that browser history and footprints are digital crumbs. Clearly, as a Forensic Examiner our goal is for the greater good. However, keep in mind, that hackers also lover forensics and sniffing for crumbs.

        God Bless,


    • #86440
      Kelly Crooks

      The three major categories of evidence that are discussed in the book are Archival Data, Backup Data, and Residual data.

      Archival Data is data that is no longer active. Archival data is stored separately on another device to free up space on the system hard drive or media device. Some examples of Archival data include things such as letters, maps, and statistics. Archival data is retained so that it can be accessed at a later time but not stored on the operating system drive. Archival data is like data that has been put into storage, it is there when needed but not taking up space on your hard drive.

      Backup data is just that, files or programs that have been backed up to a safe location or area. Backup data is used in case a file is lost, stolen, or deleted from the system hard drive. Backup data can be easily accessed in the case of emergencies or a system failure. Backup data is usually stored on a portable device like a USB flash drive, the cloud, an external hard drive, or any portable media device. I have my Quickbooks back up all the data after every third time I log out of the system. It is stored on a USB flash Drive that I can take between computers if I need to.

      Residual data is data that the end user thinks is gone but is recoverable from digital media. Residual data can include files or programs that a user “deletes” from the system but is not deleted at all, it is just not visible anymore. The data is stored at other locations within the system. Residual data, while being deleted and no longer visible with the application with which the file was created is still on the system. Residual data is inactive data on a computer system.

Viewing 3 reply threads
  • You must be logged in to reply to this topic.


Please Note:

The support ticket system is for technical questions and post-sale issues.


If you have pre-sale questions please use our chat feature or email .

Cybersecurity Certifications for Today's INFOSEC Careers

Mile2 Cybersecurity Certifications is a world-leader in providing accredited education, training, and certifications for INFOSEC professionals. We strive to deliver the best course ware, the strongest Cyber Range, and the most user-friendly exam system in the market.


Our training courses follow our role-based Certification Roadmap. Plus, many of our classes include hands-on skill development in our Cyber Range.  We train students in penetration testing,disaster recovery, incident handling, and network forensics.  Additionally, our Information Assurance training certification meets military, government, private sector and institutional specifications.  



We've developed training for...

Canada Army Navy Airforce

The Canadian Department of National Defense


The United States Air Force

Defense Logistics Agency

A United States Counterintelligence Agency

Texas Workforce Commission

Texas Workforce Commission

error: Alert: Content is protected !!