[Manny Varela]

Discuss the 3 major categories of evidence that our E-book discusses.  Describe each type and give at least two examples of each.

[Kevin Mehok]

IST2901 Digital Forensic Examiner
Week Three
Assignment #2
WK3 Three Categories of Evidence Discussion

Hey Class,

To add to this week’s discussion, I have opted to break down my three types as followed:
Archival Data-Archival data is information that is not immediately accessible to a user of a computer system, but that is maintained for long-term storage, recordkeeping, or research purposes.

Back Up Data-When going over your backup and recovery audit checklist, err on the side of more evidence, rather than less. More audit findings mean more remediation work once the audit report has been approved and published. Many organizations will likely circulate the audit report to senior IT and corporate management, so plenty of relevant evidence goes a long way.

Residual Data-Residual data is deleted or overwritten data that may contain digital evidence if successfully recovered. Since it’s not typically visible through a file browser, it’s classified as an invisible data type. To understand the concept, you have to keep in mind that when someone deletes a file from a device, the data is still there – it’s just unlinked from the file structure itself, so it doesn’t show up in a search or when viewing the contents of a hard drive or storage device through a file browser.

Great discussion! Looking forward to learning more for each of you!

God Bless,

Kevin

ist

[Kelly Crooks]

Kevin, you did a nice job describing the three major categories of evidence. Have you had the opportunity to work with or have experience in the three categories? I am sure we all have at one time or another, probably before we knew what it was and how it worked. I found it interesting in my reading outside of the textbook how many people assume that if you delete a file from a system, it has been deleted for good.

I am not picking on my mom here but she should not have a computer or any technology of any kind. I can’t tell you how many times I have had to help her recover a file or tax item that she accidentally deleted. She has the same problems with her cell phone, fortunately, my son is able to help her with that as well.

[jpurdy@ohiochristian.edu]

Great point, Kevin, that when something is “deleted”, it’s references are usually just removed from a table so it can still be recovered many times. This is the type of knowledge that a forensic scientist uses to recover evidence.

[Kevin Mehok]

Professor,

Thanks for the response. I always tell my kids that browser history and footprints are digital crumbs. Clearly, as a Forensic Examiner our goal is for the greater good. However, keep in mind, that hackers also lover forensics and sniffing for crumbs.

God Bless,

Kevin

[Kelly Crooks]

The three major categories of evidence that are discussed in the book are Archival Data, Backup Data, and Residual data.

Archival Data is data that is no longer active. Archival data is stored separately on another device to free up space on the system hard drive or media device. Some examples of Archival data include things such as letters, maps, and statistics. Archival data is retained so that it can be accessed at a later time but not stored on the operating system drive. Archival data is like data that has been put into storage, it is there when needed but not taking up space on your hard drive.

Backup data is just that, files or programs that have been backed up to a safe location or area. Backup data is used in case a file is lost, stolen, or deleted from the system hard drive. Backup data can be easily accessed in the case of emergencies or a system failure. Backup data is usually stored on a portable device like a USB flash drive, the cloud, an external hard drive, or any portable media device. I have my Quickbooks back up all the data after every third time I log out of the system. It is stored on a USB flash Drive that I can take between computers if I need to.

Residual data is data that the end user thinks is gone but is recoverable from digital media. Residual data can include files or programs that a user “deletes” from the system but is not deleted at all, it is just not visible anymore. The data is stored at other locations within the system. Residual data, while being deleted and no longer visible with the application with which the file was created is still on the system. Residual data is inactive data on a computer system.

[Author]

Posts