Chapter 5 – File Analysis

Publisher Summary

Each investigation undertaken is different from the last, much like snowflakes. However, some basic concepts are common across investigations, and knowing where to look for corroborating information can be an important key. Too often an investigation is pulled or driven by external forces and deadlines, so knowing where to look for information or evidence of activity, beyond what is presented by a forensic "analysis" graphical user interface (GUI), is very important. Many investigations are limited by time and resources to merely a search for keywords or specific files, whereas a great deal of information could be available if only we knew where to look and what questions to ask. Knowing where to look, and where evidence should exist based on how the operating system and applications respond to user action, are both very important aspects of forensic analysis. Knowing where log files should exist, as well as their format, can provide valuable clues during an investigation, perhaps even more so when those artifacts are absent. A lack of clear documentation of various file formats is a challenge for forensic investigations. The key to overcoming this challenge is thorough, documented investigation of these file formats and sharing of this information. This includes not only files and file formats from the versions of the Windows operating system currently being investigated but also newer versions, such as Vista.