
The Discovery, Processing, Acquisition and Presentation of Digital Evidence

Amitesh Bharat Singh, IRS Additional Commissioner
Presentation made at NACEN, India

ABS

1

The First Responder 

After securing the scene and all persons at the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved. Digital evidence on computers and other electronic devices can be easily altered, deleted, or destroyed. First responders should document, photograph, and secure digital evidence as soon as possible at the scene.

When securing and evaluating the scene, the first responder should:

- Secure crime scenes.
- Immediately secure all electronic devices, including personal or portable devices.
- Ensure that no unauthorized person has access to any electronic devices at the crime scene.
- Refuse offers of help or technical assistance from any unauthorized persons.
- Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
- Ensure that the condition of any electronic device is not altered.
- Leave a computer or electronic device off if it is already turned off.

Types of Computers

Types of Hard Drives

External Hard Drives

Memory Cards

Handheld devices

Other sources of digital evidence

Servers

Evaluating the potential sources of evidence

- Components such as keyboard, mouse, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved. First responders should take the appropriate steps to ensure that physical evidence is not compromised during documentation.
- Developments in technology and the convergence of communications capabilities have linked even the most conventional devices and services to each other, to computers, and to the Internet. This rapidly changing environment makes it essential for the first responder to be aware of the potential digital evidence in telephones, digital video recorders, other household appliances, and motor vehicles.

Is it on or off?

If a computer is on or the power state cannot be determined, the first responder should:

- Look and listen for indications that the computer is powered on. Listen for the sound of fans running, drives spinning, or check to see if light emitting diodes (LEDs) are on.
- Check the display screen for signs that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
- Look for indications that the computer is being accessed from a remote computer or device.
- Look for signs of active or ongoing communications with other computers or users such as instant messaging windows or chat rooms.
- Take note of all cameras or Web cameras (Web cams) and determine if they are active.

First responders should separate and identify all adult persons of interest at the crime scene and record their location at the time of entry onto the scene. No one should be allowed access to any computer or electronic device.

Preliminary Interviews

Within the parameters of the law, first responders should obtain as much information as possible from these adult persons of interest, including:

- Names of all users of the computers and devices.
- All computer and Internet user information.
- All login names and user account names.
- Purpose and uses of computers and devices.
- All passwords.
- Any automated applications in use.
- Type of Internet access.
- Any offsite storage.
- Internet service provider.
- Installed software documentation.
- All e-mail accounts.
- Security provisions in use.
- Web mail account information.
- Data access restrictions in place.
- All instant message screen names.
- All destructive devices or software in use.
- MySpace, Facebook, or other online social networking Web site account information.
- Any other relevant information.

Keep Documenting

- Documentation of a crime scene creates a record for the investigation. It is important to accurately record the location of the scene; the scene itself; the state, power status, and condition of computers, storage media, wireless network devices, mobile phones, smart phones, PDAs, and other data storage devices; Internet and network access; and other electronic devices.
- The first responder should be aware that not all digital evidence may be in close proximity to the computer or other devices. Officials may need to move a computer or another electronic device to find its serial numbers or other identifiers. Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Computers and other electronic devices should not be moved until they are powered off.

Documenting the crime scene

- The initial documentation of the scene should include a detailed record using video, photography, and notes and sketches to help recreate or convey the details of the scene later. All activity and processes on display screens should be fully documented.
- Documentation of the scene should include the entire location, including the type, location, and position of computers, their components and peripheral equipment, and other electronic devices.
- The scene may expand to multiple locations; first responders should document all physical connections to and from the computers and other devices.
- Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet. The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.
- Some circumstances may not permit first responders to collect all electronic devices or components at a scene or location. Certain factors may prohibit collecting some computer systems and other electronic devices and the information they contain; however, these devices should be included in the first responder's documentation of the scene.

Evidence Collection

- Digital evidence must be handled carefully to preserve the integrity of the physical device as well as the data it contains. Some digital evidence requires special collection, packaging, and transportation techniques. Data can be damaged or altered by electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices. Communication devices such as mobile phones, smart phones, PDAs, and pagers should be secured and prevented from receiving or transmitting data once they are identified and collected as evidence.
- If data encryption is in use on a computer, data storage device, or other electronic device and it is improperly powered off during digital evidence collection, the data it contains may become inaccessible.

Assess the Situation

To prevent the alteration of digital evidence during collection, first responders should first:

- Document any activity on the computer, components, or devices.
- Confirm the power state of the computer. Check for flashing lights, running fans, and other sounds that indicate the computer or electronic device is powered on.
- If the power state cannot be determined from these indicators, observe the monitor to determine if it is on, off, or in sleep mode.

Identify computer's power status

After identifying the computer's power status, follow the steps listed below for the situation most like your own:

Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.

1. Photograph the screen and record the information displayed.
2. Proceed to "If the Computer Is ON".

Situation 2: The monitor is on and a screen saver or picture is visible.

1. Move the mouse slightly without depressing any buttons or rotating the wheel. Note any onscreen activity that causes the display to change to a login screen, work product, or other visible display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".

Monitor on

Situation 3: The monitor is on, however, the display is blank as if the monitor is off.

1. Move the mouse slightly without depressing any buttons or rotating the wheel. The display will change from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and record the information displayed.
3. Proceed to "If the Computer Is ON".

Monitor off

Situation 4: The monitor is powered off. The display is blank.

1. If the monitor's power switch is in the off position, turn the monitor on. The display changes from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
2. Photograph the screen and the information displayed.
3. Proceed to "If the Computer Is ON".

Situation 5: The monitor is powered off. The display is blank.

4. If the monitor's power switch is in the off position, turn the monitor on. The display does not change; it remains blank. Note that no change in the display occurs.
5. Photograph the blank screen.
6. Proceed to "If the Computer Is OFF".

Monitor on, display blank

Situation 6: The monitor is on. The display is blank.

1. Move the mouse slightly without depressing any buttons or rotating the wheel; wait for a response.
2. If the display does not change and the screen remains blank, confirm that power is being supplied to the monitor. If the display remains blank, check the computer case for active lights, listen for fans spinning or other indications that the computer is on.
3. If the screen remains blank and the computer case gives no indication that the system is powered on, proceed to "If the Computer Is OFF".

Computer is Off

If the Computer Is OFF

For desktop, tower, and minicomputers follow these steps:

1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the computer as well as the corresponding connection each cord, cable, wire, or USB drive occupies on the computer.
3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding labeled connections.
4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.

Computer is off...

5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

Laptops...

For laptop computers follow these steps:

1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop computer.
2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the connection they occupied.
3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop computer and the corresponding labeled connections they occupied.
4. Remove and secure the power supply and all batteries from the laptop computer.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the equipment or device connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

If the Computer is ON

For practical purposes, removing the power supply when you seize a computer is generally the safest option. If evidence of a crime is visible on the computer display, however, you may need to request assistance from personnel who have experience in volatile data capture and preservation.

In the following situations, immediate disconnection of power is recommended:

- Information or activity onscreen indicates that data is being deleted or overwritten.
- There is indication that a destructive process is being performed on the computer's data storage devices.
- The system is powered on in a typical Microsoft® Windows® environment. Pulling the power from the back of the computer will preserve information about the last user to login and at what time the login occurred, most recently used documents, most recently used commands, and other valuable information.

When not to switch it off..

In the following situations, immediate disconnection of power is NOT recommended:

- Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding.
- Indications exist that any of the following are active or in use:
  - Chat rooms.
  - Open text documents.
  - Remote data storage.
  - Instant message windows.
  - Child pornography.
  - Contraband.
  - Financial documents.
  - Data encryption.
  - Or other obvious illegal activities.

For mainframe computers, servers, or a group of networked computers, the first responder should secure the scene and request assistance from personnel who have training in collecting digital evidence from large or complex computer systems.

Other Forms of Evidence

Be alert to the crime scene environment. Look out for pieces of paper with possible passwords, handwritten notes, blank pads of paper with impressions from prior writings, hardware and software manuals, calendars, literature, and text or graphic material printed from the computer that may reveal information relevant to the investigation. These forms of evidence also should be documented and preserved.

Other Electronic and Peripheral Devices of Potential Evidential Value

- Electronic devices such as those listed below may contain information of evidentiary value to an investigation. Except in emergency situations, such devices should not be operated and the information they might contain should not be accessed directly. If a situation warrants accessing these devices and the information they contain immediately, all actions taken should be thoroughly documented. Data may be lost if a device is not properly handled or its data properly accessed.
- The following are examples of electronic devices, components, and peripherals that first responders may need to collect as digital evidence:
  - Audio recorders.
  - GPS accessories.
  - Answering machines.
  - Computer chips.
  - Pagers.
  - Cordless landline telephones.
  - Copy machines.
  - Cellular telephones.
  - Hard drive duplicators.
  - Facsimile (fax) machines.
  - Printers.
  - Multifunction machines (printer, scanner, copier, and fax).
  - Wireless access points.
  - Laptop power supplies and accessories.
  - Smart cards.
  - Videocassette recorders (VCRs).
  - Scanners.
  - Telephone caller ID units.
  - Personal Computer Memory Card International Association (PCMCIA) cards.
  - PDAs.

Where is the potential evidence?

- Data storage media including the hard drive may contain information such as email messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs.
- Handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and video) devices, pagers, digital cameras, and global positioning system (GPS) receivers may contain software applications, data, and information such as documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, and financial records.
- Peripheral devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use also is evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.
- Other elements of the crime scene that are related to digital information, such as electronic devices, equipment, software, hardware, or other technology that can function independently, in conjunction with, or attached to computer systems. These items may be used to enhance the user's access of and expand the functionality of the computer system, the device itself, or other equipment.

Tools and Materials for Collecting Digital Evidence

- Cameras (photo and video).
- Cardboard boxes.
- Notepads.
- Gloves.
- Evidence inventory logs.
- Evidence tape.
- Paper evidence bags.
- Evidence stickers, labels, or tags.
- Crime scene tape.
- Antistatic bags.
- Permanent markers.
- Nonmagnetic tools.

First responders should also have radio frequency-shielding material such as faraday isolation bags or aluminum foil to wrap cell phones, smart phones, and other mobile communication devices after they have been seized. Wrapping the phones in radio frequency-shielding material prevents the phones from receiving a call, text message, or other communications signal that may alter the evidence.

Special Handling

- Special handling may be required to preserve the integrity and evidentiary value of these electronic devices. First responders should secure the devices and request assistance from personnel who have advanced training in collecting digital evidence.
- When collecting electronic devices, components, and peripherals such as those listed above, remember to collect the power supplies, cables, and adapters for those devices as well.
- Due care should be taken in packing, transporting and storing the evidence so as not to damage it in any way.

Computers in a Business Environment

- Business environments frequently have complicated configurations of multiple computers networked to each other, to a common server, to network devices, or a combination of these. Securing a scene and collecting digital evidence in these environments may pose challenges to the first responder. Improperly shutting down a system may result in lost data, lost evidence, and potential civil liability.
- The first responder may find a similar environment in residential locations, particularly when a business is operated from the home.
- In some instances, the first responder may encounter unfamiliar operating systems or unique hardware and software configurations that require specific shutdown procedures; this will again require expert help.

Labeling properly

Helping out the Forensics

To assist in the forensic examination, the first responder should document the following information when possible:

- A summary of the case.
- Passwords to digital evidence seized.
- Investigation point-of-contact information.
- Preliminary reports and documents.
- Keyword lists.

Pointers to where evidence may lie. Narcotics - example 1

Potential digital evidence in narcotics investigations includes:

- Computers.
- Handheld mobile devices.
- External data storage devices.
- PDAs, address books, and contact information.
- Removable media.
- Forged identification.
- Databases.
- Information regarding Internet activity.
- Drug receipts.
- Blank prescription forms.
- Financial asset records.
- Printed e-mail, notes, and letters.
- GPS devices.

Online or Economic Fraud - example 2

Potential digital evidence in online or economic fraud investigations includes:

- Computers.
- Mobile communication devices.
- Removable media.
- External data storage devices.
- PDAs, address books, and contact lists.
- Online auction sites and account data.
- Databases.
- Printed e-mail, notes, and letters.
- Calendars or journals.
- Financial asset records.
- Accounting or recordkeeping software.
- Printed photos and image files.
- Records or notes of chat sessions.
- Information regarding Internet activity.
- Customer credit information.
- Online banking information.
- List(s) of credit card numbers.
- Telephone numbers and call logs.
- Credit card magnetic strip reader.
- Credit card statements or bills.
- Printers, copiers, and scanners.
- Suspected criminal activity.
- Suspect information including nicknames.

Internet - Purpose of Use

The investigator should be aware that criminals may use the Internet for numerous reasons, including:

- Trading/sharing information (e.g., documents, photographs, movies, sound files, text and graphic files, and software programs).
- Concealing their identity.
- Assuming another identity.
- Identifying and gathering information on victims.
- Communicating with co-conspirators.
- Distributing information or misinformation.
- Coordinating meetings, meeting sites, or parcel drops.

Scope of Investigations

- Investigations vary in scope and complexity. Evidence of the crime may reside on electronic devices in numerous jurisdictions and may encompass multiple suspects and victims. Complex evidentiary issues are frequently encountered in Internet and network investigations.
- Sources of information needed to investigate the case may be located anywhere in the world and may not be readily available to the investigator, such as:
  - Victims and suspects and their computers.
  - Data on workstations/servers/routers of third parties such as businesses, government entities, and educational institutions.
  - Internet Service Provider records.

Preserve the evidence

- Digital evidence is fragile and can easily be lost. For example:
  - It can change with usage.
  - It can be maliciously and deliberately destroyed or altered.
  - It can be altered due to improper handling and storage.
- For these reasons, evidence should be expeditiously retrieved and preserved. Also consider that when investigating offenses involving the Internet, time, date, and time zone information may prove to be very important. Server and computer clocks may not be accurate or set to the local time zone. The investigator should seek other information to confirm the accuracy of time and date stamps.

Crime Scene Investigations

At the scene, the best judgment of the investigator (based on training, experience, and available resources) will dictate the investigative approach. In some cases a forensic examination of the computer will be needed. The investigator should be aware that any action taken on the computer system might affect the integrity of the evidence. Only in exigent circumstances (e.g., imminent threat of loss of life or serious physical injury) should an investigator attempt to gain information directly from a computer on the scene. Any action taken should be well documented.

Action at the Crime Scene...

- In some cases it may be sufficient to collect information from the complainant (and computer), document the incident, and forego a forensic examination of the complainant's computer. However, if a suspect's computer is identified and recovered, in most situations it should be submitted for forensic examination to preserve the integrity of the evidence.
- An investigator should not attempt to examine a computer system if the investigator has not received special training in forensic examination of computers. The investigator should follow agency policy or contact an agency with a forensic examination capability.

It is important to remember that traditional investigative process must be followed

- Witnesses must be identified and interviewed, evidence must be collected, investigative processes should be documented, and chain-of-custody and the legal process must be followed.
- In addition, the investigator should consider the following:
  - Was a crime committed?
  - Who has jurisdiction?
  - What resources are needed to conduct the investigation?
  - Are sufficient resources available to support the investigation?
  - What other resources are available?
  - Are there legal issues for discussion with the prosecutor?

IP address and apartment address

IP Address 129.6.13.23: Major provider, Local provider, Network, Device
Address MG Road..16 Maple Apt. Flat #2: Street, Building, Floor, Apartment Unit

The IP address does not denote a physical location of the device at the time it is connected to the Internet.

IP address...

IP addressing uses four decimal-separated numbers, which allows for a total of 256^4 or 1,099,511,627,776 unique addresses. This addressing scheme is being expanded to accommodate additional Internet usage. Regardless of the addressing scheme used, the method of tracing the IP address will likely remain the same.

Private IP address

Three groups of IP addresses are specifically reserved for use by any private network and are not seen on the public Internet. Information for these IP addresses comes from the owner of the network. The ranges are:

- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255

Internet Service Providers

- Internet Service Providers (ISPs) may be commercial vendors or organizations, such as a business or government entity. They may reserve blocks of IP addresses that can be assigned to its users.
- ISPs may log the date, time, account user information, and ANI (Automatic Number Identification) or caller line identification at the time of connection. If logs are kept, they may be kept for a limited time depending on the established policy of the ISP. Currently, no general legal requirement exists for log preservation; therefore, some ISPs do not store logs.

Dynamic & Static IP addresses

- "Dynamic" IP addresses are temporarily assigned from a pool of available addresses registered to an ISP. These addresses are assigned to a device when a user begins an online session. As a result, a device's IP address may vary from one logon session to the next.
- "Static" IP addresses are permanently assigned to devices configured to always have the same IP address. A person, business, or organization maintaining a constant Internet presence, such as a Web site, generally requires a static IP address.
- The date and time an IP address was assigned must be determined to tie it to a specific device or user account. The ISP may maintain historical log files relating these dynamically assigned IP addresses back to a particular subscriber or user at a particular time.

Packets

- Data sent over the Internet are divided into packets that are routed through the Internet and reassembled at the destination.
- When information such as files, e-mail messages, HyperText Markup Language (HTML) documents, or Web pages are sent from one place to another on a network, the network operating system divides the information into chunks of an efficient size for routing. Each of these packets includes the address of the destination.
- The individual packets for the information being routed may travel different routes through a network. When they have all arrived, they are reassembled into the original file.

Network Devices

- Network devices and services include routers, firewalls, proxy servers/gateways, Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP). By design, these devices and services may or may not have a logging feature that captures source and destination IP information, login user name, and date and time of logins.
- Some or all of these network devices and services may alter or mask the true source or destination IP address. It may be necessary to work with the network administrator to determine the true source or destination IP address.

DNS 

Domain Name System (DNS) servers are the "phonebooks" of the Internet. They maintain directories that match IP addresses with registered domains and resolve the text that people understand (the domain name) into a format that devices understand (the IP address).


Registering Domain Names  

A person or an organization can register a domain name as long as it is not already registered. Domain names are registered with the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit organization responsible for Internet address assignment and domain name server management. Information required to register a domain name includes name, address, phone number, billing information, e-mail address, and technical and administrative contact information. In addition to this information, the date that a domain was registered may be available from the registrar. Although this information may provide investigative leads, the investigator should be aware that the information originates from the person registering the domain name and may be fictitious.


Spoofing, masking, and redirecting 

Advanced methods of obscuring actions on the Internet include hiding the IP address, pretending to be someone else, and sending traffic through another IP address. These methods are commonly referred to as masking, spoofing, and redirecting. Advanced training is required to investigate or identify when these actions have taken place. Therefore, even after completing legal process, traditional investigative methods may still be necessary to identify the end user. In some cases, masking, spoofing, or redirecting may prevent the identification of the user.

The Key

- All communications on the Internet and across networks rely on an IP address to reach their destination. The key to investigating crimes relating to the Internet and networks is to identify the originating IP address and trace it to a source. These skills enable an investigator to locate additional sources of evidence, corroborate victim and witness statements, and potentially locate a suspect.
- Given an IP address and a date and time (including the time zone), most ISPs can identify the registered user assigned to the IP address at the specific time, enabling the investigator to request additional information. However, the investigator may need to use traditional investigative methods to identify the person using the account at that time.
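The slides on private IP addresses and on tying an address to a date, time and time zone can be combined into one triage step over log records; the following is an added example, not part of the original presentation. The record layout, function names, and the sample addresses and timestamps are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# The three private ranges listed on the "Private IP address" slide, in CIDR form.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0    to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0  to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 to 192.168.255.255
]


def is_private(ip_text):
    """True if the address falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_RANGES)


def to_utc(logged, utc_offset_min, clock_fast_by_s=0):
    """Convert a timestamp exactly as logged into UTC.

    utc_offset_min:  time zone of the logging clock, in minutes from UTC
                     (330 for +05:30, -300 for -05:00).
    clock_fast_by_s: seconds the logging clock ran ahead of a trusted
                     reference when it was checked (negative if it ran slow).
    """
    naive = datetime.strptime(logged, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(minutes=utc_offset_min)))
    return local.astimezone(timezone.utc) - timedelta(seconds=clock_fast_by_s)


def triage(records):
    """For each record, give the UTC time and who holds the assignment records."""
    results = []
    for ip_text, logged, offset_min, fast_s in records:
        results.append({
            "ip": ip_text,
            "utc": to_utc(logged, offset_min, fast_s).strftime("%Y-%m-%d %H:%M:%S UTC"),
            # Private addresses are never seen by an ISP; the network's owner
            # (for example its DHCP or NAT logs) is the source of information.
            "ask": "network owner" if is_private(ip_text) else "ISP",
        })
    return results


# Constructed sample records: (source IP, timestamp as logged,
# UTC offset of the logging clock in minutes, seconds the clock ran fast).
SAMPLE_RECORDS = [
    ("192.168.1.23",   "2010-03-14 23:41:07",  330,   0),
    ("203.0.113.45",   "2010-03-15 00:10:00",  330, 120),
    ("172.31.255.255", "2010-03-14 20:00:00", -300,   0),  # last private address
    ("172.32.0.1",     "2010-03-14 20:00:00", -300,   0),  # just outside the range
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row["ip"].ljust(16), row["utc"], "->", row["ask"])
```

The second record shows why the time zone and clock accuracy matter: a log entry dated 15 March local time falls on 14 March in UTC once the offset and the two-minute clock error are applied.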

RECOVERY OF DIGITAL EVIDENCE

- Every cyber crime has certain unique points and these determine the initial steps to be taken towards the recovery of digital evidence while investigating the crime. Once these initial procedures have been completed the actual process of data recovery can begin.
- This process of examination of computer evidence is painstaking and tedious. It has to be performed with extreme care. During this process it is important that the investigator ensures that the examination is conducted only on duplicate evidence. In addition, it is vital that it can be proven in a court that the examination has been conducted thoroughly and the evidence is authentic and unaltered.

HARD DISK/ FLOPPY EXAMINATION

The following procedures must be followed for examining computer hard disks:

- The media used for the examination process should be virus free.
- The original media should not be used for the examination. Only a bit-stream image of the original hard disk should be used.
- The bit-stream image should be taken in a non-invasive manner.

EXAMINATION...

- The bit-stream image should be verified by MD-5 hash value.
- The boot record data, command files such as the CONFIG.SYS file and the AUTOEXEC.BAT should be examined.
- All the files contained on the hard disk should be listed.
- All recoverable deleted files should be restored.
- The unallocated storage space and slack space should be examined.
- Attempts should be made to decrypt password-protected files.
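The verification step above, sketched as an added example that is not part of the original presentation: the image is hashed in chunks and compared with the digests recorded at acquisition, and a single flipped bit in the working copy is shown to be detected. The slide names MD5; SHA-256 is computed alongside it as an addition of this example, and the file names, function names and the use of `shutil.copyfile` as a stand-in for an imaging tool are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def digest_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # opened read-only: hashing must not alter the file
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(image_path, recorded):
    """Compare an image with the digests recorded at acquisition.

    recorded maps algorithm name to hex digest. Returns a tuple
    (ok, mismatched_algorithms).
    """
    current = digest_file(image_path, tuple(recorded))
    mismatched = [name for name in recorded
                  if current[name] != recorded[name].lower()]
    return (not mismatched, mismatched)


def demo():
    """Image a constructed 'medium', verify it, then alter one bit and re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.dd")  # hypothetical file names
        image = os.path.join(workdir, "image.dd")

        # Constructed stand-in for the original medium: 3 MiB plus a short
        # tail, so the final read is a partial chunk.
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * 12288 + b"tail")

        recorded = digest_file(source)   # digests noted at acquisition time
        shutil.copyfile(source, image)   # stand-in for a bit-stream imaging tool
        before = verify_image(image, recorded)

        # Flip a single bit in the working copy, as careless handling might.
        with open(image, "r+b") as fh:
            fh.seek(1_500_000)
            original = fh.read(1)
            fh.seek(1_500_000)
            fh.write(bytes([original[0] ^ 0x01]))
        after = verify_image(image, recorded)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh image verified:", before)
    print("after one-bit change:", after)
```

Re-running `verify_image` before and after each examination session gives a record that the working copy still matches what was acquired.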

RECOVERY PROCEDURE

- Normal Files: These are regular files used by the user and are usually easy to access. These files may contain evidence like incriminating letters, notes, figures, etc. Most of the time, users do not encrypt this information, nor do they have any passwords to protect it.
- Deleted files: These are the files that have been deleted by the user. Usually when any file is deleted it may be possible to recover it from the Recycle Bin of the computer. If the user has been cautious enough to empty the recycle bin, then this recovery becomes difficult, but not impossible. It may be possible to recover the deleted data or at least fragments of the deleted data by inspecting the unallocated storage space on the computer.

STILL OTHER KINDS OF FILES

- Password protected files: Most programmes offer the user the option of protecting the information contained in a file through the use of a password. This means that this information will no longer be available to everybody. Only a particular user will be able to access the information.
- Encrypted files: By utilizing some encryption scheme it is possible for the user to ensure that no one else, even if they see the contents of a file, can understand these contents. The encryption software makes the original contents of the files look like incomprehensible gibberish. Until and unless the contents are decrypted, no one can understand them.

CONCEPTS

- FILE SLACK
- RAM SLACK
- DRIVE SLACK
- DELETED IS NOT DELETED
- FILE ALLOCATION TABLES

OTHER SOURCES OF EVIDENCE

- INFORMATION CONTAINED IN BROWSERS
- EXAMINATION OF LOG FILES

Thank You