24.3 Identify and Process Special Files

Compressed and encrypted files require special processing, as do e-mail and associated attachments. As discussed in Chapter 2 of the Handbook, this special processing often requires a combination of tools with different features. Using tools of your choice, identify e-mail data files and move them to \Prepare\special\email\[spool directory, if applicable]. Extract e-mail messages to text, and extract their attachments. Identify encrypted data and move it to \Prepare\special\encrypted, and move archived/compressed data to \Prepare\special\archive. If it is possible to decrypt or decompress these files, place the readable files in \Review\converted and add a list of these files in \Accounting. For a discussion of decrypting files, see Practical Approaches to Recovering Encrypted Digital Evidence (Casey 2002).

Perform a similar process for any other special files. For instance, if virus-infected files may be important, configure antivirus checking of the directory to log activity, virus check the files to identify infected files, clean or move the infected files, and save the log to \Accounting\virus.log.
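
The sorting step for e-mail, encrypted and archived data described above can be scripted; the following is an added example, not code from the book. It assumes it runs against a working copy of the evidence, and the signature table, the log name `special_files.txt` and the choice to keep each file's relative path are assumptions made for illustration.

```python
import hashlib, shutil, struct
from pathlib import Path

# Leading-byte signatures -> subdirectory of Prepare/special (not exhaustive).
SIGNATURES = [
    (b"From ", "email"),                             # mbox spool
    (b"!BDN", "email"),                              # Outlook PST/OST
    (b"-----BEGIN PGP MESSAGE-----", "encrypted"),   # ASCII-armored PGP
    (b"\x1f\x8b", "archive"),                        # gzip
    (b"PK\x03\x04", "archive"),                      # ZIP local file header
]

def classify(header: bytes):
    """Return 'email', 'encrypted', 'archive', or None for ordinary files."""
    for magic, category in SIGNATURES:
        if not header.startswith(magic):
            continue
        # ZIP: bit 0 of the general-purpose flags (offset 6) means encrypted.
        if magic == b"PK\x03\x04" and len(header) >= 8:
            if struct.unpack_from("<H", header, 6)[0] & 0x0001:
                return "encrypted"
        return category
    return None

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(source: Path, case: Path) -> dict:
    """Move special files to case/Prepare/special/<category>/ and log them."""
    log = case / "Accounting" / "special_files.txt"   # assumed log name
    log.parent.mkdir(parents=True, exist_ok=True)
    moved = {}
    with log.open("a") as out:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            with path.open("rb") as fh:
                category = classify(fh.read(64))
            if category is None:
                continue
            rel = path.relative_to(source)
            dest = case / "Prepare" / "special" / category / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            out.write(f"{sha256_of(path)}  {category}  {rel.as_posix()}\n")
            shutil.move(str(path), str(dest))
            moved[rel.as_posix()] = category
    return moved
```

A plain text file that happens to begin with "From " is also classified as e-mail, so the e-mail hits should be confirmed by hand before extraction.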




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279