Chapter 6: Extracting Information from Data


In This Chapter

  • Understanding the different types of evidence

  • Understanding how people think

  • Picking the low-hanging fruit

  • Finding hidden evidence

  • Locating trace evidence

  • Preparing evidence

  • Presenting evidence

After you capture the data image as described in the last chapter, what should you look for? How do you figure out what portion of what you have captured is useful to your investigation? What happens if you can't find what you are looking for? These are some of the questions that run through the mind of every forensic investigator.

After the data is imaged, the forensic examiner can search and index all contents of the drive without changing or modifying the data, thereby preserving the evidence. But what if the evidence is missing? Criminals or intruders can use programs to delete e-mail, pictures, and documents. Trained forensic investigators must have tools available that will help them recover this information and help them prepare the evidence for presentation.

In this chapter, you'll look at the process of divining the information you need from the data you have captured. You'll study the process of analyzing and organizing the information you have gathered. You'll learn when to grab the low-hanging fruit and when to dig deeper for data that may or may not exist. You'll study the various types of hidden and trace evidence. Finally, you'll move on to preparing and presenting evidence.




Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153
