Trace evidence is a term that applies to all types of physical evidence that may be circumstantial evidence in the trial of a case. Trace evidence, although often insufficient on its own to make a case, may corroborate other evidence or even prompt a confession. Tracing some piece of data present at a crime scene to its origin can assist in an arrest and conviction. Similarly, finding some trace of data from the victim or crime scene on a suspect's computer can have a strong impact on a case.
Traces of data either left behind or found with a criminal that can be used to prove that a crime was committed.
Computer evidence can be found in file slack and in unallocated file space called slack space. Sometimes a good portion of a computer's hard disk may contain data fragments from word processing documents, or almost anything that has occurred in the past. This space can be a valuable source of computer evidence because of the large volume of data involved and because most everyday computer users are unaware of it. In the following graphic, a utility called Karen's Disk Slack Checker was used to check the slack space on a computer. As you can see, there is quite a bit.
The space on a hard disk between where the file ends and where the cluster ends.
Slack space is a result of how data is written to disks. Operating systems normally write in clusters. Clusters are made up of blocks of sectors. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. For example, say that the cluster size is 32KB and you create a file that is 2KB. That 2KB file is allocated 32KB of space; therefore, 30KB is unused. Let's go a bit further and say that you create a 31KB file. You decide that you no longer need the file and delete it. At some point in the future, you create another file that is 4KB. When the system is looking for a location to write this new 4KB file, it finds the space from the old 31KB file that you supposedly deleted and places the data there. Now you have 4KB of the new data plus the remainder of the old data in the same cluster. So, when recovering data, you would find trace evidence of the first file in the slack of the new file. These pieces of files or file fragments can contain a significant amount of information.
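The 32KB-cluster walk-through above, as an added example that is not part of the original text: a toy cluster-allocated disk in which deleting a file only frees its cluster entries, so the 4KB file written afterwards carries the old 31KB file's remainder in its slack. The file names and contents are constructed for the demonstration.

```python
# Added example: a toy disk with 32KB clusters, matching the text's numbers.
# Constructed data; not the output of any real imaging tool.
CLUSTER = 32 * 1024

def slack_bytes(file_size, cluster=CLUSTER):
    """Unused bytes in the last cluster allocated to a file of file_size bytes."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster      # 2KB in a 32KB cluster -> 30KB of slack

class ToyDisk:
    """n whole clusters; write() overwrites only as many bytes as the file has."""
    def __init__(self, n_clusters):
        self.clusters = [bytearray(CLUSTER) for _ in range(n_clusters)]
        self.free = list(range(n_clusters))
        self.files = {}                # name -> (cluster list, size in bytes)

    def write(self, name, data):
        n = (len(data) + CLUSTER - 1) // CLUSTER   # clusters needed, rounded up
        used = [self.free.pop(0) for _ in range(n)]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.clusters[c][:len(chunk)] = chunk  # bytes past EOF are untouched
        self.files[name] = (used, len(data))

    def delete(self, name):
        """Like a typical file-system delete: free the clusters, keep their contents."""
        used, _ = self.files.pop(name)
        self.free = used + self.free   # freed clusters are reused first, as in the text

    def file_slack(self, name):
        """Bytes between end-of-file and end of the file's last cluster."""
        used, size = self.files[name]
        tail = size % CLUSTER
        return bytes(self.clusters[used[-1]][tail:]) if tail else b""

def demo():
    """Write ~31KB, delete it, write 4KB in its place, then read the new file's slack."""
    disk = ToyDisk(4)
    old = b"OLD-SECRET-" * (31 * 1024 // 11)  # ~31KB of recognisable content
    disk.write("memo.doc", old)
    disk.delete("memo.doc")
    disk.write("note.txt", b"N" * 4096)       # 4KB file lands in the freed cluster
    return disk.file_slack("note.txt")       # 28KB of slack, full of "memo.doc"

if __name__ == "__main__":
    print(demo()[:44])
```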
On computers running a Microsoft Windows operating system, large quantities of evidence can be found in the Windows swap file. In Windows 2000, XP, and Server 2003 the file is named PAGEFILE.SYS by the operating system. This is a memory management function within the Windows operating environment. It uses space on the hard drive to swap data in and out of memory in order to better utilize the memory. Swap space can be found on computers running Linux as well. In fact, when you install the operating system, you specify a Linux swap partition.
Space on the hard disk used as the virtual memory extension of a computer's actual memory.
Trace evidence can also be found on backup tapes. This option is frequently forgotten. If files are deleted from computers, they might still be available on backup tapes. Most companies have some type of backup tape rotation and perform full backups at least once per quarter. Third-party service providers might back up e-mail and keep the tapes of that e-mail backup for some period of time. Even though the files may be gone from the computer, in most cases, e-mail systems are backed up and you have the option of finding out how long the messages are kept.
Fax buffers, printer buffers, and floppy disks can hold trace data as well. Often people put one or two files on a floppy disk and tend to forget about them, usually accruing a sizeable number of partially filled disks. Floppy disks can be imaged and then processed. The following graphic shows a picture from The Legal Imager and reaSsembly Application (LISA).