Steps taken by a computer forensic specialist
The computer forensic specialist takes several careful steps to identify and retrieve evidence that exists on the subject computer system.
Protects the subject computer system during the forensic examination from any alteration, damage, data corruption, or virus introduction.
Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password protected files, and encrypted files.
Recovers all of the discovered deleted files.
Reveals the contents of ‘hidden files’ as well as temporary or ‘swap files’ used by both the application programs and the operating system.
Analyzes all relevant data found in special (and typically inaccessible) areas of a disk.
This includes but is not limited to what is called 'unallocated' space on a disk (currently unused, but the repository of previous data that is relevant evidence), as well as 'slack' space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).
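An added example (not part of the original page) showing how slack and unallocated space are located, using a constructed four-cluster toy volume. The 512-byte cluster size, file names, allocation table and residual strings are assumptions made for illustration; the image is hashed before and after the examination, in line with the first step above.

```python
import hashlib
import re

CLUSTER = 512  # assumed cluster size for this toy volume

def build_image():
    """Constructed 4-cluster volume and allocation table (not real evidence)."""
    img = bytearray(CLUSTER * 4)
    img[100:120] = b"old ledger acct 0042"        # remnant of an earlier file
    img[0:20] = b"meeting notes v2 ok\n"          # current 20-byte file in cluster 0
    img[CLUSTER:2 * CLUSTER] = b"\x01" * CLUSTER  # file that fills cluster 1 exactly
    img[2 * CLUSTER:2 * CLUSTER + 21] = b"deleted draft: dock 7"  # freed cluster
    files = {"notes.txt": ([0], 20), "blob.bin": ([1], CLUSTER)}
    return img, files

def slack_regions(files):
    """Yield (name, start, end) for the unused tail of each file's last cluster."""
    for name, (clusters, size) in files.items():
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER + used_in_last
        end = (clusters[-1] + 1) * CLUSTER
        if start < end:
            yield name, start, end

def unallocated_regions(total_clusters, files):
    """Byte ranges of clusters that no current file owns."""
    used = {c for clusters, _ in files.values() for c in clusters}
    return [(c * CLUSTER, (c + 1) * CLUSTER)
            for c in range(total_clusters) if c not in used]

def strings(data, min_len=6):
    """Printable ASCII runs, as a forensic 'strings' pass would report them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def examine(image, files):
    """Return (findings, intact): residual strings per region, and hash check."""
    before = hashlib.sha256(image).hexdigest()
    view = bytes(image)  # work on a copy, never on the original image
    findings = {}
    for name, start, end in slack_regions(files):
        findings["slack:" + name] = strings(view[start:end])
    for start, end in unallocated_regions(len(view) // CLUSTER, files):
        findings["unallocated:%d" % (start // CLUSTER)] = strings(view[start:end])
    return findings, hashlib.sha256(image).hexdigest() == before

if __name__ == "__main__":
    print(examine(*build_image()))
```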