There are many places on a Windows computer's hard drive where potentially useful data can reside. The data regions can be thought of in three categories:
• When most people think of “computer files” they think of user files. These are the documents and files we create and edit on the computer.
• System files are considered to be the files that make up critical parts of the Windows operating system and installed software.
• Inaccessible data refers to the many parts of the hard drive where data may reside but which cannot be reached through the normal file system, not even by Windows itself. This is frequently where the most interesting information is found.
Windows keeps documents and settings segregated for each computer user in a separate profile folder. When a standard user logs on, that user can read and write only their own profile; other users' profile folders are not accessible to them. The exceptions are shared locations such as the Public folder, which any user can read, and administrator accounts, which can open any user's files. These permissions only apply to the running system: an examiner working from an image of the drive can read every profile on it.
Many user files belong to a particular user but are not readily visible even to that owner, because they live in hidden application-data folders inside the profile. The Outlook data files (.pst and .ost) used to manage email are an example. Deleting a message, and even emptying the "Deleted Items" folder, does not remove its data from the file; the space is merely marked reusable, and the message remains inside the data file for forensic examination until it is overwritten.
System files are generally hidden from users and their programs, and several of them are of forensic interest. The Temp folders hold working copies of files that programs have opened, including files downloaded or viewed from the Internet. The Recent folder holds shortcut (.lnk) files that Windows creates whenever a user opens a document; each shortcut records the target file's path, its creation, access and modification times, and the serial number and label of the volume it was on, so it can show that a file was opened from removable media such as a USB drive even after the drive itself is gone.
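An added example, not from the original article, of what a forensic tool reads out of such a shortcut. It builds a constructed .lnk byte string containing the fields described above and parses it back following the public MS-SHLLINK layout. It reads only the ANSI path fields and skips the link target ID list, so it is a minimal reader rather than a full implementation; the sample path, volume label, serial number and timestamps are made up for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from the MS-SHLLINK specification
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1
DRIVE_TYPES = {0: "unknown", 2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def format_serial(serial):
    """Render the 32-bit volume serial the way `dir` and `vol` show it, e.g. 1A2B-3C4D."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def read_cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def build_lnk(local_path, drive_type, serial, label, created, accessed, written, size):
    """Construct a minimal shell link: header + LinkInfo (VolumeID + LocalBasePath) + terminal block."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base = local_path.encode("ascii") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    vol_off = 28                                       # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    total = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", total, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    return header + link_info + b"\x00\x00\x00\x00"    # TerminalBlock closes the ExtraData section


def parse_lnk(data):
    """Return the forensic essentials of a .lnk file: target path, timestamps and volume identity."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime), "target_size": size, "target_path": None,
            "drive_type": None, "volume_serial": None, "volume_label": None}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:             # present in real Recent\*.lnk files; skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off, _net_off, suffix_off = struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            info["volume_serial"] = format_serial(serial)
            info["volume_label"] = read_cstring(data, pos + vol_off + label_off)
            info["target_path"] = read_cstring(data, pos + base_off) + read_cstring(data, pos + suffix_off)
        pos += li_size
    return info


# Constructed sample: a document opened from a removable drive (every value is made up)
SAMPLE_LNK = build_lnk(r"E:\Evidence\contract.pdf", 2, 0x1A2B3C4D, "KINGSTON",
                       datetime(2023, 5, 2, 14, 3, 7, tzinfo=timezone.utc),
                       datetime(2023, 5, 9, 9, 30, 0, tzinfo=timezone.utc),
                       datetime(2023, 5, 2, 14, 3, 7, tzinfo=timezone.utc), 48213)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:14} {value}")
```

Run against a real shortcut from a user's Recent folder, the same parser yields the path and volume serial of a document the user opened; matching that serial against the USB device records elsewhere on the system ties the document to a specific drive.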
Windows stores vast amounts of user and computer activity information in the Registry, a set of database files (hives) that keeps track of many things, including the accounts on the computer and their last logon times; it often retains traces, such as profile entries and profile folders, of accounts that have since been deleted. The Registry also records every USB storage device that has been connected to the computer, with its vendor, product and serial number, under the USBSTOR key of the SYSTEM hive. It can also contain saved user IDs and passwords for websites that have been visited.
The Recycle Bin holds deleted files for easy recovery. Separately, Windows creates restore points (volume shadow copies) before installing updates and at other times; these snapshots preserve the state of the volume at that moment, including whatever was in the Recycle Bin, and forensic tools can read them even after the live copies are gone.
Windows at times writes memory contents to the hard drive so that the disk can be used as if it were additional RAM. This is the paging file (pagefile.sys), also called virtual memory, and it is invisible to the computer user. The contents of the paging file can be fresh or quite old, depending on how much memory pressure there has been: pages that were swapped out and never needed again stay on disk, and the file is not normally wiped at shutdown.
One way to shut off a computer and quickly return to the same state is to invoke hibernation. When this is done, a compressed copy of the contents of RAM is written to a file called hiberfil.sys in the root of the system drive, which is again invisible to the user. Because the file is only rewritten at the next hibernation, it can also contain information from prior sessions, and on Windows 8 and later the Fast Startup feature writes to the same file at every ordinary shutdown, so it is often present even on machines whose users never deliberately hibernate.
Windows also builds a search index of the local hard drive (Windows Search) so that searches complete quickly. The indexing runs automatically in the background, and its database holds entries for the files it has seen, which can include names and contents of files that the user never searched for and can retain entries for files that have since been deleted.
There are many areas of the hard disk that contain data that aren’t viewable by any user or even Windows. Forensic software is able to retrieve these data.
The most common area is deleted files. While a file is in the Recycle Bin it can be restored; once the Recycle Bin has been emptied (or a file is deleted with Shift+Delete, which bypasses the bin), Windows removes the directory entry and marks the file's clusters as free, so neither Windows nor the user can see it any longer. The data itself is untouched, however, and remains available to forensic software until those clusters are overwritten by new files, which on a busy system can happen quickly and on a lightly used one may never happen.
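An added example, not from the original article, of the header/footer carving that forensic tools use to get such files back. It builds a constructed raw image in which a PDF-like and a JPEG-like file sit in otherwise empty sectors with no directory entry pointing at them, carves them by signature, and then shows what happens once one of their sectors has been reused: a file whose final sector is overwritten cannot be carved, and a file whose middle sector is overwritten carves "successfully" but no longer matches its original hash. The signatures and sample contents are simplified and constructed for the example.

```python
import hashlib

SECTOR = 512

# Header/footer signatures for the two formats this example carves (real magic bytes, short list)
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample "files" for the image; they are not real documents
PDF_DOC = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40 + b"%%EOF"
JPEG_DATA = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 800 + b"\xff\xd9"


def make_image(sector_count, files):
    """Build a raw volume image with files laid down at sector boundaries and no directory:
    this is what free space looks like after the directory entries have been removed."""
    img = bytearray(sector_count * SECTOR)
    for start_sector, content in files:
        off = start_sector * SECTOR
        img[off:off + len(content)] = content
    return img


def build_sample_image():
    # PDF occupies sectors 10-12, JPEG occupies sectors 30-31
    return make_image(64, [(10, PDF_DOC), (30, JPEG_DATA)])


def simulate_overwrite(image, sector, filler=b"N"):
    """Reuse one sector for new data, as the file system does when free clusters are reallocated."""
    img = bytearray(image)
    img[sector * SECTOR:(sector + 1) * SECTOR] = filler * SECTOR
    return img


def carve(image, max_len=1 << 20):
    """Header/footer carving: find each header, then the next footer within max_len bytes.
    A file whose footer is gone is reported as incomplete; a file whose middle was overwritten
    still carves as 'complete', so the caller must verify the result (see sha256hex)."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:
                found.append({"type": kind, "offset": start, "complete": False, "data": None})
                pos = start + len(head)
            else:
                end += len(tail)
                found.append({"type": kind, "offset": start, "complete": True,
                              "data": bytes(image[start:end])})
                pos = end
    return sorted(found, key=lambda f: f["offset"])


def sha256hex(data):
    """Hash a carved file so it can be compared with a known-good copy or a hash set."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image = build_sample_image()
    for scenario, img in (("untouched", image),
                          ("sector 11 reused", simulate_overwrite(image, 11)),
                          ("sector 12 reused", simulate_overwrite(image, 12))):
        for f in carve(img):
            state = "complete" if f["complete"] else "footer overwritten"
            print(f"{scenario:17} {f['type']:5} at sector {f['offset'] // SECTOR:3} {state}")
```

Real carvers add two refinements this example omits: they restrict candidate headers to cluster boundaries to cut false positives, and they use format-aware validation (parsing the PDF cross-reference table, decoding the JPEG) rather than a footer alone, because a footer match proves nothing about the bytes in between.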