Locating evidence in the all-too-common large dataset requires filtering out extraneous material, which until recently was a mainly manual task of sorting the wheat from the chaff. It is nonetheless important to clear away the clutter and noise of busy operating systems and applications, from which only a small amount of evidence really needs to be gleaned. This section describes the processes practitioners follow to locate material relevant to an investigation.
Search processes operate both across a filesystem and inside files; common file searches are based on:
Their names or patterns in their names
Keywords in their content
Temporal data (metadata), such as the last-accessed or last-written time
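The three search criteria above can be combined into a single triage pass. The following is an added example, not code from the original text: the function names, sample files and keywords are hypothetical, the search root is assumed to be a read-only working copy (reading files on a live volume can alter last-accessed times), and the time bounds are assumed to be timezone-aware UTC values.

```python
import fnmatch
import os
import tempfile
from datetime import datetime, timezone

def keywords_in_file(path, keywords, chunk=1 << 20):
    """Return keywords present in the file (case-insensitive; UTF-8 and UTF-16LE forms)."""
    needles = {k: [k.lower().encode(e) for e in ("utf-8", "utf-16-le")] for k in keywords}
    overlap = max((len(n) for ns in needles.values() for n in ns), default=1) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):  # chunked so large files are never loaded whole
            window = tail + block.lower()
            found.update(k for k, ns in needles.items() if any(n in window for n in ns))
            tail = window[-overlap:] if overlap else b""  # keep hits that straddle chunks
    return sorted(found)

def search_evidence(root, patterns=(), keywords=(), after=None, before=None):
    """Yield files under root (assumed a read-only working copy) matching name, time, keywords."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if patterns and not any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                continue  # cheapest test first: file name pattern
            path = os.path.join(dirpath, name)
            try:
                written = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
                in_window = (not after or written >= after) and (not before or written <= before)
                matched = keywords_in_file(path, keywords) if in_window and keywords else []
            except OSError:
                continue  # unreadable entry; a real examination would record the failure
            if in_window and (matched or not keywords):
                yield {"path": path, "written": written, "keywords": matched}

def demo():
    """Run the filters over constructed sample files (names, contents and dates invented)."""
    samples = [("invoice_2019.txt", b"ACME Holdings deposit", 2019),
               ("invoice_2021.txt", b"Payment to Acme Holdings", 2021),
               ("notes.doc", "wire transfer to ACME".encode("utf-16-le"), 2021)]
    with tempfile.TemporaryDirectory() as root:
        for name, data, year in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            ts = datetime(year, 3, 1, tzinfo=timezone.utc).timestamp()
            os.utime(os.path.join(root, name), (ts, ts))  # set accessed and written times
        hits = search_evidence(root, keywords=["acme", "wire transfer"],
                               after=datetime(2021, 1, 1, tzinfo=timezone.utc))
        return [(os.path.basename(h["path"]), h["keywords"]) for h in hits]

if __name__ == "__main__":
    print(demo())
```

Searching both byte encodings matters because a keyword stored as UTF-16LE in a document will not match its UTF-8 form.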
A pragmatic approach to the examination is necessary, where the onus is on the practitioner to create a list of keywords or search terms to cull specific, probative, and case-related information from very large groups...