Chapter 2, Hardware and Software Environments, described different operating systems and filesystems and introduced processes for locating evidence of potential value. Filesystems have become ponderously complex, perhaps unnecessarily so, but in doing so, they do retain information about past transgressions that may have otherwise been erased. The challenge is knowing where to look—assuming the practitioner knows how to navigate new operating systems and applications.
The traditional processes of imaging-indexing-searching or imaging and manually searching are becoming untenable; the sheer size and complexity is time-consuming and not necessarily guaranteed to locate the evidence, except by chance in many instances. There will always be a place for "deep rinse" analysis, but there are more effective ways. My research and fieldwork has shown that while it is difficult to part with familiar processes such as these, there exists...