Chapter 7. Examining E-Evidence
In This Chapter
Appreciating the art of investigation
Facing investigative challenges
Preparing search terms and keyword lists
Judging smoke and mirrors
Doing an analysis
Digging through a suspect's data, documents, memos, e-mail, instant messages (IMs), Internet histories, financial files, photos, and other information is what most people think of when they hear the term computer forensics — and for good reason. What you've done up to now (getting subpoenas, lugging computers back to the lab, preserving evidence) has been in preparation for this big event — examining the e-evidence and figuring out what it says.
The stage is set. You made forensically sound images (see Chapter 6). What you have now is a forensic image (forensic copy) of each device to review and analyze. For evidentiary purposes, the images are on recordable-only CDs or other read-only media to retain the exact information that's copied and nothing more.
Examining e-evidence marks a shift from the science of forensics to the art of investigation. It's a demanding art. No technology or artificial intelligence exists that can pick up the scent and assemble clues, test theories, follow hunches, and interpret e-evidence. Human intelligence and determination are needed to find e-mails or files that are smoking guns of guilt or white knights that exonerate.
In this chapter, we explain the e-evidence examination process. Your objective is to search for and analyze the facts in full, interpret ...