Analyzing System Storage

So far, the evidence analyzed has come from the network or the system's memory. Even though an incident's root cause may be ferreted out from these evidence sources, it is also important to understand how to obtain evidentiary material from a system's storage, whether that is removable storage such as USB devices or the larger connected disk drives. These containers hold a good deal of data that incident response analysts may leverage in determining root cause. It should be noted that this chapter will only be able to scratch the surface, as entire volumes have been devoted to the depth of forensic evidence available. Rather, it is hoped that this chapter provides ...
