Many criminals work hard to slow down the investigation process. They do this by deleting digital evidence to cover up their mistakes, hoping to drag out the case at hand and cause it to fail.
This tactic is commonly used by criminals who use computers but are not necessarily computer gurus, which means that retrieving whatever information they deleted is possible with a little more effort. There are many areas where the computer forensics examiner can look when trying to locate a deleted file. Normally, the first thing to do is find out exactly where the deleted file is. Once it is found, the rest is easy.
The history logs keep some of the vital information needed to locate a file that has been deleted. Here you will find where the file was last located, provided the history log has not also been deleted. It is therefore advisable to start with the simple steps before going on to more tricky and complex methods.
Digital evidence includes temporary files, videos, compressed archives, documents, contacts and address books, and browser history, among others. It is therefore important to know what types of evidence you are looking for so that you can decide which areas to visit first.
Once you know the type of evidence you are looking for, you will know which areas to look in. For example, current versions of Windows keep data created by the user, and data generated by applications, in AppData, documents, settings folders and program files. The search can be further complicated when the data is in the AppData folder, since that folder is not found at a fixed location on the disk.
Once the data has been located, the next action is to retrieve the information. To do this successfully, you have to know the format the files are in. The information can be in many different formats, and there are applications that can be used to determine them.
Apart from deleting files, criminals can also change a file's name so that it is not easy to locate, delete the history files, encrypt the full volume, or change the location of the files and the default location of the history files. All of these will drag out the investigation, and if there are no proper forensics examiners to retrieve the information, the evidence can stay hidden and affect the case.
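The format check from the two paragraphs above, as an added example that is not part of the original article: it identifies a file's format from its leading bytes instead of its name, so a renamed file still stands out. The signature table and the extension lists are a small assumed subset, and the sample header is constructed.

```python
import os

# Leading-byte signatures (well-known magic numbers) for a few common formats.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx
    (b"SQLite format 3\x00", "sqlite"),
]

# Extensions treated as consistent with each detected format (assumed list).
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
    "sqlite": {".sqlite", ".db"},
}

def identify(header: bytes):
    # Return the format name for a file header, or None if unrecognised.
    for magic, fmt in SIGNATURES:
        if header.startswith(magic):
            return fmt
    return None

def triage(name: str, header: bytes) -> dict:
    """Compare the detected format with the file's extension."""
    fmt = identify(header)
    ext = os.path.splitext(name)[1].lower()
    mismatch = fmt is not None and ext not in EXPECTED_EXT[fmt]
    return {"name": name, "format": fmt, "extension": ext, "mismatch": mismatch}

def scan(root: str):
    """Walk a working copy of the evidence; yield files whose name hides their format."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)  # longest signature above is 16 bytes
            except OSError:
                continue  # unreadable entry: skip it
            result = triage(path, header)
            if result["mismatch"]:
                yield result

if __name__ == "__main__":
    print(triage("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"))  # constructed sample
```

Run `scan()` against a working copy or a read-only mount of the image, never the original media. A recognised format under a file with no extension is also reported, so expect some hits that are legitimate application files.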
It is therefore important to contact a reliable and experienced computer forensics examiner who can conduct a proper search of the computer and retrieve the information that is necessary for the investigation and the case as a whole. The forensics examiner should know what type of evidence the investigators are looking for.