The Traces We Leave Behind

AND HOW TO FIND THEM

Mattias Wecksten

2009 (cc) by-nc-sa

What Traces Do You Leave If…

…you delete a file?

…you format a hard drive?

…edits a document without saving?

…use an USB memory?

Files on the Hard Drive

• Hard drive = Binder with index

• Write file = Insert document

• Remove file= Erase from index

• Format = Replace index

Data Extraction: deleted file

• Recreate the entry• Analyze data• Recreate data

Data Extraction: formatted hard drive

• Recreate the register• Analyze data

Data extraction: Word-recovery

The Windows Registry

Metadata

Questionnaire:

• Who is responsible if erased information turns up?• What information seeps out?• What ethical aspects are considered?• Are you prepared for the incident?

References

Presentation: M. Weckstén (cc) by-nc-sa

wecksten@gmail.com

Photo: Bitxo (cc) by-nc-sa

Illustrations: T. Weckstén (cc) by-nc-sa