White Papers

ACPO Guide for computer-based electronic evidence - Since the initial publication of this guide, the electronic world and the manner in which it is investigated have changed considerably. This guide has been revised in the light of those developments. Information Technology is ever developing and each new development finds a greater role in our lives. The recovery of evidence from electronic devices is now firmly part of law enforcement...

md5 collisions - In August 2004, at the annual cryptography conference in Santa Barbara, California, a group of cryptographers, Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu, announced that they had successfully generated two files with different contents that had the same MD5 hash. This paper reviews the announcement and discusses the impact this discovery may have on the use of MD5 hash functions for evidence authentication in the field of computer forensics...

NTFS orphan files - An orphan is defined for files just as it is for humans. Orphan files are files that no longer have a parent, the parent being the folder they were in. If a folder is deleted, the files within it are deleted as well but are not orphans...

registry_quick_find_chart - This document reviews common locations in the Windows and Windows Internet-related registries where you can find data of forensic interest...

thumbs.db files - A thumbnail view is commonly known to be a miniature picture that represents a larger graphic. Thumbnails are used in FTK and FTK Imager to present large numbers of graphics to the user in a small amount of space. The investigator can review the images to locate files of interest.

USB write protect - In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives. This allows us to examine and duplicate USB devices with write protection that previously didn’t exist...