ABSTRACT

This chapter explores in detail the examination/analysis phase of the digital forensics process by describing how and where potential evidence may be uncovered from a digital device, including how deleted files can be recovered. Data preservation is the first step in uncovering digital evidence and occurs during the collection/acquisition phase of the digital forensic investigation. However, the data preservation process relies on the use of digital forensic tools, many of which, such as EnCase and Forensic Toolkit (FTK), are dual-purpose in that they both image and hash hard drives. FTK includes Explicit Image Detection (EID), which sorts through the images on a digital device and flags the ones that are more likely to be child pornography by using algorithms that search for flesh tones, certain shapes, and orientations. The chapter concludes with a discussion of report objectivity and forensic confirmation bias; after all, the integrity of the report is just as important as the integrity of the evidence itself.