Electronic Evidence where to find in Files
Electronic Evidence where to find in files Windows Searches — For years, one challenge in digital investigative analysis has been proving a user not only had something significant to an investigation on their computer, but that he knew it was on there. Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it or accessed it. In order for Microsoft to enhance the user experience, Windows tracks the names of files you access and search for in multiple locations. As previously discussed, the Windows registry is essentially several databases called registry hives. Each user has his own primary registry hive called the NTUSER.DAT. This registry hive tracks information specific to each user’s activity and preferences. Starting in Windows 7, when a user conducts a search on his computer using the Windows search function or the “Charm Bar” in Windows 8-10 (the magnifying glass that appears when you move your mouse to the right edge of the screen