The joys of complexity and the deleted file

This article considers the improved quality of evidence which may be extracted from computers running under modern operating systems and file systems. By way of illustration the author discusses the treatment of deleted files under legacy DOS systems, Windows 9x systems and the NTFS file system, and illustrates the various data artefacts associated with each. It is clear that, although the evidence resulting from more modern systems is more complex, and that analysts require more in-depth training to understand them, the rewards in terms of evidential probity can be considerable, enabling the analyst to produce evidence which in earlier systems was simply not there to be found.