Our newest course is the File System Analysis course, which allows us to dig deeper into the world of file systems and how to recover evidence from suspects harddrive. For me this is a particular exciting field, since I have my primary interest in doing “detective” work deep inside images for finding information.

First of all, performing an investigation is to develop and test a hypothesis about an event. And you can do that by looking at digital evidence, which is a digital object that contains reliable information that supports or rejects the hypothesis. (Drange, 2016).

An investigation can be initiated for two different reasons, investigative use or legal use. Whilst you might perform an investigation for legal use in the court of law (both criminal and civil), you could also do it purely for an investigative use – like examining evidence in order to provide information used privately (like cheating spouses, family matters and so on) or in business (competition spying, unfaithful employers).

Since computers play a key role in a digital investigation, they can not only hold information about a crime – but also be used for a criminal purpose. Either to fascilitate a physical crime, or to be have functioned directly in performing a crime (like hacking, sending threats, malware, sharing illegal material).

All in all, this is right to the core of digital investigation and our function as specialists.


Drange, T. (2016) Introduction to File Systems Analysis
Lecture slides