Windows Forensic Analysis Toolkit

A good deal of traditional computer forensic analysis revolves around the existence of files or file fragments. Windows systems maintain a number of files that can be incorporated into this traditional view to provide a greater level of detail in the analysis.
Many of the log files maintained by Windows systems include timestamps that can be incorporated into the investigator's timeline analysis of activity on the system.
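One way to fold log timestamps into a timeline, as an added example that is not code from the book: each source is parsed with its own pattern, every timestamp is normalized to an aware UTC value, and the events are sorted. The log lines are constructed, and the host time zone used for sources that record local time without an offset is an assumption; in practice it is read from the SYSTEM hive before any local-time source is trusted.

```python
"""Merge timestamps from several Windows log sources into one UTC-ordered timeline.

Added example (not from the book). The log lines below are constructed, and the
host time zone is an assumption: check it in the SYSTEM hive before trusting
any local-time source.
"""
import re
from datetime import datetime, timezone, timedelta

# Assumption: the imaged host was configured for UTC+1. Sources that record
# local time without an offset are shifted by this value.
HOST_TZ = timezone(timedelta(hours=1))

# Constructed sample lines, one per source type:
#   evtx      - exported Security event record, local time with explicit offset
#   iis       - W3C extended log line (IIS writes W3C logs in UTC)
#   setupapi  - setupapi.dev.log section header, local time without offset
SAMPLE_LINES = [
    ("evtx", "2023-01-05 10:22:13 +0100 EventID=4624 LogonType=10 User=jsmith"),
    ("iis", "2023-01-05 09:20:00 192.0.2.10 GET /login.aspx - 443 - 203.0.113.5 200"),
    ("setupapi", ">>>  Section start 2023/01/05 10:25:40.123 Device Install (Hardware initiated) - USB\\VID_0781&PID_5567"),
]

PATTERNS = {
    "evtx": re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4}) (.*)$"),
    "iis": re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$"),
    "setupapi": re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+\s*(.*)$"),
}


def parse_line(source, line):
    """Return (aware UTC datetime, detail text) for one log line."""
    m = PATTERNS[source].match(line)
    if m is None:
        raise ValueError(f"unrecognised {source} line: {line!r}")
    if source == "evtx":
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S %z")
        detail = m.group(3)
    elif source == "iis":
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        detail = m.group(2)
    else:  # setupapi: local time, no offset, so apply the assumed host zone
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=HOST_TZ)
        detail = m.group(2)
    return ts.astimezone(timezone.utc), detail


def build_timeline(lines):
    """Parse (source, line) pairs and return events sorted by UTC time."""
    events = []
    for source, line in lines:
        ts, detail = parse_line(source, line)
        events.append((ts, source, detail))
    events.sort(key=lambda e: e[0])
    return events


def render(events):
    """One line per event, ISO 8601 UTC first, so the timeline greps and diffs cleanly."""
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {source:<9} {detail}"
            for ts, source, detail in events]


if __name__ == "__main__":
    for row in render(build_timeline(SAMPLE_LINES)):
        print(row)
```

The check worth keeping from this: the IIS entry sorts first even though its clock reading is the earliest only after the other two sources are converted from local time. Mixing sources without normalizing to one zone is the usual way a timeline ends up with events in the wrong order.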
The term metadata refers to data about data. This amounts to additional data about a file that is separate from the file's actual contents, which is where many analysts confine their text searches, so metadata is easily overlooked.
Many applications maintain metadata about a file or document within the file itself.
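As an added example of metadata carried inside the file itself (not code from the book), the following reads the compile timestamp that the linker writes into the COFF header of a Windows executable. The header bytes are constructed in memory so the example runs without a real binary; the offsets are those of the documented PE layout (e_lfanew at 0x3C, TimeDateStamp eight bytes past the PE signature).

```python
"""Read the compile timestamp embedded in a PE file header.

Added example (not from the book). build_sample_pe() constructs a minimal
header in memory so the example runs without a real binary; the offsets are
those of the documented PE format (e_lfanew at 0x3C, COFF TimeDateStamp 8 bytes
past the PE signature).
"""
import struct
from datetime import datetime, timezone


def build_sample_pe(timestamp, machine=0x8664):
    """Constructed minimal MZ/PE header carrying the given TimeDateStamp."""
    buf = bytearray(0x40 + 4 + 20)           # DOS stub, PE signature, COFF header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset of PE signature
    buf[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, 0x44, machine, 3, timestamp, 0, 0, 0xF0, 0x0022)
    return bytes(buf)


def pe_timestamp(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if it is zero.

    A zero stamp usually means the linker did not set it or it was wiped; a
    nonzero value is only the linker's claim and can be forged, so compare it
    with the file system's timestamps rather than trusting it alone.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    if stamp == 0:
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


if __name__ == "__main__":
    sample = build_sample_pe(1672914133)   # constructed: 2023-01-05 10:22:13 UTC
    print(pe_timestamp(sample))
```

The practitioner's caveat is in the docstring: the value is written by whoever built the file, so it is evidence of a claim, not of an event. A compile time later than the file's creation time on disk, or a zero stamp, is itself worth noting in the timeline.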
In addition to the traditional means of computer forensic analysis of files, additional methods of analysis are available to the investigator.
Booting an acquired image into a virtual environment can provide the investigator with a useful means both for analysis of the system and for presentation of collected data to others (such as a jury).
Accessing an image as a read-only file system provides the investigator with the means to quickly scan for viruses, Trojans, and other malware.
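Mounting a raw image read-only first requires the byte offset of the partition inside the image. The following is an added example, not from the book: it parses a constructed MBR, refuses a GPT protective entry, and builds the loop mount command. It assumes a Linux analysis host with loop-device support, and the command is printed rather than executed.

```python
"""Locate a partition in a raw disk image and build a read-only mount command.

Added example (not from the book). The MBR bytes are constructed; the mount
command assumes a Linux analysis host with loop-device support and is printed,
not executed. Hash the image before and after the session to prove it was not
modified.
"""
import struct

SECTOR = 512
GPT_PROTECTIVE = 0xEE


def build_sample_mbr():
    """Constructed MBR: one bootable NTFS (0x07) partition at LBA 2048, 204800 sectors."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for slot in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * slot)
        if ptype == 0:
            continue
        if ptype == GPT_PROTECTIVE:
            raise ValueError("protective MBR: disk is GPT, parse the GPT header at LBA 1 instead")
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def mount_command(image_path, entry, mountpoint="/mnt/evidence"):
    """Read-only loop mount at the partition's byte offset; noexec keeps image binaries from running."""
    offset = entry["start_lba"] * SECTOR
    return f"mount -o ro,loop,noexec,offset={offset} {image_path} {mountpoint}"


if __name__ == "__main__":
    for entry in parse_mbr(build_sample_mbr()):
        print(entry)
        print(mount_command("/cases/001/disk.dd", entry))
```

Once mounted, the scanner of choice is pointed at the mountpoint. The check a practitioner adds is an integrity one: record the image hash before mounting and again after unmounting, since a read-only mount protects against the scanner, not against an operator error at the command line.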