A group of Stanford Special Collections staff just returned from a two-day training course on computer forensics. The training was very intensive and focused on the DOS and Windows operating systems. I found the training excellent, as we spent a large part of the course understanding how computer hardware and operating systems interact. More importantly, we were introduced to how forensic tools take advantage of operating system design. File allocation tables in DOS and Windows environments leave specific forensic trails. The same can be said of the NTFS file system, and strangely this more modern file system leaves a more extensive audit trail, which is of benefit to law enforcement and archivists.
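To make the "forensic trail" point concrete, here is a small added example (mine, not material from the course or from the original post) that parses FAT 8.3 directory entries. The directory block it reads is constructed inline; the file names, cluster numbers and timestamps in it are made up. It shows what a FAT driver actually does when a file is deleted: only the first byte of the 32-byte directory entry is overwritten with 0xE5, so the rest of the name, the starting cluster, the size and the timestamps all survive until the slot is reused.

```python
"""Parse FAT short (8.3) directory entries and show what deletion leaves behind.

Added illustration, not code from the original post. The sample directory
below is constructed; the names, clusters and dates are invented.
"""
import struct
from datetime import datetime

# 32-byte short directory entry (FAT12/16/32), little-endian:
# name(11) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2) acc_date(2)
# first_cluster_hi(2) wrt_time(2) wrt_date(2) first_cluster_lo(2) size(4)
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
DELETED_MARK = 0xE5   # first name byte after deletion
END_OF_DIR = 0x00     # first name byte of a never-used slot; nothing follows
ATTR_LFN = 0x0F       # long-file-name pieces, skipped here


def _to_fat_date(dt):
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def _to_fat_time(dt):
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)


def _from_fat(date_raw, time_raw):
    """Decode packed FAT date/time words (2-second resolution)."""
    return datetime(1980 + (date_raw >> 9), (date_raw >> 5) & 0x0F, date_raw & 0x1F,
                    time_raw >> 11, (time_raw >> 5) & 0x3F, (time_raw & 0x1F) * 2)


def build_entry(name, ext, first_cluster, size, mtime, attr=0x20):
    """Build a live directory entry for an 8.3 name (creation = modification time)."""
    raw_name = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0,
                       _to_fat_time(mtime), _to_fat_date(mtime), _to_fat_date(mtime),
                       first_cluster >> 16,
                       _to_fat_time(mtime), _to_fat_date(mtime),
                       first_cluster & 0xFFFF, size)


def delete_entry(raw):
    """What the driver does on delete: overwrite byte 0 with 0xE5 and nothing else.

    The file's cluster chain in the FAT is freed, but the data clusters
    themselves are not wiped, so the entry still points at recoverable content.
    """
    return bytes([DELETED_MARK]) + raw[1:]


def parse_directory(data):
    """Return live and deleted entries from a directory block, in order."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break                       # nothing was ever written past here
        (raw_name, attr, _ntres, _tenth, _ctime, _cdate, _adate,
         hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr & ATTR_LFN == ATTR_LFN:
            continue                    # LFN piece, not a file entry
        deleted = raw[0] == DELETED_MARK
        base = raw_name[:8].decode("ascii", "replace").rstrip()
        ext = raw_name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]       # first character is the only thing lost
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "attr": attr,
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "mtime": _from_fat(wdate, wtime),
        })
    return entries


# Constructed sample: one live file, one deleted file, then an unused slot.
SAMPLE_DIR = (
    build_entry("NOTES", "TXT", 3, 1024, datetime(2010, 5, 12, 14, 0, 0))
    + delete_entry(build_entry("REPORT", "DOC", 42, 12345, datetime(2010, 5, 14, 9, 30, 0)))
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        state = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<14} {state:<8} cluster={e['first_cluster']:<5} "
              f"size={e['size']:<7} modified={e['mtime']:%Y-%m-%d %H:%M}")
```

A recovery tool does exactly what the deleted entry invites: read `size` bytes starting at `first_cluster`, assuming the file was allocated contiguously (its FAT chain has been zeroed, so contiguity is the only guess available). That is also why the course's emphasis on a clean capture station and a working write blocker matters: anything written to the evidence volume can reuse that slot or those clusters.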
During the final hands-on component of the course we spent a few hours attempting to forensically recover evidence from a thumb drive, an SD flash card and a hard drive. This was an excellent hands-on exercise and exposed many problems a digital archivist is likely to encounter, such as incompatible write blocker drivers. Another takeaway from the course was that any digital archivist will very frequently need to be able to re-image their workstation due to computer viruses and to maintain a clean forensic capture station.