In Forensics, once the evidence has been collected, tagged and prepared, the next step is analysis. This involves taking a write protected copy and subjecting it to various analytical techniques. These may involve:
- Timeframe analysis - the sequence in which actions were completed i.e files created, editied or deleted
- Data hiding - whether files have been deleted, placed in unusual locations, disguised as other file types etc.
- Application and file use - which applications were used and when
- Ownership and possession - can individuals be tied to the computer at the times in which the alleged crimes were committed.