Hi,
Due to the size of HDDs, would it be fair to say that first searching for encrypted and compressed files (since it may look a bit suspect if there are encrypted/compressed files/images) will reduce the amount of time spent picking through a hard disk? Are there any "standard" filetypes that you would look for in all cases just to reduce the time it takes to search the HDD?
'Standard' picture file types really are .jpg, gif, png, and bmp. Not forgetting movie file types such as avi, mov, mpg, mpeg.
Yes, encrypted or compressed files also need some examination, but if you are looking for a quick method of identifying notable (illegal) files or already known (and irrelevant) files for filtering, then simply use hash sets.
Andy
I'd suggest that not every case involves images or encrypted/compressed files. What you look for depends on your case.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
Just to be a pain, I agree with both posts. Some cases can be very targeted; I worked on a fraud case last week where the whole case focused on just one database file. However, I also believe it's important to get a wide view of the data you are working on.
At the start of a case I often 'take a walk' through the data and just browse around with the subject matter in mind but not really looking for anything. It is amazing how often pertinent data or patterns of use jump out at you. This is where visual tools like FTK or Encase come into their own.
Cheers
Nick
This is where I love FTK. You can use the overview tabs and pretty much start where the needs of the case point you. If you want to look at the known bad files, look at the KFF Alert files, or if you want to see pictures, click the graphics tab.
Every case is different, to be sure, and it is apparent each time what those standard file types should be in a particular case. One thing that's pertinent in nearly every case, however, is email. Always a good place to start.
I tend to look for encrypted files last rather than first, however. I don't think there's a 90/10 rule in computer forensics, probably more like 70/30. That is, I'll find 70% of what I need in 30% of the time. It's kind of like searching a car for dope. I don't take the tires off the rims right off. I check the glove compartment first.
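The hash-set filtering Andy suggests and the KFF-alert / graphics-tab triage in the post above, as an added example that is not from any poster in this thread: a Python script that hashes every file under a mounted tree, drops known-good files, surfaces known-bad ones regardless of their name, and buckets the rest by the extensions the thread mentions. The hash sets, file names and contents are constructed for the example and are not real NSRL/KFF entries.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed hash sets (NOT real NSRL/KFF values): known-good is filtered out, known-bad alerts.
KNOWN_GOOD = {hashlib.sha256(b"constructed OS library bytes").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed contraband bytes").hexdigest()}
# Extension buckets from the thread: pictures/movies, and compressed/encrypted files.
MEDIA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".avi", ".mov", ".mpg", ".mpeg"}
CONTAINER_EXTS = {".zip", ".rar", ".7z", ".gpg", ".pgp"}

def sha256_file(path):
    h = hashlib.sha256()  # streamed in 1 MiB chunks: media files can be huge
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def classify(path):
    digest = sha256_file(path)  # hash beats extension: a renamed known-bad file still alerts
    if digest in KNOWN_BAD:
        return "alert"
    if digest in KNOWN_GOOD:
        return "known-good"     # filter out; not worth manual review
    ext = path.suffix.lower()
    if ext in MEDIA_EXTS:
        return "media"
    if ext in CONTAINER_EXTS:
        return "container"      # compressed/encrypted: examine, but not first
    return "other"

def triage(root):
    # Walk the tree and map each relative POSIX-style path to its bucket.
    return {Path(d, n).relative_to(root).as_posix(): classify(Path(d, n))
            for d, _, names in os.walk(root) for n in names}

def build_sample_case():
    root = tempfile.mkdtemp(prefix="triage_")  # constructed tree standing in for a mounted image
    sample = {
        "Windows/kernel32.dll": b"constructed OS library bytes",
        "Users/bob/Pictures/holiday.jpg": b"\xff\xd8 constructed jpeg",
        "Users/bob/Pictures/renamed.txt": b"constructed contraband bytes",
        "Users/bob/Documents/backup.zip": b"PK constructed archive",
        "Users/bob/Documents/notes.txt": b"plain notes",
    }
    for rel, data in sample.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)
    return root
```

Run `triage(build_sample_case())` to see the buckets; in a real case the two sets would be loaded from a hash-set export and the tree would be the mounted image.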