This part covers the basic component of computer forensic investigations: finding electronic data, documents, or dirt to use as evidence. And we tell you in Chapter 1 not only how to find it but also how to ensure that it can be used to win or prevail in a legal action. Let's face it: If you're involved in a computer forensic mission, it's not because you want to recover your lost vacation photos. For less money than you would pay for an investigation, you could redo the vacation and retake those photos. Computer forensics is more like the art of war — strategies and tactics to successfully navigate a tough environment, as you find out in Chapter 2.

In the first two chapters, you start to understand the number of ways in which your data and digital content get "out there," how investigators find and recover e-evidence, and how lawyers use the evidence to win their cases. You'll find out about technical issues and the dumb mistakes made by users trying to erase their tracks. Big Mistake #1 is thinking that the Delete key is the cyberequivalent of a paper shredder.

Mistakes stemming from delusions of grandeur can harm an investigation, as you read in Chapter 3. If you're about to start an examination, you have to avoid Big Mistake #2 — jumping into an investigation without appreciating how fragile electronic data, and your posterior, are. Either one might get damaged if you don't have the authority to proceed. Then in Chapter 4 you see strategies from the trenches for documenting and managing the scene of a crime.