Whether you're given a client’s computer to obtain forensic images or to collect records, it can be difficult to find the correct user data without getting mixed up in all the system files, programs and other data that isn't of value for your legal review. In today’s Tuesday Tip, I'm sharing the easiest way to find this user data, plus a few unusual places to look that also contain useful information.
Ever since Microsoft released Windows Vista in 2006, the system has been pretty consistent when it comes to where it holds data. Unless you’re using an operating system older than Windows XP (2001), the following tips should work for you.
Where is user data stored?
Once you've logged into your Windows machine, you can find all of the data on the computer’s “Local Disk (C:) > Users.” When working with corporate machines, it's normal to see multiple users, including Administrator or IT users.
Inside each of the "User" folders, you'll find the same folder structure: contacts, desktop, documents, downloads and more. An important point to note is that you will only have access to your own user folder. If you try to open a folder you do not have access to, you’ll be given a notification window.
Note: Local administrators (meaning you have administrator rights on that computer) can access any of the other users' folders.
What folders contain user data?
Desktop, Downloads, My Documents, My Pictures, My Videos and My Music are all folders that will contain user data that you'll most likely want to review. Additionally, you can find files and programs being used by the user in the general “User” folder mentioned above.
How to find hidden folders on Windows
Many programs keep their data in the "AppData" folder within each “User” folder. However, the “AppData” folder is "Hidden", which means you will not see it without editing the Folder Options within Windows Explorer first. To make hidden folders visible, go to the “View” tab (in the upper left corner of the window), then select Options (on the far right).
This will open a new window. Again, click the “View” tab and you’ll see a list of available options. Update the preferences to “Show hidden files, folders, and drives”.
Once you click “OK”, you should see the hidden “AppData” folder, among others. You can tell which folders are marked as hidden by the transparency of their icon; hidden folders won’t be as solid as the rest.
Inside the "AppData" folder, there will be three sub-folders:
In this tutorial, we’ll explore the “Local” folder only. Let’s start with looking for Outlook data using the address below.
Here, you will likely see at least one Offline Storage (OST) file. This is the working file for Outlook and anything that can be seen inside Outlook will be located here. This file won't necessarily contain all of the user's emails in full. If the user has set Outlook to only download headers, the email data may be missing its body copy and attachments. However, this folder will contain all drafts and any additional data that has been downloaded to the local computer drive. It's also quite common to find Personal Storage Table (PST) files here since Outlook uses this as the default file format. During a review, all OST and PST files should be assessed.
Lastly, you may also want to look in the “Windows Mail” folder inside the “Microsoft” folder. If the user uses Windows Mail as opposed to Outlook, then its email data will be found there.
Where to find hidden internet and email history data
Inside the “Local Disk (C:) > Users > name” and “AppData” folders, you can find some other possibly useful data such as the cache from Internet Explorer (IE). This data contains all the files that IE downloaded to display on a webpage. There may be lots of junk here, but there can also be valuable evidence. Additionally, the “Microsoft > Internet Explorer” folder contains .DAT files that contain browser history from IE.
There is a similar cache that contains files attached to Office documents (images, charts, etc.) which you can find under "AppData > Microsoft > Office." While some of this information might not be useful (as it likely contains junk), there can sometimes be important data hidden in this location like files that have been attached, embedded or drafted in Office documents.
The last location worth noting is easy to miss if you don't know to look for it. When a user connects to a network with Windows, they can make data on that network available when they're offline. In many versions of Windows this data will be saved in the “Windows” folder, specifically in “Local Disk (C:) > Windows > CSC.” This stands for Client-Side Caching. In Windows 10, the default location was changed to “Local Disk (C:) > CSC.” There can be some useful pieces of information hidden in this folder as well.
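The manual walk through each user folder described above can be turned into a repeatable, read-only inventory. The following is an added example, not code from the original post: it assumes the drive (or a mounted forensic image of it) is reachable at a root path, and the function names and the sample folder tree are constructed for illustration. It lists every OST and PST file per user with a SHA-256 hash, records paths that could not be read, and reports which of the two CSC locations exists.

```python
import hashlib
import os
import tempfile
from pathlib import Path

MAIL_EXTENSIONS = {".ost", ".pst"}      # Outlook stores the article says to assess
CSC_LOCATIONS = ("Windows/CSC", "CSC")  # both Client-Side Caching paths it names

def sha256_of(path):
    """Hash in 1 MiB chunks so multi-gigabyte stores never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """Read-only sweep, hidden folders included: (stores, unreadable, csc)."""
    root = Path(root)
    stores, unreadable = [], []
    for profile in sorted(p for p in (root / "Users").iterdir() if p.is_dir()):
        walker = os.walk(profile, onerror=lambda e: unreadable.append(e.filename))
        for folder, _dirs, files in walker:
            for name in files:
                path = Path(folder, name)
                if path.suffix.lower() not in MAIL_EXTENSIONS:
                    continue
                try:  # a store can be locked, or the profile not ours to read
                    stores.append({"user": profile.name, "sha256": sha256_of(path),
                                   "path": path.relative_to(root).as_posix()})
                except OSError:
                    unreadable.append(str(path))
    csc = [loc for loc in CSC_LOCATIONS if (root / loc).is_dir()]
    return stores, unreadable, csc

def build_sample_volume(root):
    """Constructed sample tree (not real evidence) so the sweep runs anywhere."""
    files = {"Users/alice/AppData/Local/Microsoft/Outlook/alice.ost": b"ost-bytes",
             "Users/alice/Documents/Archive.PST": b"pst-bytes",
             "Users/bob/Desktop/notes.txt": b"not mail"}
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    Path(root, "CSC").mkdir()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inventory(build_sample_volume(tmp)))
```

Entries in the unreadable list correspond to the access-denied case mentioned earlier and indicate the sweep needs to be repeated with local administrator rights.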