Forensic examiners are constantly facing a number of technical issues or obstacles which may result in incomplete evidence collected.
Diversity of technologies – Computer system is highly complex and evolving each day with new hardware, software, operating system and protocols. Today we have Windows, Mac, Linux and each OS has many variants with different fine tunes crucially affecting the forensic investigation. In fact, forensic analysis is also evolving and the technique used is very specific to the types of files systems, be it FAT16, FAT32, NTFS 3.x, NTFS 5.x, Ext2FS, Ext4FS and so forth. In fact, single computer forensic examiner can not be expert in all areas and it is common that the examiner may often analyse something for the first time as the situation calls for. This may cast some uncertainty in completeness of evidence. That is why a postmortem is necessary for the investigator to work and progress.
Disk or File Encryption – Without the correct key or passphrase, encrypted data can not be opened for review. Due to limitation of computational power, brute-force attack is normally out of question. However, the examiner could look into other password data stores which may be easier to crack (such as the windows screen lock or user login passwords). Frequently, the suspect may use the same passwords to encrypt the data so it may be worth looking into such alternative avenues.
Another effective way to overcome this is to look into the volatile RAM memory but this will require live acqusition without computer shut-down.
Storage space – With the advent of technology, 2 to 4 TB single disk is common place. This will require substantial amount of memory and computing power over longer time to complete the analysis cycle. The output findings are normally large and without proper filtering tools, manual examination could even be more difficult. Cost and time of examination is also going spirally upward as a result.
Anti-forensics means – Tools with capability to do data wiping (by overwriting), file encryption, cache cleaning are commonly availabe over internet. Very often, the examiner could only end up proving the installation of data cleaning tools without the actual data being recovered, resulting in some what incomplete findings.
Physical media damage – It is not uncommon that the offender may purposely damage the media phsically to make it unreadable. In such cases, the examiner may need to seek separate data recovery expert with increasing difficulty in maintaining a smooth chain of custody and protection of evidence.