Active data can be seen by a computer’s operating system (OS) or the software used to create it. It excludes data not stored on a local storage media or device. It may also refer to information that a user can see on a computer screen.

Think of it as everything forensics experts can see with their naked eyes at a crime scene—the murder weapon, perhaps. Active data in such a case would thus exclude sweat or other bodily fluids that may have fallen onto the carpet while the crime was being committed. Investigators would need specialized tools like a DNA kit for that.

Active data is the easiest data to retrieve during a digital forensics investigation. It includes all the files, programs, and system information a computer’s OS uses.

Other interesting terms…

Read More about a “Active Data

We mentioned that active data is the easiest data a digital forensics investigator can retrieve. But what are the other types of data?

What Are the Different Kinds of Data That Digital Forensics Experts Collect?

Three types of data are typically collected during a digital forensics investigation. These are:

  • Active data: The information all computer users can see. This data includes data files, programs, and system files, making it the easiest to obtain. You can easily see, for instance, a ransom email draft that a cybercriminal forgot to delete from the Temp folder.
  • Archival data: The information a computer user has backed up and stored. This data can be saved on backup tapes, compact discs (CDs), floppy disks, or external hard drives, among many others. An example would be phishing templates bought online and saved on an external hard drive that you find lying around.
  • Latent data: The information investigators need to use specialized tools to get. An example is data that has been deleted or partially overwritten. You can learn more about latent data here.

Digital forensics investigators should look at all these data types. Among the three, latent data is the most time-consuming and costly to retrieve. It is, however, critical since it can make or break an investigation. Why? Cybercriminals and cyber attackers won’t leave any trace of their nefarious acts on their computers, but you can still find information traces on a system despite deletion.

What Are Examples of Active Data?

Practically all the information currently viewable and accessible on a computer when it’s turned on is considered active data. Examples are:

  • Installed applications: These refer to all the programs a user can utilize on a computer. If you have Microsoft Office installed, for instance, you can create documents using Microsoft Word, spreadsheets using Excel, or presentations using PowerPoint, or send emails via Outlook. All the programs you downloaded or purchased and installed would fall under this category, too.
  • Saved files: These include all your Microsoft Word documents, Excel spreadsheets, and PowerPoint presentations so long as you saved them on your computer. Practically all the files you created with the available applications on your system fall under this umbrella.
  • Data files: Computers need to keep so-called “system files” to work. For instance, Microsoft Word won’t work correctly if one of its drivers is missing. A driver is a set of files that tells hardware how to function by communicating with your computer’s OS.

Digital forensics experts look at all this information when investigating the computers of suspected cybercriminals or cyber attackers. They may have left or forgotten to delete phishing page images (like the logos of the brands they mimicked) on their systems. These could serve as evidence when they’re tried for their crimes.

Even if the crime is of a physical nature, digital forensics investigators may find a log of the ransom note the criminals printed from the print driver.

These reasons make active data collection helpful in digital forensics.

When conducting investigations, digital forensics experts must gather all available electronic data, including active data. Only by doing so can they uncover solid evidence of a suspect’s involvement in any computer-assisted crime.