PenrodEllis FDD - Certified Experts in Electronic Discovery & Computer Forensics
A variety of different digital electronic devices can be forensically preserved in Electronic Discovery, Digital Forensics and Incident Response cases.  
PenrodEllis FDD of Denver, Colorado conducts e-discovery, digital forensics and incident response processes against any digital electronic device on which ESI is stored. All these devices can be forensically preserved using bit steam images. PenrodEllis FDD forensic computer examiners  have been conducting computer investigations since 1997.
Although quite small, USB flash memory keys and compact flash cards can contain very large amounts of ESI. They are  simple to use and easy to conceal. USB keys and CF cards are often overlooked in matters involving e-discovery and computer forensics.
Recovery of ESI from computer internal and external hard drives are the most common objective of Electronic Data Discovery and Computer Forensics in civil and criminal litigation.In civil and criminal litigation, ESI is most frequenlty recovered from computer hard drives and external storage media, such as USB flash memory keys. However, any electronic appliance that processes or stores data in digital format can be imaged and analyzed.
ESI can be recovered forensically from mobile phones, such as Apple's iPhone, RIM's Blackberry and Google's Android. Mobile phones are basically hand held computers; they process and store ESI the same way as their full size cousins. Mobile phones are become favorite subjects of eDiscovery and forensic computer examinations in civil and criminal litigation.Mobile phones are just one example. For all intents and purposes they are hand held computers with processors and memory as well as onboard and removable storage. They handle ESI the same way as desktop and laptop computers. E-discovery processes and forensic examinations therefore can be conducted against them.
Tablet computers, such as Apple's iPad, and netbook computers, such as Asus's Eee PC, are fully functioning computers. With the sole exception of the iPad, the ESI stored on these devices is  easily preserved and examined in any matter involving e-discovery and computer forensics.
Other devices from which ESI can be recovered include tablet computers such as the iPad, digital cameras and video recorders, GPS navigation devices, satellite and cable television DVRs, and digital audio recorders such as telephone answering machines.
Any digital electronic device that processes and stores ESI, such as digital cameras and video recorders, can be forensically preserved and examined.
External USB hard disk drives are a primary source of ESI in matters involving e-discovery, digital forensics and incident response.When formatted, all digital electronic devices organize ESI into a series of contiguous clusters. Each cluster is limited in size and therefore can contain only a set amount of data - just like a page in a book, which can only contain a certain number of alpha-numeric characters.
Only two types of formatted clusters exist on an digital electronic devices, allocated and unallocated:
Computer Storage Devices (CSD) contain Electronically Stored Information (ESI). ESI can be captured through Electronic Discovery, Computer Forensics or Incident Response. When formatted, a computer storage device consists of both allocated and unallocated clusters. Allocated Clusters contain Operative ESI and file slack. Unallocated Clusters contain Inoperative ESI and residual data.
On Windows-based computers, allocated clusters are called Used Space; unallocated clusters Free Space:
Windows refers to allocated clusters are Used Space and unallocated clusters and Free Space.
Allocated clusters contain Operative ESI and file slack; unallocated contain Inoperative ESI and residual data.
Allocated Clusters contain Operative ESI and file slack. Unallocated Clusters contain Inoperative ESI and residual data.
Operative ESI includes both Active and Dormant Files. Inoperative ESI includes Deleted, Temporary and Discarded Files. Residual Data are remnants of partially overwritten or fragmented Inoperative ESI. File Slack is residual data located within an Allocated Cluster.
Operative ESI consists of both Active and Dormant Files. Active Files are files the user and system can access and manipulate. Dormant Files are files requiring special handling procedures and are not easily accessible to the user.
For more information on Operative and Inoperative ESI, see the Data page.