This is related to after the fact; the system is shut down forensics. The probable cause has been tripped; you seize the computer, and make forensically sound copies of the hard drive for further analysis. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. If you delete a file, there is a possibility of recovering it years later. There are a lot of variables in place here, but if a suspect is breaking policy or the law, there is a good chance there may be artifacts of that activity on the system (computer, tablet, phone, game console, etc�).
META information is the data in a file just after the header (first few bytes) and the meat of the file. Graphics, Office files, and a lot of other files have this META data. For example, a lot of graphics have an extra section of META called EXIF. This is usually inserted into pictures taken from a phone or a camera and some editing applications such as Photoshop. Midrange and higher cameras add serial numbers. Phones with location services can even add the GPS location when the picture was taken. This is prime intel for stalkers and undesirables. This is an example of why one should watch what they post online.
Some of the information that can be found:
- Browser history
- Email / Webmail
- Documents (PDFs, spreadsheets, videos, pictures, intellectual property, etc.)
- Physical locations (GPS)
- Programs (malware, hacker tools, pirated software, etc.)
- Basically anything to touch your hard drive.