Data remnants analysis of document files in Windows: Microsoft 365 as a case study

In the era of digitization, electronic evidence has become increasingly important for investigations and legal proceedings. However, traditional digital forensic technologies, such as recovery and carving, face limitations because of difficulties acquiring unallocated areas intact. Furthermore, artifacts and files previously used for tracing can be easily deleted manually or via anti-forensic tools, which hinders traceability. This paper presents a novel framework to overcome these limitations. This method facilitates a more precise and comprehensive tracing of residual files through data remnants analysis, a forensic approach that investigates traces of deleted or overwritten data. By systematically constructing a dataset based on user action, we identify and analyze all data remnants within the system, thereby revealing file traces. The results of a case study on Microsoft 365 demonstrate our proposed framework's superior efficacy and accuracy compared to existing methods. Our approach offers valuable insights into data remnants analysis and contributes to digital forensic investigations conducted on Windows systems.