Analyzing System Storage

So far, the evidence that has been analyzed has come from the network or from the system's memory. Even though an incident's root cause may be ferreted out from these evidence sources, it is also important to understand how to obtain evidentiary material from a system's storage, whether that is removable storage such as USB devices or the larger connected disk drives. These containers hold a good deal of data that incident response analysts may leverage in determining root cause. It should be noted that this chapter can only scratch the surface, as entire volumes have been devoted to the depth of forensic evidence available. Rather, it is hoped that this chapter provides some concrete areas of focus, so that analysts gain a better sense of some of the tools that can be employed, as well as an understanding of some of the critical data that can be leveraged.
