During your computer forensic examination with different tools, both commercial and free or open source, you will face so-called false positives, especially if you are planning to use data carving techniques.

So why do we all face them? No, it's not bugs in your forensic software. The thing is, these false positives just match the criteria used by your piece of software to carve data from, for example, unallocated space of the hard drive or its forensic image.

You will most likely face false positives working with tools which support a large number of different apps, for example Magnet AXIOM. But you must understand, it's better to have a number of false positives than one false negative!

As you can see in the preceding figure, it's not difficult to identify such artifacts: they look messy and don't make any sense.

Anyway, you as a computer forensic examiner must analyze all of them thoroughly, because you can find valuable pieces of evidence even among false positives.