Forensic Strategy: Vol 1 Issue 2
Forensic Strategy Newsletter
fss at forensicstrategy.com
Fri May 9 05:24:11 UTC 2003
***********************************************************************
The Forensic Strategy Data Recovery Newsletter Vol. 1, Issue 2
***********************************************************************
-------- IN THIS ISSUE: -----------------------------------------------
COMMENTARY
- COMPUTER FORENSICS 101: What evidence can be RECOVERED?
UPCOMING NEWSLETTER ISSUES
- Items you can look forward to in future issues!
CONTACT US
- For more information on Forensic Strategy Services.
-----------------------------------------------------------------------
* COMPUTER FORENSICS 101: What evidence can be RECOVERED?
By: Scott Moulton, Computer Forensic Specialist
mailto:scott at forensicstrategy.com
"What evidence can possibly be recovered that can help my client's
case?"
Like other types of investigations, the answer will not be fully
determined until after the data has been recovered and the findings are
meticulously researched. The process involved to investigate a computer
can be exceptionally time intensive. An average of seven hours is
required before a basic assessment can be created. The assessment will
help establish if the computer contains valuable information that would
justify additional resources. Because it is initially uncertain what
evidence a computer contains, it is essential to qualify a particular
computer before investing additional resources.
"When is there a good possibility to recover useful data so that it is
cost effective to involve a Computer Forensic Investigator?"
* Qualifying a Computer for Forensic Recovery:
In practically every computer there is "deleted" data that can be
recovered; however, the data recovered is not always relevant to the
case. Typically, it is a judgment call which computers should be
investigated when there is more than one computer involved. It helps to
establish an order of priority for the computers to be recovered. Using
this method, vital data would be revealed first which would eliminate
wasting resources on less credible computers. It is possible to
predict and prioritize the best computers for recovery based on a
series of questions.
Q: Did any person involved use the computer? Note that this could
include receiving email or files from the party involved.
When a file or email is deleted it is not immediately removed from the
hard drive. It still exists even though it can not be easily accessed.
There is a section of the hard drive that is similar to a "Table of
Contents" and when a file is deleted it is just removed from this
"Table of Contents". The originally deleted file or email is left as
dead space on the hard drive. Since the file exists on the hard drive,
special tools that bypass the "Table of Contents" can search for files
and potentially recover them. A file can be divided in to several
pieces and exist in various locations on a hard drive. Because of this,
it is possible that only part of a file might be recovered. A vital
component to a case might exist in one of those small pieces.
If the item that was deleted was an email, a different set of rules
apply. An email, by its nature, exists in more than one place. There is
always a From:(the sender) a To:(the recipient) and at least one server
(the machines that processed the email). If there was CC:(carbon copy)
or BCC:(blind carbon copy) addresses then more copies exist. An email
has a greater potential to be recovered because an email is stored in a
file similar to a database. Consequently, when an email is deleted it
is removed from the "Table of Contents" of the database and not the
hard drive itself. It is possible for the email to persist in a file or
server for quite a long time after the email is "deleted" by a user.
This includes Outlook Express, Outlook 2002, AOL, Exchange Server and
several other types of email programs.
If email is read via a web browser (i.e. Hotmail) a copy of the email
will usually exist in the Internet cache or temporary files on the hard
drive of the computer it was viewed from. There is an even greater
probability that this might be recovered.
Q: How long has it been since files were deleted?
Because of the way files are left behind as dead space on the hard
drive, as space is needed by different programs or web pages, the file
pieces are gradually overwritten. The longer time that has transpired
since the files were deleted the less probability that something can be
recovered. Although in some past instances data has been recovered
dating back several years.
Q: How much has the computer been used since files were deleted?
Because files are overwritten gradually, the more the computer is used
the more likely new files have overwritten older files erasing your
valuable information. A computer writes files every time that a program
is used (including internet accesses). The Windows Operating System
will overwrite certain files every time the system is powered on. These
standard files are not very large but they account for a significant
percentage of the destruction that occurs to recoverable files. This
is an excellent reason to stop using a computer as soon as it is
learned that it is involved in a case until a Computer Forensic
Specialist can examine it. If this computer is necessary for operations
of the business the specialist can safely and effectively "clone" the
hard drive to preserve the information.
If there is someone who can answer these questions there is a good
chance of determining the usefulness of the computer in a case. This is
not intended to be a final list of questions but is a common set to
help determine the possibility that something useful might exist. In
some cases the client might not be able to answer any of these
questions and it is also often that the answers given are incorrect.
Even when there is no one to answer those questions, there is still a
good possibility of recovering valuable evidence from the right
computer, even when the files never existed on the computer.
Example #1:
To the surprise of the CEO of one company, five of its members of a
branch office left overnight to start their own company. No notice was
given and it wasn't until someone arrived at the office after no one
answered the phone for hours that it was discovered they had departed
to start a new company. Initially, there was no major concern except
that the employees were gone. The CEO stated that nothing was taken but
they wanted to review the hard drives for company security purposes.
During a data recovery several printer spooler files were recovered.
Since it is sometime a pattern of employees to bring floppy disks and
print documents that never existed on the server, a spooler file can be
very revealing. In this case, the spooler indicated that it had
printed to several high-end HP Color Laser Printers. During the
recovery it was noted that the office had no HP Color Laser Printers.
This was brought to the attention of the CEO and he claimed that it was
not possible for the employees to purchase an asset that large as they
have to have approval for purchases over $500. After investigating, it
was determined that the employees had used company funds to purchase
equipment by each individual pooling their purchase below $500 into one
large purchase together.
Often a case will involve someone that believes they are a "computer
guru." They consciously attempt to delete incriminating evidence
believing they knew what they were doing. Their egos make them believe
that they know how to delete a file and that it is permanently
unrecoverable and that they are safe. Many times they are mistaken.
Example #2:
In a divorce case, the husband was accused of having an affair. He was
also chatting and emailing his girlfriend over the Internet. He also
spent several hours a week on illicit adult web sites. The wife
described her husband as a very computer savvy person. She stated
several times that he knew everything about a computer and that he
always deleted everything. Because of this statement there was a great
discussion about wasting time with a court order for the computer.
After the computer was investigated, many incriminating items were
recovered. There were chat logs, emails found in the Internet cache
files, and dozens of revealing photos of the girlfriend. When
questioned during depositions he was shocked at the printed material
and declared that he had used a special program in his attempt to
overwrite all the deleted files.
Share this email by forwarding to your colleagues!
If this was forwarded to you by a colleague and you'd like to
receive your own edition as soon as it is published, subscribe
by clicking here: http://www.forensicstrategy.com/contacts.asp
-----------------------------------------------------------------------
==== UPCOMING NEWSLETTER ISSUES ====
* Equipment used for forensic recovery of data
* Details of Forensic Data Gathering
* Profiling a person based on the content of their computer
==== CONTACT US ====
* COMMENTS OR QUESTIONS ABOUT THIS NEWSLETTER:
To suggest a topic for a future issue or to send a comment to
the editor email: mailto:comments at forensicstrategy.com
* WEBSITE: http://www.forensicstrategy.com
* MAILING ADDRESS/PHONE/FAX:
Forensic Strategy Services, LLC.
601B Industrial Court
Woodstock, Georgia 30189
ph: 770.926.5588
fax: 770.926.7089
* FOR PERMISSION TO REPRINT PLEASE CONTACT
mailto:scott at forensicstrategy.com
-----------------------------------------------------------------------
For a quick UNSUBSCRIBE Click Here:
mailto:fss at forensicstrategy.com?subject=unsubscribe
or - Send an e-mail to: fss at forensicstrategy.com
with "unsubscribe" (no quotes) in the subject line.
Thank you for reading Forensic Strategy Data Recovery Newsletter.
__________________________________________________________
Forensic Strategy Services, LLC. Copyright 2003
More information about the Discussion
mailing list