Forensic Strategy: Vol 1 Issue 2

Forensic Strategy Newsletter fss at
Fri May 9 05:24:11 UTC 2003

The Forensic Strategy Data Recovery Newsletter          Vol. 1, Issue 2

-------- IN THIS ISSUE: -----------------------------------------------

     - COMPUTER FORENSICS 101: What evidence can be RECOVERED?

     - Items you can look forward to in future issues!

     - For more information on Forensic Strategy Services.


* COMPUTER FORENSICS 101: What evidence can be RECOVERED?
     By: Scott Moulton, Computer Forensic Specialist
         mailto:scott at

"What evidence can possibly be recovered that can help my client's 

Like other types of investigations, the answer will not be fully 
determined until after the data has been recovered and the findings are 
meticulously researched. The process involved to investigate a computer 
can be exceptionally time intensive. An average of seven hours is 
required before a basic assessment can be created.  The assessment will 
help establish if the computer contains valuable information that would 
justify additional resources. Because it is initially uncertain what 
evidence a computer contains, it is essential to qualify a particular 
computer before investing additional resources.

 "When is there a good possibility to recover useful data so that it is 
cost effective to involve a Computer Forensic Investigator?"

*   Qualifying a Computer for Forensic Recovery:
In practically every computer there is "deleted" data that can be 
recovered; however, the data recovered is not always relevant to the 
case. Typically, it is a judgment call which computers should be 
investigated when there is more than one computer involved. It helps to 
establish an order of priority for the computers to be recovered. Using 
this method, vital data would be revealed first which would eliminate 
wasting resources on less credible computers.  It is possible to 
predict and prioritize the best computers for recovery based on a 
series of questions.

Q: Did any person involved use the computer? Note that this could 
include receiving email or files from the party involved.

When a file or email is deleted it is not immediately removed from the 
hard drive. It still exists even though it can not be easily accessed. 
There is a section of the hard drive that is similar to a "Table of 
Contents" and when a file is deleted it is just removed from this 
"Table of Contents". The originally deleted file or email is left as 
dead space on the hard drive. Since the file exists on the hard drive, 
special tools that bypass the "Table of Contents" can search for files 
and potentially recover them. A file can be divided in to several 
pieces and exist in various locations on a hard drive. Because of this, 
it is possible that only part of a file might be recovered.  A vital 
component to a case might exist in one of those small pieces.

If the item that was deleted was an email, a different set of rules 
apply. An email, by its nature, exists in more than one place. There is 
always a From:(the sender) a To:(the recipient) and at least one server 
(the machines that processed the email). If there was CC:(carbon copy) 
or BCC:(blind carbon copy) addresses then more copies exist. An email 
has a greater potential to be recovered because an email is stored in a 
file similar to a database. Consequently, when an email is deleted it 
is removed from the "Table of Contents" of the database and not the 
hard drive itself. It is possible for the email to persist in a file or 
server for quite a long time after the email is "deleted" by a user. 
This includes Outlook Express, Outlook 2002, AOL, Exchange Server and 
several other types of email programs.

If email is read via a web browser (i.e. Hotmail) a copy of the email 
will usually exist in the Internet cache or temporary files on the hard 
drive of the computer it was viewed from.  There is an even greater 
probability that this might be recovered.

Q: How long has it been since files were deleted?

Because of the way files are left behind as dead space on the hard 
drive, as space is needed by different programs or web pages, the file 
pieces are gradually overwritten. The longer time that has transpired 
since the files were deleted the less probability that something can be 
recovered.  Although in some past instances data has been recovered 
dating back several years.

Q: How much has the computer been used since files were deleted?

Because files are overwritten gradually, the more the computer is used 
the more likely new files have overwritten older files erasing your 
valuable information. A computer writes files every time that a program 
is used (including internet accesses).  The Windows Operating System 
will overwrite certain files every time the system is powered on. These 
standard files are not very large but they account for a significant 
percentage of the destruction that occurs to recoverable files.  This 
is an excellent reason to stop using a computer as soon as it is 
learned that it is involved in a case until a Computer Forensic 
Specialist can examine it. If this computer is necessary for operations 
of the business the specialist can safely and effectively "clone" the 
hard drive to preserve the information.

If there is someone who can answer these questions there is a good 
chance of determining the usefulness of the computer in a case. This is 
not intended to be a final list of questions but is a common set to 
help determine the possibility that something useful might exist. In 
some cases the client might not be able to answer any of these 
questions and it is also often that the answers given are incorrect.

Even when there is no one to answer those questions, there is still a 
good possibility of recovering valuable evidence from the right 
computer, even when the files never existed on the computer.

Example #1:
To the surprise of the CEO of one company, five of its members of a 
branch office left overnight to start their own company. No notice was 
given and it wasn't until someone arrived at the office after no one 
answered the phone for hours that it was discovered they had departed 
to start a new company. Initially, there was no major concern except 
that the employees were gone. The CEO stated that nothing was taken but 
they wanted to review the hard drives for company security purposes. 
During a data recovery several printer spooler files were recovered. 
Since it is sometime a pattern of employees to bring floppy disks and 
print documents that never existed on the server, a spooler file can be 
very revealing.  In this case, the spooler indicated that it had 
printed to several high-end HP Color Laser Printers. During the 
recovery it was noted that the office had no HP Color Laser Printers. 
This was brought to the attention of the CEO and he claimed that it was 
not possible for the employees to purchase an asset that large as they 
have to have approval for purchases over $500.  After investigating, it 
was determined that the employees had used company funds to purchase 
equipment by each individual pooling their purchase below $500 into one 
large purchase together.

Often a case will involve someone that believes they are a "computer 
guru." They consciously attempt to delete incriminating evidence 
believing they knew what they were doing. Their egos make them believe 
that they know how to delete a file and that it is permanently 
unrecoverable and that they are safe. Many times they are mistaken.

Example #2:
In a divorce case, the husband was accused of having an affair. He was 
also chatting and emailing his girlfriend over the Internet. He also 
spent several hours a week on illicit adult web sites.  The wife 
described her husband as a very computer savvy person. She stated 
several times that he knew everything about a computer and that he 
always deleted everything. Because of this statement there was a great 
discussion about wasting time with a court order for the computer. 
After the computer was investigated, many incriminating items were 
recovered. There were chat logs, emails found in the Internet cache 
files, and dozens of revealing photos of the girlfriend. When 
questioned during depositions he was shocked at the printed material 
and declared that he had used a special program in his attempt to 
overwrite all the deleted files.

Share this email by forwarding to your colleagues!

If this was forwarded to you by a colleague and you'd like to
receive your own edition as soon as it is published, subscribe
by clicking here:



* Equipment used for forensic recovery of data
* Details of Forensic Data Gathering
* Profiling a person based on the content of their computer

==== CONTACT US ====


     To suggest a topic for a future issue or to send a comment to
     the editor email: mailto:comments at


     Forensic Strategy Services, LLC.
     601B Industrial Court
     Woodstock, Georgia 30189
     ph: 770.926.5588
     fax: 770.926.7089

     mailto:scott at


For a quick UNSUBSCRIBE Click Here:
mailto:fss at
or - Send an e-mail to: fss at
with "unsubscribe" (no quotes) in the subject line.

Thank you for reading Forensic Strategy Data Recovery Newsletter.
Forensic Strategy Services, LLC. Copyright 2003

More information about the Discussion mailing list