*********************************************************************** The Forensic Strategy Data Recovery Newsletter Vol. 1, Issue 2 ***********************************************************************
-------- IN THIS ISSUE: -----------------------------------------------
COMMENTARY - COMPUTER FORENSICS 101: What evidence can be RECOVERED?
UPCOMING NEWSLETTER ISSUES - Items you can look forward to in future issues!
CONTACT US - For more information on Forensic Strategy Services.
-----------------------------------------------------------------------
* COMPUTER FORENSICS 101: What evidence can be RECOVERED? By: Scott Moulton, Computer Forensic Specialist mailto:scott@forensicstrategy.com
"What evidence can possibly be recovered that can help my client's case?"
Like other types of investigations, the answer will not be fully determined until after the data has been recovered and the findings are meticulously researched. The process involved to investigate a computer can be exceptionally time intensive. An average of seven hours is required before a basic assessment can be created. The assessment will help establish if the computer contains valuable information that would justify additional resources. Because it is initially uncertain what evidence a computer contains, it is essential to qualify a particular computer before investing additional resources.
"When is there a good possibility to recover useful data so that it is cost effective to involve a Computer Forensic Investigator?"
* Qualifying a Computer for Forensic Recovery: In practically every computer there is "deleted" data that can be recovered; however, the data recovered is not always relevant to the case. When more than one computer is involved, deciding which computers to investigate is typically a judgment call. It helps to establish an order of priority for the computers to be recovered. Using this method, vital data is revealed first, which avoids wasting resources on less promising computers. It is possible to predict and prioritize the best computers for recovery based on a series of questions.
Q: Did any person involved use the computer? Note that this could include receiving email or files from the party involved.
When a file or email is deleted it is not immediately removed from the hard drive. It still exists even though it cannot be easily accessed. There is a section of the hard drive that is similar to a "Table of Contents", and when a file is deleted it is only removed from this "Table of Contents". The deleted file or email itself is left behind as dead space on the hard drive. Since the file still exists on the hard drive, special tools that bypass the "Table of Contents" can search for files and potentially recover them. A file can be divided into several pieces that exist in various locations on a hard drive. Because of this, it is possible that only part of a file will be recovered. A vital component of a case might exist in one of those small pieces.
If the item that was deleted was an email, a different set of rules applies. An email, by its nature, exists in more than one place. There is always a From: (the sender), a To: (the recipient) and at least one server (the machines that processed the email). If there were CC: (carbon copy) or BCC: (blind carbon copy) addresses, then more copies exist. An email has a greater potential to be recovered because email is stored in a file similar to a database. Consequently, when an email is deleted it is removed from the "Table of Contents" of the database, not from the hard drive itself. It is possible for the email to persist in a file or on a server for quite a long time after the email is "deleted" by a user. This includes Outlook Express, Outlook 2002, AOL, Exchange Server and several other types of email programs.
If email is read via a web browser (e.g. Hotmail), a copy of the email will usually exist in the Internet cache or temporary files on the hard drive of the computer it was viewed from. There is an even greater probability that this can be recovered.
Q: How long has it been since files were deleted?
Because deleted files are left behind as dead space on the hard drive, the file pieces are gradually overwritten as space is needed by other programs or web pages. The more time that has passed since the files were deleted, the lower the probability that something can be recovered, although in some past instances data has been recovered dating back several years.
Q: How much has the computer been used since files were deleted?
Because files are overwritten gradually, the more the computer is used the more likely it is that new files have overwritten older files, erasing your valuable information. A computer writes files every time a program is used (including Internet access). The Windows operating system overwrites certain files every time the system is powered on. These standard files are not very large, but they account for a significant percentage of the destruction that occurs to recoverable files. This is an excellent reason to stop using a computer as soon as it is learned that it is involved in a case, until a Computer Forensic Specialist can examine it. If the computer is necessary for the operation of the business, the specialist can safely and effectively "clone" the hard drive to preserve the information.
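The recovery mechanism described in the answers above (bypassing the "Table of Contents", finding file pieces by their content, and getting only a partial file back when the tail has been overwritten) can be shown with a minimal signature-based carver. This is an added example, not a tool from Forensic Strategy Services; the "disk image" is constructed inline, and the carver only knows the JPEG start and end markers.

```python
# Added example (not from the newsletter): a minimal signature carver.
# It ignores any file-system directory ("Table of Contents") entirely and
# scans raw bytes for known header/footer markers, which is how a deleted
# file can be recovered after its directory entry is gone.

# Real JPEG markers: start-of-image (FF D8 FF ..) and end-of-image (FF D9).
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def carve_jpegs(image: bytes, max_size: int = 1 << 20):
    """Return a list of (offset, data, complete) for each JPEG-like run.

    complete is False when no EOI marker follows the header within
    max_size bytes: the tail was overwritten or sits in another fragment,
    so only part of the file comes back.
    """
    results = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Partial recovery: keep what is there, then keep scanning.
            results.append((start, image[start:start + max_size], False))
            pos = start + len(JPEG_SOI)
        else:
            results.append((start, image[start:end + len(JPEG_EOI)], True))
            pos = end + len(JPEG_EOI)
    return results


def build_sample_image() -> bytes:
    """Constructed raw image: a directory area followed by a data area.

    The directory no longer lists either photo, yet the bytes remain in
    the data area. The second photo's tail has been overwritten by a
    boot-time log write, the kind of routine write the newsletter warns
    about.
    """
    directory = b"TOC:report.doc,notes.txt\x00".ljust(64, b"\x00")
    intact = JPEG_SOI + b"\xe0JFIF intact photo payload" + JPEG_EOI
    clipped = JPEG_SOI + b"\xe0JFIF second photo payload, tail was"
    overwrite = b"[boot log] system started\n".ljust(48, b"\x00")
    return directory + intact + b"\x00" * 16 + clipped + overwrite


if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample_image()):
        status = "complete" if complete else "PARTIAL (tail overwritten)"
        print(f"offset {offset}: {len(data)} bytes, {status}")
```

A real carver adds more signatures and size limits, but the principle is the same: the directory entry is irrelevant, and a partial hit is still evidence.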
If there is someone who can answer these questions, there is a good chance of determining the usefulness of the computer in a case. This is not intended to be a final list of questions, but it is a common set that helps determine the possibility that something useful exists. In some cases the client is not able to answer any of these questions, and the answers given are often incorrect.
Even when there is no one to answer those questions, there is still a good possibility of recovering valuable evidence from the right computer, even when the files never existed on the computer.
Example #1: To the surprise of the CEO of one company, five members of a branch office left overnight to start their own company. No notice was given, and it wasn't until someone arrived at the office, after no one had answered the phone for hours, that it was discovered they had departed to start a new company. Initially there was no major concern except that the employees were gone. The CEO stated that nothing was taken, but they wanted to review the hard drives for company security purposes. During a data recovery, several printer spooler files were recovered. Since it is sometimes a pattern for employees to bring floppy disks and print documents that never existed on the server, a spooler file can be very revealing. In this case, the spooler indicated that it had printed to several high-end HP Color Laser Printers. During the recovery it was noted that the office had no HP Color Laser Printers. This was brought to the attention of the CEO, and he claimed that it was not possible for the employees to purchase an asset that large, as they had to have approval for purchases over $500. After investigating, it was determined that the employees had used company funds to purchase the equipment by each individual keeping their purchase below $500 and pooling them into one large purchase.
Often a case will involve someone who believes they are a "computer guru." They consciously attempt to delete incriminating evidence, believing they know what they are doing. Their egos make them believe that they know how to delete a file so that it is permanently unrecoverable, and that they are therefore safe. Many times they are mistaken.
Example #2: In a divorce case, the husband was accused of having an affair. He was also chatting and emailing his girlfriend over the Internet, and he spent several hours a week on illicit adult web sites. The wife described her husband as a very computer savvy person. She stated several times that he knew everything about computers and that he always deleted everything. Because of this statement there was a great deal of discussion about whether a court order for the computer would be a waste of time. After the computer was investigated, many incriminating items were recovered: chat logs, emails found in the Internet cache files, and dozens of revealing photos of the girlfriend. When questioned during depositions, he was shocked at the printed material and declared that he had used a special program in his attempt to overwrite all the deleted files.
Share this email by forwarding to your colleagues!
If this was forwarded to you by a colleague and you'd like to receive your own edition as soon as it is published, subscribe by clicking here: http://www.forensicstrategy.com/contacts.asp
-----------------------------------------------------------------------
==== UPCOMING NEWSLETTER ISSUES ====
* Equipment used for forensic recovery of data * Details of Forensic Data Gathering * Profiling a person based on the content of their computer
==== CONTACT US ====
* COMMENTS OR QUESTIONS ABOUT THIS NEWSLETTER:
To suggest a topic for a future issue or to send a comment to the editor email: mailto:comments@forensicstrategy.com
* WEBSITE: http://www.forensicstrategy.com
* MAILING ADDRESS/PHONE/FAX: Forensic Strategy Services, LLC. 601B Industrial Court Woodstock, Georgia 30189 ph: 770.926.5588 fax: 770.926.7089
* FOR PERMISSION TO REPRINT PLEASE CONTACT mailto:scott@forensicstrategy.com
-----------------------------------------------------------------------
For a quick UNSUBSCRIBE Click Here: mailto:fss@forensicstrategy.com?subject=unsubscribe or - Send an e-mail to: fss@forensicstrategy.com with "unsubscribe" (no quotes) in the subject line.
Thank you for reading Forensic Strategy Data Recovery Newsletter. __________________________________________________________ Forensic Strategy Services, LLC. Copyright 2003