What can we get from digital forensics?
This was originally posted on LinkedIn and on the Trace Digital Forensics blog on the old website. I'm reposting it here because I think the content is still valuable. If time permits, I will update this with a Part 2 focused on mobile devices.
I'm sometimes asked what we can find out through a computer forensic examination. Obviously, what is available will vary from case to case. The following list, while not exhaustive, contains many of the things we look for during a typical forensic examination.
Deleted files - In most circumstances, deleting a file means marking that file as deleted in the table of contents (or file table) for the disk or device. Neither the data or metadata are immediately overwritten. Once the file is marked as deleted, both the entry in the file table and the sections of the disk that contain the contents of the file can be reused by the operating system. The upshot of this is that we have a good chance of recovering a deleted file if we are able to access the computer/device before too much additional activity has taken place. This is a big reason why it's important to preserve evidence in a timely matter. Continuing to use a computer will permanently overwrite old files as new ones are created. Computers and other devices that may contain evidence should be secured and stored until a forensic examination can take place.
Email - For most organizations, it's probably best to archive/retain email at the mail server so that emails are retained according to the organization's interest or policies. If they are not retained, copies may be stored on employee workstations. A forensic examination will identify these and may be able to recover them even if they were deleted (see above) or if the user only used webmail (e.g. Gmail, Microsoft Live).. In a criminal investigation, it may be easier or quicker to recover the emails from a suspect's computer than from his service provider.
Internet History - Web browsers generate a lot of artifacts of interest to a forensic examiner including the browser history, temporary files stored by the browser, bookmarks, cookies, thumbnail images and site-specific settings. These can be used to prove that a user accessed a particular site or provide context to explain how the user got to that site (e.g. by identifying a relevant Google search immediately prior). These artifacts can often be recovered even if the user cleared his browser history or used Incognito/Private Browsing mode.
Keywords - Keywords searches are an important part of many forensic investigations. While more basic search tools are often limited to searching files for plain text, forensic software can search inside of more complex documents such as Microsoft Word or Excel, search unused areas of the hard drive, look inside archive files and search email boxes. This allows forensic examiners to cast a wide net in identifying relevant data. In an identity theft case, for example, the examiner might want to find evidence of particular SSN or account numbers on a computer, no matter what type of file they were stored in.
Images - Searching for JPEG or other image files is pretty straightforward for most computer savvy users. But, what if the files are deleted, stored in a ZIP or other archive file, or renamed to disguise their contents? Forensic software can search within archive files, identify files by their "signatures" even if they were renamed and recover deleted files (sorry to keep hitting that point).
Evidence of Knowledge/Access to Data - Have you noticed that some of the programs you use keep a list of your most recently opened files to make it easier for you to get back to them? Forensic software can access these most recently used (MRU) lists and other artifacts maintained by Windows or individual applications to provide evidence that a user accessed a file, folder or USB device and in some cases to provide a timeline for this access. This is often important in the workplace and in criminal investigations. And, it's another reason to use trained forensic examiners. Not only can these artifacts be missed, they can be inadvertently modified or overwritten by an untrained examiner.
Locate Particular Files/Contraband - Forensic examiners often use hash values (think of them as electronic fingerprints) to look for particular files even if they have been renamed. This is particular useful in copyright cases and in child pornography investigations. Law enforcement agencies share and maintain databases containing the hash values of known child pornography so that these files can be quickly identified without having to manually view every image on a computer.
Origination of Data - In copyright cases, an examiner can look at the artifacts associated with file sharing programs to determine whether a user originated a group or files or simply downloaded them from the network.
Databases - In cases such as embezzlement, important evidence may be contained in the databases used for the organization's ERP or other financial systems. An examiner can review activity on the database using logs and audit records to determine what has occurred and who is responsible. In complex cases, a forensic examiner can work in conjunction with with a forensic accountant or fraud examiner. In data breach cases, logs and audit records may be used to determine whether confidential data was accessed and, if so, which and how many records were affected. This can be important for limiting the scope of data breach notifications.
Originally posted to LinkedIn.