[Repost] The Forensic Strategy Data Recovery Newsletter Vol

Source: ISTROOP

"What evidence can possibly be recovered that can help my client's case?"

Like other types of investigations, the answer is not fully known until the data has been recovered and the findings have been meticulously researched. Investigating a computer can be exceptionally time-intensive: an average of seven hours is required before even a basic assessment can be produced. That assessment establishes whether the computer contains valuable information that would justify additional resources. Because it is initially uncertain what evidence a computer holds, it is essential to qualify a particular computer before investing further resources in it.

"When is there a good possibility to recover useful data so that it is cost effective to involve a Computer Forensic Investigator?"

* Qualifying a Computer for Forensic Recovery: Practically every computer contains "deleted" data that can be recovered; however, the recovered data is not always relevant to the case. When more than one computer is involved, deciding which ones to investigate is typically a judgment call, and it helps to establish an order of priority for the computers to be examined. That way the vital data is revealed first, and resources are not wasted on less promising computers. The best candidates for recovery can be predicted and prioritized with a series of questions.

Q: Did any person involved use the computer? Note that this could include receiving email or files from the party involved.

When a file or email is deleted it is not immediately removed from the hard drive. It still exists even though it cannot be easily accessed. A section of the hard drive acts like a "Table of Contents" (on Windows, the FAT or the NTFS Master File Table), and deleting a file only removes its entry from that "Table of Contents"; the file's contents are left behind in what is now unallocated space. Because the data is still on the drive, special tools that bypass the "Table of Contents" and search the raw disk can locate such files and potentially recover them. A file can be divided into several pieces stored in different locations on the hard drive, so it is possible that only part of a file is recovered. A vital component of a case might exist in one of those small pieces.

If the item that was deleted was an email, a different set of rules applies. An email, by its nature, exists in more than one place. There is always a From: (the sender), a To: (the recipient) and at least one server (the machines that processed the email). If there were CC: (carbon copy) or BCC: (blind carbon copy) addresses, still more copies exist. An email also has a greater potential to be recovered because email is stored in a file that works much like a database. When an email is deleted it is removed from the "Table of Contents" of that database file, not from the hard drive itself, so the message can persist in the file or on the server for quite a long time after the user "deleted" it. This applies to Outlook Express, Outlook 2002, AOL, Exchange Server and several other email programs.

If email is read through a web browser (e.g. Hotmail), a copy of the message will usually exist in the Internet cache or temporary files on the hard drive of the computer it was viewed from, and the probability of recovering it is even higher.

Q: How long has it been since files were deleted?

Because deleted files are left behind as unallocated space on the hard drive, their pieces are gradually overwritten as other programs or web pages need space. The more time that has passed since the files were deleted, the lower the probability that something can be recovered, although in some past instances data has been recovered dating back several years.

Q: How much has the computer been used since files were deleted?

Because files are overwritten gradually, the more the computer is used, the more likely it is that new files have overwritten the older ones and erased your valuable information. A computer writes files every time a program is used (including Internet access). The Windows operating system overwrites certain files every time the system is powered on; these standard files are not very large, but they account for a significant percentage of the destruction of recoverable files. This is an excellent reason to stop using a computer as soon as it is learned that it is involved in a case, until a Computer Forensic Specialist can examine it. If the computer is necessary for the operation of the business, the specialist can safely and effectively "clone" (image) the hard drive to preserve the information, and the examination then proceeds on the copy.
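The two mechanisms described above (deletion removing only the "Table of Contents" entry, and continued use gradually overwriting the leftover data) are illustrated by the following toy model. This is an added example, not code from the original newsletter: the in-memory disk, its directory, the sample email and the boot.log file are all constructed for the illustration. A file is written and "deleted", a bit-for-bit image of the disk is taken and hashed, a signature carve of the raw image recovers the whole message although the directory no longer knows it, and after a new file reuses the freed sector only a fragment survives, which a plain keyword search over the image still finds. Real carvers and hex searches do the same job against an image of a real drive.

```python
import hashlib
import re

SECTOR = 512          # bytes per sector (the common real-world value)
DISK_SECTORS = 16     # toy 8 KiB "hard drive"

# Constructed sample message (not real data); 683 bytes, so it spans two sectors.
SAMPLE_EMAIL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: invoice 4471\r\n"
    b"\r\n"
    + b"Please approve purchase order 4471 before Friday.\r\n" * 12
)


class ToyDisk:
    """Toy flat filesystem. `raw` is the platter; `directory` plays the role of
    the newsletter's "Table of Contents" (the FAT or NTFS MFT on a real disk)."""

    def __init__(self):
        self.raw = bytearray(DISK_SECTORS * SECTOR)
        self.directory = {}                      # name -> list of sector numbers
        self.free = list(range(DISK_SECTORS))    # lowest free sector is used first

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR)         # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            # Only len(chunk) bytes are written: the rest of the last sector
            # (file slack) keeps whatever was there before.
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors
        return sectors

    def delete_file(self, name):
        """Deletion: the directory entry goes away and the sectors are marked
        free, but not a single data byte is touched."""
        sectors = self.directory.pop(name)
        self.free = sorted(self.free + sectors)
        return sectors

    def read_file(self, name):
        sectors = self.directory[name]           # KeyError once deleted
        return b"".join(bytes(self.raw[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)


def image_disk(disk):
    """Bit-for-bit copy of the device plus a hash: the examiner works on the
    image, and the hash proves the copy matches the original drive."""
    image = bytes(disk.raw)
    return image, hashlib.sha256(image).hexdigest()


EMAIL_HEADER = re.compile(rb"From: [^\r\n]+\r\nTo: [^\r\n]+\r\n")


def carve_emails(image):
    """Signature carving: scan the raw image for email headers, ignoring the
    directory entirely. A hit runs until the first NUL (unused space here)."""
    found = []
    for m in EMAIL_HEADER.finditer(image):
        end = image.find(b"\x00", m.start())
        found.append(image[m.start():end if end != -1 else len(image)])
    return found


def keyword_hits(image, keyword):
    """Plain keyword search over the raw image: still finds a fragment whose
    header sector has already been overwritten."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def run_scenario():
    disk = ToyDisk()
    disk.write_file("msg.eml", SAMPLE_EMAIL)
    disk.delete_file("msg.eml")

    try:                                         # gone from the "Table of Contents"...
        disk.read_file("msg.eml")
        readable = True
    except KeyError:
        readable = False

    image, digest = image_disk(disk)             # ...but still on the platter
    assert hashlib.sha256(image).hexdigest() == digest
    carved_before = carve_emails(image)

    # The computer keeps being used: a 320-byte log lands on the first freed
    # sector and destroys the header half of the deleted email.
    disk.write_file("boot.log", b"system started\r\n" * 20)
    image2, _ = image_disk(disk)
    carved_after = carve_emails(image2)
    fragment = keyword_hits(image2, b"purchase order 4471")

    return {
        "readable_after_delete": readable,               # False
        "carved_before_reuse": len(carved_before),       # 1
        "full_recovery": bool(carved_before) and carved_before[0] == SAMPLE_EMAIL,
        "carved_after_reuse": len(carved_after),         # 0: header sector gone
        "fragment_hits_after_reuse": len(fragment),      # 7 of the 12 body lines survive
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The surviving seven hits sit partly in the slack of the sector the new log file now occupies and partly in the second sector, which nothing has reused yet; that is exactly the "small piece" the newsletter warns may hold the vital component of a case, and why the drive should be imaged before anything else is written to it.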

If there is someone who can answer these questions, there is a good chance of determining the usefulness of the computer in a case. This is not intended to be a final list of questions, but it is a common set that helps determine the possibility that something useful might exist. In some cases the client cannot answer any of these questions, and the answers that are given are often incorrect.

Even when there is no one to answer those questions, there is still a good possibility of recovering valuable evidence from the right computer, even when the files never existed on the computer.

Example #1:
To the surprise of the CEO of one company, five employees of a branch office left overnight to start their own company. No notice was given, and it was not until someone arrived at the office, after no one had answered the phone for hours, that it was discovered they had departed to start a new company. Initially there was no major concern beyond the fact that the employees were gone. The CEO stated that nothing had been taken, but they wanted the hard drives reviewed for company security purposes. During the data recovery several printer spooler files were recovered. Since employees sometimes bring in floppy disks and print documents that never existed on the server, a spooler file can be very revealing. In this case, the spooler files indicated that they had printed to several high-end HP Color Laser Printers, yet it was noted during the recovery that the office had no HP Color Laser Printers. This was brought to the attention of the CEO, who claimed that it was not possible for the employees to have purchased an asset that large, since purchases over $500 required approval. After investigating, it was determined that the employees had used company funds to buy the equipment by each individual making a purchase below $500 and pooling them into one large purchase.

Often a case will involve someone who believes they are a "computer guru." They consciously attempt to delete incriminating evidence, believing they know what they are doing. Their egos make them believe that they know how to delete a file so that it is permanently unrecoverable and that they are safe. Many times they are mistaken.

Example #2:
In a divorce case, the husband was accused of having an affair. He had been chatting and emailing his girlfriend over the Internet, and he also spent several hours a week on illicit adult web sites. The wife described her husband as a very computer-savvy person; she stated several times that he knew everything about computers and that he always deleted everything. Because of this statement there was much discussion about whether a court order for the computer would be a waste of time. After the computer was investigated, many incriminating items were recovered: chat logs, emails found in the Internet cache files, and dozens of revealing photos of the girlfriend. When questioned during depositions he was shocked at the printed material and declared that he had used a special program in his attempt to overwrite all the deleted files.
