Nowadays, the great majority of legal cases involve a digital forensics component that, if properly uncovered and examined, has a great chance of helping your case. An examination can reveal a number of interesting things. The scope and cost of the analysis often depend on the nature of the case, so it is very important for the forensic examiner to have a clear understanding of what the case is about.
I often get asked questions like:
- What is forensics?
- How can computer forensics help my case?
- Why do we need a forensic image when we can have the IT guy create a copy of the hard drive?
Your legal team may already be asking some of these questions.
My goal with this article is to help you identify the 10 most common elements of a properly executed forensic strategy, and how each can positively impact the outcome of your legal cases.
So let’s go!
1. What is Computer Forensics or Digital Forensics?
Computer forensics (or digital forensics) is the science of recovering and investigating data found on electronic devices, usually in connection with crimes or corporate investigations. A forensic examination can be done on any of the following: computers, laptops, external hard drives, thumb drives, memory cards (such as the ones found in smartphones and digital cameras), CDs, DVDs, cell phones, tablets, and GPS systems. Basically, if it is digital and stores data, it can be examined.
2. Forensic Imaging
A forensic image, sometimes called a bit-by-bit copy, of the device being examined should be the first step taken before any examination or analysis begins. It is a read-only image of the entire hard drive or device: it includes all the files as well as the unallocated (unused) space of the drive. A forensic image is made using either a hardware duplicator or imaging software.
Sometimes, when encryption is involved (discussed under item 4), it may be necessary to take a “live forensic image.” A live image is a forensic image taken while the computer is still powered on and logged in by the user.
3. Forensic Copy
A “forensic copy” is used to collect and preserve active files. It is an exact, unaltered copy of the data, including the original file metadata. A forensic copy may be used, for example, to preserve the data in a user’s home share on a server or, now that cloud storage is so popular, to preserve the data in question from a cloud account.
The downside of a forensic copy is that it will not capture deleted files or information; it applies only to the active files, that is, the files you can see.
4. Encryption
Encryption is when data is converted into a format that cannot easily be accessed without some sort of password or key. This is something that is often overlooked. If encryption is being used, the examiner will need the key to decrypt the image.
If the key cannot be made available, it will be necessary to take a live forensic image, since the data is in decrypted form while the system is running and the user is logged in. Many companies and individuals use encryption as an added layer of protection on their devices.
While this is a great way to secure data, it adds a layer of difficulty for forensics if the type of encryption is not known and/or the key is not made available. Some popular encryption products include McAfee’s SafeBoot Encryption, Symantec’s Endpoint Encryption, and PGP Whole Disk Encryption. Windows and macOS both have built-in encryption options, which are not active by default but can be turned on: BitLocker (Windows) and FileVault (Apple).
5. Deleted Files vs Deleted Overwritten Files
The device or media being examined will likely contain deleted files. A forensic examination can produce a list of deleted files and of deleted files that have since been overwritten. Deleted files, for the most part, can be recovered in full.
When a file is deleted, the portion of the hard drive the file resided on is marked as free and becomes “unallocated space”; the file’s contents are not actually erased at that point. Once the operating system writes new data to that area, the file becomes overwritten. Deleted, overwritten files may not be fully recoverable.
The absence of deleted files on a device or hard drive being analyzed can be a sign of data wiping, operating system re-installation, or some other attempt to conceal data.
6. Unallocated Space
With every forensic image, there is an unused portion of the hard drive called “unallocated space.” Unallocated space can contain data or portions of files that have been deleted.
When the operating system reuses this space to write new data, the previous file is no longer available for recovery in full; however, a portion may still be available if the new data is smaller than the old. In other words, if a five-page document is deleted and then overwritten by a 3.5-page document, you may still be able to recover the 1.5-page difference from the original document. This recovery process is called “carving,” or “carving unallocated space.”
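Added example (not the article’s own code): a minimal signature carver run over a constructed block of unallocated space that plays out the scenario above, a deleted five-page document whose start is later overwritten by a 3.5-page one. It assumes PDF-style header and trailer signatures and an arbitrary 64-byte “page”.

```python
import re
from dataclasses import dataclass

PAGE = 64                              # bytes per "page" in this constructed format
HEADER = re.compile(rb"%PDF-\d\.\d")   # file signature a carver searches for
FOOTER = b"%%EOF"                      # trailer that marks the end of the file

@dataclass
class Carved:
    kind: str      # "complete" or "fragment"
    offset: int    # where in unallocated space it was found
    data: bytes

def make_doc(pages, fill):  # constructed stand-in for a PDF of `pages` pages
    return b"%PDF-1.4\n" + fill * int(pages * PAGE) + b"\n" + FOOTER

def build_unallocated():
    """Deleted five-page document, then a 3.5-page one written over its start."""
    space = bytearray(1024)                  # 1 KiB of zeroed unallocated space
    old = make_doc(5, b"A")
    space[100:100 + len(old)] = old          # file deleted: its bytes stay behind
    new = make_doc(3.5, b"B")
    space[100:100 + len(new)] = new          # OS reuses the start of that area
    return bytes(space), old, new

def carve(space):
    """Pair headers with footers; anything left over is a partial file."""
    found, pos = [], 0
    while pos < len(space):
        h = HEADER.search(space, pos)
        f = space.find(FOOTER, pos)
        if h is None and f < 0:
            break
        if h is None or 0 <= f < h.start():
            # Footer with no header in front of it: the surviving tail of a
            # file whose beginning was overwritten (the "1.5 page difference").
            end = f + len(FOOTER)
            found.append(Carved("fragment", pos, space[pos:end].lstrip(b"\0\n")))
        elif f < 0:
            # Header with no footer: the head of a file whose end is gone.
            end = len(space)
            found.append(Carved("fragment", h.start(), space[h.start():end].rstrip(b"\0")))
        else:
            end = f + len(FOOTER)
            found.append(Carved("complete", h.start(), space[h.start():end]))
        pos = end
    return found
```

Run on the constructed space, the carver returns the new document intact and roughly 1.4 pages of the old one as a fragment ending in its trailer; a real carver works the same way with JPEG, PDF, Office and other signatures.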
7. Link Files (.lnk)
Depending on the nature of the case, .lnk files may be of interest. A .lnk file is a shortcut file pointing to an application or a file. Its presence shows that the target file was present and/or accessed at some point on that system, even if the target no longer exists or has been deleted.
The shortcut is created by the operating system or the user and holds valuable information, such as:
- The original path or location of the file
- File metadata (creation, accessed, and modification dates)
- File size
- File location—whether on a network share, volume name, local drive, or external device such as a thumb drive or external drive
Which brings us to the next item, external devices.
8. External Devices
A forensic examination can reveal what external devices were connected to the computer or laptop in question. Basically, these records leave a breadcrumb trail to other devices which may have been missed and which may hold potential evidence.
For some devices, such as many external hard drives, the records include the make and model of the device. Some even show the device’s serial number, making it easier to request that specific device for further analysis.
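The fields listed under item 7 and the external-device trail described above both live in the fixed binary header of a shortcut, so here is an added example (not the article’s or any vendor’s code) that parses the ShellLinkHeader and LinkInfo block of the Windows .lnk format and reports timestamps, size, original path and the type of drive the target sat on. The shortcut it parses is constructed in build_lnk(); the path, volume label, serial number and dates are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIH10s"  # 76-byte ShellLinkHeader, little-endian
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote (network share)", 5: "cd-rom"}

def to_filetime(dt):  # UTC datetime -> 100 ns ticks since 1601, integer math
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def cstring(data, start):  # NUL-terminated ANSI string at the given offset
    return data[start:data.index(b"\0", start)].decode("cp1252")

def parse_lnk(data):  # timestamps, size and target location recorded in a .lnk blob
    _, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from(HEADER_FMT, data)[:8]
    if clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 76
    if flags & 0x01:  # HasLinkTargetIDList: skip the variable-size ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    info = {"created": from_filetime(ctime), "accessed": from_filetime(atime),
            "modified": from_filetime(wtime), "size": size}
    if flags & 0x02:  # HasLinkInfo: where the target lived when the link was made
        li_flags, vol_off, base_off = struct.unpack_from("<7I", data, off)[2:5]
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            drive_type, serial, label_off = struct.unpack_from("<4I", data, off + vol_off)[1:]
            info.update(path=cstring(data, off + base_off), volume_serial=f"{serial:08X}",
                        drive_type=DRIVE_TYPES.get(drive_type, f"type {drive_type}"),
                        volume_label=cstring(data, off + vol_off + label_off))
    return info

def build_lnk(path, drive_type, label, size, created, accessed, written):
    # Constructed sample shortcut (not a real capture): header + LinkInfo only
    vol = struct.pack("<4I", 17 + len(label), drive_type, 0x1234ABCD, 16) + label + b"\0"
    body = vol + path + b"\0\0"  # LocalBasePath, then an empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(path) + 1) + body
    header = struct.pack(HEADER_FMT, 76, LINK_CLSID, 0x02, 0x20, to_filetime(created),
                         to_filetime(accessed), to_filetime(written), size, 0, 1, 0, b"\0" * 10)
    return header + link_info

SAMPLE_LNK = build_lnk(b"E:\\Contracts\\Merger_Draft.docx", 2, b"USB_STICK", 48_640,
                       datetime(2019, 3, 4, 10, 15, tzinfo=timezone.utc),
                       datetime(2019, 3, 6, 8, 2, tzinfo=timezone.utc),
                       datetime(2019, 3, 5, 17, 40, tzinfo=timezone.utc))
```

parse_lnk(SAMPLE_LNK) shows the target on drive E:, a removable volume labelled USB_STICK, which is exactly the kind of lead that points the examiner at a thumb drive that was never handed over.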
9. Metadata
What is metadata? Metadata is data about data. For starters, it shows creation, accessed, and modified dates and times. Using specific tools, some documents can also show the author or creator of the data, the number of revisions it underwent, and the last time it was printed.
For pictures and images, it can reveal the device the picture was taken with, as well as the date, time, and location at which it was taken. For example, if you have an iPhone with location services enabled for the camera, every picture you take will hold the coordinates of where that picture was taken.
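Added example (not the article’s own code): the author, revision count and last-printed date described above are stored in plain XML inside a Word document, and this reads them. A .docx is a zip archive, and the reader opens its docProps/core.xml; the sample document is constructed in build_sample_docx() with made-up names and dates.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml of an Office Open XML document.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
# Property name -> element that stores it in core.xml.
FIELDS = {"author": "dc:creator", "last_saved_by": "cp:lastModifiedBy",
          "revisions": "cp:revision", "last_printed": "cp:lastPrinted",
          "created": "dcterms:created", "modified": "dcterms:modified"}

def core_properties(docx_bytes):
    """Return the core metadata of a .docx given its raw bytes (a .docx is a zip)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    # Missing elements (e.g. a document that was never printed) come back as None.
    return {name: getattr(root.find(tag, NS), "text", None) for name, tag in FIELDS.items()}

# Constructed sample core.xml; every value is made up for this example.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Merger Draft</dc:title><dc:creator>J. Doe</dc:creator>
<cp:lastModifiedBy>A. Smith</cp:lastModifiedBy><cp:revision>17</cp:revision>
<cp:lastPrinted>2019-03-05T16:02:00Z</cp:lastPrinted>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-02-11T09:30:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-03-05T17:40:00Z</dcterms:modified>
</cp:coreProperties>""".encode()

def build_sample_docx():
    """Minimal stand-in for a Word file: only the zip entries a metadata reader needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
    return buf.getvalue()
```

Note that these values are written by the editing application and can be edited or stripped, so an examiner treats them as leads to be corroborated against file-system timestamps rather than as proof on their own.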
10. What Does a Forensic Analysis Cost?
This is one of the questions I am asked most often. As mentioned above, computer forensics is a science, and a forensic analysis takes time. Ongoing training is a must in order to keep up with today’s technology. We understand this, but have found a better way for all lawyers, including small or solo firms, to use forensics in their cases.
We have seen rates from other digital forensics firms ranging from $190/hr to $365/hr. These rates can create limits and make it very difficult for small or solo firms to use this service. This is why my company, Detekted, has adopted a flat-fee forensic analysis policy: for a flat fee, we will complete your analysis. This reduces the surprise phone calls requesting approval for more time at an hourly rate.