Forensic computer examinations are unlike ordinary data recovery efforts. They use strict controls and procedures to ensure that all existing data is found, that the original data is preserved unchanged, and that any recovered data is admissible in court or other legal proceedings. In practice this means imaging the hard disk, floppy disk, zip disk, or other storage medium bit for bit behind a write blocker, verifying the image against the original with a cryptographic hash, and performing all analysis on the copy, so that the forensic examiner finds every byte of data WITHOUT MAKING ANY CHANGES OR ALTERATIONS TO THE ORIGINAL.
Deleted data, disguised data, hidden data, and password-protected data can be retrieved in many instances. The forensic examiner recovers hidden files, system files, temporary files, history files, application log files, and many other kinds of files not readily accessible to the untrained user. The recovered data is carefully documented, catalogued, analyzed, and recorded in exhibits and reports which are presented to the client or the courts in compliance with the rules of evidence, both state and federal.
Cyberlab Computer Forensics, LLC endorses the forensic examination standards established by IACIS® (International Association of Computer Investigative Specialists, http://www.cops.org/forensic_examination_procedures.htm), and subscribes to the IACIS® Code of Ethics (http://www.cops.org/ethics.htm).
Here are some of the kinds of data of forensic significance in computer examinations.
Cookies. (Which Internet sites were visited on which dates and times).
Cookies are small text records that a website asks the browser to store on the computer while the user is browsing. They help establish a history of Internet activity: the sites visited, when they were visited, and often the identity the user was logged in as. A cookie is a name/value pair of at most about 4 kilobytes and frequently under 100 bytes. Most hold a session identifier, a user name, or site preferences; some poorly designed sites have stored e-mail addresses and even passwords in them. The values may be encoded or encrypted by the site that set them, but the cookie files themselves are plain text. They serve as digital confirmation that a computer logged onto or accessed a particular website. Internet Explorer also keeps a separate binary index.dat file in the Cookies folder that records each cookie with date and time stamps not easily manipulated by the computer's user. Forensic computer examinations extract such data and translate it into readable form. Some websites drop tracking cookies on a computer to follow one's surfing activity across the web.
Documents. (letters, memos, notes, spreadsheets, etc.).
Windows/Recent Files. ("Link Files").
When a person opens a document on a Windows computer, whether it was downloaded from the Internet or is stored on the hard drive, a CD-ROM, or a floppy disk, Windows keeps a tiny record of the activity in the form of a "link" or "shortcut" (.lnk) file in the Recent folder. The link file stores, in its binary header, the path to the place where the document is (or was) stored, the size of the target, and the target's creation, last access, and last modified times as they were when the link was created or last updated; the file system timestamps of the link file itself show when the document was first and most recently opened through the shell. Pressing the Start button and "Documents" shows a list of the most recent links, and clicking one of them takes one instantly to the linked document. Dozens, hundreds, or thousands of link files can exist on a computer, giving insight into the computer's past activity. "Windows/Recent" link files are very important to law enforcement and to forensic examiners because they generally show when specific documents (such as contraband images) were accessed, and from which volume, even after the documents themselves have been deleted.
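The following is an added example (not code from the original page or from Cyberlab) that decodes the fixed 76-byte header at the front of every .lnk file, following the published Shell Link (MS-SHLLINK) layout: header size, CLSID, link flags, file attributes, three FILETIME values for the target, target size, and a few display fields. The sample link header is constructed in the code; the timestamps and size in it are chosen for illustration.

```python
"""Parse the fixed 76-byte ShellLinkHeader that begins every Windows .lnk file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3
HEADER_FMT = "<I16sIIQQQIIIHHII"
assert struct.calcsize(HEADER_FMT) == LNK_HEADER_SIZE

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTE_DIRECTORY = 0x10


def filetime_to_datetime(ft):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_lnk_header(data):
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk_header(data):
    if not is_lnk_header(data):
        raise ValueError("not a Shell Link header")
    (_, _, flags, attrs, ctime, atime, wtime, size,
     _icon, show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        # These are the TARGET's timestamps as captured when the shortcut was
        # created or last updated by the shell, not the times the link was used.
        # When the .lnk itself was created or last written comes from the file
        # system entry of the .lnk file and must be collected separately.
        "target_creation": filetime_to_datetime(ctime),
        "target_access": filetime_to_datetime(atime),
        "target_write": filetime_to_datetime(wtime),
        "target_size": size,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "flags": sorted(name for bit, name in LINK_FLAGS.items() if flags & bit),
        "show_command": show_cmd,
    }


def build_lnk_header(creation, access, write, size, flags=0x03, attrs=0x20):
    """Constructed sample header (values chosen for illustration only)."""
    return struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, attrs,
                       datetime_to_filetime(creation), datetime_to_filetime(access),
                       datetime_to_filetime(write), size, 0, 1, 0, 0, 0, 0)


# Constructed sample: a shortcut to a 4096-byte file last written 2003-03-05 09:12 UTC
SAMPLE_LNK = build_lnk_header(
    creation=datetime(2003, 3, 1, 17, 45, tzinfo=timezone.utc),
    access=datetime(2003, 3, 5, 9, 12, tzinfo=timezone.utc),
    write=datetime(2003, 3, 5, 9, 12, tzinfo=timezone.utc),
    size=4096,
)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:20} {value}")
```

Run against a real file, the script reads the first 76 bytes of the .lnk; the target path itself lives in the LinkInfo and StringData structures that follow the header, which this example does not parse. Note the distinction made in the comments: the header records the target's timestamps, while the dates the link was made and last refreshed are the .lnk file's own file system times.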
MS (Internet Explorer) History and Netscape History.
Besides the Cookies folder, Internet Explorer also maintains a History folder recording Internet surfing activity. Its index.dat files hold the address of each page visited, the date and time of the visit, which files were downloaded, and similar details.
In Windows, the Temporary Internet Files folder, the History folder, and the Cookies folder each contain a file called index.dat. It is a binary database, not plain text, in which Internet Explorer keeps a record of every item in the folder. Because the file is held open by Windows Explorer and Internet Explorer, Windows will NOT let you delete it from a running session. Even if you delete the individual files in these folders, the index.dat file remains and still contains a record of the data you thought was deleted. The index.dat files can be deleted by booting to a DOS prompt or with special wiping software such as Evidence Eliminator, BC Wipe, Cyberscrub, etc.; the presence of such software, and any fragments of old index.dat files left in unallocated space, are themselves findings of interest to the examiner.
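As an added example of what "translating index.dat into readable language" involves (this is not the page's or Cyberlab's code), the following scans a buffer for index.dat URL records and prints the location and timestamps of each. The record layout used (the "URL " signature at +0, a length in 128-byte blocks at +4, and last-modified and last-accessed FILETIME values at +8 and +16) follows the published descriptions of the index.dat format; the location string is found by searching the record rather than trusting an offset field, so the same code works on partly overwritten records carved out of unallocated space. The sample index.dat bytes, the sanity window for timestamps, and the user name and addresses in them are constructed for the example.

```python
"""Carve URL records out of an Internet Explorer index.dat (or raw disk data)."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK_SIZE = 128          # index.dat records are allocated in 128-byte blocks
MAX_BLOCKS = 1024         # sanity limit; a larger count means a false "URL " hit
# Sanity window for timestamps (1970 to about 2040), chosen for this example
FT_1970 = 116444736000000000
FT_2040 = 138540000000000000
# Location strings as they appear in History, Cookies and cache index.dat files
LOCATION_RE = re.compile(rb"(?:Visited: |Cookie:|https?://|file://)[\x21-\x7e]+")


def filetime_to_datetime(ft):
    """FILETIME: 100-ns intervals since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def plausible(ft):
    return ft == 0 or FT_1970 <= ft <= FT_2040


def split_location(loc):
    """'Visited: alice@http://x/' -> ('Visited', 'alice', 'http://x/')."""
    kind, _, rest = loc.partition(":")
    user, sep, url = rest.lstrip().partition("@")
    if kind in ("Visited", "Cookie") and sep:
        return kind, user, url
    return "URL", None, loc


def carve_url_records(data):
    """Scan for 'URL ' records; each must have a sane length and sane times."""
    records = []
    pos = data.find(b"URL ")
    while pos != -1:
        if pos + 24 <= len(data):
            nblocks, modified, accessed = struct.unpack_from("<IQQ", data, pos + 4)
            if 0 < nblocks <= MAX_BLOCKS and plausible(modified) and plausible(accessed):
                record = data[pos:pos + nblocks * BLOCK_SIZE]
                match = LOCATION_RE.search(record, 24)
                if match:
                    kind, user, url = split_location(match.group().decode("ascii"))
                    records.append({
                        "offset": pos, "kind": kind, "user": user, "url": url,
                        "last_modified": filetime_to_datetime(modified),
                        "last_accessed": filetime_to_datetime(accessed),
                    })
        pos = data.find(b"URL ", pos + 4)
    return records


def build_record(location, modified, accessed, nblocks=2):
    """Constructed sample record: header fields filled, location string at +0x68."""
    rec = bytearray(nblocks * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<IQQ", rec, 4, nblocks,
                     datetime_to_filetime(modified), datetime_to_filetime(accessed))
    rec[0x68:0x68 + len(location) + 1] = location + b"\x00"
    return bytes(rec)


# Constructed sample index.dat: a header string, two records, and a decoy "URL "
# in free text so that the sanity checks are exercised.
SAMPLE_INDEX_DAT = (
    b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 100
    + build_record(b"Visited: alice@http://www.example.com/news.html",
                   datetime(2003, 3, 5, 9, 12, tzinfo=timezone.utc),
                   datetime(2003, 3, 5, 9, 14, tzinfo=timezone.utc))
    + b"free text that mentions a URL here and moves on ........"
    + build_record(b"Cookie:alice@example.com/",
                   datetime(2003, 3, 4, 20, 0, tzinfo=timezone.utc),
                   datetime(2003, 3, 5, 9, 12, tzinfo=timezone.utc))
    + b"\x00" * 64
)

if __name__ == "__main__":
    for rec in carve_url_records(SAMPLE_INDEX_DAT):
        print(rec["last_accessed"], rec["kind"], rec["user"], rec["url"])
```

Because the scanner keys on the signature and sanity-checks the length and timestamp fields, it can be pointed at a whole disk image as well as at an intact index.dat. One caveat when reporting the results: the daily and weekly History index.dat files have been documented as storing some timestamps in local time rather than UTC, so the times should be reconciled with the machine's time zone setting before they go into an exhibit.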
Internet Chat. (IRC, Instant Messenger, AOL, Yahoo, etc.).
Windows Temporary Internet Files.
Temporary Internet Files (C:\Windows\Temporary Internet Files on Windows 95/98, or under each user's Documents and Settings\<user>\Local Settings folder on Windows 2000/XP) are direct downloads from the Internet, usually pictures in Windows bitmap (bmp), JPEG (Joint Photographic Experts Group), GIF, or .art (America Online's extra-compressed) format, together with the html and htm files that make up each web page. Incoming Yahoo and Hotmail e-mail read through a web browser may also exist as files in the Temporary Internet Files folder, as will downloaded movies (mpeg and avi files) and Adobe PDF files.
Printer "spooler" files and "shadow" files. (Past printer activity).
Windows Temp files (C:\Windows\Temp) are temporary files created by Windows as various programs are running and different processes are taking place. They are often exact copies of files stored elsewhere on the computer. At other times they are exact duplicates of files which are waiting their turn to be processed by the computer.
For example, when a document is printed, the Windows print spooler writes the job to a spool file (.SPL, on Windows NT/2000/XP normally in enhanced metafile, EMF, format) and a matching "shadow" file (.SHD) holding the job details, in the spool directory (C:\Windows\spool\printers on Windows 95/98, %SystemRoot%\system32\spool\PRINTERS on NT/2000/XP). These are normally deleted once the job has printed, but EMF files (miniature pictures of the printed pages) and their remnants can often be found in the Temp directory, the spool directory, or unallocated space months after the printer was used. Many other kinds of files can be found in the Temp directory as well (e.g., automatic document recovery files).
E-mail and Attachments. (E-mail stored on the computer can generally be recovered regardless of client or file format, except where strong encryption has been used. Quite often, previously deleted e-mail can also be recovered.)
Recycle bin and INFO2 files.
The Recycle Bin folder (C:\Recycled on Windows 95/98; C:\Recycler on NT/2000/XP, with a subfolder per user) holds files that the user has "deleted" with an ordinary Windows delete. They are not really deleted: they are renamed and moved to a storage area hidden from normal browsing in Windows Explorer, and an index file named INFO2 in that folder records each file's original path, deletion date and time, and size. The files can be restored by the user until the Recycle Bin is "emptied." When it is emptied, the files and their INFO2 entries are discarded, or "orphaned," to unallocated space, where they remain until overwritten by new computer activity. Often in criminal or civil cases the suspect tries to delete files quickly, not realizing that they still exist in the Recycle Bin or that INFO2 still shows what was deleted and when.
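An added example (not the page's or Cyberlab's code) of reading the INFO2 index described above. The record layout follows the published descriptions of the Windows 2000/XP Recycle Bin format (Keith Jones' Recycle Bin paper and the rifiuti tool): a 16-byte header whose bytes 12 to 15 give the record size (800 on NT/2000/XP), followed by fixed-size records holding the original path in ASCII at +0 and in Unicode at +280, the record index at +260, the drive number at +264, the deletion FILETIME at +268 and the file size at +276. The sample INFO2 is constructed in the code, with the paths, times and sizes chosen for illustration.

```python
"""Decode a Windows 2000/XP Recycle Bin INFO2 index file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 16
RECORD_SIZE_XP = 800   # 280-byte ASCII record plus 520 bytes of Unicode path


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    record_size = struct.unpack_from("<I", data, 12)[0]
    entries = []
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        # ASCII path at +0 (260 bytes), then index, drive number, deletion time, size
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, deleted, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_path = ""
        if record_size >= 800:
            unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        path = unicode_path or ascii_path
        base = path.rsplit("\\", 1)[-1]
        ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
        entries.append({
            "index": index,
            "original_path": path,
            "deleted": filetime_to_datetime(deleted),
            "size": size,   # physical size as recorded (cluster-rounded on real systems)
            # Name the file carries inside the bin: D + drive letter + index + extension
            "recycled_name": "D%s%d%s" % (chr(ord("a") + drive), index, ext),
            # A zeroed first byte of the ASCII path marks a record whose file was
            # restored by the user; the Unicode copy of the path is left intact
            "restored": rec[0] == 0,
        })
    return entries


def build_info2(entries, record_size=RECORD_SIZE_XP):
    """Constructed sample INFO2 (version field 5 as on XP; header bytes 4-11 left zero)."""
    out = bytearray(HEADER_SIZE)
    struct.pack_into("<I", out, 0, 5)
    struct.pack_into("<I", out, 12, record_size)
    for index, (path, drive, deleted, size, restored) in enumerate(entries, start=1):
        rec = bytearray(record_size)
        rec[0:len(path)] = path.encode("latin-1")
        if restored:
            rec[0] = 0
        struct.pack_into("<IIQI", rec, 260, index, drive, datetime_to_filetime(deleted), size)
        rec[280:280 + 2 * len(path)] = path.encode("utf-16-le")
        out += rec
    return bytes(out)


# Constructed sample: one file still in the bin, one that was restored afterwards
SAMPLE_INFO2 = build_info2([
    (r"C:\Documents and Settings\alice\My Documents\letter.doc", 2,
     datetime(2003, 3, 5, 10, 30, tzinfo=timezone.utc), 24576, False),
    (r"C:\temp\photo.jpg", 2,
     datetime(2003, 3, 5, 10, 31, tzinfo=timezone.utc), 409600, True),
])

if __name__ == "__main__":
    for e in parse_info2(SAMPLE_INFO2):
        flag = " (restored)" if e["restored"] else ""
        print(e["deleted"], e["recycled_name"], e["size"], e["original_path"] + flag)
```

The recycled name (Dc1.doc for the first entry) is what the examiner will actually see in the C:\Recycler subfolder, so the index is what ties that file back to its original path and to the moment it was deleted. Earlier copies of INFO2 carved from unallocated space can be fed to the same parser to recover entries from before the bin was emptied.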
Windows Swap File and Paging File. (Windows swap file in Windows 95/98 and pagefile in Windows NT/2000/XP.)
Depending on the version of Windows, WIN386.SWP (Windows 95/98) or Pagefile.sys (NT/2000/XP) is the file Windows uses to hold pages of memory that do not fit in RAM, moving them out to disk and back as programs need them. This is "virtual memory": the computer operates as if it had more installed memory than it really does by using a portion of the hard disk as an overflow area. Because any application's memory may be written there, the swap file contains fragments of recent computer activity: documents of all kinds, graphic images, text typed into programs, and so on. On Windows 95/98 the swap file grows and shrinks while Windows is running; on NT/2000/XP the page file has an administrator-set minimum and maximum size (at most 4 gigabytes per page file on 32-bit systems) and is not wiped at shutdown unless the "clear virtual memory pagefile" security setting has been enabled. Data may therefore still exist in the swap file though totally expunged elsewhere on the computer, and older copies of the swap file may survive in unallocated space. The swap file is searched with carving and keyword-search ("data sniffing") software that extracts the different kinds of user files and strings contained inside the much larger file.
Zip files. (Compressed files).
Picture files. (JPEG, Bitmap, .art, EMF, PNG, TIFF, etc.).
Data from unallocated space.
Unallocated space consists of the disk clusters that the file system's allocation table currently marks as free and ready for use. The space is called unallocated because no active file or folder entry points to it, not because it is blank: whatever was written there before remains until the operating system assigns the cluster to a new file and overwrites it. Unallocated space is therefore the dumping ground of old data no longer required by the operating system, and it can contain a great deal of content that has been discarded or orphaned: deleted files, old swap file contents, earlier versions of index.dat, and the like. The unused tail of the last cluster of every live file ("slack space") holds similar remnants.
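The swap file passage and this one both come down to the same technique: pulling files and strings out of raw data that has no file system structure. The following is an added example (not the page's or Cyberlab's software) that carves JPEG images and searches for a keyword in a buffer standing in for a swap file or a run of unallocated clusters. It walks the JPEG marker segments from each FF D8 so that an EXIF thumbnail (a complete JPEG nested inside the APP1 segment, with its own FF D9) does not cut the carve short, which is the classic mistake of a "first FF D9 after FF D8" carver, and it searches for the keyword in both ASCII and UTF-16LE, the encoding most Windows strings in a swap file use. The sample "disk" contents, the size limit, and the JPEG-shaped byte strings (not decodable pictures) are constructed for the example.

```python
"""Carve JPEG images and keyword hits out of raw data (swap file, page file,
unallocated space)."""
import hashlib
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS_MARKER = 0xDA
MAX_JPEG = 16 * 1024 * 1024   # give up on candidates larger than this (assumption)


def jpeg_end(data, start, max_size=MAX_JPEG):
    """Offset just past the EOI of the JPEG whose SOI is at `start`, or None."""
    limit = min(len(data), start + max_size)
    pos = start + 2
    while pos + 4 <= limit:
        if data[pos] != 0xFF:
            return None                     # a marker was expected: not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
        elif marker == SOS_MARKER:
            # Entropy-coded data follows; inside it 0xFF is always stuffed as
            # FF 00 or is an RSTn marker, so the next FF D9 is the real EOI.
            eoi = data.find(EOI, pos + 2, limit)
            return None if eoi == -1 else eoi + 2
        elif 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                        # stand-alone markers carry no length
        elif marker == 0xD9:
            return None                     # EOI before any scan data: not an image
        else:
            seg_len = struct.unpack_from(">H", data, pos + 2)[0]
            if seg_len < 2:
                return None
            pos += 2 + seg_len              # skip the whole segment, thumbnail and all
    return None


def carve_jpegs(data):
    found, pos = [], data.find(SOI)
    while pos != -1:
        end = jpeg_end(data, pos)
        if end is None:
            pos = data.find(SOI, pos + 2)
            continue
        blob = data[pos:end]
        found.append({"offset": pos, "size": len(blob), "md5": hashlib.md5(blob).hexdigest()})
        pos = data.find(SOI, end)
    return found


def naive_jpeg_length(data, start):
    """What a 'first FF D9 after FF D8' carver would report, for comparison."""
    eoi = data.find(EOI, start + 2)
    return None if eoi == -1 else eoi + 2 - start


def keyword_hits(data, keyword):
    """Case-insensitive offsets of `keyword` encoded as ASCII and as UTF-16LE."""
    hay, hits = data.lower(), []            # bytes.lower() folds ASCII letters only
    for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
        needle, i = keyword.lower().encode(enc), 0
        while (i := hay.find(needle, i)) != -1:
            hits.append((i, label))
            i += 1
    return sorted(hits)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_thumbnail():
    """Constructed JPEG-shaped bytes standing in for an EXIF thumbnail."""
    return (SOI + _segment(0xDB, b"\x00" * 8) + _segment(SOS_MARKER, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x10\x20\x30" * 4 + EOI)


def build_sample_jpeg():
    """Constructed JPEG-shaped bytes: APP0, an APP1/EXIF segment that embeds the
    thumbnail above, tables, and a scan containing FF 00 stuffing."""
    exif = _segment(0xE1, b"Exif\x00\x00" + b"\x00" * 16 + build_sample_thumbnail())
    return (SOI + _segment(0xE0, b"JFIF\x00\x01\x01" + b"\x00" * 7) + exif
            + _segment(0xDB, b"\x00" * 65) + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
            + _segment(0xC4, b"\x00" * 20) + _segment(SOS_MARKER, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56\xff\x00\x78" * 20 + EOI)


SAMPLE_JPEG = build_sample_jpeg()
# Constructed stand-in for a chunk of swap file or unallocated space
SAMPLE_DISK = (b"\x00" * 40
               + b"Contact alice@example.com about the photo\x00"
               + b"stray \xff\xd8 bytes that are not an image"
               + SAMPLE_JPEG + b"\x00" * 16
               + "C:\\Documents and Settings\\Alice\\letter.doc".encode("utf-16-le")
               + b"\x00" * 8
               + SAMPLE_JPEG[:-30]           # truncated copy: its own EOI is gone, but
               + b"\x00" * 32)               # the nested thumbnail is still carvable

if __name__ == "__main__":
    for hit in carve_jpegs(SAMPLE_DISK):
        print("jpeg at %(offset)d, %(size)d bytes, md5 %(md5)s" % hit)
    print("keyword hits:", keyword_hits(SAMPLE_DISK, "alice"))
```

Two results from the sample are worth noting. The complete image is carved at its full length, whereas the naive approach would stop at the thumbnail's FF D9 inside the EXIF segment and produce a clipped file. The truncated copy at the end, whose own FF D9 has been overwritten, is rejected as a whole, but the thumbnail nested inside it is still recovered as a separate, valid JPEG; that is exactly the kind of partial recovery unallocated space yields. The MD5 recorded for each carved file is what goes into the exhibit so the item can be matched and verified later.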
Metadata. (Dates, times, and other information stored inside individual documents by such programs as MS Word, Excel, Lotus Notes, etc.).
Metadata provides a mini-history of the life of a particular document. There are as many kinds of metadata as there are document formats and programs: Word and Excel files, for example, carry the author, company, revision count, and last-printed and last-saved dates inside the file itself. System metadata is equally important: the file system records creation, modification, and access times for every file, and Windows stores other transactional information, such as the dates and times in the History index.dat files, in binary form rather than plain text. Much of this metadata can be extracted and assembled into a timeline of computer activity, which we present as a report that can be viewed with an Internet Explorer browser. Linux file systems and applications carry their own forms of metadata.
The settings and files within Windows/Desktop are of particular interest since they show (1) indications of user activity and (2) whether the user's conduct has caused or allowed the computer to be "trojaned." In some instances, for example, trojan horse "porndialer" icons have been placed on the suspect's computer by aggressive, predatory hacking or by a trojan/virus. At first glance such icons may appear to be the result of the computer user's willful choice; in some instances examination has shown that they were added contrary to the user's choice.
The above examples, though important, deal only with stand-alone computers running Windows operating systems. Where Linux or Macintosh computers are involved, there are just as many unique data types to be considered as those mentioned above. Nor do the above examples mention the live system state and activity data that is recovered from running networks in networked computer forensics using Linux and other utilities or programs. Even where Windows computers are concerned, the above examples do not deal with the Windows Registry, the master database that starts and runs Windows and makes the hardware and software work together correctly; it often contains crucial information that may require as much time for extraction and analysis as the topics above combined. Nor have we mentioned how different network configurations (such as diskless terminals) affect which data can be found on an individual computer as opposed to server storage and backup media, etc.