When it comes to finding digital evidence, it is hard to find a better source than a disk drive. Whether it is a hard disk drive (HDD) in a desktop or the solid state storage (SSD or flash) in a laptop, iPad or tablet, the drive holds a wealth of information about the people using the computer or device, most of the time without them realizing it.
Browsing the internet, communicating with friends, colleagues or someone more nefarious, shopping online, doing research, connecting to the office network or looking at pornographic websites: each of these leaves digital fingerprints that can be recovered, analyzed and combined to reveal a wealth of information.
It is easy to see why the hard drive tells the secrets of a user's travels, interests, deeds and interactions. Unless the user takes extraordinary steps to cover their digital tracks (and even then, traces usually survive somewhere), MPGonline can often recover information after the user has deleted it.
The reason hard disk drive forensics uncovers so many secrets has mainly to do with how operating systems work and how they use resources like the disk drive to keep users connected, create files and documents, and surf the Internet.
Below are the types of computer/disk forensics we can perform:
Deleted Files and Data, an eDiscovery Goldmine
When a user creates a file on a computer, the information in the file is written to a physical location on the hard disk drive, often even if the user never saves it (auto-save and crash-recovery copies are covered below). The location and the file name are then recorded in what is basically a table of contents on the disk that tells the operating system (and through it the user and applications) where the file is located on the drive, how large it is and what its name is.
Simply put, when the user deletes a file, the "table of contents" (in Windows the FAT tables or the NTFS Master File Table; on a Mac the HFS or HFS+ catalog, or APFS on current systems) is updated to mark the space where the file's contents live as available and ready for use. At this point the file is no longer displayed to the user or to applications, and the system is free to reuse the space as needed. However, even though the file is no longer seen by the typical user, its contents still exist on the disk until something overwrites them, and a hard disk drive forensics expert can recover them, either by reading the directory entry that still points at the data or by carving the free space for known file signatures.
But there is a caveat. The longer you wait to get MPGonline involved, the better the chance that the critical evidence you seek is overwritten by regular system usage, and that could cost you plenty, like a successful resolution to your case. Solid state drives make this worse: with TRIM enabled, the drive may erase freed blocks on its own within minutes of a deletion, so deleted data on an SSD is far less likely to survive than on a spinning disk.
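The example below is an added illustration, not MPGonline's tooling or a real file system. It builds a toy disk image with a directory table and a data area (the entry layout is an assumption made for readability), "deletes" a file the way FAT and NTFS do by changing only the directory entry, then shows the three things the paragraph describes: the operating system no longer lists the file, the deleted entry still points at intact data, and a signature carver finds the content without using the directory at all. Writing a new file over the freed sectors then destroys the carved result, which is the overwrite risk the caveat warns about. The sample PDF and JPEG bytes are constructed.

```python
"""Toy disk image with a directory table and a data area, to show why deleted
content survives until it is overwritten. This is a constructed illustration,
not a real file system; the entry layout below is an assumption."""
import struct

SECTOR = 64                     # tiny sectors keep the image readable
N_SECTORS = 32
DIR_ENTRIES = 4
ENTRY_FMT = "<8sBHH"            # name, flags (bit 0 = in use), start sector, length in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
# sector 0 holds the directory ("table of contents"); data lives in sectors 1..N-1

# header/footer signatures a carver searches for when the directory no longer helps
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# constructed sample files (not real documents)
SAMPLE_PDF = b"%PDF-1.4 constructed draft contract, never signed %%EOF"
SAMPLE_JPG = b"\xff\xd8\xff\xe0 constructed jpeg payload \xff\xd9"

def new_image():
    return bytearray(SECTOR * N_SECTORS)

def _entries(img):
    for i in range(DIR_ENTRIES):
        name, flags, start, length = struct.unpack_from(ENTRY_FMT, img, i * ENTRY_SIZE)
        yield i, name.rstrip(b"\0").decode(), flags, start, length

def _free_sectors(img):
    used = set()
    for _, _, flags, start, length in _entries(img):
        if flags & 1:
            used.update(range(start, start + -(-length // SECTOR)))
    return [s for s in range(1, N_SECTORS) if s not in used]

def write_file(img, name, data):
    """First-fit allocation of a contiguous run of free sectors."""
    need = -(-len(data) // SECTOR)
    free = _free_sectors(img)
    for i in range(len(free) - need + 1):
        run = free[i:i + need]
        if run == list(range(run[0], run[0] + need)):
            break
    else:
        raise OSError("disk full")
    for idx, _, flags, _, _ in _entries(img):
        if not flags & 1:
            struct.pack_into(ENTRY_FMT, img, idx * ENTRY_SIZE,
                             name.encode().ljust(8, b"\0"), 1, run[0], len(data))
            break
    else:
        raise OSError("directory full")
    img[run[0] * SECTOR:run[0] * SECTOR + len(data)] = data
    return run[0]

def delete_file(img, name):
    """Like FAT or NTFS: only the directory entry changes; the data sectors are untouched."""
    for idx, n, flags, start, length in _entries(img):
        if n == name and flags & 1:
            struct.pack_into(ENTRY_FMT, img, idx * ENTRY_SIZE,
                             name.encode().ljust(8, b"\0"), 0, start, length)
            return True
    return False

def list_files(img):
    """What the operating system shows: in-use entries only."""
    return [n for _, n, flags, _, _ in _entries(img) if flags & 1]

def recover_deleted(img):
    """Deleted entries still name their sectors, so the data can be read back directly."""
    return {n: bytes(img[start * SECTOR:start * SECTOR + length])
            for _, n, flags, start, length in _entries(img) if n and not flags & 1}

def carve(img):
    """Signature carving over the data area, ignoring the directory entirely."""
    found = []
    data = bytes(img[SECTOR:])
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := data.find(head, pos)) != -1:
            end = data.find(tail, start + len(head))
            if end == -1:
                break
            found.append((kind, data[start:end + len(tail)]))
            pos = end + len(tail)
    return found

def demo():
    img = new_image()
    write_file(img, "deal.pdf", SAMPLE_PDF)
    write_file(img, "photo", SAMPLE_JPG)
    delete_file(img, "deal.pdf")
    visible = list_files(img)                 # the OS shows only 'photo'
    undeleted = recover_deleted(img)          # but the entry still points at the PDF
    carved_before = carve(img)                # and carving finds both files
    write_file(img, "notes", b"x" * len(SAMPLE_PDF))   # reuse overwrites the freed sectors
    carved_after = carve(img)                 # the PDF is gone, only the JPEG remains
    return visible, undeleted, carved_before, carved_after
```

The carver is deliberately naive (first header to first footer); real tools also handle fragmented files and files without a fixed footer, but the principle that the data, not the directory, is what survives is the same.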
Internet History and Cache
Web browsers such as Internet Explorer, Firefox and Chrome keep a temporary storage area in memory and on disk that holds recently downloaded web pages along with their images, scripts and other resources. This storage is called the browser's cache. As you jump from page to page, serving a page from the cache lets the browser show it again without downloading it from the web a second time, which speeds up page loads and makes browsing more pleasant.
A skilled disk drive forensic expert can extract the pages cached by the web browser and reconstruct their content. If a user went to Yahoo Mail or Gmail, it may be possible to reconstruct messages composed on the system and messages received; where the webmail service stored mail locally for offline use (Google Gears, for example), entire inboxes, sent messages and other webmail content may be recoverable.
Internet history (also called browser history or web history) is the list of web pages visited. The browser stores this list in a database on the hard drive (Chrome's History file and Firefox's places.sqlite are both SQLite databases, for instance), which a skilled forensic expert, using specialized tools and training, can extract and turn into a timeline of sites visited. Even when a user clears their history or uses extreme methods like a file wiper, it is still often possible for MPGonline's experts to reconstruct a detailed timeline of websites visited on the subject computer, because copies of the same information survive elsewhere, such as in the page file, the hibernation file and Volume Shadow Copies on Windows.
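As an added example (not MPGonline's tooling), the code below builds the visit timeline described above from the two most common history stores. Both databases are constructed in memory with the table and column names Chrome's History file and Firefox's places.sqlite actually use, filled with made-up rows; the URLs and titles are invented. The part that catches people out is the timestamp: Chrome counts microseconds since 1601-01-01 UTC, Firefox microseconds since 1970-01-01 UTC, and both conversions are shown.

```python
"""Build a visit timeline from browser history databases. Constructed example:
both databases are created in memory with the table and column names that
Chrome's History file and Firefox's places.sqlite use, filled with made-up rows.
On a real system, copy the files out first; the browser keeps them locked and
journaled while it runs."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) timestamps count microseconds since 1601-01-01 UTC;
# Firefox (PRTime) counts microseconds since 1970-01-01 UTC.
_CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def chrome_time(us):
    return _CHROME_EPOCH + timedelta(microseconds=us)

def firefox_time(us):
    return _UNIX_EPOCH + timedelta(microseconds=us)

def chrome_visits(conn):
    # urls has one row per URL with its last_visit_time; visits has one row per visit
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url")
    return [(chrome_time(t), "chrome", url, title) for t, url, title in rows]

def firefox_visits(conn):
    rows = conn.execute(
        "SELECT h.visit_date, p.url, p.title FROM moz_historyvisits h "
        "JOIN moz_places p ON p.id = h.place_id")
    return [(firefox_time(t), "firefox", url, title) for t, url, title in rows]

def timeline(*sources):
    """Merge per-browser visit lists into one chronologically ordered list."""
    return sorted((e for s in sources for e in s), key=lambda e: e[0])

def constructed_chrome_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                           typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
        -- 13317004800000000 is 2023-01-01T00:00:00Z in Chrome's epoch
        INSERT INTO urls VALUES (1, 'https://mail.example.test/inbox', 'Inbox', 1, 1, 13317004800000000, 0);
        INSERT INTO urls VALUES (2, 'https://share.example.test/upload', 'Upload', 1, 0, 13317004890000000, 0);
        INSERT INTO visits VALUES (1, 1, 13317004800000000, 0, 805306368);
        INSERT INTO visits VALUES (2, 2, 13317004890000000, 1, 805306368);
    """)
    return conn

def constructed_firefox_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        -- 1672531230000000 is 2023-01-01T00:00:30Z in Firefox's epoch
        INSERT INTO moz_places VALUES (1, 'https://docs.example.test/policy', 'Policy', 1, 1672531230000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1672531230000000, 1);
    """)
    return conn

def demo_timeline():
    return timeline(chrome_visits(constructed_chrome_db()),
                    firefox_visits(constructed_firefox_db()))

if __name__ == "__main__":
    for ts, browser, url, title in demo_timeline():
        print(ts.isoformat(), browser, title, url)
```

The same two conversion functions apply to Chrome's cookies and downloads tables and to Firefox's cookies and form history, so one timeline can be built across all of them.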
Metadata Embedded in Documents
Metadata is often defined as data about data. For the digital forensic analyst it is a virtual (pun intended) gold mine. Many applications embed metadata in the files they create. Good examples are the Microsoft Office applications Word, Excel and PowerPoint, which record who created a document and on what system, how large it is, when it was created, last modified, last accessed and last printed, and (in the older binary .doc format) the last ten authors and the paths they saved to. This information can be used to reconstruct a document's history, show that it was printed, or reveal tampering. Office also stores tracked changes and comments directly inside the document, spreadsheet and presentation files.
When a skilled forensic analyst extracts metadata from files, it may be possible to learn a surprising amount about the history, validity and use of the documents. Microsoft Office is not the only source of embedded metadata; many software packages, including OpenOffice, WordPerfect and Adobe Acrobat, add it to their files. MPGonline can work wonders with metadata to help connect the dots in your case.
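The following is an added example, not MPGonline's tooling. Modern Office files (.docx, .xlsx, .pptx) are ZIP packages, and the metadata the paragraph describes lives in two XML parts, docProps/core.xml (author, last modified by, revision, created, modified, last printed) and docProps/app.xml (application, company, total editing time). The code reads both and then runs the consistency checks an analyst would apply before relying on the dates. The document is assembled in memory from a minimal package; the part names and namespaces are the real OOXML ones, while the people, company and dates are constructed.

```python
"""Pull authoring metadata out of an OOXML document (.docx/.xlsx/.pptx) and run
sanity checks on it. Constructed example: the document is assembled in memory
from a minimal package; part names and namespaces are the ones OOXML really
uses, the people, dates and company are made up."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {           # docProps/core.xml
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}
APP_FIELDS = {            # docProps/app.xml
    "application": "ep:Application",
    "company": "ep:Company",
    "edit_minutes": "ep:TotalTime",
}

def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None

def extract_metadata(blob):
    """Read the two property parts; an absent part simply yields no fields."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            meta.update({k: _text(root, p) for k, p in CORE_FIELDS.items()})
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            meta.update({k: _text(root, p) for k, p in APP_FIELDS.items()})
    return meta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ") if s else None

def consistency_flags(meta):
    """Checks an analyst runs before relying on the dates. A created date can be
    inherited from a template, so these flags are leads, not proof of tampering."""
    flags = []
    created, modified, printed = (_ts(meta.get(k)) for k in ("created", "modified", "last_printed"))
    if created and modified and modified < created:
        flags.append("modified precedes created")
    if created and printed and printed < created:
        flags.append("printed before created")
    if created and modified and meta.get("edit_minutes"):
        span = (modified - created).total_seconds() / 60
        if int(meta["edit_minutes"]) > span:       # more editing time than wall-clock time
            flags.append("edit time exceeds created-to-modified span")
    return flags

def build_constructed_docx(core_xml, app_xml):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder only; not a valid package
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()

SAMPLE_DOCX = build_constructed_docx(
    """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>a.lee</dc:creator>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2023-01-01T09:15:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-03T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-01-03T12:00:00Z</dcterms:modified>
</cp:coreProperties>""",
    """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <Company>Example Co (constructed)</Company>
  <TotalTime>600</TotalTime>
</Properties>""")

if __name__ == "__main__":
    m = extract_metadata(SAMPLE_DOCX)
    print(m, consistency_flags(m))
```

Tracked changes and comments are not in these parts; they sit in word/document.xml (w:ins, w:del) and word/comments.xml and can be read from the same ZIP in the same way.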
Application Cache and Temporary Files
Computers, in the most basic sense, have two types of storage: RAM, or volatile memory, and non-volatile storage such as the hard disk drive, SSD, USB drives and sticks, and for our purposes network attached storage (NAS), file shares, application servers (email, accounting systems, SharePoint, SkyDrive and the like), cloud storage and many other kinds. When a computer is used to access this storage, the user sees only a small part of what is happening in the background.
Many applications also create cache files and temporary files, which are further potential treasure troves of digital evidence once MPGonline's forensics experts are on the case. Microsoft Office (and Office-like products such as OpenOffice, WordPerfect, Works and even Google Apps) creates temporary files while a document is being edited. These hidden files serve the auto-save feature and crash recovery if the application or computer locks up, and can often be recovered by a knowledgeable disk drive forensics expert. They can contain the entire contents of a document that was created or edited on the system.
Even if a user deletes a file and tries to wipe it, copies of the documents, spreadsheets and other potentially valuable information may still exist. And not only the finished copy may be retrievable: intermediate edits to a document, file or email that the system auto-saved may also be recovered with the right touch. These are just a few examples of the many temporary files created by Office-type applications, and just as small a part of what MPGonline's forensics experts can find, reveal and acquire when put to the test.
Log Files and System Data
Microsoft Windows logs and tracks many user and system actions that a skilled digital forensic analyst can use to rebuild how a system was used. Examples include the software that was or is installed, external storage that was attached (the registry's USBSTOR keys and, where PnP auditing is enabled, Security event 6416), network connections to other systems, the users who logged on (Security events 4624 and 4634) and the files they created or opened (recent-file LNK shortcuts and jump lists).
Using this information, digital forensic analysts may be able to ascertain when devices were plugged into a system, whether files were copied, whether a user has other storage in use or connects to a device on the Internet where files are stored, not to mention webmail accounts and other locations and applications where even more important evidence may be stored. MPGonline analysts have the tools and skills to leverage system information that is often overlooked as a source of evidence.
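As an added example (not MPGonline's tooling), the code below does the correlation just described: it reads exported Windows Security log records, builds interactive logon sessions from events 4624 and 4634, and attaches each "new external device recognized" event (6416) to the session that was open at the time. The XML mimics the shape of exported Security records; the schema namespace and event IDs are real, while the users, logon IDs, device IDs and times are constructed. Two practical details are handled: Windows writes seven fractional digits in timestamps, which Python's strptime cannot parse directly, and 6416 is normally logged under SYSTEM rather than the logged-on user, so it must be tied to a user session by time rather than by logon ID.

```python
"""Correlate Windows Security events into logon sessions with the removable
devices attached during each one. Constructed example: the XML below mimics
exported Security log records (namespace and event IDs 4624, 4634 and 6416 are
real; users, logon IDs, device IDs and times are made up). Event 6416 only
exists when the "Audit PnP Activity" policy is enabled."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}     # console, RDP, cached console

def parse_time(s):
    """Windows writes 7 fractional digits; strptime takes at most 6, so truncate."""
    s = re.sub(r"\.(\d{6})\d*Z$", r".\1Z", s)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_events(xml_text):
    """Return (time, event_id, {Data Name: value}) tuples in chronological order."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        ts = parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        out.append((ts, eid, data))
    return sorted(out, key=lambda e: e[0])

def correlate(events):
    """Map LogonId -> session; device events with no open session go to orphans."""
    sessions, orphans = {}, []
    for ts, eid, d in events:
        if eid == 4624 and d.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            sessions[d["TargetLogonId"]] = {"user": d["TargetUserName"], "logon": ts,
                                            "logoff": None, "devices": []}
        elif eid == 4634 and d.get("TargetLogonId") in sessions:
            sessions[d["TargetLogonId"]]["logoff"] = ts
        elif eid == 6416:
            device = (ts, d.get("DeviceDescription"), d.get("DeviceId"))
            open_sessions = [s for s in sessions.values()
                             if s["logon"] <= ts and (s["logoff"] is None or ts <= s["logoff"])]
            for s in open_sessions:     # several users logged on is ambiguous; record against all
                s["devices"].append(device)
            if not open_sessions:
                orphans.append(device)
    return sessions, orphans

# constructed sample records; DeviceId values are not real hardware identifiers
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2023-01-05T08:01:10.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6416</EventID><TimeCreated SystemTime="2023-01-05T08:14:03.1234567Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceDescription">USB Mass Storage Device</Data>
    <Data Name="DeviceId">USB\VID_ABCD&amp;PID_1234\SERIAL0001</Data>
    <Data Name="ClassName">USB</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4634</EventID><TimeCreated SystemTime="2023-01-05T09:30:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetLogonId">0x3e7a1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6416</EventID><TimeCreated SystemTime="2023-01-05T10:02:45Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceDescription">USB Mass Storage Device</Data>
    <Data Name="DeviceId">USB\VID_ABCD&amp;PID_1234\SERIAL0002</Data>
  </EventData>
</Event>
</Events>"""

def demo():
    return correlate(parse_events(SAMPLE_EVENTS))

if __name__ == "__main__":
    sessions, orphans = demo()
    for logon_id, s in sessions.items():
        print(logon_id, s["user"], s["logon"], s["logoff"], [d[2] for d in s["devices"]])
    print("unattributed devices:", orphans)
```

The second device event falls after the logoff and is reported as unattributed rather than silently assigned; on a real system the USBSTOR registry key and the SetupAPI log would be the next places to look for who was present at that time.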
Give us a call at (678) 605-6640 or (256) 515-4055 or "Contact Us" today for more information.