Slashdot Mirror


What is the Scope of Computer Forensics?

Jety asks: "I do general-purpose tech support for a variety of individuals and small businesses. Today, one of my clients presented me with an interesting situation, which made me recommend that he get his own attorneys and computer forensics experts on the job. Above and beyond that, to satisfy my own curiosity and to have some insight to offer him in the meantime - I have some questions about the scope of what computer forensics can accomplish, for this I turn to the experts of Slashdot, which can be boiled down to one issue: What exactly can a good computer forensics guy pull off of a hard drive - particularly once it's gone on to be used for a full week after the incident in question?" "The sanitized details of my client's situation:

- Person A (my client) and Person B are business partners. Person A leaves the business, and before doing so copies a series of files to 5 CDs using Roxio under Windows XP.
- The computer continues to be used under normal circumstances for about a week.
- Person B confronts Person A, and Person A hands over the CDs to Person B.
- Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
- Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.

How detailed a record of file use does NTFS or WinXP keep? Can you really show what files were accessed during a one-hour time span seven days ago? Above and beyond the 'last modified' date? On a read/write/execute basis? Accessed by the system or by a user? Do commercial burning programs keep a record of burn jobs they've performed? Does the CD drive itself have any appreciable nonvolatile cache? Is there any other general insight applicable to this situation?"

45 comments

  1. Complicated Issue by morcego · · Score: 3, Interesting

    You want a simple answer to a complicated question.

    And the short answer is, unfortunately: "It is impossible to know".

    The data might be there. Then again, it might not be. Yes, it is possible to track many records and cross many small pieces of information. One could, for instance, detect that he burnt 6 CDs, not only 5. Or maybe he burnt 10. Maybe some files he accessed were not accessed since then. Maybe the machine clock changed, or some space with critical data was reused by the system.

    Your best bet is to hire the professional, and see what he can pull out. But remember that the forensics process might compromise the machine, so make certain you are hiring a good and respectable lab to do the job, and make sure they follow all the current standards.

    --
    morcego
    1. Re:Complicated Issue by j0nb0y · · Score: 1

      If the forensic expert is competent, it won't compromise the machine. I took a cool computer forensics class a few years ago. There's a physical device forensics experts connect to a hard drive through. I forget what it's called, but it physically blocks the write bits from the connector, so that it's impossible for the computer to write to the drive. I can't imagine any competent forensics expert would not use such a device.

      --
      If you had super powers, would you use them for good, or for awesome?
    2. Re:Complicated Issue by morcego · · Score: 1

      Unfortunately, it is not that simple. Just using those write-block devices might not be enough. The handling of the HD itself can not be done lightly (more than one HD has failed due to poor handling). The evidence collecting process has to be done right, with the right tools, otherwise it has no value.

      Just by using a write-blocker will not give you enough assurance he is a competent professional. I don't think that is what you said, but one can understand that this way.

      Make sure you do a good background check on the forensic lab you are hiring.

      --
      morcego
    3. Re:Complicated Issue by abulafia · · Score: 1
      Exactly. There is no single answer without looking at the specifics and performing an investigation.

      Some data points:

      • Properly configured, Windows >= NT will store file access times. Note that "access" will include things other than "opening a word document".
      • Law in this area is still evolving. The fact that the machine wasn't taken off line and left unused until an investigator dd'ed the disk and started poking doesn't necessarily mean "reasonable doubt", or if this is civil, "preponderance". OTOH, if someone wanted to dummy up evidence, technically it is entirely possible to have done so. I'm just pointing out that law doesn't work the way you think, unless you're trained to think like a lawyer, and also that IT law/"computer crime"/white collar crime are areas of substantial activity and change at the moment, particularly with regard to rules of evidence.
      • I have no idea if Roxio stores a log of activity. It wouldn't surprise me.
      • Never underestimate the power of correlation. For instance, does Roxio phone home to check for updates? The firewall log can establish a time of contact. If the machine contacts an ntp server, that's golden. Now, posit a time of an email being sent, or some meat-space contact that can be verified (or at least testified about). See how this works?
      Don't underestimate a determined researcher, unless you feel very lucky.
      --
      I forget what 8 was for.
  2. NTFS Access Time by FreshMeat-BWG · · Score: 3, Informative

    NTFS has a "last access time" attribute on each file and directory. It has limitations, is configurable, and isn't perfect, but this document outlines a number of issues about it. That, however, would not be the only way to determine if a file was accessed. Third party software could be involved such as a file system filter driver that logs activity, MRU lists could record access to the files, the CD burning software could generate a log of activity, temporary files could have been generated by opening the files which were stamped when the file was opened. There are a seemingly unlimited number of indirect ways to determine what a user has done during a certain period of time.

  3. The only sure way to delete a hard drive by ndansmith · · Score: 3, Interesting
    is to cast it into the heart of Mt. Doom.

    When a file is "deleted" in NTFS, that space is marked as free and the record of that file is still there. After that, it is sort of up to chance whether that space will be reused (or parts of that space - more likely). So odds are, after one week, assuming it is just Joe User's machine, a file will most likely still be at least partially accessible.

    The only way to be sure that a drive has no data is to "zero" it out (that is, assign a 0 to each and every bit on the drive). Still, I have heard that some forensic techs can detect the inertia of a bit's previous value - they can tell what was there before. I read a Slashdot comment somewhere today that mentioned that it takes multiple cycles of randomizing and zeroing out the bits on a hard drive to get the job done. Or you can just strap it into a cement chassis and drop it in the Hudson (is it OK to make two lame jokes about eliminating a hard drive in one post?).

    1. Re:The only sure way to delete a hard drive by gremlin_591002 · · Score: 1

      In 1985, the military standard for a hard drive wipe was 5 full writes. Why? Because that is the point where their experts could no longer pull data off the drive. I have no reason to believe that number has gone down.

    2. Re:The only sure way to delete a hard drive by morcego · · Score: 2, Informative

      Actually, 5-pass wipes are considered obsolete for highly classified data destruction. There are labs and equipment these days that can read the data as it was before the last 6 rewrites.

      ===WARNING, VERY INCOMPLETE AND SIMPLISTIC ANALYSIS===
      The point is that, magnetically speaking, we don't have 0's and 1's. Let's say that for a given data system, 0 is marked by -5 Magnetic Field Units, while 1 is marked by 5 Magnetic Field Units. Now, of course, the hardware itself is not digital (given number of isolated discrete states), but analog (infinite number of states). So, when we have a bit set to +5 MFUs, and we write 0 on that place, we won't have -5 MFUs but, let's say, -4.83 MFUs. Then, if I write 0 again, it will go to -4.87 MFUs. Then I write 1, and it goes to +3.7 MFUs, and another 0 takes it to -4.84 MFUs. As you can see, it is possible to extrapolate the old values.

      Of course MFU is not a real unit, and those values are not real. But the concept still applies. It is just simpler to explain this way, considering that many of the readers don't possess deep knowledge of the subject (no offense intended).

      --
      morcego
    3. Re:The only sure way to delete a hard drive by np_bernstein · · Score: 1

      that's /mostly/ true, but since hard drives are magnetic, each time you flip a bit (1->0 or 0->1) you lose a *tiiiiny* bit of magnetism. If you have the proper equipment you can still recover data from a "zeroed" hard drive. It used to be the US government agencies would require a disk be randomly zeroed 5 times before it could be discarded. Now they probably melt them.

      --
      RandomAndInteresting.com - defending the world from stupidity since 1979
    4. Re:The only sure way to delete a hard drive by j0nb0y · · Score: 2, Informative

      While true you can still get the data, you need an electron microscope, and it is a very expensive process. In the vast majority of cases, it is simply not worth it. If data has been zeroed out, it is safe from most forensic technicians, most of whom don't have the equipment and probably wouldn't bother even if they did.

      --
      If you had super powers, would you use them for good, or for awesome?
    5. Re:The only sure way to delete a hard drive by deranged+unix+nut · · Score: 1

      Going from memory (which is occasionally faulty):

      Current DoD standards call for 7 writes - several random with at least one of all zeros and at least one of all ones.

      Some research in the last year using electron microscopes suggests that to really make the data unreadable, 14 writes should be done.

      Despite both of these, modern (in excess of 20 GB) drives are using increasing levels of abstraction where without intimate knowledge of the drive firmware logic AND the full contents of the drive ROM AND the electron microscope/spin stand data, once it is wiped even one time you are relatively safe.

      Beyond the first wipe, if it is wiped with random data, I would hazard a guess that 99% of the forensics experts wouldn't be able to recover much beyond knowledge of the program that wiped the drive.

    6. Re:The only sure way to delete a hard drive by TheSHAD0W · · Score: 1

      Do you really need an electron microscope? I thought this recovery was performed by reading the analog data produced by the drive head and then analyzing the signal looking for the tiny shifts that are the palimpsests from prior writes. I suppose an electron microscope would give more data, and perhaps read back through more write cycles, but I don't think it'd be necessary if you only wanted to read back through one or perhaps two cycles.

    7. Re:The only sure way to delete a hard drive by Anonymous Coward · · Score: 0

      Utilities like PGP Disk will do the randomized overwrites you mentioned.

      Though naturally, Mt. Doom would work too :-)

    8. Re:The only sure way to delete a hard drive by The+Warlock · · Score: 1

      Just the same, I think the default for PGP is 24 passes, with a maximum of 32. And why not, if you've got the time on your hands? It never hurts to be on the safe side.

      --
      I've upped my standards, so up yours.
  4. Copied files by IceHead2 · · Score: 5, Insightful

    A side note, even if you can verify that the cd's he gave back contain all the data he took from the company computer. There is nothing to stop him from having made copies of those cd's when he got home.

    1. Re:Copied files by Red+Flayer · · Score: 1

      "There is nothing to stop him from having made copies of those cd's when he got home."

      Sure, but you can assume those files are compromised, and try to figure out how to minimize the effect. Not knowing what other files might have been compromised means that you have to treat the entire system as compromised.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. Plenty by linuxwrangler · · Score: 4, Interesting

    Way back in the day (early/mid 1980s) I did a job like this.

    Person A left company AA and started company BB then started taking customers. Attorney for AA got a court order allowing inspection of all magnetic media. Of course, by the time I was allowed access to the drive, several months had passed during which time "something had gone wrong with the computer" and "I think the repair shop had to format one of the drives". Yeah, right.

    In any case, they thought that a basic reformat of a DOS hard-disk removed all the data. As I started pulling off and saving directory-fragments and disk sectors which showed that they had illegally installed specialized and unusual software belonging to the former employer as well as lists of names of clients they made fundamental mistake #2 - they started blabbing "explanations" for the data I was recovering. As a former law-enforcement employee I simply listened attentively to their stories...and included the additional incriminating evidence in my report.

    Never even had to go to court and testify.

    Things are more complicated, today. You are right to get a computer forensic expert involved. Many of the disk-recovery services like Drivesavers provide forensic services in addition to data-recovery.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  6. Forensics Training by Anonymous Coward · · Score: 0

    Where does one learn to recover data forensically? Is there some kind of certification that one receives? How do you know whether you're dealing with a forensics "expert," or the common nerd trying to make a quick buck?

    1. Re:Forensics Training by CsiDano · · Score: 3, Interesting

      I learned all I know about computer forensics in college. It was a three year intense course that covered the actual forensics, note taking (important for presenting evidence later on), securing a crime scene and items, i.e. computers etc., from a crime scene, gathering forensically sound evidence, protocols in court (not everyone knows proper court etiquette or protocol), criminology, law, and networking, intrusion prevention and detection, risk management and disaster planning and recovery, operating systems and systems architecture. I attended the first college in Canada to offer such a course, and the college did a lot of field consulting with industry and continually adds to and refines the program. If you happen to be Canadian (or not but interested in studying in Canada) check out http://www.flemingc.on.ca/Full-time/ProgramDisplay.cfm?ProgramCode=CSI for more information. This program really leads to some good jobs that pay well and this sort of work is never going to disappear.

      --
      piss off
    2. Re:Forensics Training by deranged+unix+nut · · Score: 2, Interesting

      Several universities and community colleges have programs. I took a certificate program http://www.extension.washington.edu/ext/certificates/cpf/cpf_gen.asp/ which I highly recommend.

      Law Enforcement in some states will allow civilians to volunteer time assisting with some types of cases. You might be able to help a police officer and get training.

      Many of the forensics software vendors offer training. This is tool-specific and wouldn't emphasise the legal context as much.

      SANS also has a training program. I have reviewed a few of the materials and it gets very technically detailed, but it might be slightly lacking in the areas of working with lawyers and the legal process.

  7. Mostly none by default. by Anonymous Coward · · Score: 1, Informative

    Windows (I assume this is a Windows box with the NTFS filesystem) has auditing turned OFF by default. You need to A) turn on auditing and then B) set the "auditing bits" on the object(s) you want to modify [and C) read the security logs religiously]. Most of this is too complicated for the average user to set up (and interpret from the logs), so it almost never happens.

  8. You need a good NTFS tutorial... by stienman · · Score: 4, Insightful

    How detailed a record of file use does NTFS or WinXP keep?

    Pretty detailed. User account, time at a minimum.

    Can you really show what files were accessed during a one-hour time span seven days ago?

    Yes.

    Above and beyond the 'last modified' date?

    Yes.

    On a read/write/execute basis?

    In a roundabout fashion. I'm not as familiar with NTFS as I would need to be to give a good yes or no or yes with limitations. It keeps records of modification (write) and access (read) so the only unknown is whether one could tell if a file was merely read or executed. It is a journalling file system, so depending on how exactly it performs journalling, it may even be possible to find out which parts of a file were modified in the case of writes. This is less likely as journal records are, presumably, overwritten with new records over a short period of time.

    Accessed by the system or by a user?

    If I remember correctly, NTFS does record the date of creation, modification, and access with the user performing each action. Many "system" actions are performed in the user's name since, technically, the user is running the system program.

    Do commercial burning programs keep a record of burn jobs they've performed?

    Many programs do keep a short log of actions. They won't necessarily detail files involved, though. You'll be lucky if such a log tells you how much data was written to the disk in MB. This might actually be just as useful.

    Does the CD drive itself have any appreciable nonvolatile cache?

    No.

    Is there any other general insight applicable to this situation?

    Yes:

    Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.

    This points to a very simple search of all files modified, accessed, or created during that time period. Please note that this could indicate a virus scanner or system backup utility running in the backup as much as it indicates a cd writing program. Viruses can also exhibit this behavior. Try to find out how many files were accessed in the previous 24 hours before this particular hour, and the following 24 hours. It could be that every hour during that time had several thousand files uniquely accessed.

    Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.

    Quite frankly, if he needed 6 CDs to burn 50 word/excel files... well, let's just say that you should explain to him that you try to assume nothing so that you can have the best view of the facts.

    Also note that if data backups are made of the computer on a daily/weekly/regular basis, it may be that one can use those to show useful data about your client's use of the computer. An interesting tactic would be for your client's attorneys to request a detailed log of computer use for the week previous and the week following the incident to establish a pattern of use. Request all possible backups. Request... well, everything. The attorney will know what you mean.

    Lastly, keep in mind that your client has already 'confessed' - the only thing left to determine is not whether he is guilty, but how guilty. Chances are good that even if he didn't do more than he says he will have a hard time proving that he has fully complied.

    Lastly: Don't become personally involved, or emotionally invested. Your client will be, and he may even be pulling you into it without knowing it. Understand that anything you say to him may be used in any forthcoming legal case, and you may find yourself more involved than you desire to be.

    -Adam
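The "simple search of all files modified, accessed, or created during that time period", together with the suggestion to compare the incident hour against the surrounding days, can be put into a small script. The following is an added example, not code from the original thread or from any commenter; it builds a constructed directory tree with hand-set timestamps (the incident date, file names and counts are made up for the demonstration), then reports which files carry a timestamp inside a one-hour window and how many distinct files were touched in each clock hour. The third stat value is the NTFS creation time on Windows but the inode change time on Linux, which the comments in the code point out.

```python
import os
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone


def scan_timestamps(root):
    """Walk root and return (path, atime, mtime, ctime) per file as UTC datetimes.
    On NTFS the third value is the creation time; on Linux it is the inode
    change time, so label it accordingly in any report you produce."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # stat() reads metadata only; it does not touch atime
            rows.append((
                path,
                datetime.fromtimestamp(st.st_atime, timezone.utc),
                datetime.fromtimestamp(st.st_mtime, timezone.utc),
                datetime.fromtimestamp(st.st_ctime, timezone.utc),
            ))
    return rows


def touched_in_window(rows, start, end):
    """Files with any of the three timestamps inside [start, end)."""
    return [r for r in rows if any(start <= t < end for t in r[1:])]


def hourly_histogram(rows):
    """Number of distinct files touched in each clock hour. Comparing the
    incident hour with the surrounding days shows whether 'thousands of files'
    is unusual or just a scheduled scan or backup. Note that the ctime of every
    file created today lands in the current hour, which is itself a reminder
    that copying files onto a new disk rewrites metadata."""
    counts = Counter()
    for _path, *times in rows:
        for hour in {t.replace(minute=0, second=0, microsecond=0) for t in times}:
            counts[hour] += 1
    return counts


def build_sample_tree():
    """Constructed sample data, not taken from any real system: three documents
    touched during the incident hour, forty library files read by a nightly scan
    the day before, and one file untouched for a month."""
    root = tempfile.mkdtemp(prefix="atime_demo_")
    incident = datetime(2006, 1, 10, 14, 0, tzinfo=timezone.utc)  # made-up date

    def make(name, atime, mtime):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("constructed sample\n")
        # Set access and modification times explicitly to simulate history.
        os.utime(path, (atime.timestamp(), mtime.timestamp()))

    month_ago = incident - timedelta(days=30)
    for i in range(3):
        make(f"doc{i}.xls", incident + timedelta(minutes=5 * i), month_ago)
    scan = incident - timedelta(days=1)
    for i in range(40):
        make(f"lib{i}.dll", scan + timedelta(seconds=i), scan - timedelta(days=200))
    make("old.txt", month_ago, month_ago)
    return root, incident


def demo():
    """Scan the constructed tree. Returns the file names touched in the incident
    hour, that hour's file count, and the count for the same hour a day before."""
    root, incident = build_sample_tree()
    try:
        rows = scan_timestamps(root)
        hits = touched_in_window(rows, incident, incident + timedelta(hours=1))
        hist = hourly_histogram(rows)
        return (
            sorted(os.path.basename(r[0]) for r in hits),
            hist[incident],
            hist[incident - timedelta(days=1)],
        )
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    names, in_hour, day_before = demo()
    print("touched in incident hour:", names)
    print("files per hour: incident =", in_hour, " same hour a day before =", day_before)
```

Run against a read-only mounted image, never the live disk, and record the command and its output in the examination notes; on a real system the "day before" bucket is where a scheduled virus scan or backup shows up as a few thousand accesses of its own.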

  9. Pants on Fire by xactuary · · Score: 1

    If your client copied 50 'approximately 50 word/excel type files' then somebody should ask him why it took 5 CDs (and an hour) to do so.

    --
    Say hello to my little sig.
    1. Re:Pants on Fire by wed128 · · Score: 1

      Excel files can get pretty big when you have obscenely large tables of, say, customer data on them.

  10. Roxio logging? by NewmanBlur · · Score: 1

    You mentioned Person A copied the files using Roxio... I'm not terribly familiar with that program specifically, but if I were doing this the first thing I'd do is dig around Roxio, and see if it stores some record of the jobs it ran, and what files were included. That could save a lot of trouble.

    --
    Per ardua ad astra.
  11. I don't do this primarily, but... by abulafia · · Score: 1
    I learned it from years as a sysadmin, and having an interest in law, and a devious mind. As a sysadmin, you know how to preserve evidence (or a crash on a production system that you want to figure out). If you read law, you learn rules of evidence, evolving case law, and get a feel for what future cases require. Thinking about what people might do helps you find, well, what people might have done.

    As said, I'm not a pro - I do something else for a living. I have done forensics professionally, and we won (as plaintiffs). The most important thing I learned was to charge more. I'm not hiring myself out as an expert witness, nor advertising this, but clients who need it already trust me, and if you pay attention and know what you're doing, it is more process than 1337 sk111z.

    Note that knowing what you're doing involves legal knowledge, not just being a great sysadmin (not that I am one). As I said previously, unless you think like a lawyer, don't think that you understand how the legal system will work. (I don't, in either case, but have had instruction, and pay attention. And I discount that 'pay attention' part for anything other than discussion.)

    --
    I forget what 8 was for.
  12. Depends by dark404 · · Score: 1

    It depends a lot on the network setup. Was it part of a domain? Were the files on a file server? If the answer to these questions is yes, then the answer would be yes, with the right audit settings he can tell what files were accessed when. I do it all the time at work, we have serious problems with CAD drafters accidentally deleting folders and files from the server thinking it's their local drive. To solve that problem I log all file access on the file server, and have a program that runs at the end of the day and produces a list of files that were deleted and emails it to me to check the next morning.

    If it's a standalone XP machine, I doubt the file logging would be set up (it isn't on by default) to log successful file access events. As far as computer forensics, it's amazing what kind of information can be recovered, but that deals mostly with deleted files, obfuscated files, things hidden in graphics files, etc. A good computer forensics analysis is going to follow three steps: 1) make an image of the drive, 2) work only from the image, 3) record all steps used to find evidence so it can be reproduced along with why you chose to look at that specific file/sector/whatever (often important for law enforcement.) Check if Person B's expert did this.
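Comment 7 describes object auditing being switched on and the security log read, and comment 12 describes an end-of-day report built from those audit records. The following is an added example, not code from either commenter: it parses a constructed, simplified audit export (timestamp, account, process, object, access right; the accounts, paths and times are made up, and the CSV layout is an assumption chosen for the example rather than any vendor's export format) and answers two of the original questions from it, namely which objects a given account touched in a window and with which rights (read versus write versus delete), which other accounts such as the system or a backup job touched the same objects in that window, and which objects were deleted on a given day.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed sample records, not exported from any real system. Fields:
# time (UTC), account, process, object path, access right exercised.
SAMPLE_AUDIT = """\
2006-01-10T14:02:11Z,CORP\\userA,roxio.exe,\\\\fs1\\docs\\Q4 forecast.xls,ReadData
2006-01-10T14:02:12Z,CORP\\userA,roxio.exe,\\\\fs1\\docs\\clients.doc,ReadData
2006-01-10T14:30:00Z,CORP\\userA,explorer.exe,\\\\fs1\\docs\\notes.doc,WriteData
2006-01-10T15:10:40Z,CORP\\userA,explorer.exe,\\\\fs1\\docs\\notes.doc,DELETE
2006-01-10T14:05:00Z,NT AUTHORITY\\SYSTEM,avscan.exe,\\\\fs1\\docs\\clients.doc,ReadData
2006-01-09T23:00:00Z,CORP\\backup,ntbackup.exe,\\\\fs1\\docs\\Q4 forecast.xls,ReadData
"""


def parse_audit(text):
    """Turn the CSV export into a list of dicts with tz-aware UTC timestamps."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, account, process, obj, access = row
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account,
            "process": process,
            "object": obj,
            "access": access,
        })
    return records


def access_report(records, account, start, end):
    """Objects the account touched in [start, end), the rights it used on each,
    and the other accounts (system, backup, admins) that touched the same
    objects inside the window. The latter is the 'accessed by the system or by
    a user?' question: audit records carry the account, timestamps do not."""
    in_window = [r for r in records if start <= r["time"] < end]
    by_user = defaultdict(set)
    for r in in_window:
        if r["account"] == account:
            by_user[r["object"]].add(r["access"])
    others = defaultdict(set)
    for r in in_window:
        if r["object"] in by_user and r["account"] != account:
            others[r["object"]].add(r["account"])
    return {
        obj: {"rights": sorted(rights), "also_by": sorted(others[obj])}
        for obj, rights in by_user.items()
    }


def deletions_on(records, day):
    """The end-of-day deletion list: every DELETE recorded on the given date."""
    return sorted(
        (r["time"].isoformat(), r["account"], r["object"])
        for r in records
        if r["access"] == "DELETE" and r["time"].date() == day
    )


def demo():
    """Run both reports over the constructed sample for the incident hour."""
    records = parse_audit(SAMPLE_AUDIT)
    start = datetime(2006, 1, 10, 14, 0, tzinfo=timezone.utc)  # made-up incident hour
    report = access_report(records, "CORP\\userA", start, start + timedelta(hours=1))
    deleted = deletions_on(records, date(2006, 1, 10))
    return report, deleted


if __name__ == "__main__":
    report, deleted = demo()
    for obj, info in report.items():
        print(obj, info["rights"], "also by:", info["also_by"])
    print("deleted:", deleted)
```

The value of the audit trail over filesystem timestamps is visible in the sample: the same document read by the user and by the antivirus service in the same hour would leave one last-access time on disk, but two distinct audit records with different accounts and processes.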

  13. If these were important files... by Vorondil28 · · Score: 1

    If these were important files on an NTFS partition, the admin should have set a security audit object on them. Then all you have to do is hit the event log to see what was accessed and by whom. But from what I can tell, no such luck there.

    In that case, a reputable data recovery lab should be hired for this one. They can do some pretty extensive stuff, but don't be surprised if they come back to you with nothing. Nonetheless, I would think that's your best bet on this one.

    --
    This sig rocks the casbah.
  14. Chain of Custody and Preservation of evidence by deranged+unix+nut · · Score: 2, Insightful

    This is a mess. If at all possible, turn the computer off now, don't let anyone else touch it, and call a forensics expert before you contaminate this evidence any further.

    You mention that the drive has been used for a period of time since the original forensics expert examined it. That could be a problem.

    Ideally, the original forensics expert would have used a write blocking device (hardware) and carefully made a bit for bit (dd, encase, etc.) image of the drive.

    That image is evidence and should be made available to opposing counsel and their experts for examination.

    If an image was not obtained, you might have reason to question the completeness of the original investigation.

    In either case, I would make your own image as soon as possible. If you can't get a forensics person (please try to get a professional first), then boot from a knoppix or forensic linux boot disk and use DD to make a drive image and burn a copy of that image to CD. (This isn't perfect, but in this case the data has already been altered by a period of normal use and knoppix + dd are known quantities.)

    Just make detailed notes about everything that you do and everything that happened to the drive since it was last touched by the suspect. Include a list of everyone who is known to have accessed the system and everyone who could have accessed the system.

    Depending on the software used and the methods that the suspect used, there might be a lot of data and there might be just a few bits of data that could prove either case.

    If it really matters, hire someone who has been trained in computer forensics to examine your DD image. If you would like to provide a throwaway email address where we can reach you, I am sure that a few dozen slashdotters would be willing to send you our CVs and we can either discuss the case further or send you to a reputable expert in your area.

    On the other hand, if you are just curious, visit and load up the image in FTK. If you don't know what you are looking for, you could spend months searching for evidence. If you do know what you are looking for, you could easily spend a week just collecting all of the relevant evidence.

    Better yet, find a professional and leave the job to them. Ask a professional group like http://www.ctin.org/ for a reference. (Full Disclosure: I am a member of CTIN and I have studied computer forensics, but I am not yet a practitioner in the field so please call a professional before following the advice that you read on slashdot.)

    If you find a good person, they will tell you what they can and can't do and they will verify that they are qualified to do the examination before they take the case.

    1. Re:Chain of Custody and Preservation of evidence by deranged+unix+nut · · Score: 1

      Whoops, I forgot a link.
      FTK (Forensic Tool Kit) is made by Access Data.
      http://www.accessdata.com/
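The imaging and note-taking steps in comment 14 (bit-for-bit copy, then keep a record of what was done and when) can be shown in code. The following is an added example and not code from the commenter or from any forensic product: it reads a source device or file front to back in fixed chunks the way dd does, hashes the stream as it is read, re-hashes the finished image from disk, and writes both digests with timestamps and the examiner's name into a JSON custody note. Unreadable chunks are zero-filled and their offsets logged, which is what dd's conv=noerror,sync does. The source here is a constructed random file of about 3 MiB standing in for a disk; the examiner name is a placeholder. A software copy opened read-only is not a substitute for a hardware write blocker, since the operating system may still touch a disk it has recognised.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read, comparable to dd bs=1M


def sha256_of_file(path):
    """Hash a file from disk; used to re-verify the image after it was written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src, dst, examiner, note_path):
    """Copy src (block device or file) to dst chunk by chunk, hashing the data
    as it is read. A chunk the device refuses to read is replaced by zeros and
    its byte offset recorded (best effort, like dd conv=noerror,sync). The
    written image is hashed again from disk and both digests, the byte count,
    timestamps and the examiner go into a JSON custody note."""
    stream_hash = hashlib.sha256()
    bad_offsets = []
    copied = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            try:
                buf = fin.read(CHUNK)
            except OSError:
                bad_offsets.append(copied)
                buf = b"\x00" * CHUNK
                fin.seek(copied + CHUNK)  # skip past the unreadable region
            if not buf:
                break
            stream_hash.update(buf)
            fout.write(buf)
            copied += len(buf)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image is really on disk before hashing it
    note = {
        "examiner": examiner,
        "source": src,
        "image": dst,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "unreadable_offsets": bad_offsets,
        "source_sha256": stream_hash.hexdigest(),
        "image_sha256": sha256_of_file(dst),
    }
    note["verified"] = note["source_sha256"] == note["image_sha256"]
    with open(note_path, "w") as f:
        json.dump(note, f, indent=2)
    return note


def verify_image(path, expected_sha256):
    """Re-check an image later (e.g. before handing a copy to the other side)."""
    return sha256_of_file(path) == expected_sha256


def demo():
    """Image a constructed pseudo-device of 3 MiB + 123 bytes of random data."""
    work = tempfile.mkdtemp(prefix="image_demo_")
    try:
        src = os.path.join(work, "sample_device.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # constructed content, not a real disk
        image = os.path.join(work, "sample.dd")
        note = image_device(src, image, "EXAMINER NAME (placeholder)",
                            os.path.join(work, "custody.json"))
        note["recheck"] = verify_image(image, note["source_sha256"])
        return note
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    n = demo()
    print(json.dumps(n, indent=2))
```

The two digests matching is the check that the image is a faithful copy of what was read; the stream digest is also what a second examiner compares against when verifying a copy they were given, so it belongs in the written notes and not only in a file beside the image.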

  15. Atomic Force Microscopes by cl_everett · · Score: 1

    can pull even deleted files off with the greatest of ease. Hook one up to computer control, and you can recover data that's been overwritten multiple times. The hard drive electronics could be fried, and the heads gone, but if the platters are in shape, you're in business. That's why we have secure file shredder utilities: to overwrite the data so many times that the data is definitely gone.

  16. hypothetical indeed by way2trivial · · Score: 1

    let's say I search for
    "investment potential" as the TITLE of and WITHIN all .doc files on a PC

    if XP opens every file (all 3000 of them) then NTFS records me as opening all those files.

    guess what-- even if I only copy 50 of them, I've opened all of them.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  17. "Something" accessed 3000 files in one hour by dtfinch · · Score: 1

    I suspect most antivirus programs are mature enough to not update the last access time on all the files they read, and Windows probably won't falsely update them either, but there are a lot of other programs that will. A homebrew backup script might do it. Technically, it's up to the app to decide to update the access date, but many library functions will do it without the programmer specifying that they should. It seemed to always happen automatically with the programs I've written.

    If there's a pattern to the files that were accessed, like only folders containing important documents, then it'll look bad for him. They won't have better than an hour resolution on NTFS though, so there's no way for them to establish a timeline for when the files were accessed.

    They might not be able to prove if he was at his computer when the files were accessed.

    On a Windows network, any admin could have read the files during that time. They may have decided to back stuff up from that system because they knew it was the person's last day and bad things could happen to the data (disgruntled deletions and such) but they didn't have permission to simply lock them out of anything. This is a long shot though.

    Technically, it's possible that he didn't copy any more than he admitted to. So far the evidence against him is weak, and the chain of evidence has been broken by a week of use. The evidence (that 3000 files were accessed by something during that hour) is probably all correct unless someone had the desire and expertise to frame him, but the judge may still deem it inadmissible if you're lucky. Proper steps weren't taken to preserve evidence. I doubt my boss has taken any forensics courses, but when someone is fired, they'll occasionally have the ex-employee's computer unplugged and locked in a safe until they're satisfied that it won't be needed as evidence.

    Evidence they might look for against him:

    If Roxio keeps logs. They can get a partial list of files burned if Roxio creates the CD image on the hard disk before burning, which most burners support, but not many by default.

    They can check the dates on the CDs if they are all on or before the expected burning date. I sometimes see programs preserve the file times, but not the folder times, so that the folders show the date they were recreated, rather than the original date. If the CD's he returned are fabrications, and the folder dates prove it, it's not going to look very good for him in court.

    They can look for any files modified around the same time. If he dragged 3000 files into a giant zip file, possibly to fit them more easily onto CD, that'd be a dead giveaway that he was up to something.

    If they're lucky they can get a search warrant, and seize and examine the hard disk on his home computer or laptop. If files are there that aren't supposed to be, with creation dates after the CD's were burned, then he'd be in a bit of trouble.

    He's already in a bit of trouble for having copied anything at all. Proving he took a lot more is icing on the cake. You can't prove what he didn't copy (you're not expected to prove a negative anyways), and they probably can't prove with much certainty that he copied everything that they think he copied, but there is some amount of copying that they'll be able to prove. He copied at least the CD's he returned, unless he flip flops and argues he never burned or returned anything, but you've already told slashdot that he did.

  18. You think you might be a forensic professional? by dascandy · · Score: 1

    Lesson 1 in forensics: Secure the data carriers as read-only devices so you don't mess it up more than you already did. Common advice is to pull the plug (don't shut down properly) to make sure the shutdown process doesn't wreck anything.

    Lesson 2: Making sure the computer doesn't know what you did anymore requires using a method to destroy the physical hard disk. There is almost no software method secure enough to make it actually impossible. Try Mt Doom, a forge or a sledgehammer.

    Practical advice for your particular case: Make a full copy of the disk, making sure it isn't mounted by the OS as a coincidence (i.e.: don't use Windows, use Linux or a Unix only after making sure it doesn't mount it, etc.). Get a license of actual forensic software that can rip apart the system restore files (if pre-SP2 it's better since they store all link files to documents you use as well; if after, that's sorry, but you can still get a lot of information from it) and the IE logs. You also want the system logs plus a capable viewer and if possible, the registry. Also, get a full searchable and indexed list of all files on the disk plus the information stored with them in the form of access dates etc. Using NTFS is a small plus, since it keeps time in 100-nanosecond intervals (so, it's more like dependent on the accuracy of your system clock) as opposed to FAT(12/16/32) which uses 2-second intervals.

    If you need more help, please do ask.

  19. Ad hoc forensics by stew1 · · Score: 1

    A number of the comments here are more like a bar conversation regarding computer forensics than actual informed advice. Additionally, a number of the comments are wrong w.r.t. technical facts concerning NTFS.

    The first question is this: do the parties need to retain legal counsel? If A and B are shaking hands and good to go, great. If not, they need to retain counsel.

    If counsel is retained, then they need to work with their clients to find a reputable computer forensics expert. And that's all there is to it, really.

    But to answer your general question of, does computer forensics apply to this?, well, yes, definitely.

    cheers,

    Jon

  20. Above and Beyond by Curmudgeonlyoldbloke · · Score: 1

    I've mentioned this before here in this context, but it does sound like a near perfect-fit (only "near" because it is cheap rather than free and is Windows-only). Basically, keep all the things that you work on as items in a list (which can be imported from a text file). Each item has various attributes (such as project) and you can "focus in" on a particular set (e.g. project) to just work on that.

    Some things can be fixed to start at a certain time but the way that you work it's easier just to have everything floating and scheduled by priority. A log file is written describing when something was started and how long was spent. To work out how much time is spent on a project or subproject, just total it up.

    It's available from http://www.1soft.com/ - and other than being a customer many years ago, I'm in no way affiliated.

  21. Oops - wrong place - please mod down by Curmudgeonlyoldbloke · · Score: 1

    And yes, I did preview it first. Obvious while not awake, though

  22. Other programs can access files, too. by dangerweasel · · Score: 1

    Virus scanners, for instance, access files as they scan them. This could account for the large number of files accessed in such a short period of time. Also, Windows can "index" files "for faster searching." Could this also cause an access time or flag to be set?

    1. Re:Other programs can access files, too. by arkanes · · Score: 1

      The virus scanner and indexing service will normally be running under another account (SYSTEM, usually) so if this 3000 files number is from an audit log, it should be possible to screen out that activity. If it's from some indirect measure, maybe by analyzing the journals or something, it may not.

  23. Riiiight.. by sudog · · Score: 1

    There is no way to prove anything here, and therefore forensics will be a waste of time. The guy could've easily made another copy of the CDs during the time he had them in his possession. Therefore, there's no point in wasting time doing forensics on the drives in question.

  24. It's there but seldom enabled... by man_ls · · Score: 1

    Windows NT platforms support some amazingly granular access permissions, and permission-use auditing. Anything from changing the permissions of the audited object, to auditing mere access to it, stored in the audit's log in the Event Viewer.

    Trouble is, unless this was specifically enabled, it didn't record anything -- auditing is typically not done, since it's a performance hit (think double the number of system calls every time an audited object is hit) and it makes logfiles fill up very quickly.
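    Screening an object-access audit log the way the two comments above suggest (keep only the one-hour window, drop SYSTEM-account activity from a virus scanner or indexer, and split the remaining accesses by process) as an added example that is not part of this thread; the log lines and their pipe-separated layout are constructed for the example, and the account and process names are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a simplified object-access audit log; the pipe-separated
# layout (timestamp|account|process|object|access) is invented for this example
# and is not the Event Viewer's own format.
SAMPLE_LOG = """\
2005-03-01 14:02:11|NT AUTHORITY\\SYSTEM|avscan.exe|C:\\Docs\\a.doc|READ
2005-03-01 14:02:11|NT AUTHORITY\\SYSTEM|avscan.exe|C:\\Docs\\b.xls|READ
2005-03-01 14:05:40|CORP\\persona|explorer.exe|C:\\Docs\\a.doc|READ
2005-03-01 14:06:02|CORP\\persona|roxio.exe|C:\\Docs\\a.doc|READ
2005-03-01 14:07:15|CORP\\persona|roxio.exe|C:\\Docs\\b.xls|READ
2005-03-01 14:30:00|NT AUTHORITY\\SYSTEM|cisvc.exe|C:\\Docs\\c.doc|READ
2005-03-01 15:10:00|CORP\\persona|explorer.exe|C:\\Docs\\d.doc|READ
"""

# Accounts whose accesses are background noise (scanner, indexing service).
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

def parse_log(text):
    """Turn the constructed log text into (time, account, process, path, access) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, process, path, access = line.split("|")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        account, process, path, access))
    return records

def files_by_account(records, start, end, exclude=SERVICE_ACCOUNTS):
    """Distinct object paths touched per account inside [start, end],
    skipping service accounts so scanner/indexer activity is screened out."""
    seen = defaultdict(set)
    for ts, account, _process, path, _access in records:
        if start <= ts <= end and account not in exclude:
            seen[account].add(path)
    return {acct: sorted(paths) for acct, paths in seen.items()}

def files_by_process(records, start, end, account):
    """One account's accesses inside the window, broken down by process,
    which separates a burn job from ordinary Explorer browsing."""
    seen = defaultdict(set)
    for ts, acct, process, path, _access in records:
        if start <= ts <= end and acct == account:
            seen[process].add(path)
    return {proc: sorted(paths) for proc, paths in seen.items()}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    window = (datetime(2005, 3, 1, 14, 0), datetime(2005, 3, 1, 15, 0))
    print(files_by_account(recs, *window))
    print(files_by_process(recs, *window, "CORP\\persona"))
```

    Note that the screening only works if such a log exists at all; as the comment above says, object-access auditing is off by default, so with nothing enabled there is no record to filter.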

  25. Re:You need a good NTFS/Law tutorial... by ramsj900 · · Score: 1

    Lastly, keep in mind that your client has already 'confessed' - the only thing left to determine is not whether he is guilty, but how guilty.

    We haven't even ascertained who the files legally belonged to. If A & B are 'partners' I doubt that they had service agreements or non-compete/non-disclosure agreements executed, which would address the terms in the case of a termination or breach of such agreements. Even if they had No-Compete clauses executed, most are not enforceable unless specific compensation is exchanged as inducement to sign. Always best to give the signer of the NDA a $1000 bonus for doing so...sticks to him like mud after that.

    --

    Relax, aren't you lucky that it is only my Opinion?

  26. ENCASE - what it is, how it works, & more by Anonymous Coward · · Score: 0

    "What exactly can a good computer forensics guy pull off of a hard drive - particularly once it's gone on to be used for a full week after the incident in question?" - by topic starter

    Ever heard of "Encase"?

    First of all a WARNING - It's not a 'program for the masses' & from what I also heard tell of it?

    IF you are caught with it, & are NOT a legitimate user??

    Well, guess what -> You're going down/to jail, no questions asked, throw away the key.

    Side-Note -> Anyone who cares to correct me on THAT statement is free to comment & do so - it was what was told to me during a contract in which I ran & wiped over 800 computers (leased & being returned to the OEM, names will NOT be mentioned here for security's sake) using the tools I mention above!

    There, it was told to me that there was 1 tool that can bypass even Acronis DriveCleanser - the one I mention, Encase.

    (AND, I was warned about possessing it, period... a definite "no-no" that you will get fried on if you're not legit. Yes, they put the "fear of God" into me with that one!)

    So, anyhow....Well, if you haven't heard of ENCASE?

    Supposedly, it can nail back just about ANYTHING, after amazing time periods, even if the diskdrive in question has been passed thru a program for secure datawipes such as "Acronis DriveCleanser", (which I used on said job for a forensics job title, even though to me, it felt like "antiforensics" really) even after it's 4 pass method & used by someone afterwards!

    (E.G. -> Say the drive gets sent out again by the OEM after it was leased by a company for 1-2 years & then 'secure data wiped' by progs like the one I mention, which IS very good, @ least under a hex-editor (which it has one built-into it anyhow))..

    I have heard tell that 8 passes thru Acronis DriveCleanser, i.e.-> Running thru it 2x on that setting DOD (insert spec # here), makes even Encase have a hard time pulling back data...

    Thing is, the 4 pass run on a 40gb disk takes around 1 hour to run, & it's pretty much "linear" (2 hours for 80gb etc.) as you go upwards/larger in diskdrive capacity/size.

    Anyhow... that's what I've heard tell about it, from having collided with jobs of the nature of which you speak & I outlined above.

    For what it's worth? That's THE BEST TOOL for hauling back data there is, afaik, period... look into it!

    APK

    P.S.=> Maybe melting the disk is the best answer (& no, putting it between a phonebook & dropping it to crash the disk head is NOT enough), because time-constraints on using tools like Acronis Drive Cleanser go WAY up, the larger disks become, & to overcome/bypass tools like ENCASE working on it? You HAVE to run it 2x, @ its STRONGEST SETTING, to stymie encase... something to think about! Time constraints & tools used could set a project WAY over budget on secure datawipes, so is it worth literally melting the disk, or paying someone to come in & do a double-pass secure (high end) DOD wipe 2x to be able to say "this disk is TRULY securely wiped, even against ENCASE?"... apk

  27. Yes. Lots of NTFS Artifacts can be found by frank999_999 · · Score: 1

    Yes, it is "possible" for a computer forensics examiner to recover some of that information. The one thing to keep in mind about NTFS, is that there are lots of NTFS artifacts all over the computer that tracks everything you do. Sometimes, this information isn't recorded for the purpose of tracking, but it's just there. For example, I've found some screen shots of what was on the screen at one time thanks to memory being swapped to disk. Another good example: Windows XP has built-in spyware by default: http://www.itlabsonline.com/windowsxpspywarelab.ht ml/ Another good example: Windows XP records all thumbdrives ever plugged into your computer: http://www.itlabsonline.com/computerforensics-usb- lab1.html The one thing that's always possible is whether or not screen information made it to swapspace on disk.