What is the Scope of Computer Forensics?
Jety asks: "I do general-purpose tech support for a variety of individuals and small businesses. Today, one of my clients presented me with an interesting situation, which made me recommend that he get his own attorneys and computer forensics experts on the job. Above and beyond that, to satisfy my own curiosity and to have some insight to offer him in the meantime - I have some question about the scope of what computer forensics can accomplish, for this I turn to the experts of Slashdot, which can be boiled down to one issue: What exactly can a good computer forensics guy pull off of a hard drive - particularly once it's gone on to be used for a full week after the incident in question?"
"The sanitized details of my client's situation:
- Person A (my client) and Person B are business partners. Person A leaves the business, and before doing so copies a series of files to 5 CDs using Roxio under Windows XP.
- The computer continues to be used under normal circumstances for about a week.
- Person B confronts Person A, and Person A hands over the CDs to Person B.
- Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
- Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.
How detailed a record of file use does NTFS or WinXP keep? Can you really show what files were accessed during a one-hour time span seven days ago? Above and beyond the 'last modified' date? On a read/write/execute basis? Accessed by the system or by a user? Do commercial burning programs keep a record of burn jobs they've performed? Does the CD drive itself have any appreciable nonvolatile cache? Is there any other general insight applicable to this situation?"
NTFS has a "last access time" attribute on each file and directory. It has limitations, is configurable, and isn't perfect, but this document outlines a number of issues about it. That, however, would not be the only way to determine if a file was accessed. Third party software could be involved such as a file system filter driver that logs activity, MRU lists could record access to the files, the CD burning software could generate a log of activity, temporary files could have been generated by opening the files which were stamped when the file was opened. There are a seemingly unlimited number of indirect ways to determine what a user has done during a certain period of time.
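To make the limitation in the question and the comment above concrete: NTFS stores only the most recent access time per file, so a week of normal use silently overwrites part of the evidence. This is an added toy example with constructed records (paths and dates are made up, not from the case); it queries a window of last-access stamps and then shows what survives after later use.

```python
"""Toy timeline query over NTFS-style timestamps (added example, constructed data)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Entry:
    path: str
    modified: datetime   # last write
    accessed: datetime   # last access only; NTFS keeps no history of earlier reads

# Constructed records: four files read during the burn hour, one read the day before.
# (Real XP boxes also defer last-access updates by up to an hour and can disable
# them entirely via NtfsDisableLastAccessUpdate, so absence of a stamp proves little.)
BURN_START = datetime(2006, 3, 1, 14, 0)
BURN_END = BURN_START + timedelta(hours=1)
RECORDS = [
    Entry("C:\\docs\\budget.xls", datetime(2006, 2, 20, 9, 0), BURN_START + timedelta(minutes=5)),
    Entry("C:\\docs\\contract.doc", datetime(2006, 1, 15, 11, 0), BURN_START + timedelta(minutes=12)),
    Entry("C:\\docs\\notes.doc", datetime(2006, 3, 1, 14, 30), BURN_START + timedelta(minutes=30)),
    Entry("C:\\docs\\plan.doc", datetime(2006, 2, 1, 8, 0), BURN_START + timedelta(minutes=40)),
    Entry("C:\\docs\\old.doc", datetime(2005, 12, 1, 8, 0), BURN_START - timedelta(days=1)),
]

def accessed_in(entries, start, end):
    """Paths whose surviving last-access stamp falls in [start, end)."""
    return sorted(e.path for e in entries if start <= e.accessed < end)

def read_not_written(entries, start, end):
    """Accessed in the window but not modified in it: consistent with a copy or read."""
    return sorted(e.path for e in entries
                  if start <= e.accessed < end and not (start <= e.modified < end))

def simulate_later_use(entries, paths, when):
    """Normal use after the incident overwrites the single last-access stamp."""
    return [replace(e, accessed=when) if e.path in paths else e for e in entries]

if __name__ == "__main__":
    print("in window (fresh image):", accessed_in(RECORDS, BURN_START, BURN_END))
    print("read, not written:", read_not_written(RECORDS, BURN_START, BURN_END))
    later = simulate_later_use(RECORDS, {"C:\\docs\\budget.xls", "C:\\docs\\plan.doc"},
                               BURN_START + timedelta(days=3))
    print("in window (after a week of use):", accessed_in(later, BURN_START, BURN_END))
```

The third query is the point: two of the four files read during the burn hour no longer show up, so a count of "files accessed in that hour" taken a week later is a lower bound on reads, while anything that did touch 3000 files (an indexer, a virus scan, the burning program enumerating a tree) would inflate it without a user opening a single document.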
Actually, 5-pass wipes are considered obsolete for highly classified data destruction. There are labs and equipment these days that can read the data as it was before the last 6 rewrites.
===WARNING, VERY INCOMPLETE AND SIMPLISTIC ANALYSIS===
The point is that, magnetically speaking, we don't have 0's and 1's. Let's say that for a given data system, 0 is marked by -5 Magnetic Field Units, while 1 is marked by 5 Magnetic Field Units. Now, of course, the hardware itself is not digital (given number of isolated discrete states), but analog (infinite number of states). So, when we have a bit set to +5 MFUs, and we write 0 on that place, we won't have -5 MFUs but, let's say, -4.83 MFUs. Then, if I write 0 again, it will go to -4.87 MFUs. Then I write 1, and it goes to +3.7 MFUs, and another 0 takes it to -4.84 MFUs. As you can see, it is possible to extrapolate the old values.
Of course MFU is not a real unit, and those values are not real. But the concept still applies. It is just simpler to explain this way, considering that many of the readers don't possess deep knowledge of the subject (no offense intended).
morcego
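The "analog remanence" argument in the post above, turned into a small simulation (added example, not from the post or any real drive model): each write lands near its target but keeps a fraction `BLEED` of the previous state, and the recovery step simply inverts that model. The bleed factor, the ±5 targets and the noise floor are constructed parameters chosen to make the arithmetic visible.

```python
"""Toy model of analog remanence on an overwritten bit (added example, constructed parameters)."""
BLEED = 0.04      # fraction of the old state that leaks into a new write (constructed)
HIGH, LOW = 5.0, -5.0   # ideal "1" and "0" levels in the post's made-up MFU units

def write_bit(cell: float, bit: int, bleed: float = BLEED) -> float:
    """New state is the target pulled slightly toward whatever was there before."""
    target = HIGH if bit else LOW
    return target + bleed * (cell - target)

def read_bit(cell: float) -> int:
    """What the drive electronics report: just the nearest ideal level."""
    return 1 if cell > 0 else 0

def recover_history(cell: float, depth: int, bleed: float = BLEED,
                    noise_floor: float = 0.0) -> list:
    """Bits written to this cell, most recent first, by inverting the write model.

    Stops once the residual is below the measurement noise floor, because from
    there the earlier state can no longer be told apart from nothing at all.
    """
    bits = []
    for _ in range(depth):
        bit = read_bit(cell)
        bits.append(bit)
        target = HIGH if bit else LOW
        residual = cell - target            # the trace of the previous state
        if abs(residual) <= noise_floor:
            break
        cell = target + residual / bleed    # undo one write; errors grow by 1/bleed each step
    return bits

def write_sequence(start: float, bits) -> float:
    cell = start
    for b in bits:
        cell = write_bit(cell, b)
    return cell

if __name__ == "__main__":
    final = write_sequence(HIGH, [0, 0, 1, 0])       # cell held 1, then 0,0,1,0 were written
    print("cell now reads", read_bit(final), "at", round(final, 4), "MFU")
    print("ideal sensor, history newest-first:", recover_history(final, 5))
    print("with 0.02 MFU noise floor:", recover_history(final, 5, noise_floor=0.02))
```

With a perfect sensor the whole sequence falls out of the residuals; with even a small noise floor the recoverable depth collapses to a couple of generations, since each inversion multiplies measurement error by 1/BLEED. That trade-off, not the existence of residuals, is what decides how many "rewrites back" a lab could plausibly read.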
Windows (I assume this is a Windows box with the NTFS filesystem) has auditing turned OFF by default. You need to A) turn on auditing and then B) set the "auditing bits" on the object(s) you want to modify (and C) read the security logs religiously). Most of this is too complicated for the average user to set up (and interpret from the logs), so it almost never happens.
While it's true you can still get the data, you need an electron microscope, and it is a very expensive process. In the vast majority of cases, it is simply not worth it. If data has been zeroed out, it is safe from most forensic technicians, most of whom don't have the equipment and probably wouldn't bother even if they did.
If you had super powers, would you use them for good, or for awesome?