What is the Scope of Computer Forensics?
Jety asks: "I do general-purpose tech support for a variety of individuals and small businesses. Today, one of my clients presented me with an interesting situation, which made me recommend that he get his own attorneys and computer forensics experts on the job. Above and beyond that, to satisfy my own curiosity and to have some insight to offer him in the meantime, I have some questions about the scope of what computer forensics can accomplish. For this I turn to the experts of Slashdot. The questions can be boiled down to one issue: What exactly can a good computer forensics guy pull off of a hard drive - particularly once it's gone on to be used for a full week after the incident in question?"
"The sanitized details of my client's situation:
- Person A (my client) and Person B are business partners. Person A leaves the business, and before doing so copies a series of files to 5 CDs using Roxio under Windows XP.
- The computer continues to be used under normal circumstances for about a week.
- Person B confronts Person A, and Person A hands over the CDs to Person B.
- Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
- Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.
How detailed a record of file use does NTFS or WinXP keep? Can you really show what files were accessed during a one-hour time span seven days ago? Above and beyond the 'last modified' date? On a read/write/execute basis? Accessed by the system or by a user? Do commercial burning programs keep a record of burn jobs they've performed? Does the CD drive itself have any appreciable nonvolatile cache? Is there any other general insight applicable to this situation?"
A side note: even if you can verify that the CDs he gave back contain all the data he took from the company computer, there is nothing to stop him from having made copies of those CDs when he got home.
How detailed a record of file use does NTFS or WinXP keep?
Pretty detailed. User account, time at a minimum.
Can you really show what files were accessed during a one-hour time span seven days ago?
Yes.
Above and beyond the 'last modified' date?
Yes.
On a read/write/execute basis?
In a roundabout fashion. I'm not as familiar with NTFS as I would need to be to give a good yes or no or yes with limitations. It keeps records of modification (write) and access (read) so the only unknown is whether one could tell if a file was merely read or executed. It is a journalling file system, so depending on how exactly it performs journalling, it may even be possible to find out which parts of a file were modified in the case of writes. This is less likely as journal records are, presumably, overwritten with new records over a short period of time.
Accessed by the system or by a user?
If I remember correctly, NTFS does record the date of creation, modification, and access with the user performing each action. Many "system" actions are performed in the user's name since, technically, the user is running the system program.
Do commercial burning programs keep a record of burn jobs they've performed?
Many programs do keep a short log of actions. They won't necessarily detail files involved, though. You'll be lucky if such a log tells you how much data was written to the disk in MB. This might actually be just as useful.
Does the CD drive itself have any appreciable nonvolatile cache?
No.
Is there any other general insight applicable to this situation?
Yes:
Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
This points to a very simple search of all files modified, accessed, or created during that time period. Please note that this could indicate a virus scanner or system backup utility running in the background as much as it indicates a CD writing program. Viruses can also exhibit this behavior. Try to find out how many files were accessed in the previous 24 hours before this particular hour, and the following 24 hours. It could be that every hour during that time had several thousand files uniquely accessed.
Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.
Quite frankly, if he needed 6 CDs to burn 50 word/excel files... well, let's just say that you should explain to him that you try to assume nothing so that you can have the best view of the facts.
Also note that if data backups are made of the computer on a daily/weekly/regular basis, it may be that one can use those to show useful data about your client's use of the computer. An interesting tactic would be for your client's attorneys to request a detailed log of computer use for the week previous and the week following the incident to establish a pattern of use. Request all possible backups. Request... well, everything. The attorney will know what you mean.
Lastly, keep in mind that your client has already 'confessed' - the only thing left to determine is not whether he is guilty, but how guilty. Chances are good that even if he didn't do more than he says he will have a hard time proving that he has fully complied.
Lastly: Don't become personally involved, or emotionally invested. Your client will be, and he may even be pulling you into it without knowing it. Understand that anything you say to him may be used in any forthcoming legal case, and you may find yourself more involved than you desire to be.
-Adam
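Adam's suggestion to compare the suspect hour against the surrounding days can be done mechanically. The following is an added example, not code from the thread or from any of its posters: a Python script that walks a read-only mounted copy of the drive (never the live disk, since walking it would rewrite last-access times), buckets every file's access, modification and change timestamps into hours, compares the count for the suspect hour against the mean of the 24 hours on each side, and breaks the files touched in that hour down by extension so user documents can be told apart from system files a scanner or backup job touched. The SUSPECT_HOUR constant, the directory names and the file counts in build_sample_tree are constructed to illustrate the pattern Adam describes (a background process touching the same number of files every hour); they are not the client's data. Two caveats: Windows XP delays last-access updates by up to an hour, and Linux's relatime mount option suppresses many of them, so atime alone undercounts reads.

```python
"""Hourly file-activity histogram from filesystem timestamps (added example)."""
import os
import stat
import tempfile
from collections import Counter

HOUR = 3600
SUSPECT_HOUR = 1105351200  # constructed: 2005-01-10 10:00:00 UTC, a multiple of 3600


def walk_timestamps(root):
    """Yield (path, kind, epoch_seconds) for each regular file under root.

    kind is "accessed" (atime), "modified" (mtime) or "changed" (ctime, which is
    inode-change time on Linux and creation time on Windows). Point root at a
    read-only mount of the image: walking a live disk rewrites access times.
    """
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable entry; note it, do not abort
            if not stat.S_ISREG(st.st_mode):
                continue
            yield path, "accessed", st.st_atime
            yield path, "modified", st.st_mtime
            yield path, "changed", st.st_ctime


def hour_bucket(t):
    """Start (epoch seconds) of the UTC hour containing t."""
    return int(t // HOUR) * HOUR


def hourly_histogram(root):
    """Map hour-bucket start -> number of distinct files with any timestamp in it."""
    touched = {}
    for path, _kind, t in walk_timestamps(root):
        touched.setdefault(hour_bucket(t), set()).add(path)
    return {bucket: len(paths) for bucket, paths in touched.items()}


def files_touched_between(root, start, end):
    """Distinct files with an atime, mtime or ctime in [start, end)."""
    return sorted({p for p, _kind, t in walk_timestamps(root) if start <= t < end})


def extension_profile(paths):
    """Count lower-cased extensions, to separate .doc/.xls from .dll/.exe noise."""
    return Counter(os.path.splitext(p)[1].lower() or "(none)" for p in paths)


def compare_to_baseline(hist, suspect_hour, window_hours=24):
    """Return (count in suspect hour, mean hourly count over window_hours each side)."""
    neighbours = [hist.get(suspect_hour + sign * h * HOUR, 0)
                  for sign in (-1, 1) for h in range(1, window_hours + 1)]
    return hist.get(suspect_hour, 0), sum(neighbours) / len(neighbours)


def build_sample_tree(root, t0):
    """Constructed data, not the client's: five documents read at t0+10min (last
    written a month earlier), plus a background job that reads 30 library files
    every hour for 24 hours either side of t0. os.utime sets atime/mtime only;
    ctime ends up as 'now', far outside the window being compared."""
    docs, sysdir = os.path.join(root, "Documents"), os.path.join(root, "System32")
    os.makedirs(docs)
    os.makedirs(sysdir)
    for i in range(5):
        path = os.path.join(docs, f"report{i}.doc")
        open(path, "wb").close()
        os.utime(path, (t0 + 600 + i, t0 - 30 * 86400))
    for h in range(-24, 25):
        for i in range(30):
            path = os.path.join(sysdir, f"h{h:+03d}_lib{i}.dll")
            open(path, "wb").close()
            os.utime(path, (t0 + h * HOUR + 120 + i, t0 - 365 * 86400))
    return root


def make_sample(t0=SUSPECT_HOUR):
    """Build the constructed tree in a fresh temporary directory and return its path."""
    return build_sample_tree(tempfile.mkdtemp(), t0)


if __name__ == "__main__":
    root = make_sample()
    hist = hourly_histogram(root)
    in_hour, baseline = compare_to_baseline(hist, SUSPECT_HOUR)
    print(f"files touched in suspect hour: {in_hour}; hourly baseline: {baseline:.1f}")
    print(extension_profile(files_touched_between(root, SUSPECT_HOUR, SUSPECT_HOUR + HOUR)))
```

Run it against the mount point of the image rather than make_sample(). On the constructed tree it reports 35 files in the suspect hour against a baseline of 30 per hour, five of them .doc and thirty .dll: the 30 recurring library reads are the background job, the five documents are the user activity, which is the shape of analysis that puts a bare "3000 files accessed" figure into context.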
This is a mess. If at all possible, turn the computer off now, don't let anyone else touch it, and call a forensics expert before you contaminate this evidence any further.
You mention that the drive has been used for a period of time since the original forensics expert examined it. That could be a problem.
Ideally, the original forensics expert would have used a write blocking device (hardware) and carefully made a bit for bit (dd, EnCase, etc.) image of the drive.
That image is evidence and should be made available to opposing counsel and their experts for examination.
If an image was not obtained, you might have reason to question the completeness of the original investigation.
In either case, I would make your own image as soon as possible. If you can't get a forensics person (please try to get a professional first), then boot from a Knoppix or forensic Linux boot disk and use dd to make a drive image and burn a copy of that image to CD. (This isn't perfect, but in this case the data has already been altered by a period of normal use, and Knoppix + dd are known quantities.)
Just make detailed notes about everything that you do and everything that happened to the drive since it was last touched by the suspect. Include a list of everyone who is known to have accessed the system and everyone who could have accessed the system.
Depending on the software used and the methods that the suspect used, there might be a lot of data and there might be just a few bits of data that could prove either case.
If it really matters, hire someone who has been trained in computer forensics to examine your dd image. If you would like to provide a throwaway email address where we can reach you, I am sure that a few dozen slashdotters would be willing to send you our CVs and we can either discuss the case further or send you to a reputable expert in your area.
On the other hand, if you are just curious, visit and load up the image in FTK. If you don't know what you are looking for, you could spend months searching for evidence. If you do know what you are looking for, you could easily spend a week just collecting all of the relevant evidence.
Better yet, find a professional and leave the job to them. Ask a professional group like http://www.ctin.org/ for a reference. (Full Disclosure: I am a member of CTIN and I have studied computer forensics, but I am not yet a practitioner in the field, so please call a professional before following the advice that you read on slashdot.)
If you find a good person, they will tell you what they can and can't do and they will verify that they are qualified to do the examination before they take the case.
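To make the imaging advice in the reply above concrete, here is an added example, not code from the thread or from any tool it names, in Python, that does what the `dd conv=noerror,sync` plus checksum step does: copy a source block by block, substitute a zero-filled block for any block that cannot be read so that every later byte keeps its offset, record those offsets, hash the image with SHA-256, re-read and hash the source for comparison when every block was readable, and write the whole acquisition record to a JSON custody log alongside the image. The FlakyReader class and make_sample_device function are constructed fixtures standing in for a drive with one unreadable block; the operator and notes values are placeholders. This illustrates the procedure and the record you should be keeping; for a real case use the established tools behind a hardware write blocker and have the examiner who takes custody hash the image.

```python
"""Bit-for-bit imaging with integrity hash and custody record (added example)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone


def image_stream(src, dst, block_size=4096):
    """Copy src to dst one block at a time, mimicking `dd conv=noerror,sync`.

    A block whose read raises OSError is replaced by block_size zero bytes so
    that every later byte keeps its original offset, and the failing offset is
    recorded. Returns (sha256 hex digest of the bytes written, [bad offsets]).
    Short reads at end-of-source are kept as-is; block devices are
    sector-aligned and do not produce them.
    """
    digest = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_offsets.append(offset)
            chunk = b"\x00" * block_size
            src.seek(offset + block_size)  # step over the unreadable block
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return digest.hexdigest(), bad_offsets


def sha256_file(path, block_size=1 << 20):
    """Independent hash of a file on disk, used to compare source and image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(src_path, dst_path, operator, block_size=4096, notes=""):
    """Image src_path into dst_path and write dst_path + '.custody.json'.

    The source is opened read-only; on a real case it should also sit behind a
    hardware write blocker. Returns the custody record as a dict.
    """
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        image_hash, bad_offsets = image_stream(src, dst, block_size)
    record = {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "source": src_path,
        "image": dst_path,
        "image_size": os.path.getsize(dst_path),
        "block_size": block_size,
        "unreadable_block_offsets": bad_offsets,
        "image_sha256": image_hash,
        # Only meaningful when nothing was zero-filled: then source and image must agree.
        "source_sha256_reread": sha256_file(src_path) if not bad_offsets else None,
        "notes": notes,
    }
    with open(dst_path + ".custody.json", "w", encoding="utf-8") as log:
        json.dump(record, log, indent=2)
    return record


class FlakyReader(io.BytesIO):
    """Constructed stand-in for a drive with unreadable sectors: read() raises
    OSError whenever it starts at one of the offsets in fail_at."""

    def __init__(self, data, fail_at):
        super().__init__(data)
        self.fail_at = set(fail_at)

    def read(self, size=-1):
        if self.tell() in self.fail_at:
            raise OSError("simulated unreadable block")
        return super().read(size)


def simulate_bad_block(data, fail_at, block_size=4096):
    """Image constructed bytes through FlakyReader; returns (image bytes, bad offsets)."""
    out = io.BytesIO()
    _, bad_offsets = image_stream(FlakyReader(data, fail_at), out, block_size)
    return out.getvalue(), bad_offsets


def make_sample_device(size_blocks=10, block_size=4096):
    """Write a constructed 'device' (a repeating byte pattern) to a temp file and
    return its path; it stands in for /dev/sdX in the demonstration."""
    data = (bytes(range(256)) * (block_size // 256)) * size_blocks
    fd, path = tempfile.mkstemp(suffix=".dev")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    dev = make_sample_device()
    rec = image_device(dev, dev + ".img", operator="examiner (placeholder)",
                       notes="constructed demo, no write blocker involved")
    print(json.dumps(rec, indent=2))
```

The custody record is the part most often skipped: the hash of the image at acquisition time, the list of blocks that had to be zero-filled, who did it and when. Without it, a later examiner cannot show that the image they analysed is the one that was taken, which is exactly the objection the reply above anticipates being raised against the first expert's work.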