Slashdot Mirror


What is the Scope of Computer Forensics?

Jety asks: "I do general-purpose tech support for a variety of individuals and small businesses. Today, one of my clients presented me with an interesting situation, which made me recommend that he get his own attorneys and computer forensics experts on the job. Above and beyond that, to satisfy my own curiosity and to have some insight to offer him in the meantime, I have some questions about the scope of what computer forensics can accomplish, and for this I turn to the experts of Slashdot. It can be boiled down to one issue: What exactly can a good computer forensics guy pull off of a hard drive, particularly once it's gone on to be used for a full week after the incident in question?" "The sanitized details of my client's situation:

- Person A (my client) and Person B are business partners. Person A leaves the business, and before doing so copies a series of files to 5 CDs using Roxio under Windows XP.
- The computer continues to be used under normal circumstances for about a week.
- Person B confronts Person A, and Person A hands over the CDs to Person B.
- Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
- Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.

How detailed a record of file use does NTFS or WinXP keep? Can you really show what files were accessed during a one-hour time span seven days ago? Above and beyond the 'last modified' date? On a read/write/execute basis? Accessed by the system or by a user? Do commercial burning programs keep a record of burn jobs they've performed? Does the CD drive itself have any appreciable nonvolatile cache? Is there any other general insight applicable to this situation?"
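The question asks what record the filesystem keeps of file use over a given hour. The portable part of that record is the per-file timestamps (last access, last modification) that NTFS stores in each file's $STANDARD_INFORMATION attribute and that `os.stat()` exposes. The added example below (not from the original post or any commenter) walks a directory tree and builds a timeline of every file whose access or modification time falls inside a chosen window; `demo()` constructs a small temporary tree with hand-set timestamps so it runs offline. The file names, dates and window are constructed sample values.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

UTC = timezone.utc


@dataclass(frozen=True)
class TouchEvent:
    path: str        # file name (basename) for readability
    kind: str        # "accessed" (st_atime) or "modified" (st_mtime)
    when: datetime   # timestamp converted to UTC


def timeline(root, start, end):
    """Return every access/modification timestamp under `root` that lies in
    [start, end], sorted by time. Only atime and mtime are used because they
    are the two timestamps os.stat reports the same way on every platform."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()          # stat() itself does not update atime
            except OSError:
                continue                  # unreadable entry: skip, don't abort the walk
            for kind, ts in (("accessed", st.st_atime), ("modified", st.st_mtime)):
                when = datetime.fromtimestamp(ts, tz=UTC)
                if start <= when <= end:
                    events.append(TouchEvent(path.name, kind, when))
    events.sort(key=lambda e: (e.when, e.path, e.kind))
    return events


def counts(events):
    """Tally how many of the window's events are reads versus writes."""
    out = {"accessed": 0, "modified": 0}
    for e in events:
        out[e.kind] += 1
    return out


def _set_times(path, accessed, modified):
    # os.utime sets atime and mtime explicitly, independent of the mount's
    # atime policy, which is what lets the demo fix known values.
    os.utime(path, (accessed.timestamp(), modified.timestamp()))


def demo():
    """Constructed sample: three files, a one-hour window, and the resulting timeline."""
    window_start = datetime(2005, 6, 1, 10, 0, tzinfo=UTC)
    window_end = datetime(2005, 6, 1, 11, 0, tzinfo=UTC)
    samples = {
        # read during the window, last written weeks earlier
        "clients/contract.doc": (datetime(2005, 6, 1, 10, 15, tzinfo=UTC),
                                 datetime(2005, 5, 20, 9, 0, tzinfo=UTC)),
        # saved during the window (a save reads and writes, so both times move)
        "budget.xls": (datetime(2005, 6, 1, 10, 40, tzinfo=UTC),
                       datetime(2005, 6, 1, 10, 40, tzinfo=UTC)),
        # touched two days later: should not appear
        "unrelated.txt": (datetime(2005, 6, 3, 8, 0, tzinfo=UTC),
                          datetime(2005, 6, 3, 8, 0, tzinfo=UTC)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clients").mkdir()
        for rel, (atime, mtime) in samples.items():
            p = root / rel
            p.write_bytes(b"constructed sample content")
            _set_times(p, atime, mtime)
        events = timeline(root, window_start, window_end)
        return [(e.path, e.kind, e.when.isoformat()) for e in events], counts(events)


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Two caveats a practitioner would attach to such a timeline. First, a last-access timestamp records only that something opened the file, not which user or process did it; antivirus scans, indexing, and backup jobs update it just like an interactive open, so a raw count of files "accessed" in an hour says nothing by itself about who accessed them. Second, Windows XP defers last-access updates (by up to an hour) and Windows Vista and later disable them by default, so the absence of an access timestamp in the window is not evidence that a file was untouched.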

5 of 45 comments

  1. Complicated Issue by morcego · · Score: 3, Interesting

    You want a simple answer to a complicated question.

    And the short answer is, unfortunately: "It is impossible to know".

    The data might be there. Then again, it might not be. Yes, it is possible to track many records and cross many small pieces of information. One could, for instance, detect that he burnt 6 CDs, not only 5. Or maybe he burnt 10. Maybe some files he accessed were not accessed since then. Maybe the machine clock changed, or some space with critical data was reused by the system.

    Your best bet is to hire the professional, and see what he can pull out. But remember that the forensics process might compromise the machine, so make certain you are hiring a good and respectable lab to do the job, and make sure they follow all the current standards.

    --
    morcego
  2. The only sure way to delete a hard drive by ndansmith · · Score: 3, Interesting
    is to cast it into the heart of Mt. Doom.

    When a file is "deleted" in NTFS, that space is marked as free and the record of that file is still there. After that, it is sort of up to chance whether that space will be reused (or parts of that space - more likely). So odds are, after one week, assuming it is just Joe User's machine, a file will most likely still be at least partially accessible.

    The only way to be sure that a drive has no data is to "zero" it out (that is, assign a 0 to each and every bit on the drive). Still, I have heard that some forensic techs can detect the inertia of a bit's previous value - they can tell what was there before. I read a Slashdot comment somewhere today that mentioned that it takes multiple cycles of randomizing and zeroing out the bits on a hard drive to get the job done. Or you can just strap it into a cement chassis and drop it in the Hudson (is it OK to make two lame jokes about eliminating a hard drive in one post?).

  3. Plenty by linuxwrangler · · Score: 4, Interesting

    Way back in the day (early/mid 1980s) I did a job like this.

    Person A left company AA and started company BB then started taking customers. Attorney for AA got a court order allowing inspection of all magnetic media. Of course, by the time I was allowed access to the drive, several months had passed during which time "something had gone wrong with the computer" and "I think the repair shop had to format one of the drives". Yeah, right.

    In any case, they thought that a basic reformat of a DOS hard disk removed all the data. As I started pulling off and saving directory fragments and disk sectors which showed that they had illegally installed specialized and unusual software belonging to the former employer, as well as lists of names of clients, they made fundamental mistake #2 - they started blabbing "explanations" for the data I was recovering. As a former law-enforcement employee I simply listened attentively to their stories... and included the additional incriminating evidence in my report.

    Never even had to go to court and testify.

    Things are more complicated, today. You are right to get a computer forensic expert involved. Many of the disk-recovery services like Drivesavers provide forensic services in addition to data-recovery.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
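Comments 2 and 3 both rest on the same mechanism: an ordinary delete (or a quick reformat) only drops the directory entry and marks blocks free, while the bytes stay on the platter until something reuses them, which is what lets an examiner carve files or directory fragments out of "empty" space. The added example below (written for this page, not by any commenter, and not a model of NTFS or FAT) is a toy block device with a directory, a free map and a signature-based carver. It shows the file-type magic bytes surviving a delete and a quick format, disappearing after an overwrite, and disappearing once a new file happens to reuse the blocks. Disk geometry, file names and contents are constructed sample values; the three magic-byte signatures are the real ones used by carving tools.

```python
# Toy disk model: fixed-size blocks, an allocation bitmap and a flat directory.
BLOCK_SIZE = 64    # constructed toy geometry
BLOCK_COUNT = 32

# Real file-type signatures that carving tools search for.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP (.docx/.xlsx container)",
    b"%PDF-": "PDF",
}


class ToyDisk:
    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)   # the raw "platter"
        self.free = [True] * BLOCK_COUNT                    # allocation bitmap
        self.directory = {}                                 # name -> block list

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)                # ceiling division
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(blocks) < needed:
            raise OSError("disk full")
        for n, b in enumerate(blocks):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            self.free[b] = False
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: drop the directory entry and free the blocks.
        The data bytes are not touched."""
        for b in self.directory.pop(name):
            self.free[b] = True

    def wipe(self, name):
        """Overwrite the file's blocks with zeros, then delete it."""
        for b in self.directory[name]:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def quick_format(self):
        """Quick format as the comments describe it: directory and free map
        are reset, the data area is left as it was."""
        self.directory = {}
        self.free = [True] * BLOCK_COUNT


def carve(disk):
    """Scan the whole image for known signatures and report each hit with
    whether the block it sits in is currently allocated or free."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = disk.image.find(magic)
        while pos != -1:
            status = "free" if disk.free[pos // BLOCK_SIZE] else "allocated"
            hits.append((pos, kind, status))
            pos = disk.image.find(magic, pos + 1)
    return sorted(hits)


def demo():
    """Walk the disk through delete, wipe, quick format and block reuse."""
    disk = ToyDisk()
    # Constructed sample files: a legacy Word document and a spreadsheet container.
    disk.write_file("contract.doc",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Confidential contract terms..." * 3)
    disk.write_file("budget.xlsx", b"PK\x03\x04" + b"budget cells" * 5)
    disk.write_file("notes.txt", b"plain text, no magic bytes")
    results = {"before": carve(disk)}
    disk.delete("contract.doc")            # entry gone, header still on disk
    results["after_delete"] = carve(disk)
    disk.wipe("budget.xlsx")               # zeroed before release: nothing to carve
    results["after_wipe"] = carve(disk)
    disk.quick_format()                    # metadata reset, old header survives
    results["after_format"] = carve(disk)
    disk.write_file("memo.txt", b"Memo about the pending sale" * 3)   # reuses blocks 0-1
    results["after_reuse"] = carve(disk)
    return results


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(stage, hits)
```

The "after_reuse" stage is the point the original poster cares about: a week of normal use writes new files into the freed blocks, and every block reused destroys part of what an examiner could have carved. That is why comment 1 says the answer is "impossible to know" in advance, and why an examiner images the drive before doing anything else.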
  4. Re:Forensics Training by CsiDano · · Score: 3, Interesting

    I learned all I know about computer forensics in college. It was a three-year intense course that covered the actual forensics, note taking (important for presenting evidence later on), securing a crime scene and items, i.e. computers etc., from a crime scene, gathering forensically sound evidence, protocols in court (not everyone knows proper court etiquette or protocol), criminology, law, and networking, intrusion prevention and detection, risk management and disaster planning and recovery, operating systems and systems architecture. I attended the first college in Canada to offer such a course, and the college did a lot of field consulting with industry and continually adds to and refines the program. If you happen to be Canadian (or not, but interested in studying in Canada) check out http://www.flemingc.on.ca/Full-time/ProgramDisplay.cfm?ProgramCode=CSI for more information. This program really leads to some good jobs that pay well, and this sort of work is never going to disappear.

    --
    piss off
  5. Re:Forensics Training by deranged+unix+nut · · Score: 2, Interesting

    Several universities and community colleges have programs. I took a certificate program, http://www.extension.washington.edu/ext/certificates/cpf/cpf_gen.asp/, which I highly recommend.

    Law Enforcement in some states will allow civilians to volunteer time assisting with some types of cases. You might be able to help a police officer and get training.

    Many of the forensics software vendors offer training. This is tool-specific and wouldn't emphasise the legal context as much.

    SANS also has a training program. I have reviewed a few of the materials and it gets very technically detailed, but it might be slightly lacking in the areas of working with lawyers and the legal process.