Not a week goes by that I am not talking with a client about some computer forensic matter when the conversation drifts into a discussion of how data is deleted. A few minutes later the client says, "well, I guess deleted isn't deleted".
As part of Vestige's ongoing commitment to educating our clients, potential end-users and our peers in the industry, the Vestige Views blog reflects some of the industry's foremost thought leadership.
Although your mother always told you to learn from others' mistakes, that is a tall order when you have to choose which activities to commit your scarce resources to. Like many things, when it comes to IT security, once the cat is out of the bag the cost of not having had adequate security is always astronomically higher than you originally imagined.
All operating systems and file systems are not equal! This is especially true when you compare a Mac system to a Windows system. [Insert Apple commercial here] I commonly come across examiners who try to apply Windows forensics facts when examining a Mac computer. They get in trouble pretty fast!
We often use the old library card catalog system with our clients to explain how the deletion of files works on both Macintosh and Windows based computers. The card catalog in a typical library contains the book name, author, publisher and, most importantly, the location of the book in the library. The Master File Table, or “MFT”, is the card catalog equivalent in the Windows computer world. The “MFT” contains the location of a file, when it was created, modified, accessed, etc. The “book” in the card catalog system is a file. When a file is deleted on a Windows computer, a special designation is made in the “MFT” to keep track of the deletion. No, the “librarian” does not take the “book” off the shelf and throw it away, burn it or even rip out pages. Once you hit the delete key, the file is still fully recoverable until a new file is written into the space where the old file existed. There is no way to predict when this will occur. If that special designation is removed from the file, the file is fully recoverable!
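To make the "special designation" concrete, here is an added example (written for this page, not code from the Vestige post) that parses the fixed header of NTFS $MFT FILE records. The field offsets follow the published NTFS on-disk layout: each record starts with the signature "FILE", and the 16-bit flags word at offset 22 has bit 0 set while the record is allocated to a live file. Deleting a file clears that bit; the record and the clusters holding the file's data are left in place until something reuses them. The four-record $MFT image is constructed inline for the demonstration, and the text placed after each header stands in for the attribute structures a real record carries there.

```python
"""
Added example, not code from the Vestige post: a small parser for the
fixed header of an NTFS $MFT FILE record. It shows where the "special
designation" that marks a deleted file lives: bit 0 (0x0001) of the
flags word at offset 22 means "record in use". Field offsets follow the
published NTFS layout; the $MFT image below is constructed for the demo.
"""
import struct

MFT_RECORD_SIZE = 1024           # record size on virtually all NTFS volumes
FLAG_IN_USE = 0x0001             # bit 0: record is allocated to a live file
FLAG_DIRECTORY = 0x0002          # bit 1: record describes a directory
FLAGS_OFFSET = 22                # little-endian uint16 inside the header

HEADER_FMT = "<4sHHQHHHHII"      # first 32 bytes of a FILE record
HEADER_FIELDS = ("signature", "usa_offset", "usa_count", "lsn",
                 "sequence", "link_count", "attr_offset", "flags",
                 "used_size", "alloc_size")


def build_record(sequence, flags, note=b""):
    """Constructed FILE record for the demo. Real records carry attribute
    structures after the header; here `note` stands in for that body."""
    header = struct.pack(HEADER_FMT, b"FILE", 0x30, 3, 0, sequence, 1,
                         0x38, flags, 0x38 + len(note), MFT_RECORD_SIZE)
    body = header.ljust(0x38, b"\x00") + note
    return body.ljust(MFT_RECORD_SIZE, b"\x00")


def parse_record_header(record):
    """Decode the fixed header of one FILE record into a dict."""
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, record, 0)))
    fields["valid"] = fields["signature"] == b"FILE"
    fields["in_use"] = bool(fields["flags"] & FLAG_IN_USE)
    fields["is_directory"] = bool(fields["flags"] & FLAG_DIRECTORY)
    return fields


def scan_mft(image):
    """Walk an $MFT image record by record, like reading the card catalog."""
    entries = []
    for index in range(len(image) // MFT_RECORD_SIZE):
        record = image[index * MFT_RECORD_SIZE:(index + 1) * MFT_RECORD_SIZE]
        entries.append((index, parse_record_header(record)))
    return entries


def deleted_records(image):
    """Record numbers whose entry is intact but no longer marked in use:
    the catalog card has been flagged, the book is still on the shelf."""
    return [i for i, h in scan_mft(image) if h["valid"] and not h["in_use"]]


def record_body(image, index):
    """Whatever sits after the header; still present for a deleted record."""
    start = index * MFT_RECORD_SIZE
    header = parse_record_header(image[start:start + MFT_RECORD_SIZE])
    return image[start + header["attr_offset"]:start + header["used_size"]]


def set_in_use(image, index):
    """Re-set bit 0 of the flags word: the header-level half of an undelete.
    Caveat: this only restores the catalog card. A complete recovery also
    requires that the record's data clusters have not been reused."""
    image = bytearray(image)
    pos = index * MFT_RECORD_SIZE + FLAGS_OFFSET
    flags = struct.unpack_from("<H", image, pos)[0] | FLAG_IN_USE
    struct.pack_into("<H", image, pos, flags)
    return bytes(image)


# Constructed four-record $MFT: two live entries, two deleted ones.
SAMPLE_MFT = b"".join([
    build_record(1, FLAG_IN_USE, b"budget.xlsx"),
    build_record(1, FLAG_IN_USE | FLAG_DIRECTORY),
    build_record(5, 0, b"memo-draft.docx"),      # file deleted: bit 0 cleared
    build_record(2, FLAG_DIRECTORY),             # directory deleted
])

if __name__ == "__main__":
    for index, h in scan_mft(SAMPLE_MFT):
        state = "in use" if h["in_use"] else "DELETED"
        kind = "dir " if h["is_directory"] else "file"
        print(f"record {index}: seq={h['sequence']} {kind} {state} "
              f"body={record_body(SAMPLE_MFT, index)!r}")
    recovered = set_in_use(SAMPLE_MFT, 2)
    print("record 2 in use after clearing the deletion mark:",
          parse_record_header(recovered[2048:3072])["in_use"])
```

Running the script lists records 2 and 3 as deleted while their bodies are still readable, then shows record 2 marked in use again. The sequence number in the header is the detail an examiner watches: NTFS increments it each time a record is reused, which is how a tool tells a stale entry from the live one that replaced it.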
At one of our recent Tech Meetings (some background: we hold bi-weekly 30-60 minute Tech Meetings at Vestige with training on a topic, as part of our continuing education program) I presented on LogParser (http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx). It is a free tool from Microsoft and is very handy for parsing event logs and web server logs, and for traversing file systems to get directory listings.