Digital forensics is similar to many other occupations in that specialized knowledge is required to attain accurate findings. Many pitfalls exist that only those with the required training and experience can navigate, and navigating them is what yields an expert’s opinion and insight.
The inadvertent trampling of evidence
Throughout our years of digital forensic investigations, this has been an all-too-common scenario. An attorney powers on a client’s laptop that contains evidence, just to “poke around” and see if the client can be exonerated of alleged wrongdoing. While a noble thought, improper handling of such evidence can be (and typically is) detrimental to a forensic investigation. Even the simple act of powering on a laptop has a number of unintended consequences.
For example, current Windows computers have a built-in feature called “Plug and Play Cleanup.” This feature reviews the history of connected USB devices. If a device has not been connected for 30 days, the feature will “delete” the device. This deletion removes key pieces of information, such as connection dates. This 30-day limit is only triggered if the computer is on. Other examples include modifying the scope of the Windows deletion artifacts, deleting event information on Macintosh computers, and even overwriting deleted data that may have been recoverable, all from a simple booting of the computer.
Misunderstanding the information from artifacts
Assuming this faux forensic examiner has made peace with the aforementioned implications of booting the evidence, there are more pitfalls ahead. When providing results to clients at the conclusion of investigations, we make it a priority to anticipate and dispel any misconception about what the results may mean. Someone without prior training or expertise regarding these misconceptions will end up with inaccurate findings.
This is particularly true when the artifacts are convoluted, as with the Windows file timestamp “Last Accessed.” Typically, when referring to a file or folder on a Windows computer, last accessed means the most recent instance a user opened a file or folder. However, the file timestamp “Last Accessed” does not accurately convey that data point. Instead, the Last Accessed timestamp is updated by a multitude of actions by a user, including right-clicking a file and clicking Properties. The forensic examiners at Vestige know this Last Accessed timestamp to mean “something happened to this file or folder, but it doesn’t necessarily mean it was opened.” In order to truly ascertain when a file or folder was accessed by a user, separate artifacts that record that specific access information need to be analyzed.
Missing how artifacts can correlate
While gaining experience from a variety of different case types and sizes, forensic examiners begin to understand how multiple artifacts interplay with each other to tell the full story. While such artifacts may provide some useful information individually, correlating them could be a game changer for a court case if the extra steps are taken. Oftentimes, such details are relatively subtle and can be easily overlooked.
On a Windows computer, if a user “deletes” a file to the Recycle Bin, that file is split in two, a “$I” file and a “$R” file. These files are then named in such a way that the $I will correspond to the $R, e.g. $IABC1234.pdf and $RABC1234.pdf. The $I file contains information about the file in the Recycle Bin, such as the date it was moved, where on the computer it was moved from, and the original file name. The $R file is the content of the same file. While these two separate files provide good information on their own, together they provide the entirety of intelligence for a file that was moved to the Recycle Bin. The review of the corresponding $I and $R files is required for a complete and accurate forensic analysis of files within the Recycle Bin.
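As an added illustration (not code from the article or from Vestige), the following Python sketch decodes a $I record and matches $I and $R names by their shared suffix, flagging entries whose counterpart is missing. The byte layout used (8-byte version, 8-byte original size, 8-byte FILETIME, then the UTF-16LE path) is the commonly documented $I format for Windows Vista and later and is not stated on this page; the function names and sample values are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Decode a Recycle Bin $I record (format version 1 or 2)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:            # fixed 520-byte UTF-16LE path field
        raw = data[24:24 + 520]
    elif version == 2:          # 4-byte character count, then the path
        if len(data) < 28:
            raise ValueError("missing path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("path is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "original_path": path,
        "original_size": size,
        # FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
        "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }

def pair_entries(names):
    """Match $I and $R names by shared suffix; return (pairs, orphans)."""
    i_map = {n[2:]: n for n in names if n.startswith("$I")}
    r_map = {n[2:]: n for n in names if n.startswith("$R")}
    pairs = {k: (i_map[k], r_map[k]) for k in i_map.keys() & r_map.keys()}
    orphans = sorted(n for k, n in {**i_map, **r_map}.items() if k not in pairs)
    return pairs, orphans

def build_sample_i_file() -> bytes:
    """Constructed version-2 record (sample data, not from a real case)."""
    path = "C:\\Users\\alice\\Documents\\report.pdf"
    when = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack("<QQQI", 2, 48213, ticks, len(path) + 1)
    return header + (path + "\x00").encode("utf-16-le")

if __name__ == "__main__":
    print(parse_i_file(build_sample_i_file()))
    # Constructed listing: one complete pair, one $I with no content file
    print(pair_entries(["$IABC1234.pdf", "$RABC1234.pdf", "$IZZ99XY.docx"]))
```

In practice this would be run against a forensic image or an exported copy of the Recycle Bin folder, never the live evidence drive.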
Failing to review multiple locations that contain the same type of evidence
For various forms of user activity on a computer, examiners rely upon multiple forensic artifacts that track the same activity. For example, there are between 3 and 4 different artifacts that record a user’s file and folder access activity. It is a common phenomenon that, during a forensic investigation, a valuable piece of information resides within a single, potentially obscure artifact, but is absent from other well-known artifacts. Therefore, it is critical to know, understand, and review every relevant artifact on a particular computer in order to execute a “cover-all-bases” analysis. Otherwise, evidence could be left on the table.
Similar to the file and folder access example, a user’s activity involving program execution or opening an application is recorded in multiple artifacts. However, these artifacts are in radically different locations on a computer. On top of that, some of the artifacts that contain the execution information are not user-friendly and require interpretation by a specialized program.
Choose an Expert
When a house has a plumbing issue, a plumber is not only called for a solution, but for a proper, complete, and efficient solution. The same rule holds true for many professions, and digital forensics is no exception. An experienced digital forensics examiner will have the necessary tools, experience, and mindset to facilitate a successful investigation while navigating the aforementioned dangers.
Before turning on a suspected evidence-filled device or turning it over to your internal IT department, CONTACT VESTIGE for Expert Digital Forensic Services.
By Ian Finch, BS, GCFA,
Senior Forensic Analyst
Vestige Digital Investigations