Hard Drive/Solid State Drive Forensics and Evidence Recovery
The main drive of a computer system, whether it’s a Hard Disk Drive (HDD) in a desktop, or Solid State Drive (SSD) found in a laptop, iPad or tablet, is the focal point of nearly everything that occurs on a computer or digital device. Virtually any activity performed accesses the main drive, and in doing so, leaves digital information which can be recovered and forensically examined.
Drive forensics can include both electronic and physical examination. Often drives damaged accidentally, or intentionally, can be repaired such that data can be recovered. GDF experts are also adept at finding and recovering data that has been intentionally erased in an attempt to hide illicit activity.
Types of Recoverable Data
Deleted Files and Data, an eDiscovery GoldmineWhen a user creates a file on a computer, usually even if they don’t save it, the information contained in the file is copied to the hard disk drive in a physical location. The location and the file name are then recorded in what is basically a table of contents on the hard disk drive that tells the operating system (the user and applications) where that file is located on the disk drive, how large it is and what its name is. Simply put, when the user deletes a file from the disk drive, the “table of contents” is updated to free the file’s space for reuse by the system. Even though the file can no longer be seen by the user or applications, its content still exists on the disk drive and can be recovered by a hard disk drive forensics expert. But there is a caveat. The longer you wait to get GDF involved, the better the chance the critical evidence you seek may eventually be overwritten by regular system usage, and that could cost you plenty, like a successful resolution to your case.
Internet History and CacheWeb browsers, like Internet Explorer, Firefox and Chrome, among others, create a temporary storage area in memory and on disk that holds the most recently downloaded Web pages, known as the browsers cache. If you navigate back to a previously visited webpage, the browser will load the page from this cache instead of downloading the contents again, thereby speeding up the process and making the browsing experience more enjoyable. A skilled disk drive forensic expert can extract those pages cached by the web browser and reconstruct the content. If a user went to Yahoo Mail or Gmail, it may be possible to reconstruct messages that were composed on the system, messages received, and in the case of cached messages, for example using Google Gears, entire inboxes, sent messages and other Webmail messages. The Internet/Web history, or browser Internet history, keeps a list of visited webpages and stores this list on your hard drive. GDF’s skilled disk drive forensic experts, using specialized tools and training, can extract this information and build a detailed timeline of sites visited, often even when a user deletes their Internet history, or uses extreme methods like a file wiper. Knowing what sites were visited, when, by whom and how often, can be instrumental in unlocking the truth, and can lend crucial perspective to other elements of your case. The fact is, your case is only as good as your evidence. And when evidence goes digital, Global Digital Forensics is the first and last call you’ll ever need to make.
Metadata Embedded in DocumentsMetadata is often defined as data about data. For the digital forensic analyst, this is a virtual gold mine of information. Many applications create metadata in files they create. Good examples are Microsoft Office applications, like Microsoft Word, Excel and PowerPoint. They embed metadata so users can identify documents, authors or systems that created these documents, how big they are and when they were last printed. Microsoft Office also tracks things like last 10 authors, last accessed, last modified and date created, among other things, which can all be used to reconstruct document histories, provide evidence of printing, or even reveal tampering. Microsoft also tracks changes and comments that are embedded directly into documents, spreadsheets and slide show files. When a skilled forensic analyst extracts metadata from files, it may be possible to find amazing amounts of information on the history, validity and use of the documents. And it’s not just Microsoft Office that embeds metadata embedded in files. Programs like Open Office, Word Perfect, Adobe Acrobat, among many others, do so as well. GDF can work wonders with metadata to help connect all the dots of your case.
Temporary FilesComputers basically have two types of storage, RAM ,or volatile memory, and non-volatile memory like Hard Disk Drives (HDDs), Solid State Drives (SSDs), USB drives and sticks, Network Attached Storage (NAS), like file shares, application servers (email, accounting systems, SharePoint, SkyDrive and the like), cloud storage and many more. When a computer is used to access this available storage, only a small part of what's happening in the background can be seen. Many applications also create cache files and temporary files which are treasure troves of digital evidence with GDF’s forensics experts on the case. Microsoft Office (and other Office-like products, such as Open Office, Word Perfect, Works and even Google Apps) creates temporary files when a document is created. These hidden files are intended for the autosave feature and for crash recovery, and can often be recovered by GDF experts, yielding the entire contents of a document that was created or edited on the system. Even if a user deletes a file and tries to wipe the file, copies of the documents, spreadsheets, and other potentially valuable information may still exist. Even edits to a document, file or email autosaved by the system may be yielded with the right touch. These are just a few examples of what GDF’s forensics experts can find, reveal and acquire when put to the test.
Log Files and System DataMicrosoft Windows logs and tracks many user actions and system actions that a skilled digital forensic analyst can use to reveal the usage details of a system. Some examples of these logs include software that was/is installed, external storage that was attached to a system and network connections to other systems. Additionally, users that logged onto the system and the files they created are tracked. Using this information, digital forensic analysts may be able to ascertain when devices were plugged into a system, if files were copied, if a user has other storage that is being used, or connects to a device on the Internet where files are stored, not to mention webmail accounts and other locations and applications where even more important evidence may be stored. GDF analysts have the tools and skills to leverage system information that is often overlooked as a source of evidence.
Forensic disk drive analysis almost inevitably leads to a human computer user, and often that person is a trusted employee. In the past year, employing a user activity monitor has become a viable option in the prevention and prosecution of insider computer crime. In addition to forensics analysis, GDF offers C-All, our world class solution to maintaining a watchful presence on any computer network.