Calgary Alberta Canada USA Computer Forensics Data Recovery Investigation
Computer Forensics Investigation Overview
Brief overview of the computer forensic investigation process
Before actually working with the computer, the investigator must consult with you, the client, and make certain that you understand the nature of the investigation before the forensic work begins. What many computer forensic experts fail to do is understand what they are up against. They often assume that your case is just another case where they mirror a hard drive and let the software do the work. This can prove dangerous when the investigation involves a computer used by a highly knowledgeable user who may have installed countermeasures against forensic techniques, countermeasures that can damage or destroy the evidence. Often these countermeasures are triggered when the user fails to perform some function on the computer. Accordingly, it is critical that the investigator appear to the equipment to be as indistinguishable as possible from its normal user until the machine has been shut down completely, either in a manner which provably prevents the machine from modifying the drives, or in exactly the same way the user would.
One of the key elements in every data forensics procedure is time. Users may inadvertently overwrite evidence simply by continuing with their daily tasks. Our specialists will quickly and cost-effectively collect and preserve data or evidence that may have been deleted or become inaccessible through normal computing methods. Our specialists can determine whether certain information exists and, if so, where it might be located.
When the data storage media is recovered, either on location or at our lab facility, an accurate audit trail commences. The media is immediately logged into a tracking system and a log is produced. This log, suitable for all legal proceedings, accompanies the media throughout the recovery process. Computer Evidence Recovery, Inc. employees who handle the media ensure the continuity of evidence by adding their name, signature, date and a detailed description of what was done.
Countermeasures aside, knowing about the user, what they used the computer for and the bigger picture is vital to formulating the search and conducting an intelligent and relevant investigation. This saves time for the investigator and money for the client.
Like any other piece of evidence obtained in an investigation, the information generated as the result of a computer forensic investigation must meet the standards of admissible evidence. Just as a crime scene can be contaminated, so can digital evidence. A knowledgeable computer forensics investigator will know to follow strict evidence handling protocols, to document each step and to always preserve the chain of custody of the evidence. If such steps are not followed, the original data may be changed or destroyed and may not hold up in court.
Once the investigator is ready to begin the investigation and is at the location of the computer in question, the investigator should always examine the machine and the surrounding work area for evidence. Items such as notes that may contain passwords, file names and locations, or security instructions are obviously of great value. The investigator should also look for and document any recordable media or removable storage devices, such as thumb drives or MP3 players. These may contain data germane to the investigation.
In cases where the assessment indicates a high likelihood that the user has booby-trapped the computer itself, for example in a criminal investigation of a computer owned by a hacker, the machine itself should be examined before the computer's case is opened. Many of these devices are wired to the computer's internal battery for activation and cannot be seen from the exterior of the computer.
Once the area has been searched and documented, the computer forensic investigator must record all open applications if the machine is still active. If the case may require collecting data from the RAM modules, significant additional steps are required at this point, because current RAM chips cannot be analyzed for prior content after erasure and power loss with any real probability of success. Fortunately, investigating the contents of RAM is not normally required as part of an investigation conducted for general civil disputes.
Once the applications have been documented, the system should be powered down in the way that is least damaging to the data currently in memory and to the data stored on the hard disk. The method to use depends on the operating system the computer is running. Shutting off the computer by the correct method is critical to preserving certain data that is normally held only in memory, so that it is committed back to disk during power down. Shutting down computers which do not normally hold data in memory by the usual method may change data on the hard drive, and this is to be avoided whenever possible.
The system should now be completely documented, including photographing the configuration and documenting the order in which the hard drives are wired, since this indicates boot order and is also necessary to reconstruct a RAID array.
The hard drives can now be duplicated or mirrored. Using some form of hardware write protection to ensure that no writes are made to the original drive is vital. Even though operating systems such as Linux can be configured to prevent writes, a hardware write blocker is the best practice. The image is made to another hard drive or other storage media.
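As an added example, not the firm's own tooling, the Python below ties together the acquisition step just described and the audit trail described earlier: it copies a source bit-for-bit while hashing it, independently re-hashes the original and the image afterwards so that any mismatch is caught, and appends every handling step to an append-only chain-of-custody log. The "suspect drive" is a constructed temporary file of random bytes, the examiner name and evidence identifier EV-001 are placeholders, and the JSON-lines log layout is an assumption. The hardware write blocker the text calls for sits outside this code; opening the source read-only is not a substitute for it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB read/write blocks


def image_source(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy the source bit-for-bit to image_path, hashing the bytes as they
    are read. Returns the SHA-256 hex digest of the source as acquired.
    The source is opened read-only; on a real drive the hardware write
    blocker, not this flag, is what guarantees the original is untouched."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def sha256_of(path, block_size=BLOCK_SIZE):
    """Hash a file (or block device) from scratch; used for re-verification."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(acquisition_hash, source_path, image_path):
    """Independent verification: re-hash the original and the image and
    compare both against the hash taken during acquisition."""
    source_hash = sha256_of(source_path)
    image_hash = sha256_of(image_path)
    return {
        "acquisition": acquisition_hash,
        "source": source_hash,
        "image": image_hash,
        "verified": acquisition_hash == source_hash == image_hash,
    }


class CustodyLog:
    """Append-only chain-of-custody log, one JSON object per line (assumed
    layout). Each entry carries the handler's name, a UTC timestamp, the
    evidence identifier, a description of the action and the hash at that point."""

    def __init__(self, path):
        self.path = path

    def record(self, handler, evidence_id, action, digest=None):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "evidence_id": evidence_id,
            "action": action,
            "sha256": digest,
        }
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def run_acquisition(workdir=None):
    """Constructed end-to-end run: a random file a little over 3 MiB stands in
    for the suspect drive. Returns the verification result, the log entries,
    and whether a deliberately altered copy of the image is caught."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect_drive.bin")  # constructed, not a real device
    image = os.path.join(workdir, "suspect_drive.img")
    altered = os.path.join(workdir, "suspect_drive_altered.img")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * BLOCK_SIZE + 12345))  # not a multiple of the block size

    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    log.record("J. Examiner", "EV-001", "received drive on site, sealed in evidence bag")
    acq_hash = image_source(source, image)
    log.record("J. Examiner", "EV-001", "imaged through write blocker to EV-001.img", acq_hash)
    result = verify_image(acq_hash, source, image)
    log.record("J. Examiner", "EV-001", "verified image hash against original", result["image"])

    # A single flipped byte in a copy of the image must fail verification.
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[-1] ^= 0xFF
    with open(altered, "wb") as f:
        f.write(data)
    tamper_caught = not verify_image(acq_hash, source, altered)["verified"]
    return result, log.entries(), tamper_caught


if __name__ == "__main__":
    verification, entries, caught = run_acquisition()
    print(json.dumps(verification, indent=2))
    print(f"{len(entries)} custody entries written; tampered copy caught: {caught}")
```

The three hashes (taken during acquisition, re-read from the original, re-read from the image) are kept separate rather than collapsed into one boolean so the log can record which value was observed at which step; a later reader of the custody log can then tell a bad copy from a drive that changed after acquisition.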
The actual investigation, aimed at identifying the information on the image, is done with specialized software review tools that search through documents, images, e-mails and other files for instances of incriminating evidence using keyword searches. Some forensic search applications have advanced to the point that they can recognize general threads in e-mails by looking at the word groupings on either side of the search word in question. This process is then combined with analysis by the investigator, who can repeat the process over and over again, constantly refining and modifying the search. No matter how helpful the software, the investigator must still think and work like an investigator and spend many hours reviewing the data he or she finds.
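The keyword search with context words on either side, and the refine-and-repeat loop the paragraph describes, as an added Python example that is not code from the page or from any forensic product it mentions. It searches a small constructed corpus (four made-up files, not real evidence) for a whole word, returns the words on each side of every hit, tallies which neighbouring words recur across hits so they can become the next search terms, and lets a second pass require or exclude words in that context window. The corpus, the stopword list and the context window size are all assumptions.

```python
import re
from collections import Counter

# Constructed sample corpus (file name -> contents); not real evidence.
SAMPLE_FILES = {
    "mail_001.eml": (
        "From: alice@example.com\nSubject: invoice\n\n"
        "Please wire the invoice payment to the new account today."
    ),
    "mail_002.eml": (
        "From: bob@example.com\nSubject: lunch\n\n"
        "The invoice for lunch is attached, nothing urgent."
    ),
    "notes.txt": "Reminder: move the wire transfer records to the external drive before the audit.",
    "readme.txt": "Installation notes for the printer driver.",
}

# Common words that say nothing about the thread a hit belongs to (assumed list).
STOPWORDS = {"the", "a", "an", "to", "for", "is", "of", "and", "please", "nothing"}
TOKEN_RE = re.compile(r"[A-Za-z0-9@.'-]+")


def tokenize(text):
    """Split text into word-like tokens, lower-cased with surrounding
    punctuation stripped, so that 'invoice,' matches the keyword 'invoice'."""
    return [t.lower().strip(".,:;'\"") for t in TOKEN_RE.findall(text)]


def search(files, keyword, window=3, require=(), exclude=()):
    """Whole-word, case-insensitive keyword search. Each hit carries the
    `window` words before and after the keyword. `require` and `exclude`
    filter hits by the words in that context window; this is the refinement
    step the investigator applies between passes."""
    keyword = keyword.lower()
    require = {w.lower() for w in require}
    exclude = {w.lower() for w in exclude}
    hits = []
    for name, text in files.items():
        words = tokenize(text)
        for i, w in enumerate(words):
            if w != keyword:
                continue
            before = words[max(0, i - window):i]
            after = words[i + 1:i + 1 + window]
            context = set(before + after)
            if require and not require <= context:
                continue
            if context & exclude:
                continue
            hits.append({"file": name, "before": before, "keyword": w, "after": after})
    return hits


def context_groupings(hits, stopwords=STOPWORDS):
    """Tally the words that surround the keyword across all hits. Neighbours
    that recur indicate a thread and are candidate terms for the next,
    narrower search."""
    counter = Counter()
    for hit in hits:
        for w in hit["before"] + hit["after"]:
            if w and w not in stopwords:
                counter[w] += 1
    return counter


def files_hit(hits):
    """Sorted list of the files that produced at least one hit."""
    return sorted({h["file"] for h in hits})


if __name__ == "__main__":
    first_pass = search(SAMPLE_FILES, "invoice")
    print("pass 1:", files_hit(first_pass))
    print("neighbours:", context_groupings(first_pass).most_common(5))
    second_pass = search(SAMPLE_FILES, "invoice", exclude=("lunch",))
    print("pass 2 (lunch excluded):", files_hit(second_pass))
    for hit in second_pass:
        print(hit["file"], " ".join(hit["before"]), "[", hit["keyword"], "]", " ".join(hit["after"]))
```

On the sample corpus a first pass for "invoice" hits both mail files; the neighbour tally shows "wire" and "lunch" as the recurring words around it, and excluding "lunch" on the second pass narrows the result to the one message about the wire payment. Matching is on whole tokens, so a search for "drive" does not return the file that mentions a "driver".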
One of the areas of greatest concern to the computer forensic investigator is the presence of encrypted files on a computer. Encrypted material cannot normally be accessed by a computer forensic investigator without the encryption key. Having said this, we pride ourselves on being one of the few computer forensic investigation agencies in the world that can defeat most platter locking and biometric security provisions, as well as the Encrypting File System (EFS) found on most computers today.