What You Can Do With a Forensic Image
For Minimal Expense
1. Extract and Review the Master File Table
• The MFT can be extracted easily in Excel format
• You can review the name of every file and folder listed in the MFT, active and deleted
• You can sort by any of the fields of data
• You can run full-text searches on the file and folder names
• Tremendous bang for the buck
Forensic Analysis: The Basics
© 2006-2013 James Berriman – Computer Forensics for the Legal Issue-Spotter
1. Extract and Review the Master File Table
• Sort by full path – user accounts:
• This shows the contents of every user account
• C:\Documents and Settings\[user]
• See the name of every user account
• See the names of all files and icons on the Desktop for each user
• See the names of all files and icons in the My Documents folder for each user
1. Extract and Review the Master File Table
• Sort by full path – Recent folders:
• See the contents of the “Recent” folders
• These contain links to user-accessed files (how the “Recent Documents” list is populated)
• Even if the files are now deleted or missing
• C:\Documents and Settings\user\Recent
• C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\
1. Extract and Review the Master File Table
• Sort by full path – application folders:
• See a list of all installed applications
• C:\Program Files\[application folders]
• See the date of each installation (the “create” date of the application folder)
1. Extract and Review the Master File Table
• Sort by full path – browser caches:
• See a list of all files contained in the user’s browser caches
• C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files
• This can reveal names of sites visited, names of cookies, even preserved search terms
1. Extract and Review the Master File Table
• Sort by file extension:
• See the names of all files of particular user file types
• Word, Excel, PowerPoint, etc.
• Look at datestamps and timestamps
• Look for the absence of expected file types
1. Extract and Review the Master File Table
• Sort by date (last accessed or created):
• See the names of the very last files touched prior to preservation
• See file activity on any specific date of interest
• See when the drive was formatted (the “create” date of the MFT and system folders)
• See when the operating system was installed (the “create” date of the system folders)
1. Extract and Review the Master File Table
• Sort by date (last accessed or created):
• Look for evidence of "batch" file operations (large collections of files with near-identical "created" or "accessed" dates)
• If someone dragged and dropped an entire folder of files, they will all cluster together when sorted by create date
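The sorting and review steps above, as an added example that is not part of the original presentation: it loads a constructed MFT export (path, create/access dates, deleted flag; the rows are invented) and implements three of the reviews described, listing user accounts from the profile paths, reading install dates from application folder create dates, and flagging "batch" runs of files created within a few seconds of each other.

```python
import csv
from datetime import datetime

# Constructed sample of an exported MFT listing (not taken from any real image).
MFT_CSV = """path,created,accessed,deleted
C:\\Documents and Settings\\alice\\Desktop\\memo.doc,2012-03-01T09:00:00,2012-03-05T17:10:00,0
C:\\Documents and Settings\\alice\\My Documents\\q1.xls,2012-03-01T09:00:05,2012-03-05T17:11:00,0
C:\\Documents and Settings\\bob\\Recent\\budget.lnk,2012-02-10T08:00:00,2012-02-10T08:00:00,1
C:\\Program Files\\Acme Viewer,2011-11-20T14:21:58,2012-03-05T09:00:00,0
C:\\Documents and Settings\\alice\\My Documents\\copied\\a.doc,2012-03-04T23:59:01,2012-03-04T23:59:01,0
C:\\Documents and Settings\\alice\\My Documents\\copied\\b.doc,2012-03-04T23:59:02,2012-03-04T23:59:02,0
C:\\Documents and Settings\\alice\\My Documents\\copied\\c.doc,2012-03-04T23:59:03,2012-03-04T23:59:03,0
"""

USERS_ROOT = "C:\\Documents and Settings\\"
APPS_ROOT = "C:\\Program Files\\"

def load_mft(text=MFT_CSV):
    """Parse the exported listing; timestamps become datetime objects."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["created"] = datetime.fromisoformat(r["created"])
        r["accessed"] = datetime.fromisoformat(r["accessed"])
        r["deleted"] = r["deleted"] == "1"   # deleted entries stay in the listing
    return rows

def user_accounts(rows):
    """Sort by full path under the profiles root: one entry per user account."""
    return sorted({r["path"][len(USERS_ROOT):].split("\\")[0]
                   for r in rows if r["path"].startswith(USERS_ROOT)})

def installed_apps(rows):
    """Application folder name -> its create date (approximate install date)."""
    return {r["path"][len(APPS_ROOT):]: r["created"].date().isoformat()
            for r in rows
            if r["path"].startswith(APPS_ROOT) and "\\" not in r["path"][len(APPS_ROOT):]}

def batch_clusters(rows, window_seconds=5, min_size=3):
    """Sort by create date; report runs of files created seconds apart (folder drag-and-drop)."""
    ordered = sorted(rows, key=lambda r: r["created"])
    clusters, run = [], [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        if (cur["created"] - prev["created"]).total_seconds() <= window_seconds:
            run.append(cur)
        else:
            if len(run) >= min_size: clusters.append([r["path"] for r in run])
            run = [cur]
    if len(run) >= min_size: clusters.append([r["path"] for r in run])
    return clusters
```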
2. Extract Active User Files
• Remember: A forensic image ALSO contains all active user files
• Have them extracted so you can review them just like normal active-file ediscovery
• You do not need a forensic expert to assess active user files
3. Extract Recoverable Deleted User Files
• A forensic image also contains all recoverable deleted files (i.e., not yet overwritten)
• Have them restored and extracted so you can review them just like normal active-file ediscovery
4. Request a “Link Analysis”
• The “Recent” links store information regarding full path and access date for each accessed file
• A “Link Analysis” can extract that information and provide you with a report
• It shows which user files the user launched even if the files themselves are now deleted or are stored elsewhere (network, external storage)
5. Request a “USBSTOR Analysis”
• The Windows Registry keeps track of every USB device ever attached to the computer
• Type of device, manufacturer, model number, serial number, date of installation
• You can see what USB devices the user attached
6. Request a “Print Spooler Analysis”
• When documents are sent to the printer, they are stored in a temporary system cache
• This is called the Print Spooler
• It is possible to extract stored files from the Print Spooler
• This allows you to recover files that were printed even if later deleted or never saved on the drive
7. Run keyword searches in unallocated space
• Even if a file is partially overwritten (and therefore not recoverable as a “file”) it is possible that the surviving fragments contain searchable text
• Most embedded text in user files is in standard ASCII or Unicode format
• Text remains human readable even if the surrounding formatting is lost
7. Run keyword searches in unallocated space
• Hits in unallocated space are extracted in the form of an Excel spreadsheet
• Each hit is extracted with surrounding text on either side of the hit
• This allows the fragment to be assessed in context
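The unallocated-space keyword search described in this section, as an added example that is not part of the original presentation: it scans a constructed byte buffer (a partially overwritten ASCII fragment and a UTF-16LE string between non-text bytes; not real data) for a keyword in both encodings, case-insensitively, and returns one row per hit with the readable text on either side, the same columns a hit spreadsheet would carry.

```python
import re

# Constructed stand-in for a run of unallocated space: a partially overwritten
# ASCII fragment and a UTF-16LE string between non-text bytes. Not real data.
UNALLOCATED = (
    b"\x00" * 16
    + b"...per our agreement the shipment leaves Friday. Regards, A."
    + b"\xff" * 8
    + "Confidential shipment list (do not forward)".encode("utf-16-le")
    + b"\x00" * 16
)

def _readable(raw, encoding):
    """Decode a context slice and blank out anything that is not printable text."""
    text = raw.decode(encoding, errors="replace")
    return "".join(c if c.isprintable() and c != "\ufffd" else " " for c in text).strip()

def keyword_hits(buf, keyword, context=24):
    """Find keyword in raw bytes as ASCII and as UTF-16LE (case-insensitive) and
    return one row per hit with the readable text on either side of it."""
    rows = []
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
        for m in pattern.finditer(buf):
            before = buf[max(0, m.start() - context * width):m.start()]
            after = buf[m.end():m.end() + context * width]
            rows.append({
                "offset": m.start(),
                "encoding": encoding,
                "before": _readable(before, encoding),
                "hit": m.group().decode(encoding),
                "after": _readable(after, encoding),
            })
    return sorted(rows, key=lambda r: r["offset"])

if __name__ == "__main__":
    for row in keyword_hits(UNALLOCATED, "SHIPMENT"):
        print(row)
```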
8. Advanced Analysis
• There are many other things that a forensic expert can do depending on circumstances and objectives
Questions & Answers
Evidox Corporation
• CEO & Co-Founder, 2006 to present
• Ediscovery, forensics, and technology consulting and expert services
Boston University School of Law
• Lecturer in Law, appointed 2011
• Teaches Ediscovery & Advanced Civil Procedure
Goodwin Procter LLP
• Senior Counsel & Director of Litigation Technology, 1999 to 2006
• Founder of Litigation Technology Group
• Litigation Attorney, 1990 to 1999
Education
• JD, cum laude, Boston University School of Law, 1990
• BA, summa cum laude, State University of New York, Potsdam College, 1980