Data: The Basics of Computer Forensics

First published June 2005

by Edward Pscheidt

Everything is created on a computer. To be more precise, almost everything that is the subject of litigation was created on a computer. Be they letters, blueprints or company books, the vast majority of subpoenaed information resides on computers. Because of this, the hard-nosed private eye from films of the 40’s has been replaced with the Computer Forensic Investigator (CFI). While the title is not as catchy nor the reputation as romantic, these nerdy inhabitants of cyberspace are changing the practice of litigation more than their fedora-wearing counterparts could have ever imagined.

Computer forensics can be divided into three broad specialties. The most basic of these is obtaining and documenting digital information. This includes data recovery and verification. The second is expert testimony concerning things computerized. More often than not this involves networks and the Internet. The third, and the most fun, is real sleuthing. Because it is so infrequent, the best stories come from figuring out how information was compromised, searching for deleted files, or ferreting out identities on the Internet. This article will deal with the basics of the first specialty. Publishers willing, future articles will discuss the rest.

A Few Definitions

Federal statutes imply that a computer is any device that stores, manipulates or transmits electronic data. Certain State codes do more than imply. They overtly define computers as such. While this is overly broad for technical use, it is good for the practice of law. When issuing a subpoena, the lawyer does not have to guess what the local IT department calls a device. By using this sort of definition, the lawyer can expect to get everything pertinent without having to worry about the difference between a server and a router nor does the subpoena need to overtly call out esoteric items such as USB drives and digital MP3 players.

In a similar manner, the term “data” has been legally defined to broadly encompass anything that a computer can store. The California Penal Code, section 502, says that, “Data means a representation of information, knowledge, facts, concepts, computer software, computer programs, or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.” Again, this is of benefit to the legal community since this eliminates any “wiggle room” when complying with a subpoena.

Interestingly, the terms “Damage” and “Injury” also have a wonderfully large range. They apply when computers or data are physically damaged, merely altered, or when legitimate access to either is denied. This allows prosecution and litigation over such varied threats as virus creation, conversion of resources or data destruction.

What do Computer Forensic Investigators look for?

The good news for computer forensics is that once something is saved on a computer, it is difficult to dispose of it. Indeed, if an amateur tried to burn their computer in a fireplace, there is a very good chance the data could still be recovered. In fact, the most telling evidence in many cases is proof that there was an attempt to destroy data. The data discovery methods are well beyond the scope of this article. But here is a list of things that can be discovered:

Saved Files – These are data files that exist in a form that can be readily used. Usually they are well organized in proper directories. A good investigator will also look for files that are hidden in strange directories or even marked to be hidden from the operating system.

Deleted Files – When a file is deleted from a computer, it is not altered in the least. The operating system is just told to ignore that it exists. Unless the operating system writes new data over the old, it is easily recovered.

Temporary Files – Operating systems and programs temporarily store a copy of working data in various places. Sometimes it is in the same location as the original. More frequently it is in a specially designated folder specifically for temporary files. The operating system also uses something called a swap file for its working files. While these are intended to be temporary, they can linger for the life of the computer.

Metadata – This is a term that refers to corollary information that is stored along with data. It includes such things as the date the file was created, modified and last accessed. It can tell us the original owner as well as everyone who has ever used it. Sometimes it contains previous versions of the document.

Disk Slack – This is the most technically challenging. When a file is stored, the space allocated to it on disk is often larger than the file itself, and the unused tail of that space can still hold fragments of earlier documents. With the right software, this slack can be searched and the old data resurrected.
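The deleted-file and disk-slack behaviour described in the two items above, shown on a toy cluster-allocated volume. This is an added illustration, not code from the article; the volume layout, the 16-byte cluster size and the sample memo are all constructed, and the SHA-256 fingerprint stands in for the verification step a CFI performs at acquisition.

```python
import hashlib

CLUSTER = 16  # bytes per cluster (toy size; real file systems use 4 KiB or more)

class ToyVolume:  # minimal FAT-style volume: directory entries plus a cluster pool
    def __init__(self, clusters=8):
        self.disk = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.directory = {}  # name -> {"clusters": [...], "size": n, "deleted": bool}
    def write(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        used, self.free = self.free[:need], self.free[need:]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # only the new bytes are written; the tail of the last cluster keeps its old contents (slack)
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = {"clusters": used, "size": len(data), "deleted": False}
    def delete(self, name):
        entry = self.directory[name]
        entry["deleted"] = True  # only the entry is flagged; the clusters are left as they are
        self.free = sorted(self.free + entry["clusters"])  # lowest free cluster is reused first
    def read(self, name):
        entry = self.directory[name]
        raw = b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in entry["clusters"])
        return raw[:entry["size"]]
    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        entry = self.directory[name]
        used = entry["size"] - (len(entry["clusters"]) - 1) * CLUSTER
        last = entry["clusters"][-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

def recover_deleted(vol):
    """Deleted entries still point at their clusters, so they read back like any other file."""
    return {n: vol.read(n) for n, e in vol.directory.items() if e["deleted"]}

def demo():
    vol = ToyVolume()
    memo = b"Q3 revenue figures were adjusted before audit."  # constructed sample document
    vol.write("memo.txt", memo)
    fingerprint = hashlib.sha256(memo).hexdigest()  # hash taken at acquisition for verification
    vol.delete("memo.txt")
    before = recover_deleted(vol)["memo.txt"]  # intact: nothing has reused its clusters yet
    vol.write("notes.txt", b"Lunch 12:30")  # new file reuses cluster 0 but fills only 11 bytes
    after = recover_deleted(vol)["memo.txt"]  # first 11 bytes lost, remainder still present
    verify = lambda d: hashlib.sha256(d).hexdigest() == fingerprint
    return {"before": before, "before_ok": verify(before), "slack": vol.slack("notes.txt"),
            "after": after, "after_ok": verify(after)}
```

Running `demo()` shows the memo recovered byte-for-byte before any overwrite, the tail of the memo surviving as slack behind the new 11-byte file, and the hash check failing once part of the memo has been overwritten.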

Best Practices

As soon as you know that electronic data is part of your discovery, you should consult with your friendly, neighborhood CFI. He can tell you what to ask for and how to handle it when you receive it. It is better to include him prior to requesting the data rather than after it arrives.

If you get a large number of electronic documents, the CFI can use programs to cull them for your review. This is usually done by providing him with key words or phrases that will be found in the documents of interest. Once he has found the target documents, he can also report on their metadata. The most common report of this type is a time line of document creation, editing and reading.

Sometimes the data is of a form that is not readily used. Examples are documents created by CAD systems, graphics programs and esoteric e-mail systems. The CFI can set up a computer system that allows you to read them, recommend a professional that can review them for you, or copy the information they contain into a useable format.

A CFI should not interpret the data. Resurrecting accounting data is quite different from understanding it. Likewise, while the CFI can print a blueprint, it is likely that he cannot read it. Even if the CFI has some experience in the field, you do not want him to render a legal opinion unless he is truly an expert. Of journalism’s five W’s, a CFI should stick to “Who, What, Where and When.” While he might be able to deduce “How”, he should never be asked (officially), “Why?” For that you should find an expert witness, or indeed, have hired one in the first place.

Copyright 2004 Edward Pscheidt. All rights reserved. Reproduced with kind permission of the author.