Hi guys,
I have been stumped by this one for a couple of days now. I have been examining a computer that was recently seized from someone who we can confirm was using the PC; however, when we examine it, all the metadata and registry files show that the device has not been used for over a year. Even the deleted information dates from over a year before seizure.
I am sure the time zone in my forensic software is set properly, and also my workstation's date and time, just in case that was the problem.
I suspected that the user may have changed the hard drive, but when we checked with the manufacturer, they confirmed that the hard drive in our possession is of the same capacity and model as those used in the model of PC we're examining.
Any other suggestions on what could have happened?
I am sure the time zone in my forensic software is set properly, and also my workstation's date and time, just in case that was the problem.
Well, at most you can be a few hours off, not more than 24 in any case.
I suspected that the user may have changed the hard drive, but when we checked with the manufacturer, they confirmed that the hard drive in our possession is of the same capacity and model as those used in the model of PC we're examining.
Exactly like all the same-model ones, produced in several million pieces; the most you can get from this is that the suspect, IF and WHEN he changed the hard disk, was smart enough to replace it with a similar one.
Any other suggestions on what could have happened?
The first possibility that comes to mind would be that a "whole disk" image taken one year before was re-deployed just before the PC was seized.
But it is entirely possible that the suspect used the PC in the last year through some alternate OS hosted on other media (IMHO less probable, but still among the possibilities).
jaclaz
How did you confirm that he has used it in the last year?
Have you accounted for all of the space on the drive? i.e. could there be another partition?
Did you check the date/time on the target computer? Was it a year off?
Is it possible you missed a drive/device? e.g. could you have missed an M.2 SATA stick?
-tracedf
Yes, I agree with tracedf.
Maybe the user did an upgrade from a traditional HDD to a new (small) SSD a year ago.
So when the HDD was seized someone opened up the box and grabbed the big obvious HDD, but missed the small SSD tucked away elsewhere in the box.
Do you still have access to the box or do you only have the HDD?
Could also have been booting from a removable device, e.g. a live Linux distro on USB.
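On the point that Windows records devices attached while it is running, but a live-booted OS leaves nothing behind on the installed system, here is an added Python example that is not from the thread. It parses the format of Windows' setupapi.dev.log (C:\Windows\inf\setupapi.dev.log on Vista and later), which records a "[Boot Session: ...]" line with the system clock each time the installed Windows starts and a "Device Install" section with a timestamp the first time a device such as a USBSTOR mass-storage device is plugged in. The sample log below is constructed for the example; the function names are the example's own. Beyond the USB question, it also checks the boot-session clock readings in file order, which relates to tracedf's date/time question: a session stamped earlier than the one logged before it means the clock was set back at some point.

```python
import re
from datetime import datetime

# Constructed sample of a setupapi.dev.log (not a real capture). File order is
# real chronological order; the third boot session carries a clock reading that
# is earlier than the second, i.e. the system clock was set back.
SAMPLE_LOG = """\
[Device Install Log]
     OS Version = 6.1.7601

[BeginLog]

[Boot Session: 2014/01/10 08:15:02.117]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2014/01/10 14:22:10.123
      cmd: C:\\Windows\\system32\\svchost.exe -k netsvcs
     dvi: {Build Driver List} 14:22:10.140
<<<  Section end 2014/01/10 14:22:12.345
<<<  [Exit status: SUCCESS]

[Boot Session: 2014/02/03 19:40:55.002]

>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\6&1a2b3c4d&0&2]
>>>  Section start 2014/02/03 19:41:30.000
<<<  Section end 2014/02/03 19:41:31.000
<<<  [Exit status: SUCCESS]

[Boot Session: 2013/11/05 07:02:13.500]
"""

TS_FMT = "%Y/%m/%d %H:%M:%S.%f"
BOOT_RE = re.compile(r"^\[Boot Session: (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]")
INSTALL_RE = re.compile(r"^>>>  \[Device Install \(.*?\) - (.+?)\]$")
START_RE = re.compile(r"^>>>  Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_timestamp(text):
    """Parse the 'YYYY/MM/DD HH:MM:SS.mmm' stamps the log uses."""
    return datetime.strptime(text, TS_FMT)


def parse_setupapi(text):
    """Return (boot_sessions, installs): a list of datetimes and a list of
    (device_instance_id, datetime) pairs, both in file order."""
    boots, installs = [], []
    pending_device = None
    for line in text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            boots.append(parse_timestamp(m.group(1)))
            continue
        m = INSTALL_RE.match(line)
        if m:
            pending_device = m.group(1)  # the section start line follows
            continue
        m = START_RE.match(line)
        if m and pending_device is not None:
            installs.append((pending_device, parse_timestamp(m.group(1))))
            pending_device = None
    return boots, installs


def usb_storage_installs(installs):
    """Only USB mass-storage devices (USBSTOR\\...), i.e. sticks and external disks."""
    return [(dev, ts) for dev, ts in installs if dev.upper().startswith("USBSTOR\\")]


def clock_regressions(boots):
    """Pairs (previous, current) where a later boot carries an earlier clock
    reading than the boot logged before it: the clock was set back in between."""
    return [(prev, cur) for prev, cur in zip(boots, boots[1:]) if cur < prev]


def latest_activity(boots, installs):
    """Latest clock reading the installed Windows ever wrote to this log."""
    stamps = boots + [ts for _, ts in installs]
    return max(stamps) if stamps else None


if __name__ == "__main__":
    boots, installs = parse_setupapi(SAMPLE_LOG)
    for dev, ts in usb_storage_installs(installs):
        print("USB storage first seen", ts, dev)
    for prev, cur in clock_regressions(boots):
        print("clock set back between boots:", prev, "->", cur)
    print("latest activity recorded:", latest_activity(boots, installs))
```

Everything in this log is written by the installed Windows, so a machine started from a live USB or DVD adds nothing here; what the boot-session list does give you is every start of the on-disk Windows with the clock value it believed at the time, and a gap of a year in that list is itself a data point.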
Thanks for all the replies, guys.
I forgot to mention that this is a laptop.
Is there a way to connect an M.2 SATA stick to a laptop (it is an older-model Dell)?
Is there a way to detect traces of USB devices or CDs/DVDs used to boot live operating systems?
How did you confirm that he has used it in the last year?
Well, the person who seized it confirmed that they saw him using it up to a few months before seizure.
Did you check the date/time on the target computer? Was it a year off?
I didn't check that. I think that is a splendid suggestion; I will check it out and let you know.
Have you accounted for all of the space on the drive? i.e. could there be another partition?
There was an additional partition, but it has similar access dates and times (over one year old).
The first possibility that comes to mind would be that a "whole disk" image taken one year before was re-deployed just before the PC was seized
Jaclaz - if this is the case, do you think there is software that could root out data that existed before the restoration?
Is there a way to connect an M.2 SATA stick to a laptop (it is an older-model Dell)?
M.2 is fairly new, so your target device may not support it. There are a few compatibility lists available online, although they are probably incomplete.
Is there a way to detect traces of USB devices or CDs/DVDs used to boot live operating systems?
Probably not. If you attach a device while running Windows, it keeps track. But if you boot a live system, you're not using the OS on the hard drive, so it would not be running to record this.
The first possibility that comes to mind would be that a "whole disk" image taken one year before was re-deployed just before the PC was seized
Jaclaz - if this is the case, do you think there is software that could root out data that existed before the restoration?
I think the MFT would be blown away. You should still be able to carve files out of free space. So, if you're looking for something easy to identify, like contraband images, load the image into your favorite forensics/carving tool and give it a go.
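The carving step tracedf describes, as an added Python example that is not from the thread or from any particular forensics tool: a minimal header/footer carver that scans raw bytes for known file signatures and cuts out everything up to the matching footer, which is how a file can be recovered from unallocated space with no MFT entry pointing at it. The signature list covers just JPEG and PNG, and the "disk image" it runs on is constructed inline (zero filler with one JPEG, one PNG and one truncated JPEG embedded); the function names are the example's own.

```python
import mmap
import os

# Header/footer signatures for two common image types (constructed list).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_FILE = 8 * 1024 * 1024  # stop looking for a footer beyond this distance


def carve(data, signatures=SIGNATURES, max_file=MAX_FILE):
    """Scan raw bytes (bytes or an mmap) for each header and pair it with the
    next footer within max_file. Returns (offset, kind, file_bytes) tuples
    sorted by offset. A header with no footer in range is skipped, which is
    what a truncated or partly overwritten file looks like."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_file)
            if end < 0:
                pos = start + 1          # no footer: move past this header
                continue
            end += len(footer)
            found.append((start, kind, data[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda hit: hit[0])


def carve_image(path, outdir):
    """Carve a raw image on disk via mmap and write hits as <offset>.<kind>."""
    os.makedirs(outdir, exist_ok=True)
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        hits = carve(mm)
        for offset, kind, blob in hits:
            with open(os.path.join(outdir, "%012x.%s" % (offset, kind)), "wb") as out:
                out.write(blob)
    return [(offset, kind, len(blob)) for offset, kind, blob in hits]


def build_sample_image():
    """Constructed stand-in for unallocated space: zero filler with a JPEG at
    offset 4096, a PNG at 10245 and a footerless JPEG at 16405."""
    filler = b"\x00" * 4096
    body = bytes(range(256)) * 8          # 2048 bytes; contains no signature
    jpg = SIGNATURES["jpg"][0] + body + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + body + SIGNATURES["png"][1]
    truncated = SIGNATURES["jpg"][0] + body
    return filler + jpg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    for offset, kind, blob in carve(build_sample_image()):
        print("%s at offset %d, %d bytes" % (kind, offset, len(blob)))
```

Two caveats a real carver handles and this one does not: a JPEG with an embedded EXIF thumbnail contains a second FFD8/FFD9 pair, so cutting at the first footer truncates the main image, and a file that was not stored contiguously will come out mixed with whatever followed its first fragment. Carving also only ever finds what has not been overwritten since.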
I have been stumped by this one for a couple of days now. I have been examining a computer that was recently seized from someone who we can confirm was using the PC; however, when we examine it, all the metadata and registry files show that the device has not been used for over a year. Even the deleted information dates from over a year before seizure.
In addition to what has already been said:
Do you know that system time was locked to local time? I've examined a system that was something like 130 days out of sync, because the user wanted to keep using a piece of software past its last license day. (This would leave traces, however – such as no automatic syncing with time servers.)
Thanks again for the speedy response, guys.
I'll check the BIOS time tomorrow and let you know what I come up with. If that time is correct, then I will have to try carving and see if there is any data in unallocated space. If none of those steps work, then I guess the final analysis is that the hard drive was changed or a live OS was used and none of the files on the HDD were touched.
(This would leave traces, however – such as no automatic syncing with time servers.)
How can I find out if the time servers were not synced?
Thinking about the BIOS time now: if he updated the time to the correct one shortly before the machine was seized and didn't use the machine afterwards, could there be any records bearing updated timestamps?
The first possibility that comes to mind would be that a "whole disk" image taken one year before was re-deployed just before the PC was seized
Jaclaz - if this is the case, do you think there is software that could root out data that existed before the restoration?
I think the MFT would be blown away. You should still be able to carve files out of free space. So, if you're looking for something easy to identify, like contraband images, load the image into your favorite forensics/carving tool and give it a go.
Oh, come on guys: if a whole disk image has been re-deployed to the disk, whatever was there before would have been overwritten; no way back.
Besides, consider how this:
Well, the person who seized it confirmed that they saw him using it up to a few months before seizure.
actually means that there are witnesses who have seen "him using a computer up to a few months before ..."; unless the laptop at hand has some easily distinguishable characteristic (let's say a big red cross painted on the cover), it would be hard to rely on the computer you have being the same one the suspect was seen using.
jaclaz
Besides, consider how this:
Well, the person who seized it confirmed that they saw him using it up to a few months before seizure.
actually means that there are witnesses who have seen "him using a computer up to a few months before ..."; unless the laptop at hand has some easily distinguishable characteristic (let's say a big red cross painted on the cover), it would be hard to rely on the computer you have being the same one the suspect was seen using.
jaclaz
This.
There have been a few times where devices have been submitted, and then it turns out they've not been used for quite some time.