  • Jan 11, 2018

WinRecovery makes available a free version of its WinUndelete program, which helps recover deleted files. This is apparently a widely used program (I saw it referenced in a recent judicial decision, and the site touts it as "the leading undelete software for deleted files recovery").

It allows specific file types to be targeted.

The recovered files are saved in a folder selected by the user, but it should be one located on a different drive, so that writing the recovered files does not overwrite the deleted data being recovered. Obviously only the files which have not been overwritten can be recovered, but I can't say that, based on how the trial version performed, the software seems very effective. When I tried searching for .pdf and .xlsx files (I've certainly deleted many of both on my laptop) it came up with zero results. WinUndelete was able to find thousands of system files. The trial version does not actually allow you to recover the deleted files it detects.

The Tokiwa software that was the subject of the Tip of the Night for May 30, 2015, functions much slower than WinUndelete.


 
 

A decision by the Court of Appeals of Michigan on January 9, 2018, People v. Vancallis, 2018 Mich. App. LEXIS 35, gives insight into the forensics capabilities of the FBI, and also establishes a precedent by an intermediate appellate court on the use of app data as evidence. The defendant, James Vancallis, was charged with the murder of a young girl who was killed while walking her dog. A man on a motorcycle was seen in the area of a trail where the victim was found murdered. An FBI special agent was able to determine that the victim's phone was moving at around 4 miles per hour, and then suddenly accelerated to 22 miles per hour. Vancallis owned a motorcycle. A jury found Vancallis guilty of murder and kidnapping.

The special agent was a member of CART - the bureau's Computer Analysis Response Team. He found a screenshot on the phone of global positioning satellite data that was generated by a fitness app. While the data from the app was in a proprietary format, the agent was able to get the developer to provide "3,000 data points for latitude, longitude, date, time and speed". This data allowed the agent to create a Google Earth animation tracking the phone's location around the time of the murder. The data provided by the developer was loaded into a test iPhone with the fitness app installed in order to confirm that the data files were accurate.

The appeal argued that the defendant had ineffective assistance of counsel because there was no objection that the Google Earth animation was hearsay. The Court of Appeals rejected this argument because defense counsel had its own expert review the data, and because it determined the data was not inadmissible hearsay, but instead demonstrative evidence. It also found that even if the animation could not be considered demonstrative evidence, it would be covered by the records exception to hearsay. The data compiled by the developer of the app constituted 'records of regularly conducted business activity'. "The data that was provided was made by a person with knowledge of the matter, made at or near the time of the occurrence. Sports Tracking Technologies, Inc. made, kept and maintained the data in the ordinary course of regularly conducted business activity. We reject defendant's claim that the animation was testimonial in nature when Zentz, who created the animation from the underlying data, testified at trial." [Id. at 15].


 
 

The computer forensics software designer X-Ways has a hex editor available for download (there's a trial version available). It's called WinHex. WinHex functions like any other hex editor - it allows you to view the raw bytes of a file. It will show control codes (e.g., return and line break codes) and executable code in addition to the text visible in a text editor. Hexadecimal uses the digits 0 to 9 and the letters A, B, C, D, E, F, so the eight bits in a byte can be represented with two characters.

WinHex has a tool which lets you search for particular file types based on file headers. These files are stored in the virtual directory of a volume. To access the tool, go to Tools > Disk Tools > File Recovery by Type. Select a particular file type, and then an output directory, and WinHex will export any file of the selected type that it finds.
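
The header-based search described above can be sketched in a few lines. This is an added example, not WinHex's code: the signature table, the function names and the sample image are constructed for illustration, and it assumes each file is stored contiguously.

```python
from typing import Iterator, NamedTuple

class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes

# kind -> (header magic, footer marker, bytes kept after footer, take last footer?)
# Constructed table for this example; real tools ship far larger ones.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 0, True),              # updates append extra %%EOF
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4, False),  # 4-byte CRC follows IEND
}

def carve(image: bytes, kinds=("pdf", "png"), max_size=1 << 20) -> Iterator[Carved]:
    """Yield each header..footer span of the selected types found in image."""
    for kind in kinds:
        header, footer, trailer, take_last = SIGNATURES[kind]
        pos = image.find(header)
        while pos != -1:
            body = pos + len(header)
            window_end = min(pos + max_size, len(image))
            # Stop at the next header of this type so adjacent files don't merge.
            nxt = image.find(header, body, window_end)
            limit = nxt if nxt != -1 else window_end
            find = image.rfind if take_last else image.find
            end = find(footer, body, limit)
            if end != -1:
                yield Carved(kind, pos, image[pos:end + len(footer) + trailer])
            # No footer in range: the header survived but the content did not
            # (overwritten or fragmented), so nothing is exported for it.
            pos = image.find(header, body)

def sample_image() -> bytes:
    """Constructed stand-in for a raw volume: two intact files, one orphan header."""
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
    orphan = b"%PDF-1.7\n(rest of this file was overwritten)"
    return b"\x00" * 512 + pdf + b"\xff" * 100 + png + b"\x00" * 64 + orphan

if __name__ == "__main__":
    for hit in carve(sample_image()):
        print(f"{hit.kind} at offset {hit.offset}: {len(hit.data)} bytes")
```

The orphan header in the sample shows why a header match alone does not mean a file is recoverable: once the body has been overwritten, only the signature remains.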


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
