
A process model published by Kenneth Zatyko in Forensic Magazine in 2007 has become a widely used outline of what the practice of digital forensics involves. It is referenced in the NIST Guide to Cloud Forensic Science Computing Challenges (see page 2). Zatyko proposed an eight step model:

1. Search authority - one must have the legal right to conduct a forensic search.

2. Chain of custody - possession of digital evidence over a time period must be documented.

3. Imaging/Hashing function - data should be correctly copied and its hash value recorded.

4. Validated tools - one must be able to prove that the forensic tools employed are effective.

5. Analysis - forensic analysis examines the digital evidence.

6. Repeatability and reproducibility - other forensic analysts must be able to repeat the steps performed in the analysis and reach the same result.

7. Reporting - the procedure and conclusions reached by the forensic analyst must be documented.

8. Possible presentation - the forensic analyst must be prepared to present his or her findings in court.
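The following is an added example, written for this post and not taken from Zatyko's article, NIST, or any of the books cited below. It shows how steps 1, 2, 3, 6 and 7 of the model look when reduced to code: an image is taken of a constructed byte string standing in for a seized device, the source and the copy are hashed with more than one algorithm, a second examiner can re-verify the hashes, and an append-only custody log opens with a placeholder reference to the search authority. The evidence id, authority reference and tool name are placeholders, not values from any real case.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a seized source device: a fake 512-byte boot
# sector ending in the MBR signature, followed by four sectors of filler.
# This is not data from any real case.
SOURCE_DEVICE = (
    b"\x00" * 510 + b"\x55\xaa"
    + b"EVIDENCE DATA ".ljust(512, b"\x00") * 4
)


def acquire_image(source: bytes, algorithms=("md5", "sha256")) -> dict:
    """Step 3: copy the source bit-for-bit and hash both the source and the copy.

    A real acquisition reads the device through a write blocker; here the
    'device' is an in-memory byte string.
    """
    image = bytes(source)
    hashes = {}
    for name in algorithms:
        src_digest = hashlib.new(name, source).hexdigest()
        img_digest = hashlib.new(name, image).hexdigest()
        if src_digest != img_digest:
            raise RuntimeError(f"{name} mismatch: image is not a faithful copy")
        hashes[name] = img_digest
    return {"image": image, "size": len(image), "hashes": hashes}


def verify_image(image: bytes, recorded_hashes: dict) -> bool:
    """Step 6: a second examiner recomputes every recorded hash over the image."""
    return all(
        hashlib.new(name, image).hexdigest() == digest
        for name, digest in recorded_hashes.items()
    )


class CustodyLog:
    """Step 2: an append-only record of who held the evidence, when and why."""

    def __init__(self, evidence_id: str, authority_ref: str):
        # Step 1: the record opens with the authority (warrant, consent form,
        # court order) under which the search is conducted.
        self.evidence_id = evidence_id
        self.entries = [{"event": "authority", "ref": authority_ref}]

    def record(self, event: str, **details) -> None:
        entry = {"event": event, "time": datetime.now(timezone.utc).isoformat()}
        entry.update(details)
        self.entries.append(entry)  # entries are only ever appended, never edited

    def holders(self) -> list:
        """Everyone who has received the item, in order, for the report."""
        return [e["to"] for e in self.entries if e["event"] == "transfer"]


def acquisition_report(evidence_id: str, acquired: dict, log: CustodyLog) -> dict:
    """Step 7: the facts the examiner documents and may later present (step 8)."""
    return {
        "evidence_id": evidence_id,
        "image_size": acquired["size"],
        "hashes": dict(acquired["hashes"]),
        "custody_holders": log.holders(),
        # Step 4 would name the validated tool and version used; this
        # illustrative function is not a validated tool.
        "tool": "acquire_image (illustrative placeholder)",
    }


def demo() -> dict:
    """Run the whole flow once and return the checkable outcomes."""
    acquired = acquire_image(SOURCE_DEVICE)
    log = CustodyLog("ITEM-001-PLACEHOLDER", "AUTHORITY-REF-PLACEHOLDER")
    log.record("transfer", frm="seizing agent", to="examiner", purpose="imaging")
    tampered = bytearray(acquired["image"])
    tampered[600] ^= 0xFF  # flip one byte to show that verification catches it
    return {
        "verified": verify_image(acquired["image"], acquired["hashes"]),
        "tamper_detected": not verify_image(bytes(tampered), acquired["hashes"]),
        "report": acquisition_report("ITEM-001-PLACEHOLDER", acquired, log),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the source and the copy separately, and recording more than one algorithm, is what makes step 6 possible later: anyone holding the image and the report can recompute the digests without access to the original device.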

See also, John Simmons, The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics (2014), at 7-9; Bill Nelson, Guide to Computer Forensics and Investigations (2016), at 2; and Ralph Losey, Introduction to E-discovery: New Cases, Ideas, and Techniques (2009), at 102. Losey calls Zatkyo's model, "the best definition I have seen."

Perhaps one could use the mnemonic VAPR CHAR to help remember the 8 steps?


An affidavit filed by an FBI agent with a Government response to a court order on computer and email evidence in the case against the '20th hijacker', Zacarias Moussaoui, in the 9/11 attacks provides insight into the limitations of collecting email forensic evidence. Moussaoui was arrested in August 2001 as a result of his suspicious behavior at a flight training school in Oklahoma. The government's response notes that Hotmail account names cannot be found from a forensically examined computer if the user did not download data from the account to the hard drive.

The affidavit of Bridget A. Lawler, a special agent with the FBI, states that, "nearly all of the useful information about account activity of a Hotmail account is maintained at Hotmail and not on individual computers used by someone with access to the Hotmail account." While a computer's HTTP log will show the addresses of Hotmail pages, Hotmail cannot search for an account name from an IP address, and while it is theoretically possible for Microsoft to do so, it will not be able to if too much time has passed since an account was accessed from a particular computer. When an email account was inactive for more than 30 days, Hotmail deleted the IP connection log. After 90 days of inactivity a registered account would be disabled and the name would be made available to other users.

Lawler acknowledges in the affidavit that a Hotmail account name might be included in file slack, but concludes that, "such a find is very, very rare."

The affidavit recounts how Moussaoui accessed his Hotmail account from Kinko's stores in several locations in the United States. Investigators could not recover data from these computers because they learned from "various contacts it appears that Kinko's stores erase data from, or re-image, the computers they rent to the public at varying times, from every 24 hours to every 30 days."

Sixteen years later, this information about tracing Hotmail accounts and the hardware security practices of Kinko's may only be of historical interest, but it still provides a basis on which to ask whether a third party company can assist investigators beyond the limitations of Microsoft and Kinko's in 2001.
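The affidavit's point can be turned into a small triage routine, added here as an example and not taken from the affidavit or any FBI tooling. It takes constructed HTTP log lines of the kind the affidavit says a computer would hold, picks out the webmail page hits, and, using the 30 day and 90 day figures stated above, estimates whether the provider's IP connection log and the account registration would still exist on a given date. The log format, the hostnames and the IP addresses are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Retention figures as stated in the affidavit for Hotmail in 2001.
IP_LOG_RETENTION_DAYS = 30   # IP connection log deleted after 30 days of inactivity
ACCOUNT_DISABLE_DAYS = 90    # account disabled, name released after 90 days

# Hostnames treated as webmail. Constructed for the example.
WEBMAIL_DOMAINS = ("hotmail.com", "hotmail.msn.com")

# Constructed sample of an HTTP log recovered from a shared computer.
# Format (assumed): <UTC timestamp> <client IP> <method> <URL> <status>
SAMPLE_HTTP_LOG = """\
2001-08-03T15:12:44Z 192.0.2.10 GET http://www.example.com/index.html 200
2001-08-05T14:02:11Z 192.0.2.10 GET http://lw.hotmail.com/cgi-bin/login 200
2001-08-05T14:03:07Z 192.0.2.10 GET http://lw.hotmail.com/cgi-bin/HoTMaiL?folder=inbox 200
2001-08-06T09:45:00Z 192.0.2.11 GET http://www.example.org/news 304
this line is damaged and should be skipped
""".splitlines()


def _parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_http_log(lines) -> list:
    """Parse the constructed log format, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            when = _parse_time(parts[0])
        except ValueError:
            continue
        records.append({"time": when, "client": parts[1], "url": parts[3]})
    return records


def webmail_accesses(records, domains=WEBMAIL_DOMAINS) -> list:
    """Keep only requests whose host is one of the webmail domains or a subdomain."""
    hits = []
    for rec in records:
        host = (urlparse(rec["url"]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(rec)
    return hits


def provider_record_status(last_seen: datetime, as_of: datetime) -> dict:
    """Apply the affidavit's retention windows to the last local sighting."""
    ip_log_until = last_seen + timedelta(days=IP_LOG_RETENTION_DAYS)
    registered_until = last_seen + timedelta(days=ACCOUNT_DISABLE_DAYS)
    return {
        "last_seen_locally": last_seen.isoformat(),
        "ip_log_expected_until": ip_log_until.isoformat(),
        "ip_log_likely_available": as_of <= ip_log_until,
        "account_likely_still_registered": as_of <= registered_until,
    }


def triage(lines, as_of_iso: str) -> dict:
    """Per client IP, the latest webmail access and what the provider may still hold."""
    as_of = _parse_time(as_of_iso)
    latest = {}
    for hit in webmail_accesses(parse_http_log(lines)):
        client = hit["client"]
        if client not in latest or hit["time"] > latest[client]:
            latest[client] = hit["time"]
    return {client: provider_record_status(t, as_of) for client, t in latest.items()}


if __name__ == "__main__":
    for client, status in triage(SAMPLE_HTTP_LOG, "2001-09-10T00:00:00Z").items():
        print(client, status)
```

The estimate is pessimistic by design: the local HTTP log only shows the last access from this computer, and use of the account from another machine would have extended the provider's retention window, so a "not available" result is a reason to ask the provider promptly rather than a reason not to ask.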

Jul 16, 2017

Windows assigns a unique signature to each drive so that the Master Boot Record can keep track of the drives. The MBR holds the code that loads the installed operating system.

These disk signatures can be viewed in Registry Editor. From the Start menu, type regedit.exe and Registry Editor will open. Then browse to HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.

The disk signature is only the first eight characters listed from the left in the 'Data' column, which is always comprised of the digits 0-9 and the letters A-F only. The characters which follow show the byte offset, which can be used to derive the sector address of the drive, i.e. where on a partitioned optical disk the drive begins.
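As an added example, not part of the original post or of any Microsoft documentation, here is a parser for a 12-byte MountedDevices value of the MBR-style layout described above: four bytes of disk signature followed by eight bytes of byte offset. The sample value is constructed, and a 512-byte sector size is assumed (the post does not state one). The value is parsed both as the hex characters Registry Editor lists, which is what the post describes, and as the little-endian DWORD in which the MBR stores the signature, since partitioning tools report it in that second form.

```python
import struct

SECTOR_SIZE = 512  # assumed; the post does not state a sector size

# Constructed 12-byte value as Registry Editor would list it in the Data
# column: 4-byte disk signature, then an 8-byte little-endian byte offset.
SAMPLE_DATA_COLUMN = "12 34 56 78 00 7E 00 00 00 00 00 00"


def parse_mbr_mounted_device(value: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Split an MBR-style MountedDevices value into signature and start sector."""
    if len(value) != 12:
        raise ValueError("not a 12-byte MBR-style MountedDevices value")
    sig_bytes = value[:4]
    # Registry Editor lists bytes in storage order, so the first eight hex
    # characters read 12345678. The MBR stores the signature as a
    # little-endian 32-bit value, so tools print the same bytes as 78563412.
    signature_dword = struct.unpack("<I", sig_bytes)[0]
    offset_bytes = struct.unpack("<Q", value[4:])[0]
    if offset_bytes % sector_size:
        raise ValueError(f"offset {offset_bytes} is not aligned to {sector_size}-byte sectors")
    return {
        "signature_as_listed": sig_bytes.hex().upper(),
        "signature_dword": f"{signature_dword:08X}",
        "offset_bytes": offset_bytes,
        "start_sector": offset_bytes // sector_size,
    }


def parse_registry_data_column(text: str, sector_size: int = SECTOR_SIZE) -> dict:
    """Accept the space-separated hex exactly as copied from the Data column."""
    cleaned = text.replace(" ", "")
    if not cleaned or any(c not in "0123456789ABCDEFabcdef" for c in cleaned):
        raise ValueError("Data column must contain only hex digits 0-9 and A-F")
    return parse_mbr_mounted_device(bytes.fromhex(cleaned), sector_size)


if __name__ == "__main__":
    print(parse_registry_data_column(SAMPLE_DATA_COLUMN))
```

For the sample value the offset is 0x7E00, or 32256 bytes, which with 512-byte sectors places the start of the volume at sector 63. Matching the listed signature against the one reported for a physical disk is how the registry entry is tied to the drive it describes.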


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.