LITIGATION SUPPORT TIP OF THE NIGHT

As discussed in Craig Ball's Electronic Discovery Workbook, FTK Imager can be downloaded here for free. FTK Imager is part of the Forensic Toolkit developed by AccessData. FTK Imager allows you to create an image of a hard drive in different segments that can later be reconstructed. It uses MD5 hash values to confirm that the data has been copied correctly.

FTK Imager has many functions, but one of its more helpful ones it the ability to generate a list of hash value. Just go to File . . . Add Evidence Item. Select the type as the 'Contents of a folder' and the files in the folder will be loaded up.

. . . then simply go to File . . . Export File Hash List and an Excel .csv file will be created showing the SHA1 and MD5 hash values of each file in the selected folder.

In Windows 8, you can find prefetch files at C:\Windows\Prefetch . These files have the extension .pf. The files are used by Windows to help applications start up faster. Metadata in the files tracks how often applications are used, when they are used, and which files the applications utilize.

Nirsoft has another great utility which allows you to view the content for these files. It's available for download here. WinPrefetchView will automatically find your prefetch files and automatically index their metadata.

As you can see this utility gives you a list of how many times an application has been used, and when it was last used in the columns to the right.

Photos taken with smartphones and other devices can contain data on the specific location where the photo was taken.

If you right click on image files and select Properties . . . Details, and look in to the GPS section, you may see very precise longitude and latitude coordinates.

If you enter these coordinates in Google Maps, it will show the precise location the photo was taken.