Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook which I last posted about December 3, 2016.
VII. Digital Forensics
A. What is Digital Forensics
1. Operating Systems retain metadata (e.g., such as when a contact is created) - data about data.
2. Log files and other encoded data about user behavior that cannot be accessed by ordinary users.
3. Unallocated clusters and slack space contain what user discards.
B. How does Computer Forensics Differ From Electronic Discovery?
1. Electronic Discovery accessible data; Forensics - Inaccessible data.
2. Electronic Discovery - discrete ESI; Forensics how ESI items relate to one another, what a user did with the ESI.
3. Electronic Discovery - existing ESI; Forensics - what is gone, and how it can be restored.
C. When to Turn to Computer Forensics
1. Does case demand forensics analysis? E.g. allegation of data theft, destruction, alteration or forgery of ESI.
D. What Can Computer Forensics Do>
1. Timing and extent of data wiping.
2. Was thumb drive connected to machine.
3. Recovery of deleted ESI.
4. Internet usage.
5. Unauthorized access to networks.
6. Minute by minute system usage.
E. What Can't Computer Forensic Do?
1. Recover overwritten data.
2. Conduct investigation without access to the hard drive.
3. Rely upon software tool to complete forensics examination.
F. Sectors, Clusters, and Tracks
1. Each platter has concentric circles called tracks. Each track is broken down into sectors - 4096 bytes.
2. A cluster is the smallest amount of disk space that can be allocated to hold a file. The smaller the cluster size, the more efficiently a disk stores information. The fewer the number of clusters the less space need to track their content and locations.
G. Operating Systems and File Systems
1. File systems - FAT, FAT32, ext2, NFTS (Windows with Master File Table - if less than 1500 bytes will store in MFT) and HFS+.
H. Formatting and Partitioning
1. Low level formatting is obsolete, and cannot be done at the user level.
2. Inactive partitions may be invisible.
i. Cluster Size and Slack Space
1. Cluster Size - 1 to 128 sectors. Windows clusters usually 8 sectors in size.
2. Solid state drives don't retain deleted data because of wear leveling and TRIM maintenance routines.
3. Portion of unfilled storage cluster will be slack space. Fragments of deleted files. 10-25% of drive may be lost to slack.
j. Forensic Implications of Slack Space
1. Requires tedious digging and specialized tools.
2. Must secure forensic image because data is continuously overwritten.
K How Windows Deletes a File
1. When file is deleted, Master File Table lists file as being available for storage of new data, but old data remains for the time being.
L. Examples of Other Forensic Artifacts
1. Windows extends its RAM capacity by swapping data to and from a swap file - in Windows this is the page file. Page file can be over 2.5 GB in size. Contents include information that used to exist on a computer. Swap file will disappear each time the computer is rebooted.
2. Hiberfile.sys - all data from running application when PC went into hibernation mode.
M. Windows NTFS Log File
1. Log of system activity. $LogFile - can't be viewed in Windows Explorer.
N. TMP Files
1. Save work in the event of a system failure.
2. Operating system often does not delete .tmp files.
3. .bak file may save earlier versions of documents.
O. Volume Shadow Copies
1. Volume Snapshot Service - Windows can keep up to 64 volume snapshot copies, over 2 weeks or 2 years. Aren't restore point, hold work product as well.
P. LNK Files, Prefetch, and the Windows Registry
1. LNK files - shortcuts to other files. Stored in user's RECENT folder. Information endures even when the target file is deleted.
2. Records of the last 128 programs are stored in the prefetch files.
3. USBSTOR and DeviceClasses records - info about device and pairing driver.
4. Windows Registry stores list of recent websites and documents created.
1. Shellbags are keys in Registry which retain size and shape of Windows Explorer folder.
R. Framing the Forensic Examination Protocol
1. Court order protocol is preferable.
S. Balancing Need, Privilege and Privacy
1. In re: Weekly Holmes (Tex. 2009) standard for seeking to compel an opponent to to recover and produce deleted email:
a. specific request with form of production.
b. must produce reasonably available information.
c. try to resolve disputes without court intervention.
d. court can order production even if not reasonably accessible.
e. direct access to other party's electronic media is discouraged, only expert can access.
f. requesting party pays reasonable expenses.
2. Rule 53 Special Masters can be appointed to perform forensic examination in camera.
T. Selecting a Neutral Examiner
1. Each side should submit a list of qualified experts.
2. Recommendations from other judges.
U. Forensic Acquisition and Preservation
1. Courts should allow on bare showing of need.
2. Forensically Sound Acquisition
a. Nothing altered by acquisition.
b. Everything faithfully acquired.
c. Processes employed to confirm success.
V. Recovery of Deleted File
1. File Carving by Binary Signature - search for unique digital signature identifying file type.
2. File Carving by Remnant Directory Data - may contain information showing location of deleted file.
3. Search by Keyword -
W. Exemplar Forensic Protocol
1. Examine file structures for anomalies
2. BIOS date manipulation?
3. Check registry keys to investigate drive swapping.
4. Devices used to alter metadata?
5. Refine volume snapshot.
6. Carve unallocated clusters
7. Look at LNK files, shellbags, prefetch area, etc.
8, Keyword search of clusters.
9. Run network activity trace report against index.dat files.
1. MD5 and SHA-1 hash values are the most common.
2. Hash values cannot be reversed engineered.
3. Used to demonstrate data was properly preserved
4. de-NISTing of hash values of system files.
1. Ghost images are not forensically sound images.
2. Generally forensically sound images of servers is unwarranted.
3. Web mail accounts, smart phones, external hard drives, cloud storage areas, can be subject to forensic examination.
4. If less than 4-5 TB can be imaged over night.
5. Forensic Examiners usually charge between $200 - $600 per hour.