<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>Computer Forensics Forums - Blogs</title>
		<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php</link>
		<description>Computer Forensics Forum and Computer Forensics Information and Computer Forensics Resources from www.computer-forensics.co.uk</description>
		<language>en</language>
		<lastBuildDate>Fri, 18 May 2012 00:44:44 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://www.computer-forensics.co.uk/computer-forensics-forums/images/misc/rss.jpg</url>
			<title>Computer Forensics Forums - Blogs</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php</link>
		</image>
		<item>
			<title>Osama Bin Laden Computer Media Interview</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=11</link>
			<pubDate>Tue, 10 May 2011 14:25:51 GMT</pubDate>
			<description>As you are probably well aware Osama Bin Laden was killed last week and, during the operation, a significant amount of computer media was recovered....</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">As you are probably well aware Osama Bin Laden was killed last week and, during the operation, a significant amount of computer media was recovered.<br />
Last week a gentleman from Radio 4 interviewed both Simon Steggles and myself to identify the problems that investigators may encounter. Sadly the interview wasn't used but the BBC have been kind enough to furnish us with a copy for your listening pleasure.<br />
You can listen to the interview below.<br />
<br />
<a href="http://www.computer-forensics.co.uk/media/bbc4-int.mp3" target="_blank">BBC Radio 4 Interview</a></blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=11</guid>
		</item>
		<item>
			<title>Data Erasure - Ensuring the Data Is Cleaned On Old Hard Drive</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=10</link>
			<pubDate>Wed, 04 May 2011 10:42:54 GMT</pubDate>
			<description>I am sure a lot of you people know that I spend a lot of my on-line time on Twitter. (www.twitter.com/disklabsltd for my work account and...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">I am sure a lot of you people know that I spend a lot of my on-line time on Twitter. (<a href="http://www.twitter.com/disklabsltd" target="_blank">www.twitter.com/disklabsltd</a> for my work account and <a href="http://www.twitter.com/disklabs" target="_blank">www.twitter.com/disklabs</a> for my personal account). <br />
<br />
One of my 'followers', a great guy called Phil Stewart, (<a href="http://www.twitter.com/i15minutes" target="_blank">www.twitter.com/i15minutes</a>) knows about our work here at Disklabs and posted the following Tweet:<br />
<br />
Thanks to @disklabs for sending a device to ensure the data from my old hard drive is cleaned. <a href="http://yfrog.com/h0cyhygj" target="_blank">http://yfrog.com/h0cyhygj</a><br />
<br />
Here is his picture...<br />
<br />
<img src="http://dataerasure.co.uk/data_erasure_images/data%20erasure%20-%20funny.jpg" border="0" alt="" /><br />
<br />
Thanks for that Phil. Most amusing!<br />
<br />
For those a little more serious about data erasure or data destruction, I suggest a quick visit to <a href="http://www.dataerasure.co.uk" target="_blank">www.dataerasure.co.uk</a>, which may point you in the right direction.<br />
<br />
Regards,<br />
<br />
Simon</blockquote>

 ]]></content:encoded>
			<dc:creator>Disklabs</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=10</guid>
		</item>
		<item>
			<title>Yet  More FAKE iPhone4 Images</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=9</link>
			<pubDate>Fri, 01 Apr 2011 13:51:07 GMT</pubDate>
			<description><![CDATA[Ok then, for those of you that follow me on Twitter, you will probably have noticed some of my posts about the fake iPhone 4's we have just got in for...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Ok then, for those of you that follow me on Twitter, you will probably have noticed some of my posts about the fake iPhone 4's we have just got in for analysis. I asked the kind forensic analysts in the lab to provide me with some photos and here they are:<br />
<br />
Just so you know, it's a Chinese manufactured 'SciPhone', (clever that, isn't it?). It has a DUAL SIM slot, a memory card and removable battery. Some say that Apple could learn from this....<br />
<br />
Anyhow, here are the photos:<br />
<br />
<br />
<font size="5"><b>This Is The Front Of The Fake iPhone4</b></font><br />
<br />
Overall, it's a lot lighter, but looks a little odd. The screen isn't the same size and just wait until you see the display quality!<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_front_-_SciPhone.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is One Of The Sides On The Fake iPhone4</b></font><br />
<br />
I like this. They have even gone to the effort of adding the little black line which on the original iPhone4 is an aerial. The volume buttons we believe do work.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-_SciPhone_Side1.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is The Other Side On The Fake iPhone4</b></font><br />
<br />
I like this because once again, to make it look authentic, they have added a micro-SIM slot - except it isn't, it's just made to look like one.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-_SciPhone_Side2.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is The Back Of The Fake iPhone4</b></font><br />
<br />
This is the removable back - it allows access to the dual SIM slots, the memory card and the battery.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_back_-_SciPhone_with_cover_on.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is The Top Of The Fake iPhone4</b></font><br />
<br />
Nothing much to add here.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-_SciPhone_Top.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is The Bottom Of The Fake iPhone4</b></font><br />
<br />
Again, nothing much to add here.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-SciPhone_Bottom.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is How Software Looks On The Fake iPhone4</b></font><br />
<br />
It's not quite the standard of the retina display. Even the font looks awful, in a sort of couldn't be bothered type of way.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-_SciPhone_Software2.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>This Is How Software Looks On The Fake iPhone4 (Exit Screen)</b></font><br />
<br />
Again, the biggest thing here for me is the awful display and fonts. I don't think anyone could ever consider it a real iPhone4.<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_-_SciPhone_Software.jpg" border="0" alt="" /><br />
<br />
<br />
<font size="5"><b>Inside The Fake iPhone4 (Exit Screen)</b></font><br />
<br />
As previously mentioned, here is the fake iPhone 4 with its back off: Note the battery, DUAL SIM slot, Memory card slot - Apple could learn from some of this...<br />
<br />
<img src="http://www.mobilephoneforensics.com/mobile-phone-forensics-images/iPhone4_Fake_back_-_SciPhone.jpg" border="0" alt="" /><br />
<br />
<br />
<br />
I hope that the above photos cause some sort of response and comment, so no pressure.....<br />
<br />
Best regards, as ever,<br />
<br />
Simon</blockquote>

 ]]></content:encoded>
			<dc:creator>Disklabs</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=9</guid>
		</item>
		<item>
			<title><![CDATA[Shameful Example of a 'Computer Forensic Examination' - This Is A Genuine Report]]></title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=8</link>
			<pubDate>Wed, 23 Feb 2011 11:41:51 GMT</pubDate>
			<description>It's been an age since I last blogged, so apologies for that, but here we go again with a tale of how Disklabs ended up forensically examining a...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">It's been an age since I last blogged, so apologies for that, but here we go again with a tale of how Disklabs ended up forensically examining a laptop for a company that had already 'forensically investigated' the said laptop:<br />
<br />
<br />
Computer Forensics Investigation<br />
DIGITAL INVESTIGATIVE REPORT<br />
 <br />
COMMISSIONED BY THE FOLLOWING PARTY:<br />
 <br />
COMPANY:  ANON Ltd<br />
FULL NAME: ANON<br />
AUTHORISED BY:  ANON<br />
ADDRESS: ANON<br />
DATE OF COMMISSION: 27/01/11<br />
TEL: ANON<br />
TYPE OF INVESTIGATION:  Off-site<br />
 OBJECT/USER UNDER INVESTIGATION:  Hard disk image taken from the laptop shared by user “ANONPool”.<br />
CASE REF NUMBER: ANON<br />
CUSTOMER REF: ANON<br />
WRITE-BLOCKED EQUIPMENT UNIQE IDENTIFYING NUMBER OR S/N: ANON<br />
INVESTIGATING PARTY: ANON<br />
INVESTIGATING AGENT:  ANON – Though I was tempted to leave this ‘Computer Forensics Analyst’s’ details visible to deter others from making such mistakes!<br />
DATE OF THE INVESTIGATION WAS COMPLETED:  ANON<br />
DATE INVESTIGATIVE REPORT SUBMITTED: ANON<br />
 <br />
INTRODUCTION:<br />
Computer forensics investigation of laptop hard disk image to find digital evidence for any reference to the key subject of the investigation.  No time window for the computer forensics investigation has been set by the client. The client has commissioned ANON  to investigate the computer hard disk used by user “ANONPool”, for any website visited, software installed or removed, any links deleted  producing a report detailing all user activities including times and dates of such activities and system logins.<br />
<br />
PHYSICAL DESCRIPTION OF THE MEDIA INVESTIGATED:<br />
The laptop under investigation contained a hard disk with a capacity of 120GB. The laptop hard disk was cloned by ANON on 27/01/11 for the purpose of this digital forensic investigation. ANON acknowledges and confirms that the disk used for the purpose of this investigation is a true bit by bit clone of the original. It furthermore affirms that in the course of the cloning the original disk, the integrity of the original disk has been preserved and no changes whatsoever have been made to the original disk in the course of cloning.<br />
 <br />
KEY SUBJECT OF THE INVESTIGATION:<br />
The client, ANON on behalf of ANON Ltd has asked ANON to carry out a full investigations of the laptop hard disk used by one of their employees under user name of “ANONPool”.  The client  wants to find out about all websites visited, software installed and removed, links created or removed and times and dates of logging into the PC during an unspecified period of time.<br />
KEY OBJECTS INVESTIGATED:<br />
Key objects investigated in the context of the client brief and relevant to the purpose of the investigation using the acquired evidence contained in the obtained write-blocked hard disk image:<br />
 <br />
1.	MSN Messenger, Yahoo!, Google Talk and Other Popular Chat Logs<br />
2.	Hotmail, Yahoo! Gmail and Other Key Webmail Accounts<br />
3.	Outlook .OST Exchange Emails<br />
4.	Outlook .PST Email Data File<br />
5.	Outlook Express .DBX Data File<br />
6.	Facebook, MySpace, Bebo and Other Major Social Networking Profiles, Communications and Chat Logs<br />
7.	Google/Yahoo!/Bing! Search History<br />
8.	Key Search Terms Used in Google, Yahoo!, Bing! and Other Major Search Engines<br />
9.	Internet Browser Cookies<br />
10.	Internet Browser Histories<br />
11.	Visited Internet Sites<br />
12.	Downloaded/Uploaded  Files, Images, Documents and Other Items<br />
13.	Excel, Word, PowerPoint Documents<br />
14.	Meta Files and Simple Text Files<br />
15.	Hidden Files and Folders<br />
16.	Encrypted Files and Folders<br />
17.	Deleted Files and Folders<br />
18.	Temp Internet Files<br />
19.	.JPG, .GIF, .TIFF and Other Key Image Formats<br />
20.	Slack Files and Empty Spaces<br />
21.	Formatted Disk Partitions<br />
 <br />
Digital Forensics Method:<br />
The laptop shared by user “ANONPool”  was imaged and cloned on a separate 320GB LG hard disk for the purpose of the investigation. All the key search terms provided by the client were thoroughly investigated. The client did not provided different sets of keywords and search terms on. This meant that the investigator had to use standard practices and usage patterns to find as much information as possible to cover the subject of the client brief.<br />
 <br />
KEY FINDINGS:<br />
The key user is “ANONpool”on the ANON laptop with a hard disk of 120GB. The hard disk partition is NTFS with a total size 111G. Used space in the hard disk is 19.5GB. The user profile size is 342 MB (359,225,250 bytes) contains 1,031 Files, 575 Folders and was created 04 April 2008, 11:02:0. Internet Explorer was not used for browsing the internet. The user “ANONpool” has mainly used Mozilla Firefox. There are 2 email addresses which have been used to create MSN chat accounts. The emails associated with MSN account are ANON @ANON.com, ANON @ANON.com. There isn’t very much user activity and the MSN chatlogs or email conversations were non-exitent or could not be recovered. <br />
<br />
Emails found with date and first used:<br />
\ANONPool\Contacts\ANON@ANON.com  08/07/2008 15:27:56<br />
\ANONPool\Contacts\ANON@ANON.com  22/04/2008 10:16:37<br />
\ANONPool\Local Settings\Application Data\Microsoft\Messenger\ANON@ANON.com  08/07/2008 15:28:03<br />
\ANONPool\Local Settings\Application Data\Microsoft\Messenger\ANON@ANON.com  22/04/2008 10:16:37<br />
\ANONPool\Local Settings\Application Data\Microsoft\Windows Live Contacts\ANON@ANON.com  08/07/2008 15:27:43<br />
\ANONPool\Local Settings\Application Data\Microsoft\Windows Live Contacts\ANON@ANON.com  22/04/2008 10:16:27<br />
<br />
•	In order to ensure that no digital evidence is missed, full recovery of the NTFS partition of laptop hard disk was conducted. However the recovery of the NTFS partition did not add very much to the information already researched and found.<br />
•	All the websites visited by the user with dates and times were compiled and listed in the list of attached evidence attached.<br />
•	No deleted links were found.<br />
•	A full list of installed application has been compiled and attached.<br />
•	A full list of all applications uninstalled has been compiled and attached.<br />
<br />
 <br />
<br />
<br />
List of Digital Evidence Files Related to the Investigation:<br />
List of key evidence investigated and their occurrence in the context of the brief provided by the client and/or relevant to the subject of the investigation summarized in the table below: ( NOTE: Use Notepad to open text files.)<br />
 <br />
EVIDENCE ITEM	KEY EVIDENCE TYPE	DESCRIPTION	LOCATION<br />
ProgramInstallUinstalLog2	 Text file	Uninstalled Programs Log	See file<br />
 ANON Dell laptop full web access history	 PDF	 ANON Dell laptop full web access history	 See file using Adobe Acrobat reader<br />
 ANONAppData	 Text	 ANONPool Installed Applications	 Use NotePad to view file<br />
 ANONMozillaFirefoxAppInstallLog	 	 Mozilla Firefox AppInstall Log	 <br />
 ANONAppInstallCache	 	 Application Application Cache	 <br />
 ANONPoolProfile-1 to 12	 .jpg images	 User Profile Snapshot with dates and times	 Use image viewer to inspect<br />
ANONPoolUserProfile	Text	User Profile Snapshot with dates and times in text format	Use notepad to view and inspect.<br />
 <br />
Investigation conducted and completed by<br />
ANON<br />
 <br />
DATE: ANON<br />
<br />
Computer Forensics Investigation<br />
Supplement<br />
 <br />
COMMISSIONED BY THE FOLLOWING PARTY:<br />
 <br />
COMPANY:  ANON Ltd<br />
FULL NAME: ANON<br />
AUTHORISED BY:  Mr ANON<br />
ADDRESS: ANON<br />
DATE OF COMMISSION: ANON<br />
TEL: ANON<br />
TYPE OF INVESTIGATION:  Off-site<br />
 OBJECT/USER UNDER INVESTIGATION:  Hard disk image taken from the laptop shared by user “ANONPool”.<br />
CASE REF NUMBER: ANON<br />
CUSTOMER REF: ANON<br />
WRITE-BLOCKED EQUIPMENT UNIQE IDENTIFYING NUMBER OR S/N: ANON<br />
INVESTIGATING PARTY: ANON<br />
INVESTIGATING AGENT:  ANON<br />
DATE OF THE INVESTIGATION WAS COMPLETED:  ANON<br />
DATE SUPPLIMENTARY INVESTIGATIVE REPORT SUBMITTED: ANON<br />
 <br />
Description: As requested by Mr ANON, the “Recycle Bin” of user “ANONPool” was fully investigated.<br />
<br />
Findings:<br />
<br />
a)	According to the evidence contained in file “websites visited using IExplorer.pdf” Internet Explorer has not been used for any kind of habitual internet browsing.  Internet Explorer has only been used by Windows and a few times by the user to request Windows updates from Microsoft Windows Update site. Therefore the IE browsing history does not contain any significant entries.<br />
b)	According to the evidence contained in “ANONpool-recycle-bin-full.pdf”, Mozilla Firefox has been primarily used to browse the internet. The contents of the Recycle Bin indicate deletion of web browsing history which is believed to have been done by the system for the purpose of cleaning up and optimisation of the performance of Windows. No habitual, regular web browsing of porn sites was found in the Recycle Bin. The number of Mozilla Firefox web browsing history items referring to porn sites is pretty insignificant and does not indicate habitual and regular browsing of websites with adult content within a long period of time compared to the very large number of other ordinary websites listed in the Recycle Bin. In fact the number of Mozilla Firefox deleted history items pointing to the use of porn sites, are only limited to 2 out of 465 items. One of the links points to “myfreewebcams.com” which actually is not porn site. This is just a free webcam service where the user can chat live with girls and the online encounters are not necessarily pornographic.  Furthermore the deleted date for these 2 items is 21/01/2011, only 6 days after the laptop was submitted to us for imaging. It must be noted that they cannot be explicitly linked to the user and it is possible that it may have been generated by pop-ups when the user has been visiting non-adult websites.<br />
<br />
Files associated with this report:<br />
<br />
1.	websites visited using IExplorer.pdf<br />
2.	ANONpool-recycle-bin-full.pdf<br />
Supplementary Investigation conducted and completed by<br />
ANON <br />
DATE: ANON<br />
<br />
Thoughts Please...<br />
<br />
Simon</blockquote>

 ]]></content:encoded>
			<dc:creator>Disklabs</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=8</guid>
		</item>
		<item>
			<title>Facebook Responsible For 1 in 5 American Divorces</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=7</link>
			<pubDate>Tue, 07 Dec 2010 09:12:47 GMT</pubDate>
			<description>A survey by the American Academy of Matrimonial Lawyers has recently shown that the social networking site Facebook is now one of the major causes of...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">A survey by the American Academy of Matrimonial Lawyers has recently shown that the social networking site Facebook is now one of the major causes of divorce in the USA. Results from the survey show that 1 in 5 American divorces stem from a spouse seeking out, and reconnecting with, an old flame.<br />
With over 500 million active users the chances are that, if you're in a long term relationship, your significant other is 'friends' with an old school crush or ex. Bearing in mind that Facebook can be accessed at work, at home, or using mobile devices, affairs could be starting or happening right under your nose.<br />
The good news is that accessing Facebook leaves digital evidence behind. Every conversation, every wall post, every picture shared all leave a trail on a computer or mobile device. These pieces of evidence can be found by the digital forensic professionals at Disklabs.<br />
If you're concerned about your partner's Facebook habits and you're looking for either evidence of wrong-doing or peace of mind please call us for a consultation.</blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=7</guid>
		</item>
		<item>
			<title>Acquiring Those Pesky Macbook Air Drives</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=6</link>
			<pubDate>Wed, 17 Nov 2010 15:26:10 GMT</pubDate>
			<description>I am happy to be working at a place where both computer forensics and data recovery are practised under the same roof. This has great benefits to...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">I am happy to be working at a place where both computer forensics and data recovery are practised under the same roof. This has great benefits to everyone involved and we often help each other where we can. This article is about one of these occasions.<br />
In March 2009 I wrote an article on <a href="http://forensic4cast.com" target="_blank">Forensic 4cast</a> about how to dismantle a Macbook Air and acquire the hard drive contained therein. Since writing the article I have received thanks from many digital forensic investigators about how to do this but, in more recent times, people have been reporting that this method no longer works. The reason for this? Apple loves to make things difficult.<br />
A few months after I wrote my <a href="http://forensic4cast.com/2009/03/15/macbook-air-acquisition/" target="_blank">original article</a> Apple, in its infinite wisdom, chose to change the Macbook Air by replacing the ZIF (Zero Insertion Force) hard drives with LIF (Low Insertion Force) hard drives. This may not seem like a big deal but it has caused frustration for many forensic investigators looking to acquire drives for investigation. I've lost count of the number of times I've seen pleas for help on forums or mailing lists asking how to acquire such drives.<br />
Thankfully we now have the answer. One of my colleagues in the data recovery department had a job where the data was stored on such a drive. In order to gain access to the contents he cut and spliced a ZIF ribbon cable and attached it to an IDE interface. It was messy but it worked very well and he obtained all data from the drive at (nearly) full speed. Sadly, due to the build quality, the hacked cable didn't last for very long, however he was able to provide pictures of a similar set-up. These pictures are attached below. In this example the ZIF ribbon is cut and spliced and attached to a SATA interface. This will work just as well, and possibly better.<br />
So, next time you have a Macbook Air (not the latest iteration, we'll get to that soon enough) and you're feeling a little daring, look at the pictures below and try to do it yourself.<br />
Sorry about the size of the pictures, it's the best we could do.<br />
<a href="http://www.computer-forensics.co.uk/computer-forensics-forums/attachment.php?attachmentid=5&amp;d=1290006693" id="attachment5" rel="Lightbox_6" ><img src="http://www.computer-forensics.co.uk/computer-forensics-forums/attachment.php?attachmentid=5&amp;d=1290006693&amp;thumb=1" border="0" alt="lif2.jpg" class="thumbnail" /></a><a href="http://www.computer-forensics.co.uk/computer-forensics-forums/attachment.php?attachmentid=6&amp;d=1290006694" id="attachment6" rel="Lightbox_6" ><img src="http://www.computer-forensics.co.uk/computer-forensics-forums/attachment.php?attachmentid=6&amp;d=1290006694&amp;thumb=1" border="0" alt="lif1.jpg" class="thumbnail" /></a></blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=6</guid>
		</item>
		<item>
			<title>Forensic Data Recovery - what is it, really? - A Press Release...</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=5</link>
			<pubDate>Mon, 01 Nov 2010 11:15:52 GMT</pubDate>
			<description>*Data Recovery* may seem an easy practice to earn money by someone who knows their way around the inside of a computer, but it is much more than...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore"><b>Data Recovery</b> may seem an easy practice to earn money by someone who knows their way around the inside of a computer, but it is much more than that.  The consequences of using software that simply “plugs and plays” may cause unforeseen, catastrophic consequences for clients.  Simon Steggles, of specialist forensic data recovery company, Disklabs, explains:<br />
“I see lots of people making data recovery statements and increasingly, 'Forensic Data Recovery' claims. Because the subject is so easily misunderstood and abused, I feel that someone should explain what is, and isn’t, Forensic Data Recovery.<br />
Firstly, is what you are practising true data recovery? Retrieving deleted software with 'Recovery My Files' or one of a myriad of data recovery software titles isn’t necessarily true data recovery. It ‘is’ in that it recovers some data; however, it ‘isn’t’, because it doesn’t allow the software user to recover data that may be on either physically damaged or firmware corrupted disks. There is also the possible danger that using this kind of software may lead to overwriting data on the original source too, (depending on how the recovery is attempted).<br />
When I consider data recovery, I imagine someone, or an organisation, who is a member of the <a href="http://www.ipdra.org" target="_blank">IPDRA</a>, (International Professional Data Recovery Association). This is a not-for-profit association, and therefore free to join, and was set up to encourage a specific technical standard from its members. If you have the right equipment, secure premises and can demonstrate through references and photographic evidence that you meet the criterion, you will achieve membership. There is also a complaint procedure to allow clients of members that are not satisfied to lodge official objections or protests.<br />
It’s like lots of things in life - there is a right way and a wrong way, at least, when practicing Data Recovery. Software fixes are marginally effective, but can mislead the client that true data recovery has been carried out. If there is a firmware issue, this can still be considered data recovery; however, this is rapidly becoming the next stage of technical ability within data recovery. Further still is hardware recovery. Exchanging heads is relatively simple, (to the experienced practitioner), but are the heads being exchanged with the correct heads from a donor drive? Are they going to be changed in the correct environment? This, of course, is either a clean room or a clean bench. Either of these should achieve at least ISO14644 standard to level 5, to be considered acceptable by manufacturers.<br />
From this, it is apparent that although data recovery may be something you offer, you may be misleading your client, depending on your knowledge and working practices.<br />
There’s even more issues with the validation of Forensic Data Recovery - a process which has to follow the principles of ACPO Guidelines. A lot of people offering Forensic Data Recovery don’t even know who or what ACPO is, let alone follow their guidelines. I personally believe that it’s unethical to state that you provide forensic data recovery if you are not fully familiar with ACPO’s guidelines or don’t have experience in delivering them to law enforcement clients. It’s only from this experience that you will gain the knowledge of write-blocking, report writing or evidence continuity. Over and above this, it’s imperative that your clients’ exhibit, (evidence), is kept securely and only handled by appropriately security-cleared staff.<br />
<br />
To me, <a href="http://www.disklabsdatarecovery.co.uk" target="_blank">Forensic Data Recovery</a> is the recovery of information whilst ensuring the original data on the media source, (hard drive, memory stick, etc.) is not damaged in any way. If something has to be written, or chips have to be extracted, then a report should be provided, explaining why this was done and the procedures used. It goes without saying that continuity is vital at all times.<br />
Think of the reasons why clients approach you to recover data from their exhibit or other item.  Fraud, criminal activity, personal issues, personal safety; if the practitioner is not fully adept and data is not recovered correctly, the effects to the client could be very adverse indeed.  It wouldn’t be melodramatic to state that you could have someone’s life in your hands.  Although there can be negative connotations associated with your company should your inexperience come to light, the consequences to your client could be far more serious.”<br />
Disklabs are members of the IPDRA and also diligently follow ACPO guidelines.  Our experience in data recovery and forensic data recovery is highly commended by our clients and professional bodies.</blockquote>

 ]]></content:encoded>
			<dc:creator>Disklabs</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=5</guid>
		</item>
		<item>
			<title>What You Leave Behind</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=4</link>
			<pubDate>Thu, 02 Sep 2010 13:10:04 GMT</pubDate>
			<description>Edmond Locard (1877-1966) surmised that any time someone came into contact with an object there is a transfer of evidence. This has widely become...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Edmond Locard (1877-1966) surmised that any time someone came into contact with an object there is a transfer of evidence. This has widely become known as Locard's exchange principle. We hear of legal matters where an offence has been committed and a case won by finding a piece of trace evidence on the suspect's clothing. This trace evidence links the suspect to the relevant location and he is found guilty. This works the other way too. A person's hair, blood, or other tell-tale sign can show that a person was at a certain location.<br />
<br />
Locard's exchange principle also applies to the digital world.<br />
<br />
Did you know that almost everything done on a computer leaves some trace evidence of those activities and that a good forensic investigator can find this evidence?<br />
<br />
Imagine visiting your favourite website. You visit the site, view the content, and then turn off your computer. A simple process but what has been recorded and by whom? First of all your computer has most likely recorded your visit to that web page. This information will include such items as the date, time and web address of the visit. Secondly the entire page and all included content may also be stored on your computer. Thirdly the web site may also have recorded your visit. It might not know you personally but it has likely recorded information that can identify your computer as the visitor. Finally the web site may also have recorded which web page you visited before accessing that site, and even which web site you visited once you left.<br />
<br />
As you can see the trace evidence left from such a simple task is quite remarkable but also not widely known by many computer users.<br />
<br />
A recent survey stated that over half of UK workers would take company property on leaving a job. This is an incredible statistic, especially when one considers the potential impact on the employer. What kind of data might these employees take? This could be anything from client contact information to confidential designs and strategies. The question is can you afford to let this happen?<br />
<br />
There are methods and procedures that can be employed to protect your company against such theft but these can usually be thwarted with a little research.<br />
<br />
Data can be transported in a large number of ways: email, CD, USB thumb drive, etc.<br />
<br />
Thankfully Locard's exchange principle can be applied in these situations. If an employee leaves your company under suspicious circumstances take their work computer and, if issued, mobile phone. Once these have been retained contact Disklabs or another qualified digital forensics organisation and explain the situation. If the employee has copied confidential company data we can usually find evidence confirming that this has happened. This may even be possible when employees have taken steps to cover their tracks. The chances of an employee eradicating all evidence of their activities are extremely small.<br />
<br />
Armed with a complete forensic report an employer can now consult legal counsel in order to determine how best to proceed.</blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=4</guid>
		</item>
		<item>
			<title>Intellectual Property Theft (IP Theft)</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=3</link>
			<pubDate>Thu, 05 Aug 2010 07:49:25 GMT</pubDate>
			<description>Thought I would let you know what we are doing here at Disklabs, in our Computer Forensics ...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Thought I would let you know what we are doing here at Disklabs, in our <a href="http://www.computer-forensics.co.uk/computer-forensics-ip-theft.php" target="_blank">Computer Forensics </a>Department. <br />
<br />
We seem to be spending more and more time conducting investigations for HR departments. This is what we call <a href="http://www.computer-forensics.co.uk" target="_blank">IP Theft</a> (Intellectual Property Theft). In essence, it's when a member of staff leaves their company and uses data taken from the original company: <a href="http://www.computer-forensics.co.uk" target="_blank">stealing their Intellectual Property</a>.<br />
<br />
Our experience has shown that it's generally Senior Managers, Directors or Sales People that are the people in question; however, it's shocking how big some cases end up being as the investigation moves along. What starts with the investigation into a single computer can often end up being an investigation into several members of staff.<br />
<br />
Some of these cases will end up in a <a href="http://www.computer-forensics.co.uk" target="_blank">'Springboard Order'</a>, a legal term for the process that enables the company to stop the competitor that has used its data from operating.<br />
<br />
If you do suspect a member of staff is taking your company data, follow these simple rules:<br />
<br />
1. Secure their computer (take it away from their desk). Lock it up or put it securely in a lockable office.<br />
2. <b>DO NOT 'HAVE A LOOK'</b> - you will be overwriting evidence - which can end up in you getting your evidence thrown out and you losing the case.<br />
3. Contact experts in this field - Obviously, Disklabs should be your first choice!<br />
<br />
<br />
From this point, it's a straightforward investigation for the forensic analysts. We will work with your HR team or Lawyers to ensure that the matter is dealt with within legal regulation boundaries.<br />
<br />
Hopefully, after all the due process has been followed, you will be able to get the competitor shut down, or file for a computer misuse criminal charge.</blockquote>

 ]]></content:encoded>
			<dc:creator>Disklabs</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=3</guid>
		</item>
		<item>
			<title>Lessons from Data Recovery - Part 1</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=2</link>
			<pubDate>Thu, 06 May 2010 19:00:21 GMT</pubDate>
			<description><![CDATA[I've been working at Disklabs for a few weeks now. I've mostly been confined to the digital forensics lab but I've been able to poke my head out from...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">I've been working at Disklabs for a few weeks now. I've mostly been confined to the digital forensics lab but I've been able to poke my head out from time to time and see what the data recovery department are up to. I'm happy for this opportunity as it has taught me some interesting things that are useful for computer forensics, and some things that are potentially dangerous.<br />
<br />
Over the next few weeks I'll be posting articles about how data recovery has the potential to impact computer forensics in ways that few have thought possible.<br />
<br />
A scenario occurred recently in which an employee left a company on less than gracious terms. The next day the employee's former colleagues showed up for work and realised that the file server was inoperable. Upon closer inspection they found that all of the server's drives were blank. Forensic analysis was conducted and nothing was found. If the drive had been wiped it had been done so with undetectable software. The forensic investigator, and the tools at his disposal, had failed to provide an adequate answer.<br />
<br />
What would you do in a situation like this? I imagine that my report would be very sparse and contain very little information at all. You could look at wiping software artefacts, such as the sequence of bytes used, in order to determine if this individual had maliciously wiped the data from the drive but, failing this, what other avenues of investigation could be followed?<br />
<br />
One of the first things I learned after starting at Disklabs was that each hard drive contains certain information that is not stored on the platters, but on the system area of the drive. The two items that I found to be of most interest are the number of times the drive has been powered on and the number of hours that the drive has been active. This may not seem like a huge finding but the implications are awesome.<br />
<br />
Going back to our scenario, the hard disk drives were turned over to a data recovery expert who was able to unequivocally state that the drive had only been powered on a handful of times and had only been in operation for a few hours. What does this mean in terms of this investigation? We can draw one of two conclusions: either the drives had been replaced as a result of drive failure or they were replaced as a deliberate act intended to deceive. As it turns out the IT department of this company stated that the original drives should still be in operation inside the file server and that the information provided by the data recovery expert contradicted their own opinions.<br />
<br />
The original drives were recovered from the former employee's home a few days later.<br />
<br />
My short time at Disklabs has proven to me that we need to educate ourselves on these matters. How can we offer opinion or facts in our reports if we haven't covered every possibility?</blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=2</guid>
		</item>
		<item>
			<title>Forum Upgrade</title>
			<link>http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=1</link>
			<pubDate>Thu, 06 May 2010 15:42:34 GMT</pubDate>
			<description>You will have noticed that we have upgraded our forum. The upgrade has been made for both security and usability reasons. 
 
As you can see we have a...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">You will have noticed that we have upgraded our forum. The upgrade has been made for both security and usability reasons.<br />
<br />
As you can see we have a blogs section on the site now. We hope to be posting items here on a regular basis.<br />
<br />
If you have any ideas for possible articles please post them in the 'Site Suggestions' thread. We'll talk about almost anything so please don't be shy.<br />
<br />
We can now also include videos, and many other items. We hope to be able to build up this content over time to assist everyone in learning more about forensics, and expanding their knowledge.</blockquote>

 ]]></content:encoded>
			<dc:creator>LeeWhitfield</dc:creator>
			<guid isPermaLink="true">http://www.computer-forensics.co.uk/computer-forensics-forums/blog.php?b=1</guid>
		</item>
	</channel>
</rss>

