The acquisition of the media, although tedious, is generally clear-cut. A trained investigator, following a set of rules, can be reasonably certain that the data was acquired properly and is not tainted. Examining the evidence to find proof of wrongdoing, however, can be anything but straightforward.

Planning the Search

The most important step in the examination is to plan what items to search for. A poorly designed search will produce either no results at all or so many that they are unusable. A well-designed search consists of unique items that are unlikely to occur outside the scope of the investigation but are likely to be present in any incriminating evidence. This might sound like a simple task, but it often is not. The examples in the sidebar illustrate this.

File Recovery

As part of the examination, data might be found in file fragments or file slack. To examine this data in context, it is often necessary to recover the deleted files. Most of the forensics suites described in this chapter provide a recovery capability. File recovery is often a hit-or-miss proposition, however. The file header, which can contain vital information, might be missing. For example, the text of a word processing document could be recovered in its entirety while the header information (such as the name of the creator and "Undo" information) is unavailable. Image files are especially difficult to reconstruct because they are often highly compressed; fragments missing from an image file might make it impossible to decode the compression and view the file. In any case, viewing the recovered file along with its surrounding data can provide a clearer picture of the evidence. Some forensics tools can also provide date and time information for deleted files, including created, modified, and deleted dates, which might be useful in establishing a pattern during the investigation.

Operating System Files

Certain operating system files might contain crucial evidence. The Windows Registry, for example, might contain information such as recently accessed files, system usernames and passwords, and network connections. Some files can be viewed or examined on other systems. For example, Windows NT stores some logging information in event log files with an .evt extension, and any NT machine can open and examine those files. Other information, however, is not so readily accessible; the Registry is the best example of this. Much of the information in the Windows Registry cannot be accessed unless the operating system is running. In this case, it is necessary to restore the entire evidence drive to a backup copy and then use this copy to boot up a machine for examination. This copy will be irreversibly altered by the boot process. However, the investigator should be able to demonstrate empirically that the copy produces the same Registry information every time and that the specific data recovered is not modified by the boot and examination process.
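As an added example (not from this chapter or any of the suites it mentions), the Python below shows the two File Recovery ideas in working code: it carves files out of a raw image by header and footer signature, reports a fragment whose footer is gone as incomplete rather than gluing it to the next file, reads the slack between a file's logical end and its cluster boundary, and hashes each carved file so repeated runs can be compared, the same kind of repeatability check the text asks for. The signature table, the 512-byte cluster size and the image contents are all constructed for the demonstration.

```python
import hashlib
import re

# Constructed, minimal signature table; real carving tools carry many more.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
CLUSTER = 512  # assumed cluster size of the constructed image


def carve(image: bytes) -> list:
    """Find every known header and pair it with the next footer of the same
    type. A header with no footer before the next header is reported as
    incomplete, which is the 'missing fragment' case described for images."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        starts = [m.start() for m in re.finditer(re.escape(header), image)]
        for i, start in enumerate(starts):
            limit = starts[i + 1] if i + 1 < len(starts) else len(image)
            end = image.find(footer, start + len(header), limit)
            rec = {"type": kind, "offset": start, "complete": end != -1}
            if rec["complete"]:
                # Hash the carved bytes so repeated runs can be shown to agree.
                rec["sha256"] = hashlib.sha256(image[start:end + len(footer)]).hexdigest()
            found.append(rec)
    return sorted(found, key=lambda r: r["offset"])


def slack(image: bytes, file_start: int, logical_size: int) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster."""
    allocated = -(-logical_size // CLUSTER) * CLUSTER  # round up to a cluster
    return image[file_start + logical_size:file_start + allocated]


def build_image() -> bytes:
    """Constructed 2 KiB 'disk image': a memo with old data in its slack, a
    truncated JPEG, a complete JPEG and a complete PNG, one per cluster."""
    img = bytearray(4 * CLUSTER)
    memo = b"CONFIDENTIAL MEMO: see attached photo"
    img[0:len(memo)] = memo
    old = b"remnant of an earlier deleted file"
    img[100:100 + len(old)] = old                       # sits in the memo's slack
    frag = b"\xff\xd8\xff\xe0" + b"picture cut off"     # footer overwritten
    img[CLUSTER:CLUSTER + len(frag)] = frag
    jpg = b"\xff\xd8\xff\xe0" + b"whole picture" + b"\xff\xd9"
    img[2 * CLUSTER:2 * CLUSTER + len(jpg)] = jpg
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..IDAT.." + b"IEND\xaeB`\x82"
    img[3 * CLUSTER:3 * CLUSTER + len(png)] = png
    return bytes(img)
```

Calling `carve(build_image())` lists the three image headers in offset order with the first JPEG flagged incomplete, and `slack(build_image(), 0, 37)` returns the 475 bytes after the memo, which still hold the remnant of the earlier file.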