Advanced Searches


Even if the search does not require covert access, there are cases in which the basic techniques described in the preceding chapter are not feasible. For example, the machine in question might have suffered a hardware failure, or it might have a nonstandard storage configuration that prevents a direct disk-to-disk copy.

Hardware Recovery

Occasionally, an investigator might be asked to recover data from damaged media. The media might be physically damaged (intentionally or not) or might have suffered logical damage such as the deletion of files or a reformat. Most of the forensics tools discussed in the preceding chapter can recover deleted files and data from file slack. If a drive was repartitioned, it might be possible to recover some or most of the data using forensics techniques. Logical recovery of this kind should be performed on a verified image of the drive, never on the original media, so that a failed attempt does not destroy what is left.

Recovering physically damaged media is beyond the scope of both this book and most forensics investigators. There are stories of investigators, for example, taking a damaged floppy disk and gluing it to a blank disk for recovery. However, the chances of further damaging the data are extremely high. Hard disk platters are extremely sensitive to dust, and a well-intentioned but poorly equipped recovery attempt made outside a clean-room environment will almost certainly damage the disk further.

If an investigator is tasked with data recovery from a damaged disk, qualified data-recovery specialists should be consulted. The recovery rate of these services is extremely high, and some of them offer a forensics option in which the media and the recovery process are handled according to the Federal Rules of Evidence. If the incident response team anticipates a requirement for data recovery, it should coordinate with such a service in advance. The IT operations or business continuity planning organizations might already have an arrangement with one.

Laptops

Until recently, portable computers were uncommon in the corporate environment. However, with a mobile workforce and a tendency toward telecommuting, more companies are issuing notebook computers as the corporate standard configuration. These computers might include docking stations, external keyboards and monitors, and even external storage such as additional hard drives. Although desktop computers have a generally standard hardware configuration, notebooks tend toward proprietary components. A desktop hard drive will almost certainly use a standard IDE or SCSI interface and can be imaged on the suspect machine or placed into the forensics computer for copying and examination. Notebook drives are physically smaller (2.5 inch) and use a different connector. Most notebook drives carry both the IDE signals and the power supply on a single 44-pin connector, whereas a standard desktop IDE drive has a 40-pin cable for the controller and a separate 4-pin power connector.

In some situations, it is possible to adapt a notebook drive to a standard IDE cable. Cables N Mor (www.cablesnmor.com) offers an adapter for 44-pin, 2.5-inch notebook drives that allows the investigator to connect a standard IDE drive cable. Figure 9.1 shows this device in use.

Figure 9.1. A notebook IDE adapter [2] .

[2] Picture courtesy of Cables N Mor, http://cablesnmor.com/f26500.html.

The IBM ThinkPad series also uses a 44-pin connector, but the pin-out is different, so a generic adapter will not work. However, IBM offers a docking station that includes spare IDE bays. The notebook can simply be placed in the docking station with the target disk in one of the spare drive bays for imaging.

Another alternative is to copy the data to an external destination through a parallel or serial port. SafeBack and EnCase (discussed in the preceding chapter) both allow the investigator to connect peripherals such as Zip drives to the computer and copy the data to the external peripheral. EnCase also supports what it calls a "client-server mode," in which the source computer is connected with a parallel or serial null modem cable to the forensics machine and the data is copied over the cable. As previously discussed, however, both of these techniques take an extremely long time to run because of the limited data transfer speed of the ports. A direct connection using an adapter is preferable from a speed standpoint. It also might be more defensible if the accuracy of the copy becomes an issue. Again, if this is perceived to be an issue, the incident response team might want to consult the software vendor for assistance, including expert testimony if required.

Another issue with laptops is power. If the laptop drive cannot be mounted in another system using one of the aforementioned adapters, the data must be copied using the laptop itself, booted from the investigator's own media so that the evidence drive is never written. If the laptop's power supply is unavailable, the investigator must provide an alternative. If the team expects to be called on to perform laptop forensics, it can stock the forensics lab with power supplies. An adjustable power supply with multiple adapters is one option. Care must be taken, however, to ensure that the output has the correct voltage and polarity to avoid damaging the laptop (and the evidence). Another option is to procure a universal power supply designed for multiple systems. Computer supply vendors often carry such units for business travelers, and a universal supply with multiple adapter plugs can be obtained for less than $150.

Older Systems

An investigator might be called on to perform forensics on older legacy systems. For example, a company might be using older systems as thin clients, or it might have legacy applications that only run on certain platforms. Specific requirements for imaging and searching legacy systems vary widely. The task might be as simple as finding a drive capable of reading the disks, or as complex as dealing with a file system the forensics machine does not understand.

If the data is stored on media that an x86-based system can recognize, imaging is simply a matter of mounting the media on a forensics box and using imaging software. If, however, the medium is in some proprietary format, imaging might be difficult or impossible. The vendor, if still in business, might be able to help with conversion or connection software or hardware. Some data-recovery services also have the capability to extract data from legacy hardware.

If the data can be successfully imaged but uses a file system not recognized by the forensics software, an investigation is still possible using a disk editor. By accessing the disk structure directly, the investigator can search for ASCII text fragments. A more detailed search is probably not possible without building a custom machine running the same operating system as the target.

Personal Digital Assistants

Personal digital assistants (PDAs) are becoming more popular in the corporate environment. If the corporation provides the device, it should have the authority to search it (with, of course, the usual disclaimers). If, however, the user has provided the device and has connected it to his or her work computer, the issue is much less clear. As always, competent legal counsel should be consulted. Arguably, the data (or some of it) might belong to the company if, for example, the PDA downloads corporate email for offline reading. As of this writing (2002), the admissibility of a forensics search of a PDA has not been challenged, so the legal precedents on issues such as bit-by-bit copies are still unclear.

PDAs can be standalone devices with no capability to connect to a computer. More often, however, they share and synchronize data with a desktop machine. Some include removable storage or networking capabilities. Most store data in flash memory rather than on conventional disks (although IBM makes a hard drive that fits in a CompactFlash slot).

The investigator has two alternatives when searching a PDA. The device can be synchronized or backed up to the forensics computer and the data examined there, or the device can be examined on its own. In practice, both are recommended. Any removable data store should be removed and imaged separately. For example, a CompactFlash card can be removed and mounted using either a PC Card (PCMCIA) adapter or an external reader. It can then be imaged using forensics software and examined like any other disk image.

The device should then be connected and a full backup made. This backup can be examined with a hex editor. Depending on the format, ASCII text might be visible within the backup file. If not, the backup can be restored to a clean PDA for examination offline. Shareware programs are available that directly read various PDA database files. Although this might yield valuable evidence, it should be corroborated by other sources (such as a search of the user's computer or an interview with the subject) because the admissibility of this evidence might be suspect.
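The raw-image text search described for legacy file systems and for PDA backups above is the same operation in both cases, so here is one worked example, added to this page and not taken from the book: a Python script that makes a bit-for-bit copy of a device file, verifies the copy by hashing source and image independently, and then scans the image for runs of printable ASCII, which is what a disk or hex editor's text view shows. The device path, image name, and the embedded e-mail fragment are constructed for the demonstration; on real media the source would be a block device such as /dev/sdb (an assumed path), opened read-only behind a write blocker, and the image would be read with mmap rather than loaded whole.

```python
"""Added example (not from the book): image a raw device, verify the copy,
and carve ASCII text fragments from the image. All paths and sample data
are constructed for the demonstration."""
import hashlib
import os
import tempfile

BLOCK = 64 * 1024  # copy in 64 KiB chunks; chunk size does not affect the result


def image_device(src_path: str, img_path: str) -> dict:
    """Copy src_path to img_path byte for byte and hash both sides.

    The image is re-read from disk after writing, rather than hashing the
    in-memory bytes, so a short write or bad destination sector is caught.
    A mismatch means the image must not be used as evidence."""
    src_hash = hashlib.sha256()
    img_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(chunk)
            img.write(chunk)
    with open(img_path, "rb") as img:
        for chunk in iter(lambda: img.read(BLOCK), b""):
            img_hash.update(chunk)
    return {
        "source": src_hash.hexdigest(),
        "image": img_hash.hexdigest(),
        "verified": src_hash.digest() == img_hash.digest(),
    }


def ascii_fragments(data: bytes, min_len: int = 6) -> list:
    """Return (offset, text) for each run of at least min_len printable
    ASCII bytes (0x20-0x7E plus tab). Runs end at the first other byte,
    so NUL padding and binary data separate fragments, as in a disk editor."""
    out = []
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E or b == 0x09:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                out.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        out.append((start, data[start:].decode("ascii")))
    return out


def search_image(img_path: str, keyword: str, min_len: int = 6) -> list:
    """Fragments in the image whose text contains keyword (case-insensitive)."""
    with open(img_path, "rb") as f:
        data = f.read()  # acceptable for the small constructed image only
    kw = keyword.lower()
    return [(off, txt) for off, txt in ascii_fragments(data, min_len) if kw in txt.lower()]


def build_sample_device(path: str) -> None:
    """Constructed stand-in for a raw drive: NUL padding, an e-mail header
    fragment left by a deleted file, binary data, a file name, and noise
    that never forms a printable run of six or more bytes."""
    noise = bytes((i * 37) % 256 for i in range(300))
    payload = (
        b"\x00" * 512
        + b"From: user@corp.example\r\nSubject: Q3 forecast - confidential\r\n"
        + bytes(range(256)) * 2
        + b"\x00" * 100
        + b"budget.xls"
        + noise
        + b"\x00" * 256
    )
    with open(path, "wb") as f:
        f.write(payload)


def demo() -> dict:
    """Run the whole procedure on the constructed device and return the
    verification result plus the fragments that match two keywords."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "notebook-drive.raw")  # stands in for /dev/sdb
        img = os.path.join(d, "evidence-001.dd")
        build_sample_device(dev)
        result = image_device(dev, img)
        with open(img, "rb") as f:
            fragments = ascii_fragments(f.read())
        return {
            "verified": result["verified"],
            "sha256": result["image"],
            "fragments": fragments,
            "confidential": search_image(img, "confidential"),
            "budget": search_image(img, "budget"),
        }


if __name__ == "__main__":
    r = demo()
    print("image verified:", r["verified"], "sha256:", r["sha256"])
    for off, txt in r["fragments"]:
        print(f"0x{off:08x}  {txt[:60]}")
```

Record both digests in the evidence log at imaging time and re-hash the image before every examination session; the offsets reported by the scan are what an investigator would note when locating the same bytes in a disk editor or when restoring a PDA backup to a clean device for comparison.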

Finally, the PDA itself should be searched. Some models (for example, models running versions of Microsoft Windows) can be mounted to the forensics machine as a virtual device and examined using the forensics software. Others must be searched manually by using the email, text editor, and other programs supplied on the device.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103