E-DISCOVERY 101: Where Can You Find Computer Related Evidence?
By Todd L. Dietrich and Gregory Fordham
(Page 2)
Link files that may contain relevant information can be found in the following two locations:
- Recent Folder
Each user account on a Windows 2000, XP or 2003 system has its own sub-folder in the Documents and Settings folder. Within each user account's sub-folder is a Recent Folder, which is hidden by default. Within the Recent Folder are link files for recently accessed files, wherever those files may be located. For instance, if a user has accessed a file on a mapped network share, another on the local hard drive, and yet another on a USB storage device, all three actions will create separate link files in the Recent Folder.
- Restore Points
A feature included in Windows ME and Windows XP is called System Restore. Its purpose is to allow a user to quickly recover the system if a program installation goes awry. Windows does this by creating partial backups of the system, called restore points, and storing them in a folder on the hard drive that is inaccessible to the user. The Recent Folder is one of the areas on the hard drive that is included in these restore points. For instance, let's say that a suspect custodian accesses the Coke_Secret_Formula.doc file on a mapped network drive today, and then next week decides to delete the link files in the Recent Folder in an effort to cover his/her tracks. If his/her hard drive is pulled and imaged the following week, a link file showing the access of the Coke_Secret_Formula.doc file will likely turn up in the System Restore directory. The number of restore points kept in the System Restore directory is usually limited to thirty. So, as new restore points are created, either at a set time interval or by installing new software, older restore points are replaced.
- Event Logs
During the course of normal system operation, Windows tracks numerous events. They are sorted and recorded in one of three categories:
- Application Event Log
The Application Event Log contains events logged by installed programs. Which events get written to the application log, and whether any events are written to it at all, are decisions made by the developers of the program itself and not by the operating system. So some programs do not log any events whatsoever, while others log numerous events related to the normal functioning of the program. For instance, virus scanning programs often log several events, including updates, system scans and detected viruses.
- Security Event Log
The Security Event Log records events such as user logon attempts, network connections, and other events that may be related to the use of system resources. These can include the creation, opening, or deletion of files. However, such security auditing is not enabled by default and must be enabled before any such events are recorded.
- System Event Log
The System Event Log contains events logged by the operating system's various components. The loading of many drivers is recorded in this log. Drivers are files that contain the instructions for managing and accessing a particular hardware device. Certain events recorded in this log indicate proper system start and shutdown. Other events indicate activity in the CD/DVD drive of the computer, and in some rare cases they may even indicate the actual burning of a CD/DVD.
- Registry
The Windows Registry is a collection of numerous files that together function as a database storing settings, options and a listing of all hardware used on the system. In addition, the Registry also contains a listing of most software installed on the system. Some of the important keys in the Registry include:
- Current Version
The Windows Registry records the current version of the Windows operating system installed on the computer, including any service packs. Also included with this information is the date that the operating system was first installed on the computer. You may face a situation where testimony from one or more of the parties makes the installation date of the operating system an issue. For instance, an examination of the hard drive reveals user-created files that pre-date the recorded installation date. In such a case, the suspect custodian may have to explain their presence.
- TimeZoneInformation
It is important to check the time zone settings as recorded in the Windows Registry. Failure to account for a variation in time zones between the suspect system and the examination machine can lead to faulty conclusions about dates and times.
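The link files from the Recent Folder and the time zone point above can be worked through together. As an added example (not the authors' code), the parser below reads the Windows shell link (.lnk) header and LinkInfo block, then renders the target's timestamps using the suspect system's TimeZoneInformation\ActiveTimeBias rather than the examiner's clock. The .lnk bytes are constructed inside the code; the target path, volume label, serial number and bias value are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_TO_UNIX = 116444736000000000   # 100-ns ticks from 1601-01-01 to 1970-01-01
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote"}   # VolumeID.DriveType values

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601) to an aware UTC datetime."""
    return EPOCH_1970 + timedelta(microseconds=(ft - FILETIME_TO_UNIX) // 10)

def utc_to_local(dt_utc, active_time_bias):
    """Wall-clock time on the suspect system. ActiveTimeBias (minutes) is defined so that
    UTC = local + bias; use the suspect's bias, not the examination machine's zone."""
    return (dt_utc - timedelta(minutes=active_time_bias)).replace(tzinfo=None)

def parse_lnk(data, active_time_bias=0):
    """Read the ShellLinkHeader and, when present, the LinkInfo block of a .lnk file."""
    hdr_size, flags, ctime, atime, wtime, fsize = struct.unpack_from("<I16xI4xQQQI", data, 0)
    if hdr_size != 0x4C:
        raise ValueError("not a shell link file")
    local = lambda ft: utc_to_local(filetime_to_utc(ft), active_time_bias)
    info = {"target_size": fsize, "created": local(ctime),
            "accessed": local(atime), "modified": local(wtime)}
    pos = 0x4C
    if flags & 0x1:   # HasLinkTargetIDList: 2-byte IDListSize, then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:   # HasLinkInfo
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:   # VolumeIDAndLocalBasePath: target sat on a local or removable volume
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, "other")
            info["volume_serial"] = f"{serial:08X}"
            end = data.index(b"\x00", pos + base_off)
            info["target"] = data[pos + base_off:end].decode("cp1252")
        pos += li_size
    return info

def build_sample_lnk():
    """Constructed sample, not captured from any real system: a link to a file on a removable volume."""
    ft = lambda dt: int((dt - EPOCH_1970).total_seconds()) * 10_000_000 + FILETIME_TO_UNIX
    created, accessed = datetime(2007, 3, 1, 14, 30, tzinfo=timezone.utc), datetime(2007, 3, 8, 9, 5, tzinfo=timezone.utc)
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<IIQQQIIIHHII", 0x2, 0x20, ft(created), ft(accessed), ft(accessed),
                          4096, 0, 1, 0, 0, 0, 0)   # HasLinkInfo, ARCHIVE, times, size, icon, show, reserved
    label, base = b"USBDRIVE\x00", b"E:\\Coke_Secret_Formula.doc\x00"
    volume = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label   # DriveType 2 = removable
    vol_off, base_off = 28, 28 + len(volume)
    suffix_off = base_off + len(base)   # an empty CommonPathSuffix follows the base path
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, vol_off, base_off, 0, suffix_off)
    return header + linkinfo + volume + base + b"\x00"
```

Calling parse_lnk(build_sample_lnk(), active_time_bias=300) renders the 09:05 UTC access as 04:05 local; a bias of 0 would have reported the same event five hours later, which is exactly the kind of error the article warns about.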
- Mounted Devices
All of the drive letters that have ever been assigned by the operating system are recorded in the Mounted Devices key in the Windows Registry. The type of device is also recorded. This is usually very important information, as it will reveal whether the user has connected any external media to the computer. This obviously can indicate an attempt to move or hide data.
- USBSTOR
The Windows Registry records the first and last date that any USB device was connected to the system. Also recorded is the device's serial number. This information is usually quite helpful in cases involving the potential movement of data from one system to another (trade secrets, sexual harassment, discrimination, etc.).
- USERASSIST
This key in the Windows Registry tracks the programs accessed via the Windows start menu. The stated purpose is to allow the system to sort frequently accessed programs for easy retrieval. The impact here is obvious: if someone claims to have "never seen, loaded or run Wiping Program XYZ", but the USERASSIST key logged that Wiping Program XYZ was run a week after the suit was filed, well then someone has some explaining to do.
- Active Memory
A relatively new area of examination is that of active memory. It requires that the system be examined while still running and immediately after an incident has occurred. By so doing, the active memory can be captured and examined. Given that some software tools, including some hacker tools and some file wiping utilities, can be loaded entirely into memory without even touching the hard drive or the Windows Registry, it may be important to examine active memory, since there may be no other evidence of these tools having been used on the system.
- Swap File (or Swap Partition)
Often the amount of data that needs to be loaded into memory exceeds the physical memory of the machine, so the operating system will "swap" data onto the hard drive. Thus, the swapped data will contain information that was at one time in the active memory of the computer. The Windows operating system creates a file that it uses to swap this information in and out of memory. In Unix-based environments, such as Linux, BSD or Macintosh, the swapping is usually done to a very small separate partition. The swap file/partition may contain information that was never saved as a file on the system, but traces of its being viewed on the suspect system could show up in an analysis of the swap file.
- Slack Space/File Slack
A hard drive contains a series of concentric rings called tracks. These tracks are then sliced into smaller chunks called sectors. Data is written to a hard drive one sector at a time. However, a minimum number of sectors must be allocated for each file. This minimum number of sectors is called a cluster. When a file is written to a cluster, an entire cluster is allocated, or booked by the file system as being used, even if the file does not completely fill the entire cluster.
Slack space, or file slack, is the data that resides from the end of the file to the end of a cluster. File slack can range in size from one byte to a full cluster minus one byte. Often fragments from prior files will occupy this space. Slack space cannot be viewed without a hex editor or other forensic tools.
A good analogy is video tape. A VHS tape may have a two, four or six hour recording time, depending on the settings used during the recording. Say you wanted to tape the Super Bowl, and you did so at the highest possible resolution. This would mean each tape would last two hours. If you start taping at the coin toss, you are likely to end up needing three tapes to complete the recording. The first two would be completely full and the last tape would only have a small portion of the game on it. However, the entire tape would be “allocated” to the Super Bowl recording.
Now imagine that the last tape you used to record the Super Bowl had previously held the two hour finale of American Idol. So, after recording the Super Bowl, the first 30 minutes are the last section of the Super Bowl, but the remainder of the tape is a fragment of the American Idol finale. Much of it is still there, and much of it can be viewed and discerned. The American Idol portion of the tape would be the slack space, and it may be relevant to your case.
Defragmenting a hard drive can, and will, overwrite data in slack space. However, given how hard drives are laid out and how data is stored on them, defragmenting a hard drive will create new instances of slack space.
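As an added illustration of file slack (example code, not the authors'), the simulation below mirrors the VHS analogy on a constructed drive: a longer file is written and "deleted", a shorter file reuses its first clusters, and a keyword that appears in no visible file is recovered from the new file's slack. The 4096-byte cluster size, file names and contents are assumptions made for the example.

```python
CLUSTER = 4096   # bytes per cluster: 8 sectors of 512 bytes, a common NTFS default

def slack_bytes(file_size, cluster=CLUSTER):
    """Unused bytes in a file's last cluster: 0 for an empty file or one that ends exactly
    on a cluster boundary, otherwise between 1 and cluster - 1, as the article states."""
    rem = file_size % cluster
    return 0 if rem == 0 else cluster - rem

def write_file(disk, start_cluster, content, cluster=CLUSTER):
    """Write a file the way a simple file system does: whole clusters are booked, but only the
    file's own bytes are written, so the tail of the last cluster keeps whatever was there."""
    start = start_cluster * cluster
    disk[start:start + len(content)] = content
    return (len(content) + cluster - 1) // cluster   # clusters now allocated to this file

def carve_slack(disk, start_cluster, file_size, cluster=CLUSTER):
    """Return the bytes between the file's logical end and the end of its last cluster."""
    end = start_cluster * cluster + file_size
    return bytes(disk[end:end + slack_bytes(file_size, cluster)])

def search_slack(disk, file_table, keyword, cluster=CLUSTER):
    """Names of files whose slack holds `keyword` even though their visible content does not."""
    hits = []
    for name, start_cluster, size in file_table:
        start = start_cluster * cluster
        visible = bytes(disk[start:start + size])
        if keyword not in visible and keyword in carve_slack(disk, start_cluster, size, cluster):
            hits.append(name)
    return hits

def demo():
    """Constructed scenario mirroring the VHS analogy: a long file is deleted and a shorter file
    later reuses its first clusters, so the old file's tail survives as the new file's slack."""
    disk = bytearray(8 * CLUSTER)                       # 32 KiB constructed "drive", all zero
    old = b"formula draft v3 ... FORMULA: step 7, add vanilla extract\n" * 200   # 11800 bytes
    write_file(disk, 0, old)                            # occupies clusters 0-2, then is "deleted"
    new = b"Quarterly newsletter, page 1\n" * 150       # 4350 bytes: two clusters, 3842 bytes slack
    clusters = write_file(disk, 0, new)                 # reuses clusters 0 and 1
    table = [("newsletter.txt", 0, len(new))]           # what the directory listing shows
    return clusters, slack_bytes(len(new)), search_slack(disk, table, b"FORMULA")

if __name__ == "__main__":
    print(demo())   # (2, 3842, ['newsletter.txt'])
```

Reading newsletter.txt through the file system returns only its 4350 bytes; the 3842 bytes of slack behind it are reachable only by addressing the cluster directly, which is why the article says a hex editor or forensic tool is needed.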