K&F Consulting Inc.

E-DISCOVERY 101: Where Can You Find Computer Related Evidence?
 By Todd L. Dietrich and Gregory Fordham
(Page 3)

          • Overwrite with new active data
            The continued use of the hard drive after deleting a file will cause new data to be written to unallocated space, overwriting the previous data.  This often happens incidentally through simple continued use of the system.  A simple way to pile up “new data” in a hurry is to surf the internet for any length of time.  Visiting new sites you have never been to before causes new data to be stored on the hard drive in the browser cache, or Temporary Internet Files folder.  This new data is written to the drive over previously deleted data.

          • Overwrite with false data
            Deleted files can be overwritten with false data.  This requires direct user interaction, and as such it can only be considered intentional.  Some methods for overwriting with false data include:

            • Wiping
              There are programs which will overwrite all of the unallocated space, or even active files, with either a set pattern of data (all zeros, for instance) or random data.  Obviously, there can be legitimate uses for eliminating data by this method; in fact, some corporate data retention/destruction policies call for the use of such tools.  However, if no such policy exists and files have been wiped, then the suspect custodian may be guilty of intentional spoliation.

            • File churning
              File churning is accomplished by deleting any incriminating data from the media, then copying large amounts of benign data onto the drive.  After copying the benign data onto the drive, the data is often deleted, or the drive is defragmented and then the data is deleted.  The process can be repeated numerous times.  File churning is far less precise and much more time consuming than running a wiping program, but it is something that even experienced examiners often overlook.

          • Destroy the media
            The only way to truly ensure that data is deleted is to physically destroy the media.  It is drastic, but it is permanent.

      • Deleted partitions
        Perhaps a user has deleted an entire partition on a hard drive.  This area may be inaccessible to the operating system and/or file system, but it may still contain viable data.

      • Free space
        Free space is the area of the hard drive that no longer has any references in the file system.  Files or fragments in this area must therefore be carved.  Deleted files, as described above, often become part of free space when the drive is defragmented.  A hex editor or specialized forensic tools are necessary to view free space, and data carving tools are required to recover files or fragments from this area.

        • Data Carving
          By using data carving a forensic examiner can recover files that would otherwise not be recoverable.  To understand what data carving is, we must first realize that almost every type of file contains a “header”, a unique sequence of characters that identifies the file's type.  Like a human signature, every file format's header is unique.  Most forensic programs can recognize file headers and sort files quickly based on the header rather than the extension.  Thus, if your suspect custodian has changed the name of the Smoking_Gun.doc file to Nothing_to_see_here.exe, it would still be identifiable as a Microsoft Word file by its header.

File headers are used to data carve files from unallocated space.  This can be done manually by looking at unallocated space with a hex editor and searching for a specific file header.  However, data carving is done much more efficiently by programs or utilities specifically designed to rapidly search through unallocated space looking for specific file headers.  When the tool finds one, it looks for an end-of-file marker and “carves out” the file.  If it cannot find an end-of-file marker, the tool assumes the file is a certain size and carves out a file based on that size.
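As an added illustration of the header-based identification and carving described in the two paragraphs above (example code written for this page, not a tool from the article's authors): it classifies data by its magic bytes regardless of file name, flags an extension that contradicts the header, and carves files out of a small constructed "unallocated space" buffer, falling back to an assumed fixed size when no end-of-file marker is found.  The signature table, the extension mapping, the 64-byte fallback length and the sample buffer are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Magic bytes (header) and EOF marker per format; None means no reliable footer
# exists (legacy OLE2 .doc), so the carver must fall back to an assumed size.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
    "ole2_doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),
}
EXPECTED_EXT = {"jpeg": {".jpg", ".jpeg"}, "pdf": {".pdf"}, "ole2_doc": {".doc", ".xls", ".ppt"}}

def identify(data: bytes) -> Optional[str]:
    """Classify a file by its header alone; the file name plays no part."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies a type that the extension contradicts."""
    kind = identify(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind is not None and ext not in EXPECTED_EXT[kind]

@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool  # True if an EOF marker bounded the file, False if the size was assumed

def carve(image: bytes, default_size: int = 64) -> List[Carved]:
    """Scan an image for every known header and cut out each file; default_size is the assumed fallback length."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(footer, start + len(header)) if footer else -1
            if end != -1:
                found.append(Carved(kind, start, image[start:end + len(footer)], True))
            else:  # no footer found: assume a fixed size, as the article describes
                found.append(Carved(kind, start, image[start:start + default_size], False))
    return sorted(found, key=lambda c: c.offset)

SAMPLE_IMAGE = (b"\x00" * 16                               # constructed sample: zeroed slack
    + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"W" * 24     # renamed Word .doc, no footer
    + b"%PDF-1.4 ... %%EOF"                                # small PDF with its EOF marker
    + b"\xff\xd8\xff\xe0" + b"J" * 10)                     # JPEG whose footer was overwritten
```

Running carve(SAMPLE_IMAGE) yields three hits: the PDF is bounded by its %%EOF marker, while the renamed .doc and the truncated JPEG are cut at the fallback length with complete set to False, which is exactly the case an examiner must review by hand.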

As a side note while discussing file headers: it is important to ask an e-discovery vendor how they will identify files.  The first and perhaps most important question to ask is: Does their extraction tool identify files based on header, or on extension?  If it is file extension only, then after listening to their rationale (or excuse), you should pass and move on to another vendor.  There is no excuse for limiting your ability to identify files to doing so by extension only. 

2. Mining File Servers and E-Mail Servers

Servers are typically designed for one of two main purposes: 1) either they are designed to carry much of the processing load; or 2) they are designed to provide a central storage location so users can access and/or share data.  In most cases, servers will fall under the second category.  As you begin to define the scope of your case with regard to ESI, you need to understand what types of servers are in use in the environment, and what type of information may be resident on these servers.  Some of the more common types are:

    • User Shares

      Often on file servers, the users will be given a section of the storage space as a personal storage location.  These are called “user shares”, and access to them may be restricted or open.  When approaching a case in which ESI will be a main component, you should determine whether the suspect custodian had access to any user shares.  If so, then in addition to any hard drives or other media to which he/she may have had access, you’ll want to ensure that you also preserve all shares to which he/she may have had access.
    • Mail Servers

      Typically, businesses have their email handled by an in-house server.  This is true whether they are using a Microsoft Exchange server to feed the email to Outlook, or Lotus Domino to pass the email to Lotus Notes.  In either case, you need to be aware of the infrastructure and how email is handled.  Is it kept on the server?  Is it downloaded to the local client?  What are the purge and/or archive settings?  Having this information can help you determine whether it is necessary to preserve an email server.
    • Collaboration Servers

      In recent years advanced user collaboration has become an important part of the daily routine of many companies.  Several programs have been developed which allow users to share documents, spreadsheets, emails, calendars, contacts and appointments.  For some companies, collaboration servers have replaced file servers and user shares.  It is important to understand the network infrastructure and determine what must be preserved.  If a collaboration server, such as Microsoft SharePoint, is used, and the suspect custodian had access to numerous projects, shares, or whatever the collaboration server calls them, then those things, or even the entire server, should be preserved and eventually analyzed.

3. Company Firewall, Router, Phone System and Security System Logs

All of these may very well contain important ESI.  However, the scope of your case will determine the need for analysis of these devices and/or logs.  If your case involves hacking into a network or single computer system to gain access to proprietary data, then all of these things, except the phone system, are going to be relevant to your case.  You’ll want to take measures to preserve these things, and doing so will require someone with network forensics experience.

To help understand what a router is, and what it does, consider the U.S. Postal Service.  For the purposes of this analogy let’s say your law firm has an office in Atlanta and one in Miami.  You have to mail some documents to an attorney in the Miami office.  You place the sealed envelope into the drop box.  From there it is collected and taken to the post office of the zip code in which the drop box is located.  From there it will go to the Atlanta sorting facility, where it will be sorted into a truck headed to Miami.  It will proceed to the Miami sorting facility, where it will be sent to the local post office for your Miami office.  Once there it will be sent out with the correct mail carrier, who hopefully will deliver it to the correct office. 

Copyright 2008 K&F Consulting Inc. This site is for informational purposes only. For technical advice please contact a representative.