E-DISCOVERY 101: Where Can You Find Computer Related Evidence?
By Todd L. Dietrich and Gregory Fordham
(Page 4)
Fortunately, data transmission is much more accurate than the postal service. In the above analogy, the drop box and the mail room at your Miami office represent the originating workstation and the receiving workstation, respectively. The local post offices represent devices called switches. They may physically resemble routers, and they do perform some very basic routing of data. Like a local post office, though, a switch does one of two things with data: it either sends it to a machine connected directly to it, or passes it on to the router. The sorting facilities represent routers. A router reads the “address” on a data transmission and sends the data toward its destination. As in the example above, a transmission of data, especially over the internet, will pass through at least two routers along the way.
A router may either be a small highly specialized computer, or it may be an actual computer running an operating system capable of functioning as a router. In either case, routers are capable of creating and retaining logs of the data traffic that they “route” and storing it internally. These logs can be analyzed and can prove to be quite helpful if your case involves the transmission or remote access of data over the internet.
A simple explanation of a firewall is that it is a data filter. It will only allow data to pass through in either direction if it has been previously cleared. A firewall may be a physical hardware device, or it may be a software application running on a router or computer. As with a router, a firewall will create and maintain logs of the data that it either blocks or allows. And as with a router, these logs could prove to be helpful in certain instances.
More and more phone systems are actually part of the computer network and not stand-alone systems. This means that voicemails and inbound/outbound call lists are ESI and are stored on a hard drive on a server somewhere. In some instances, depending on the format, even deleted voicemails may be recoverable using data carving tools. Once again, the overall scope of your case will determine if this type of ESI is relevant or useful to you.
4. What You Can Use From PDAs and Mobile Phones
As technology has improved over the last several years, the power and capabilities of mobile devices have dramatically improved. Mobile devices are no longer just phones or handheld organizers; they are not far from being complete handheld computers. The one main difference is that mobile devices do not have a hard drive, but usually contain some form of flash memory. As the capabilities of these devices have improved, the types of data they contain, and the amount of data they contain, have changed drastically as well. Some of the types of information available include:
- Contacts
Depending on the device, this may simply be a phone list, or it may be all the contacts in the suspect custodian’s Outlook. Just as the contacts in Outlook may be relevant or even vitally important, those contained on the suspect custodian’s mobile device would be of equal relevance and importance.
- Files
Many devices are capable of viewing and editing Microsoft Office files. Thus the mobile device may contain versions not available on a suspect custodian’s hard drive. In addition to Office files, there may be music or video files that could prove to be relevant. Also realize that many devices are also cameras, so there may be picture files resident on the device that may be of interest.
- Text messages
One of the most popular features of mobile devices is the ability to send text messages. These messages may be sent to other mobile devices, or to a computer. Not only is the location to which these messages are being sent of interest; what they contain is also a potentially important piece of evidence. Depending on the device and the service being used, logs of text messages, including sender and recipient information, may be available either on the device or from the service provider.
- Emails
Many mobile devices are capable of receiving and sending email messages. Obviously, your interest in these messages should match your interest in emails sent to or from a suspect custodian’s hard drive.
- Internet browsing history
In addition to email capability, many mobile devices are also capable of accessing the internet. The browsers used on these devices are scaled down versions of the regular web browsers. As such, their history can be examined in the same fashion as the regular versions.
- Synchronization Logs
These logs may exist on the computer, or on the device, or on both. If they are on the mobile device, then they can be examined to determine when synchronizations have taken place, and to which machines the device was synchronized. This could be extremely helpful if the device is being synchronized to a previously unaccounted for computer.
5. Locating Good Evidence on Backup Tapes and Removable Media (USB Storage Devices, Etc.)
Beyond local hard drives and network shares, potentially relevant ESI can, and often does, exist on other forms of media. Two of the more common are backup tapes and removable media.
- Backup Tapes
Backup tapes are quite useful as they provide a picture of what is present in active space at the point in time the backup occurred. An example of how this is useful is when a suspect custodian copies the Smoking_Gun.doc file from its proper location to his user share on the company network. The file stays there long enough to get backed up. After the backup, the file is either moved, or copied and deleted. Since they only capture active data, subsequent backups won’t capture the deleted Smoking_Gun.doc file. Likewise, when the user share is examined by your expert, it doesn’t show anything suspicious. The only place the evidence may exist is on that one backup tape.
Bear in mind that backup policies vary greatly from company to company. One company may have every single backup they’ve ever run. Another company may only have a week’s or a month’s worth of backups. It is important to determine the type of backup regime in use, and decide how many of the tapes are potentially relevant. In the case of the company with every single backup, a sampling of their tapes may be the most efficient way to review what is there. For a much smaller collection of backups, it may be better to analyze all the tapes.
One thing to remember no matter the overall size of the backup catalog, is that all of the tapes in the catalog can be preserved for litigation by simply taking them out of rotation and having them placed in a secure location.
Backup tapes can present a bit of a challenge when it comes to analyzing them. There are numerous tape types, sizes and formats, all of which must be accounted for before restoring and/or analyzing the tapes. Tools have been developed which make these less of a challenge than they had been, but restoring and analyzing backup tapes in a forensic manner remains a specialized field.
- Removable Media
In the past, this topic would simply mean floppy disks. Given their small storage capacity, the amount of data on them was limited. Today very few computers are even sold with floppy drives anymore. Over time the term removable media has grown to include re-writable CD’s and DVD’s. And now it also includes USB storage devices of various types, sizes and capacities. Obviously each of these types of removable media can store potentially relevant ESI.
- CD’s and DVD’s
With the advancement of cheap technology comes greater risk for companies attempting to protect their data. Realize that with the price of writable DVD drives now as low as $20.00, the number of computers with the ability to write to a CD or DVD has mushroomed in recent years. Given that a CD will hold up to 700MB worth of data and DVD’s can hold over 8GB of data, a potential trade secret thief now has the ability to move a large amount of data.
One of the unique things about CD’s and/or DVD’s is that they can contain multiple sessions. For instance, the suspect custodian can burn several files, or even an entire folder, to a CD. However, the CD is not closed, and in a second session the suspect custodian burns several music files to the disk. If the disk is examined without some specialized tools, the only session that will be visible will be the music. The Smoking_Gun.doc file will remain hidden.
Like backup tapes, CD’s and DVD’s are extremely easy to preserve. Simply placing them into a safe location is all that is needed. Analyzing them is relatively easy as well, so long as the proper tools are used. While there are some non-forensic tools available to analyze CD’s and DVD’s, it is best to use forensic tools which will protect against the potential that the disks are re-writable. In fact, a forensic image of the disk is highly recommended. The forensic imaging tools are designed to read multiple sessions, and the forensic analysis tools are capable of analyzing images of multiple disks at one time.
One thing that makes a forensic analysis of a CD or DVD difficult is that there is no way to tie it back to being burned on a single computer. On the other side, depending on the application used to do so, it is often very difficult in an analysis of a hard drive to determine if a CD/DVD was burned.
- USB Storage Devices
USB storage devices are one of the biggest threats to a company’s proprietary data. While this group of devices includes external hard drives, the primary type of device is the thumbdrive. They developed their nickname by being small, with most of them about the size of an adult thumb. They currently are being sold in sizes as large as 16GB, so they are capable of holding a significant amount of data. Like backup tapes and CD’s/DVD’s it is quite easy to preserve a USB storage device. Place it in a safe, secure location until it can be imaged. Do not plug it into a machine to “have a look”, as any access will alter the file system on the device and thus potentially alter evidence. Much like a hard drive, specialized forensic hardware and software are necessary to image and analyze a USB storage device.
Each USB storage device contains a serial number. When the device is plugged into a Windows computer, the serial number is stored in the USBSTOR key in the Windows Registry. When conducting a forensic analysis of a hard drive, this information is reviewed and can prove to be very helpful in determining if the same device was used on multiple systems. Say for instance, the computer at a former employer and a computer at a current employer.
Analyzing a USB storage device is quite similar in both form and function to analyzing a hard drive. Most devices are formatted with the FAT32 file system. The devices will contain both allocated and unallocated space, and both active and deleted files. Data carving can be done to recover files from unallocated space. Issues that may be encountered when analyzing a USB storage device stem from several manufacturers including encryption tools on their devices. If a user has placed files into a “secure locker” on a USB storage device, they will likely not be recoverable without the password. A forensic examination must be completed on the device to determine what is, or is not, accessible or recoverable.
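The script below is an added example, not part of the article, illustrating the data carving mentioned here and in the voicemail paragraph earlier: it scans a raw image of unallocated space for well-known file signatures (JPEG, PDF, RIFF/WAVE audio and OLE2 compound documents such as a legacy `.doc`) and recovers each hit either to its trailer, to the length stored in its header, or, for formats with neither, up to the next header. The "unallocated space" image is constructed inline from a few fake files and filler bytes so it runs offline; `build_sample_image()` and the `SAMPLE_*` constants are constructed data, not anything from the article.

```python
"""
Added example (not from the article): a minimal header/footer file carver of the
kind used to recover deleted files from unallocated space on a FAT32 thumb drive
or from a server-side voicemail store. The sample image below is constructed.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    ext: str
    header: re.Pattern                                   # matched against the raw image
    footer: Optional[bytes]                              # trailer bytes, if the format has one
    sizer: Optional[Callable[[bytes, int], int]]         # reads the file length from its header
    max_len: int                                         # upper bound on a single carve


def _riff_size(image: bytes, start: int) -> int:
    # RIFF/WAVE: little-endian chunk size at offset 4 counts every byte after it.
    return struct.unpack_from("<I", image, start + 4)[0] + 8


SIGNATURES = [
    Signature("jpeg", "jpg", re.compile(rb"\xff\xd8\xff"), b"\xff\xd9", None, 16 << 20),
    Signature("pdf", "pdf", re.compile(rb"%PDF-"), b"%%EOF", None, 64 << 20),
    Signature("wav", "wav", re.compile(rb"RIFF.{4}WAVE", re.DOTALL), None, _riff_size, 64 << 20),
    # OLE2 compound document (legacy .doc/.xls/.ppt): magic header, no trailer marker.
    Signature("ole2", "doc", re.compile(rb"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"), None, None, 4 << 20),
]


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    ext: str
    offset: int
    data: bytes


def carve(image: bytes, signatures=SIGNATURES) -> list[CarvedFile]:
    """Find every known header in the image and carve each one to its end."""
    headers = sorted(
        ((m.start(), m.end(), sig) for sig in signatures for m in sig.header.finditer(image)),
        key=lambda h: h[0],
    )
    starts = [h[0] for h in headers]
    out = []
    for i, (start, hdr_end, sig) in enumerate(headers):
        limit = min(len(image), start + sig.max_len)
        if sig.footer is not None:
            end = image.find(sig.footer, hdr_end, limit)
            if end < 0:
                continue  # header without a trailer in range: file was likely overwritten
            end += len(sig.footer)
        elif sig.sizer is not None:
            end = min(limit, start + sig.sizer(image, start))
        else:
            # No trailer and no size field: stop at the next header of any type.
            end = min(limit, starts[i + 1] if i + 1 < len(headers) else len(image))
        out.append(CarvedFile(sig.name, sig.ext, start, image[start:end]))
    return out


def write_carved(hits: list[CarvedFile], dest: Path) -> list[Path]:
    """Write each carved file as <offset>.<ext> under dest and return the paths."""
    dest.mkdir(parents=True, exist_ok=True)
    paths = []
    for h in hits:
        p = dest / f"{h.offset:08x}.{h.ext}"
        p.write_bytes(h.data)
        paths.append(p)
    return paths


# Constructed sample "files" and the fake unallocated-space image that contains them.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-photo" + b"\xff\xd9"
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"Smoking_Gun.doc body (constructed)"
_WAV_PAYLOAD = b"fmt -constructed-voicemail"
SAMPLE_WAV = b"RIFF" + struct.pack("<I", 4 + len(_WAV_PAYLOAD)) + b"WAVE" + _WAV_PAYLOAD
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"


def build_sample_image() -> bytes:
    filler = bytes(range(256)) * 4  # slack bytes between the deleted files
    return filler + SAMPLE_JPEG + filler + SAMPLE_DOC + filler + SAMPLE_WAV + filler + SAMPLE_PDF + filler


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit.kind:5} at offset {hit.offset:#08x}, {len(hit.data)} bytes")
```

Two limitations worth keeping in mind when reading the results: a carve for a format with no trailer and no size field (the OLE2 document here) runs up to the next recognised header, so it picks up trailing slack and is cut short if the document itself embeds a JPEG; and signature-based carving cannot reassemble a file whose clusters were not contiguous on the FAT32 volume. Files in a vendor "secure locker" are encrypted on the device and will not carve at all, which is why the examination has to establish what is and is not recoverable.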
-END-