Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Data Storage Security

What is the Scope of Computer Forensics? 45

Posted by Cliff from the forget-everything-you've-seen-on-TV dept.
Jety asks: "I do general-purpose tech support for a variety of individuals and small businesses. Today, one of my clients presented me with an interesting situation, which made me recommend that he get his own attorneys and computer forensics experts on the job. Above and beyond that, to satisfy my own curiosity and to have some insight to offer him in the meantime - I have some question about the scope of what computer forensics can accomplish, for this I turn to the experts of Slashdot, which can be boiled down to one issue: What exactly can a good computer forensics guy pull off of a hard drive - particularly once it's gone on to be used for a full week after the incident in question?"
"The sanitized details of my client's situation:

- Person A (my client) and Person B are business partners. Person A leaves the business, and before doing so copies a series of files to 5 CDs using Roxio under Windows XP.
- The computer continues to be used under normal circumstances for about a week.
- Person B confronts Person A, and Person A hands over the CDs to Person B.
- Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.
- Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.

How detailed a record of file use does NTFS or WinXP keep? Can you really show what files were accessed during a one-hour time span seven days ago? Above and beyond the 'last modified' date? On a read/write/execute basis? Accessed by the system or by a user? Do commercial burning programs keep a record of burn jobs they've performed? Does the CD drive itself have any appreciable nonvolatile cache? Is there any other general insight applicable to this situation?"
This discussion has been archived. No new comments can be posted.

What is the Scope of Computer Forensics? More

What is the Scope of Computer Forensics?

Comments Filter:

  • Complicated Issue (Score:3, Interesting)

    by morcego ( 260031 ) * on Wednesday December 14, 2005 @09:13PM (#14260635)
    You want a simple answer to a complicated question.

    And short answer is, unfortunatelly: "It is impossible to know".

    There data might be there. Then again, it might not be. Yes, it is possible to track many records and cross many small pieces of information. One could, for instance, detect that he burnt 6 CDs, not only 5. Or maybe he burnt 10. Maybe some filed he access where not accessed since then. Maybe the machine clock changed, or some space space with critical data was reused by the system.

    Your best bet is to hire the professional, and see what he can pull out. But remember that the forensics process might compromise the machine, so make certain you are hiring a good and respectable lab to do the job, and make sure they follow all the current standards.
    • If the forensic expert is competent, it won't compromise the machine. I took a cool computer forensics class a few years ago. There's a physical device forensics experts connect to a hard drive through. I forget what it's called, but it physically blocks the write bits from the connector, so that it's impossible for the computer to write to the drive. I can't imagine any competent forensics expert would not use such a device.
      • Unfortunately, it is not that simple. Just using those write-block devices might not be enough. The handling of the HD itself can not be done lightly (more than one HD has failed due to poor handling). The evidence collecting process has to be done right, with the right tools, otherwise it has no value.

        Just by using a write-blocker will not give you enough assurance he is a competent professional. I don't think that is what you said, but one can understand that this way.

        Make sure you do a good background ch
    • Exactly. There is no single answer without looking at the specifics and performing an investigation.

      Some data points:

      • Properly configured, Windows >= NT will store file access times. Note that "access" will include things other than "opening a word document".
      • Law in this area is still evolving. The fact that the machine wasn't taken off line and left unused until an investigator dd'ed the disk and started poking doesn't necessarily mean "reasonable doubt", or if this is civil, "preponderance". OTOH, i

  • NTFS Access Time (Score:4, Informative)

    by FreshMeat-BWG ( 541411 ) <bengoodwyn AT me DOT com> on Wednesday December 14, 2005 @09:21PM (#14260675) Homepage
    NTFS has a "last access time" attibute on each file and directory. It has limitations, is configurable, and isn't perfect, but this document [microsoft.com] outlines a number of issues about it. That, however, would not be the only way to determine if a file was accessed. Third party software could be involved such as a file system filter driver that logs activity, MRU lists could record access to the files, the CD burning software could generate a log of activity, temporary files could have been generated by opening the files which were stamped when the file was opened. There are a seemingly unlimited number of indirect ways to determine what a user has done during a certain period of time.

  • The only sure way to delete a hard drive (Score:4, Interesting)

    by ndansmith ( 582590 ) on Wednesday December 14, 2005 @09:32PM (#14260713)
    is to cast it into the heart of Mt. Doom.

    When a file is "deleted" in NTFS, that space is marked as free and the record of that file is still there. After that, it is sort up to chance whether that space will be reused (or parts of that space - more likely). So odds are, after one week, assuming it is just Joe User's machine, a file will most likely still be at least partially accesible.

    The only way to be sure that a drive has no data is to "zero" it out (that is, assign a 0 to each and every bit on the drive). Still, I have heard that some forensic techs can detect the inetria of a bit's previous value - they can tell what was there before. I read a Slashdot comment somewhere today that mentioned that it takes multiple cycles of randomizing and zeroing out the bits on a hard drive to get the job done. Or you can just strap it into a cement chasis and drop it in the Hudson (is it OK to make two lame jokes about eliminating a hard drive in one post?).

    • In 1985, the military standard for a hard drive wipe was 5 full writes. Why? Because that is the point where their experts could no longer pull data off the drive. I have no reason to believe that number has gone down.
      • Actually, 5-pass wipes are considered obsolete for high classified data destruction. There are labs and equipments these days that can read the data as it was before the last 6 rewrites.

        ===WARNING, VERY INCOMPLETE AND SIMPLISTIC ANALYSIS===
        The point is that, magneticaly speaking, we don't have 0's and 1's. Lets day that for a given data system, 0 is marked by -5 Magnetic Field Unities, while 1 is marked by 5 Magnetic Field Unities. Now, of course, the hardware itself is not digital (given number of isolated
      • Going from memory (which is occasionally faulty):

        Current DoD standards call for 7 writes - several random with at least one of all zeros and at least one of all ones.

        Some research in the last year using electron microscopes suggests that to really make the data unreadable, 14 writes should be done.

        Despite both of these, modern (in excess of 20 GB) drives are using increasing levels of abstraction where without intimate knowledge of the drive firmware logic AND the full contents of the drive ROM AND the elec
    • that's /mostly/ true, but since hard drives are magnetic, each time you flip a bit (1->0 or 0->1) you loose a *tiiiiny* bit of magnatism. If you have the proper equiptment you can still recover data from a "zeroed" hard drive. It used to be the US government agencies would require a disk be randomly zero'd 5 times before it could be discarded. Now they probably melt them.

      • While true you can still get the data, you need an electron microscope, and it is a very expensive process. In the vast majority of cases, it is simply not worth it. If data has been zeroed out, it is safe from most forensic technicians, most of whom don't have the equipment and probably wouldn't bother even if they did.
        • Do you really need an electron microscope? I thought this recovery was performed by reading the analog data produced by the drive head and then analyzing the signal looking for the tiny shifts that are the palimpsests from prior writes. I suppose an electron microscope would give more data, and perhaps read back through more write cycles, but I don't think it'd be necessary if you only wanted to read back through one or perhaps two cycles.

  • Copied files (Score:5, Insightful)

    by IceHead2 ( 904793 ) on Wednesday December 14, 2005 @09:39PM (#14260737)
    A side note, even if you can verify that the cd's he gave back contain all the data he took from the company computer. There is nothing to stop him from having made copies of those cd's when he got home.
    • "There is nothing to stop him from having made copies of those cd's when he got home."

      Sure, but you can assume those files are compromised, and try to figure out how to minimize the affect. Not knowing what other files might have been compromised means that you have to treat the entire system as compromised.

  • Plenty (Score:5, Interesting)

    by linuxwrangler ( 582055 ) on Wednesday December 14, 2005 @09:41PM (#14260751)
    Way back in the day (early/mid 1980s) I did a job like this.

    Person A left company AA and started company BB then started taking customers. Attorney for AA got a court order allowing inspection of all magnetic media. Of course, by the time I was allowed access to the drive, several months had passed during which time "something had gone wrong with the computer" and "I think the repair shop had to format one of the drives". Yeah, right.

    In any case, they thought that a basic reformat of a DOS hard-disk removed all the data. As I started pulling off and saving directory-fragments and disk sectors which showed that they had illegally installed specialized and unusual software belonging to the former employer as well as lists of names of clients they made fundamental mistake #2 - they started blabbing "explanations" for the data I was recovering. As a former law-enforcement employee I simply listened attentively to their stories...and included the additional incriminating evidence in my report.

    Never even had to go to court and testify.

    Things are more complicated, today. You are right to get a computer forensic expert involved. Many of the disk-recovery services like Drivesavers [drivesavers.com] provide forensic services in addition to data-recovery.

  • Mostly none by dafault. (Score:1, Informative)

    by Anonymous Coward
    Windows (I assume this is a Windows box with the NTFS filesystem) has auditing turned OFF by default. You need to A) turn on auditing and then B) set the "auditing bits" on the object(s) you want to modify. [and C) - read the security logs religiously).] Most of this is too complicated for the average user to setup (and interpret from the logs), so it almost never happens).

  • You need a good NTFS tutorial... (Score:5, Insightful)

    by stienman ( 51024 ) <adavis@@@ubasics...com> on Wednesday December 14, 2005 @10:14PM (#14260897) Homepage Journal
    How detailed a record of file use does NTFS or WinXP keep?

    Pretty detailed. User account, time at a minimum.

    Can you really show what files were accessed during a one-hour time span seven days ago?

    Yes.

    Above and beyond the 'last modified' date?

    Yes.

    On a read/write/execute basis?

    In a roundabout fashion. I'm not as familiar with NTFS as I would need to be to give a good yes or no or yes with limitations. It keeps records of modification (write) and access (read) so the only unknown is whether one could tell if a file was merely read or executed. It is a journalling file system, so depending on how exactly it performs journalling, it may even be possible to find out which parts of a file were modified in the case of writes. This is less likely as journal records are, presumably, overwritten with new records over a short period of time.

    Accessed by the system or by a user?

    If I remember correctly, NTFS does record the date of creation, modification, and access with the user performing each action. Many "system" actions are performed in the user's name since, technically, the user is running the system program.

    Do commercial burning programs keep a record of burn jobs they've performed?

    Many programs do keep a short log of actions. They won't necessarily detail files involved, though. You'll be lucky if such a log tells you how much data was written to the disk in MB. This might actually be just as useful.

    Does the CD drive itself have any appreciable nonvolatile cache?

    No.

    Is there any other general insight applicable to this situation?

    Yes:

    Person B hires a computer forensics 'expert', who claims that Person A accessed something like 3000 files during the 1 hour time span in question, when Person A was burning files to CD.

    This points to a very simple search of all files modified, accessed, or created during that time period. Please note that this could indicate a virus scanner or system backup utility running in the backup as much as it indicates a cd writing program. Viruses can also exhibit this behavior. Try to find out how many files were accessed in the previous 24 hours before this particular hour, and the following 24 hours. It could be that every hour during that time had several thousand files uniquely accessed.

    Person A primarily wants to prove that the data he turned over on CD was the only data he took, approximately 50 word/excel type files, which we will assume to be true.

    Quite frankly, if he needed 6 CDs to burn 50 word/excel files... well, let's just say that you should explain to him that you try to assume nothing so that you can have the best view of the facts.

    Also note that if data backups are made of the computer on a daily/weekly/regular basis, it may be that one can use those to show useful data about your client's use of the computer. An interesting tactic would be for your client's attornies to request a detailed log of computer use for the week previous and the week following the incident to establish a pattern of use. Request all possible backups. Request... well, everything. The attorney will know what you mean.

    Lastly, keep in mind that your client has already 'confessed' - the only thing left to determine is not whether he is guilty, but how guilty. Chances are good that even if he didn't do more than he says he will have a hard time proving that he has fully complied.

    Lastly: Don't become personally involved, or emotionally invested. Your client will be, and he may even be pulling you into it without knowing it. Understand that anything you say to him may be used in any forthcoming legal case, and you may find yourself more involved than you desire to be.

    -Adam
    • Lesson 1 in forensics: Secure the data carriers as read-only devices so you don't mess it up more than you already did. Common advice is to pull the plug (don't shut down properly) to make sure the shutdown process doesn't wreck anything.

      Lesson 2: Making sure the computer doesn't know what you did anymore requires using a method to destroy the physical harddisk. There is almost no software method secure enough to make it actually impossible. Try Mt Doom, a forge or a sledgehammer.

      Practical advice for your p
    • lastly, keep in mind that your client has already 'confessed' - the only thing left to determine is not whether he is guilty, but how guilty.

      We haven't even ascertained who the files legally belonged to? If A & B are 'partners' I doubt that they had service agreements or non-compete/non-disclosure agreements executed, which would address the terms in the case of a termination or breach of such agreements. Even if they had No-Compete clauses executed, most are not enforceable unless specific compensa

  • If your client copied 50 'approximately 50 word/excel type files' then somebody should ask him why it took 5 CDs (and an hour) to do so.
  • You mentioned Person A copied the files using Roxio... I'm not terribly familiar with that program specifically, but if I were doing this the first thing I'd do is dig around Roxio, and see if it stores some record of the jobs it ran, and what files were included. That could save a lot of trouble.
  • It depends a lot on the network setup. Was it part of a domain? Were the files on a file server? If the answer to these questions is yes, then the answer would be yes, with the right audit settings he can tell what files were accessed when. I do it all the time at work, we have serious problems with CAD drafters accidently deleting folders and files from the server thinking it's their local drive. To solve that problem I log all file access on the file server, and have a program that runs at the end of the
  • If these were important files on an NTFS partition, the admin should have set a security audit object on them. Then all you have to do is hit the event log to see what was accessed an by whom. But from what I can tell, no such luck there.

    In that case, a reputable data recovery lab should be hired for this one. They can do some pretty extensive stuff, but don't be surprised if they come back to you with nothing. Nonetheless, I would think that's your best bet on this one.
  • This is a mess. If at all possible, turn the computer off now, don't let anyone else touch it, and call a forensics expert before you contaminate this evidence any further.

    You mention that the drive has been used for a period of time since the original forensics expert examined it. That could be a problem.

    Ideally, the orignal forensics expert would have used a write blocking device (hardware) and carefully made a bit for bit (dd, encase, etc.) image of the drive.

    That image is evidence and should be made a
  • can pull even deleted files off with the greatest of ease. Hook one up to computer control, and you can recover data that's been overwritten multiple times. The hard drive electronics could be fried, and the heads gone, but if the platters are in shape, you're in business. That's why we have secure file shredder utilities: to overwrite the data so many times that the data is definitely gone.
  • lets say I search for
    "investment potential" as the TITLE of and WITHIN all .doc files on a PC

    if XP opens every file (all 3000 of them) then NTFS records me as opening all those files.

    guess what-- even if I only copy 50 of them, I've opened all of them.
  • I suspect most antivirus programs are mature enough to not update the last access time on all the files they read, and Windows probably won't falsely update them either, but there are a lot of other programs that will. A homebrew backup script might do it. Technically, it's up to the app to decide to update the access date, but many library functions will do it without the programmer specifying that they should. It seemed to always happen automatically with the programs I've written.

    If there's a pattern to
  • A number of the comments here are more like a bar conversation regarding computer forensics than actual informed advice. Additionally, a number of the comments are wrong wrt/ technical facts concerning NTFS.

    The first question is this: do the parties need to retain legal counsel? If A and B are shaking hands and good to go, great. If not, they need to retain counsel.

    If counsel is retained, then they need to work with their clients to find a reputable computer forensics expert. And that's all there is to it,
  • I've mentioned this before here in this context, but it does sound like a near perfect-fit (only "near" because it is cheap rather than free and is Windows-only). Basically, keep all the things that you work on as items in a list (which can be imported from a text file). Each item has various attributes (such as project) and you can "focus in" on a particular set (e.g. project) to just work on that.

    Some things can be fixed to start at a certain time but the way that you work it's easier just to have every
  • Virus scanners, for instance, access files as they scan them. This could account for the large number of files accessed in such a short period of time. Also, Windows can "index" files "for faster searching." Could this also cause an access time or flag to be set?
    • The virus scanner and indexing service will normally be running under another account (SYSTEM, usually) so if this 3000 files number is from an audit log, it should be possible to screen out that activity. If it's from some indirect measure, maybe by analyzing the journals or something, it may not.
  • There is no way to prove anything here, and therefore forensics will be a waste of time. The guy could've easily made another copy of the CDs during the time he had them in his possession. Therefore, there's no point in wasting time doing forensics on the drives in question.
  • Windows NT platforms support some amazingly granular access permissions, and permission-use auditing. Anything from changing the permissions of the audited object, to auditing mere access to it, stored in the audit's log in the Event Viewer.

    Trouble is, unless this was specifically enabled, it didn't record anything -- auditing is typically not done, since it's a performance hit (think double the number of system calls every time an audited object is hit) and it makes logfiles fill up very quickly.
  • Yes, it is "possible" for a computer forensics examiner to recover some of that information. The one thing to keep in mind about NTFS, is that there are lots of NTFS artifacts all over the computer that tracks everything you do. Sometimes, this information isn't recorded for the purpose of tracking, but it's just there. For example, I've found some screen shots of what was on the screen at one time thanks to memory being swapped to disk. Another good example: Windows XP has built-in spyware by default:

Slashdot Top Deals

"Protozoa are small, and bacteria are small, but viruses are smaller than the both put together."

Close