Disk Drive Forensics

A computer’s main storage, “the drive”, often holds the “Smoking Gun” – And at GDF, we find smoking guns!

When it comes to finding digital evidence, it’s hard to find a better friend than a disk drive. Whether it’s a Hard Disk Drive (HDD) in a desktop, or Solid State Drive (SSD) found in a laptop, iPad or tablet, the hard drive is the focal point of nearly everything we do in the digital universe and holds a wealth of information on the people using the computer and/or device, most of the time without them even realizing it.

So, whether they were browsing the Internet, communicating with friends, family, colleagues or even someone more nefarious, or they’re shopping online,
doing research, writing the next great American novel, connecting with the network at the office, or looking at pornographic websites, they are creating digital fingerprints that can be recovered, analyzed and combined to reveal a wealth of information.

It’s easy to see why it’s the hard drive that usually spills the secrets of a user’s travels, interests, deeds and interactions, and unless the user takes extraordinary steps to cover their digital tracks (which almost never works), GDF’s disk drive forensics experts can recover information hidden by even the savviest of computer users, even if they delete it.

The reason hard disk drive forensics can uncover so many secrets has to do mainly with how operating systems (like Windows or Mac OS X) work and how they use resources, like the disk drive, to keep users connected, create files and documents, and surf the Internet.

We all know hard drives can be used for permanent storage. We create or download things and save them. We give them a name, choose or create a folder on the disk drive to save them in, and whenever the mood tickles us or when we need the files, we navigate to where we left them and there they are, safe and sound (under normal circumstances). Then we can open them, edit them and save them again, or just delete them when we see fit, nice and easy.

That’s the simplistic version of the life of a disk drive, and for many users, that’s the end of the story. But to a hard disk drive forensics expert, that’s nothing more than the forward to a complex story of files that aren’t really deleted, temporary storage that is created without the users’ knowledge, backups of mobile devices and cell phones that happen automatically, all stored on the hard disk or solid state drive without the user knowing it. If you know where to look and have the elite training and tools to access these hidden gems, evidence abounds.

Let’s have a quick look at how and why all this data, just waiting for a GDF disk drive forensics expert to uncover, is created. Of course, this page is not intended to make anyone a computer forensics expert or provide technical specifications, it’s simply intended to give an overview, in lay terms, of how digital evidence is created on a hard disk drive and how a disk drive forensics expert can assist in accessing and using that evidence.

(Click Through Tabs)

Deleted Files and Data, an eDiscovery Goldmine

When a user creates a file on a computer, usually even if they don’t save it, the information contained in the file is copied to the hard disk drive in a physical location. The location and the file name are then recorded in what is basically a table of contents on the hard disk drive that tells the operating system (the user and applications) where that file is located on the disk drive, how large it is and what its name is.

Simply put, when the user deletes a file from the disk drive, the “table of contents” (in Windows this could be FAT or NTFS, or on a MAC it could be HFS or HFS+) is updated to reflect the space where the contents of the file exist as being available and ready for use. At this point, the file is no longer displayed to the user or applications, and the system is freed to reuse the space as necessary. However, even though the file is no longer seen by the typical user, the contents of the file still exists on the disk drive and can be recovered by a hard disk drive forensics expert.

But there is a caveat. The longer you wait to get GDF involved, the better the chance the critical evidence you seek may eventually be overwritten by regular system usage, and that could cost you plenty, like a successful resolution to your case.

Internet History and Cache

Web browsers, like Internet Explorer, Firefox and Chrome, among others, create a temporary storage area in memory and on disk that holds the most recently downloaded Web pages. This storage is called the browsers cache. As you jump from webpage to webpage, caching those pages in memory lets you quickly go back to a page without the system having to download it from the Web again, thereby speeding up how fast webpages load and making the browsing experience more enjoyable.

A skilled disk drive forensic expert can extract those pages cached by the web browser and reconstruct the content. If a user went to Yahoo Mail or Gmail, it may be possible to reconstruct messages that were composed on the system, messages received, and in the case of cached messages, for example using Google Gears, entire inboxes, sent messages and other Webmail messages.

Internet history or browser Internet history, also called Web history and browser history, is a list of the webpages visited. Your web browser stores this list on your hard drive, which a skilled disk drive forensic expert, using specialized tools and training, can extract and build a timeline of sites visited. Even when a user deletes their Internet history, or uses extreme methods like a file wiper, it is still often possible for GDF’s experts to reconstruct a detailed timeline of websites visited using the subject computer.

Knowing what sites were visited, when, by whom and how often, can be instrumental in unlocking the truth, and can also often be the key to helping fit other puzzle pieces of your case together.

You know, we know, the courts know and your opposition knows, your case is only as good as your evidence. And when evidence goes digital, Global Digital Forensics is the first and last call you’ll ever need to make.

Metadata Embedded in Documents

Metadata is often defined as data about data. For the digital forensic analyst, this is a virtual (pun intended) gold mine of information. Many applications create metadata in files they create. Good examples of this are Microsoft Office applications, like Microsoft Word, Excel and PowerPoint. These applications embed information (metadata) into the documents they create so users can identify documents, authors or systems that created these documents, as well as how large they are and when they were last printed. Microsoft Office also tracks things like last 10 authors, last accessed, last modified and date created, among other things. This information can be used to reconstruct document histories, provide evidence of printing, or even tampering with the document. Microsoft also tracks changes and comments that are embedded directly into the document, spreadsheet and slide show files.

When a skilled forensic analyst extracts metadata from files, it may be possible to find amazing amounts of information on the history, validity and use of the documents. Microsoft office is not the only source of metadata embedded in files, many software packages include this feature. For example, Open Office, Word Perfect, Adobe Acrobat and many others. GDF can work wonders with metadata to help connect all the dots of your case.

Temporary Files

Computers, in the most basic sense, have two types of storage, RAM ,or volatile memory, and non-volatile memory like the hard disk drive, SSD Drive, USB drives and sticks, and for our purposes Network Attached Storage (NAS), like file shares, application servers (email, accounting systems, SharePoint, SkyDrive’s and the like), cloud storage and many, many more types of storage. When a computer is used to access this available storage, the user only sees a small part of what is happening in the background.

Many applications also create cache files and temporary files which are more potential treasure troves of digital evidence with GDF’s forensics experts on the case. Microsoft Office (and other Office-like products, such as Open Office, Word Perfect, Works and even Google Apps) creates temporary files when a document is created. These hidden files are intended for the autosave feature and for crash recovery if the application or computer locks up, and can often be recovered by a knowledgeable disk drive forensics expert. These files can contain the entire contents of a document that was created or edited on the computer system.

Even if a user deletes a file and tries to wipe the file, copies of the documents, spreadsheets, and other potentially valuable information may still exist. And not just the finished copy of the file may be retrievable, even edits to a document, file or email that were autosaved by the system may be yielded with the right touch. These are just a few examples of the many, many temporary files created by Office type applications and just as small a part of what GDF’s forensics experts can find, reveal and acquire when put to the test.

Log Files and System data

Microsoft Windows logs and tracks many user actions, as well as system actions, that a skilled digital forensic analyst can use to rebuild the usage of a system. Some examples of these logs include software that was/is installed, external storage that was attached to a system and network connections to other systems. Additionally, users that logged onto the system and the files they created are tracked.

Using this information, digital forensic analysts may be able to ascertain when devices were plugged into a system, if files were copied, if a user has other storage that is being used, or connects to a device on the Internet were files are stored, not to mention webmail accounts and other locations and applications where even more important evidence may be stored. GDF analysts have the tools and skills to leverage system information that is often overlooked as sources of evidence.