Digital Forensics: The Basics

Computer Forensics/Digital Forensics is a science involving the recovery and investigation of items found on electronic devices, often performed as part of a legal dispute. Forensic examinations can be performed on nearly any device that contains digitally stored data, including cell phones, laptops, hard drives, servers, thumb drives, SD cards, even cloud storage.

A forensic image (also known as a bit-by-bit copy or cloned image) is a read-only image of an entire storage drive, whatever the type. This image contains all the files, as well as the unallocated or un-used space on the hard drive. The purpose of making a Forensic Image or copy of a drive is to make sure that the evidence on the original device remains unaltered. Examinations are performed on the copy only. This is necessary to produce legally admissible evidence.

A forensic image can be made with hardware duplicators or software. If encryption is involved, making a clone can require something known as a live forensic image, which is accomplished by making a forensic image of the computer while it is still turned on and connected to a network or in use.

A “forensic copy” is used to collect and preserve active files and is a precise, unaltered copy of the data, including original file metadata, but it is not a complete image of the original drive. A forensic copy may be necessary to preserve data from a shared server or cloud storage, where a drive has multiple users or when the drive must remain in use. The downside to a forensic copy is that because it does not include unallocated or unused space, its use precludes the recovery of deleted files or information.

Encryption is a digital process wherein data is converted into a format that cannot be read without a password or key. Without the key, all information remains scrambled and incomprehensible. When encryption is used, a forensic examiner requires the key to decode the data. If the key is not supplied or available, a live forensic image may be the only hope of reading the data, since only the running system can decrypt it. Encryption is becoming increasingly common for companies that fear data breaches. Better-known encryption products include McAfee’s SafeBoot Encryption, Symantec’s Endpoint Encryption, and PGP Whole Disk Encryption. Windows has a built-in encryption program called BitLocker, as does Apple’s OS, which is called FileVault.

Most digital devices contain deleted files. A forensic examination can produce a list of deleted files and ultimately recover some or all of them. Deleted files that have been overwritten by new data may not be fully recoverable. When a file is deleted, the section of the hard drive in which the file is located is marked as deleted and is considered “unallocated space” by the system. In most cases, however, the data remains on the drive and is simply no longer “visible” to the system. When a device or hard drive under analysis contains absolutely no deleted files, this can be an indication that some kind of intentional data wiping has occurred, or that the operating system has been reinstalled.

When a forensic image of a drive is made, the unused portion of the drive, called “unallocated space,” is included in the copy. Unallocated space can contain portions of data or files that have been deleted. When an operating system overwrites unallocated space with new data, the original deleted files may no longer be recoverable. Often, however, a quirk in the way computers store data allows portions of even these overwritten files to be recovered. Because data storage is divided into small fixed-size sectors, when a smaller file overwrites a larger one there may be “slack space,” the unused remainder of that sector, from which fragments of the overwritten file can be recovered. This technique is sometimes called “carving unallocated space.”
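The deletion and slack-space behaviour described in the two paragraphs above, as an added example that is not part of the original page: a constructed toy disk (fixed 512-byte clusters, a minimal allocation table, no real file system) is written, "deleted", and partly overwritten, then a carver searches both the unallocated clusters and the slack of the live file for a known marker. All names and sample data are constructed for illustration.

```python
CLUSTER = 512  # constructed cluster size; real file systems usually use 4 KiB

class ToyDisk:
    """Constructed toy disk: raw clusters plus a minimal allocation table."""
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)  # what a forensic imager copies
        self.allocated = [False] * clusters        # the file system's allocation table
        self.files = {}                            # name -> (cluster list, logical size)

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)       # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, idx in enumerate(free):
            chunk = payload[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes change; the rest of the cluster keeps its old contents (slack).
            self.data[idx * CLUSTER:idx * CLUSTER + len(chunk)] = chunk
            self.allocated[idx] = True
        self.files[name] = (free, len(payload))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        for idx in clusters:                       # only the allocation bits change
            self.allocated[idx] = False

def carve(disk, marker):
    """Search unallocated clusters and the slack of live files for a known marker."""
    slack_start = {}                               # last cluster of a live file -> bytes in use
    for clusters, size in disk.files.values():
        if size % CLUSTER:
            slack_start[clusters[-1]] = size % CLUSTER
    hits = []
    for idx, used in enumerate(disk.allocated):
        region = bytes(disk.data[idx * CLUSTER:(idx + 1) * CLUSTER])
        if not used:
            kind, candidate = "unallocated", region
        elif idx in slack_start:
            kind, candidate = "slack", region[slack_start[idx]:]
        else:
            continue                               # fully in use by a live file
        if marker in candidate:
            hits.append((idx, kind, candidate))
    return hits

def demo():
    disk = ToyDisk(clusters=8)
    disk.write("memo.txt", b"PROJECT-ATLAS merger memo; " * 50)  # 1350 bytes -> 3 clusters
    disk.delete("memo.txt")                                     # removed from the table only
    disk.write("todo.txt", b"buy milk\n" * 10)                  # 90 bytes reuse cluster 0
    return carve(disk, b"PROJECT-ATLAS")
```

demo() returns three hits: the tail of cluster 0 behind the new 90-byte file (slack) and clusters 1 and 2 (unallocated), all still holding the "deleted" memo.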

Metadata is data about data. Metadata contains information such as the creation date of a file and the dates and times it has been accessed or modified. Using specialized forensics software, the author or creator of the data, the number of revisions it underwent, and the last time it was printed can be revealed. Metadata can also identify where and when photos or videos were taken and on what sort of camera or device.

Forensic examination can tell us what external devices have been connected to a particular device and when. Most devices produce evidence of their make and model, and some may include unit serial numbers. This can provide a trail to follow to other potential devices to be examined during an investigation.

Link files, or Microsoft Windows files with the extension .lnk, can show that a file was present or accessed at some point on a particular system even when that file no longer exists. A link file is a shortcut that points to an application or a file. A link is usually created by the operating system and contains important information, including the original location of the target file, its metadata, modification dates and size.
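As an added example (not part of the original page), the parser below reads the fixed 76-byte header at the start of every Windows shell link (.lnk) file, which records the target's size, attributes and FILETIME creation/access/write timestamps; these survive in the shortcut even after the target file itself is gone. The sample header is constructed here with struct; the target path lives in later variable-length structures that this example does not parse.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIIIHHII"          # ShellLinkHeader: 76 bytes, little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # LinkFlags bits 0 and 1
FILE_ATTRIBUTE_DIRECTORY = 0x10

def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_lnk_header(blob):
    """Return the target's timestamps, size and attributes recorded in a .lnk header."""
    if len(blob) < 76:
        raise ValueError("truncated shell link header")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, blob[:76])
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link (.lnk) file")
    return {
        "target_size": fsize,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "has_id_list": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "has_link_info": bool(flags & HAS_LINK_INFO),
    }

def build_sample_header():
    """Constructed sample: a shortcut to a 2048-byte archive file created 2022-01-05 08:00 UTC
    and last written 2023-03-15 10:30 UTC. Real .lnk files carry more data after byte 76."""
    created = datetime_to_filetime(datetime(2022, 1, 5, 8, 0, tzinfo=timezone.utc))
    written = datetime_to_filetime(datetime(2023, 3, 15, 10, 30, tzinfo=timezone.utc))
    return struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO,
                       0x20, created, written, written, 2048, 0, 1, 0, 0, 0, 0)
```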

The cost of a forensic examination depends on many factors, from lab time to hardware and software requirements to the scope of the data or files being sought. Because digital forensics is a science, highly skilled examiners and engineers must perform a series of steps to produce a forensically sound report. This can take time and a significant amount of labor. To avoid the uncertainty of hourly billing, Digital Forensics Corp offers clients case-specific pricing. Once the client provides the parameters and scope of the investigation, DFC calculates a flat fee which will be honored unless the scope of the client’s needs changes.
