It is surprising how much usage and behavioural history can be gleaned from a forensic examination of a computer. I want to give you a quick rundown of the kinds of artifacts that can be uncovered from current computers.
Microsoft Windows, which I deal with primarily, contains a vast amount of usage history. Some of it is the accidental by-product of design decisions made decades ago. The rest is the result of the need to make the user experience as fluid, flexible and intuitive as possible. The result is that your computer records a great deal of what you do.
Deleted Files – The most important implementation-related artifact is the existence of whole or fragmentary copies of deleted files. To truly erase a file, every sector it occupies has to be overwritten. That is the equivalent of writing the entire file again, and it takes time. Decades ago it was decided that there was no need to waste time doing this, and that the fastest and most economical method was simply to mark the file's directory entry and its clusters as free (on NTFS, the MFT record is flagged as unused and the clusters are released in the volume bitmap) while leaving the data itself on the disk. A clever and sensible design choice. But the result is that a deleted file still exists after it is deleted, and even when a new file is written over the same clusters there is a reasonable chance that at least some of the old file survives, because the new file rarely occupies exactly the same space. This designed-in "feature" was, and remains, the core of forensic analysis. The one caveat a practitioner should keep in mind is solid-state storage: a drive that honours TRIM may wipe freed blocks on its own, so recovery from an SSD is far less reliable than from a spinning disk.
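The mechanism above is exactly what file carving exploits: the index entry is gone, but the bytes are still there, so a scan of unallocated space for known file headers and trailers finds them. The following is an added example, not code from the original post. It builds a constructed byte string that stands in for a run of freed clusters (one complete PNG, one JPEG whose tail has been overwritten by a later file, and zero filler) and carves both out by signature; the image formats, offsets and filler are assumptions for the demonstration and nothing here reads a real disk.

```python
"""Signature-based carving of a constructed 'unallocated space' image.

Added example, not code from the original post. build_image() fabricates
a byte string that stands in for a run of freed clusters: one complete PNG
(header and IEND trailer intact), one JPEG whose tail was overwritten by
a later file, and zero filler. Nothing here reads a real disk."""
import struct
import zlib

# Header and trailer bytes for the two formats this example handles.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def png_chunk(kind: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC, as the PNG spec lays out every chunk."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_png() -> bytes:
    """A valid 1x1 RGB PNG (constructed sample)."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    return SIGNATURES["png"][0] + ihdr + idat + png_chunk(b"IEND", b"")


def build_image() -> bytes:
    """Constructed stand-in for unallocated clusters on a drive."""
    # JFIF header followed by the start of a quantisation table, then the
    # bytes that a later file wrote over the rest of the picture.
    jpeg_fragment = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                     + b"\xff\xdb\x00\x43\x00" + bytes(range(1, 65)))
    overwritten = b"THIS SPACE WAS REUSED BY ANOTHER FILE"
    return (b"\x00" * 512 + build_png() + b"\x00" * 300
            + jpeg_fragment + overwritten + b"\x00" * 128)


def carve(image: bytes, max_len: int = 65536) -> list:
    """Return (kind, offset, data, complete) for each header hit, in offset order.

    A header whose trailer is not found within max_len bytes is kept as a
    fragment (complete=False) rather than dropped: a partial file is still
    evidence, it just cannot be opened as an image."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end == -1:
                found.append((kind, pos, image[pos:pos + max_len], False))
                nxt = pos + len(head)
            else:
                end += len(tail)
                found.append((kind, pos, image[pos:end], True))
                nxt = end
            pos = image.find(head, nxt)
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    for kind, offset, data, complete in carve(build_image()):
        state = "complete" if complete else "fragment"
        print(f"{kind} at offset {offset}: {len(data)} bytes, {state}")
```

The PNG comes back byte-for-byte intact because both ends of it survived; the JPEG is reported as a fragment because its trailer was overwritten, which is the "older deletion, only a fragment" case. Real carvers work the same way over the whole unallocated region of a forensic image, with many more signatures and format-aware length checks.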
Windows Storage – The second component relates to the information that MS Windows stores. Here is a partial list –
- Wi-Fi connections – the profiles of every wireless network the machine has joined, which among other things help reconstruct where the computer has been
- Recently opened folders – which shows what you have been looking through
- Thumbnails of pictures – Explorer generates a thumbnail (stored in its thumbcache database) when a folder is merely browsed, so even if a picture was never opened, or was only ever on a USB drive, there is a reasonable chance that a thumbnail of it still exists on the computer.
- Network connections
- Internet history – clearing your history removes the entries from the browser's database, but the database file, the cache and deleted copies of both usually remain, so your internet behaviour is generally easy to reconstruct.
- Deleted emails – frequently the whole email is recoverable, and when it is not, the recovery of fragmentary evidence is often just as valuable
- Deleted files – In broad terms most files are recoverable in their entirety or as a fragment.
- USB drives – Most USB devices (flash drives, cameras, printers, external hard drives) report a serial number, and Windows records it, together with the vendor and product identifiers, in the registry (under SYSTEM\CurrentControlSet\Enum\USBSTOR and \USB) and in setupapi.dev.log. These records survive removal of the device and can be used to show whether a particular device has ever been attached. A device that reports no serial is still recorded, under an instance ID that Windows generates itself (recognisable by an ampersand as its second character).
- Recently opened files
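To show what the USB records in that list actually look like, here is an added example that is not from the original post. It parses the "Device Install" sections that Windows writes to setupapi.dev.log when a device is first connected and turns them into a device list with vendor, product, serial and first-seen time. The log text is constructed to mimic the real format; the vendor names, serials and timestamps are invented, and a real log is far longer and interleaves installs for every other kind of device.

```python
"""Extract USB device history from setupapi.dev.log.

Added example, not code from the original post. SAMPLE_LOG is constructed
to mimic the 'Device Install' sections that Windows appends to
C:\\Windows\\INF\\setupapi.dev.log the first time a device is connected;
the vendor names, serials and timestamps are invented."""
import re
from datetime import datetime

SAMPLE_LOG = r""">>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230517110245&0]
>>>  Section start 2023/03/14 09:12:41.118
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:12:41.223
<<<  Section end 2023/03/14 09:12:42.004
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a8b4c1d&0&2]
>>>  Section start 2023/03/14 09:15:03.551
<<<  Section end 2023/03/14 09:15:04.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\7&2a3b4c5d&0]
>>>  Section start 2023/04/02 18:47:19.902
<<<  Section end 2023/04/02 18:47:20.377
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def describe(device_id: str, installed: datetime) -> dict:
    """Split a PnP device ID of the form BUS\\HARDWARE_ID\\INSTANCE into its parts."""
    bus, _, rest = device_id.partition("\\")
    hardware, _, instance = rest.rpartition("\\")
    # When a device reports no serial number Windows synthesises an instance
    # ID whose second character is '&'; a real serial never looks like that.
    generated = len(instance) > 1 and instance[1] == "&"
    rec = {
        "bus": bus,
        "instance": instance,
        "serial": None if generated else instance.split("&")[0],
        "windows_generated": generated,
        "installed": installed,
        "vendor": None, "product": None, "revision": None,
    }
    if bus == "USBSTOR":  # mass-storage IDs carry Ven_/Prod_/Rev_ fields
        for part in hardware.split("&"):
            for key, prefix in (("vendor", "Ven_"), ("product", "Prod_"), ("revision", "Rev_")):
                if part.startswith(prefix):
                    rec[key] = part[len(prefix):]
    return rec


def parse_setupapi(text: str) -> list:
    """Pair each 'Device Install' header with the 'Section start' time that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            records.append(describe(pending, when))
            pending = None
    return records


if __name__ == "__main__":
    for rec in parse_setupapi(SAMPLE_LOG):
        print(rec["installed"], rec["bus"], rec["vendor"], rec["product"],
              "serial=" + str(rec["serial"]),
              "(generated)" if rec["windows_generated"] else "")
```

The timestamp in the log is the first time the device was ever installed on that machine; the same device IDs are keyed under SYSTEM\CurrentControlSet\Enum\USBSTOR in the registry, which is where you go for later connection history. Note the Kingston entry: it has a vendor and product but no usable serial, so it can be matched to a model but not to one particular stick.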
Metadata – the simplest form of metadata is the size and the dates of your files as listed in Explorer. This metadata is maintained by Windows itself (NTFS keeps created, modified, accessed and record-changed timestamps for every file). Other metadata is created by the program that produced the file. For example, MS Office embeds useful metadata into documents, including the name of the person who created the file, the name of the last person to edit it, and the creation and last-saved times. "Low hanging fruit" like this is often the easiest way to identify the author of a document such as an extortion letter. Another favourite piece of "low hanging fruit" is email metadata: the Received headers that each mail server adds along the way record the IP address the message came from, which can often be used to work out roughly where the sender was when the email was sent. Just for fun I used metadata like this to reconstruct my movements during a recent trip through Europe.
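Both kinds of "low hanging fruit" above are a few lines of standard-library Python to pull out. The following is an added example, not code from the original post: it builds a minimal .docx in memory (only docProps/core.xml, the part Office uses for author metadata, plus a stub body) and reads the creator and last-editor fields back, then parses a constructed email and walks the Received headers back to the originating hop. The names, addresses and IP addresses are invented.

```python
"""Author metadata from a .docx and the originating IP from e-mail headers.

Added example, not code from the original post. The .docx is built in
memory (docProps/core.xml plus a stub body) and the e-mail is a constructed
message; every name, address and IP below is invented."""
import io
import re
import zipfile
from email import message_from_string
from xml.etree import ElementTree as ET

# Namespaces Office uses in docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_docx(creator: str, last_modified_by: str, created: str, modified: str) -> bytes:
    """Constructed .docx containing only the metadata part and a stub body."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # a .docx is a zip of XML parts
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")  # stub body
    return buf.getvalue()


def docx_metadata(data: bytes) -> dict:
    """Read the author-related core properties out of a .docx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


# Constructed message: two relays, the lower Received line being the earliest.
SAMPLE_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby mail.example.org with ESMTPS id abc123; Tue, 14 Mar 2023 09:20:11 +0000
Received: from DESKTOP-7Q2K1 (cpe-198-51-100-23.isp.example [198.51.100.23])
\tby mx2.example.net with ESMTPSA id xyz789; Tue, 14 Mar 2023 09:20:09 +0000
From: alice@example.net
To: bob@example.org
Subject: test
Date: Tue, 14 Mar 2023 09:20:05 +0000

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_hop(raw: str):
    """Return the client name and IP from the earliest Received header.

    Each relay prepends its own Received header, so the last one in the
    message is the first hop: the server that talked to the sender's machine."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    first = " ".join(hops[-1].split())  # unfold continuation lines
    ip = IP_RE.search(first)
    host = re.match(r"from (\S+)", first)
    return {
        "client_name": host.group(1) if host else None,
        "ip": ip.group(1) if ip else None,
        "received_header": first,
    }


if __name__ == "__main__":
    doc = build_docx("A. Writer", "B. Editor", "2023-03-01T10:00:00Z", "2023-03-12T16:30:00Z")
    print(docx_metadata(doc))
    print(originating_hop(SAMPLE_EMAIL))
```

Two cautions when using this in anger: the Office fields are whatever the installed copy of Office was told the user's name is, so they identify a machine and account rather than a person, and only the Received headers added by servers you trust are reliable, since everything below them could have been written by the sender. Webmail also typically shows the provider's server rather than the user's own address in the first hop.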
Deleted Files, Emails and Internet Usage – In an earlier post I described how deleted files can be recovered. Sometimes it is possible to recover the whole file, in particular when the deletion was relatively recent. For older deletions, where part of the space has since been reused, it may only be possible to recover a fragment. The value in recovering deleted data lies not just in recovering office documents, but also in recovering items like deleted internet history and email databases.
It is important to remember that although none of the four classes I have described necessarily requires a sophisticated analysis, the work must be performed according to the strict and well known rules of forensic analysis: acquisition through a write-blocker, hashing of the image, and a documented chain of custody. If it is not, its value in a Court setting is essentially nil.