There are several byproducts or ancillary services that come of us working on digital forensic investigations. Most of the time, we perform these services in the course of working on a case. They are just another tool in the toolbox so that we can solve the case or help make 
the case for our litigation partners. But sometimes, we have people request that we perform them on their own, if they don’t need the full Monty as it were. A few such services include data recovery, data destruction and data authentication. As you can see, if data is involved in your business, there’s a good chance we can or may be needed at some point. With today’s post, I want to touch on a few of these lesser-known things we do since as I said, they are normally obscured within the larger tasks we perform.
First, data recovery. It may be obvious, but if not, we recover data. And not just in the “whoops, I deleted a file I really need” sense. We do that, but moreover, if there is potential data of interest somewhere on a device, we can pull out all kinds of stops to get at it. As I’ve mentioned previously, there is a fair bit of difference between computer forensics and e-discovery. The primary differentiation being we don’t just take a look at the data as it sits on a drive or device and produce it to the client. We recover files that have been deleted, partially overwritten and even considered outright obliterated because they were never intentionally “saved”. 
Why? Because there is almost always something usable in a fragment of a file or some sort of meta-data of a file that we can use in solving a case for a client. If we are able to partially recover a file that showed someone’s devious business plan, or the “anonymous” email that was sent disclosing inside information, that can be potentially used in a case against a party like an employee who recently left. We may also find evidence showing coercion. On the other hand, we may be able to show a lack of response to the concerns you voiced to your employer which can be used to refute allegations your previous employer has put forth when they sued you. In addition, this isn’t just data residing on a hard drive or a USB drive, this can include data on a defunct backup in a format that no one has seen in years. How about a travan tape, a DDS/DAT tape, a Jazz tape or an obscure OnStream drive (and you’re forgiven if you don’t remember several of those). We do that too and have a shelf full of these old drives. On that note, I’m reminded of a case we had where tapes were hidden in a drop ceiling inside an executive’s office. They were 4mm DDS-2 backup tapes made over previous years with systems that were no longer in existence. The interesting thing about this case that comes to mind is that at the time we were focused on analyzing systems we had 
already imaged so we outsourced the recovery of the data on the tapes to a specialized data recovery company. After two different data recovery companies threw up their hands in confusion over the data on the tapes, we brought it back in house and actually built a system to pull the data ourselves to incorporate into our investigation. This was a number of years ago and early on in our forensic practice, but it taught me something. While other companies approached the data that we needed as business as usual, we were more interested in finding anything at all possible to help our client win their case. We approached recovering the data from those tapes as an investigation, figuring out what tools were needed as we went. I could go on and on with the whole story, but in short we found password protected word documents (which we used password cracking or bypass software on) outlining the subject of our investigation’s plan to place siphoned company funds in out of town banks under a mistress’s name so that our client (the company he worked for) would be clueless as to where to search. Until we found it.
Another service typically integrated into our work but sometimes separately requested is data destruction. This is actually a pretty simple thing that again is a by-product of what our main focus is. Typically we destroy data in several scenarios but the most common is when data is found where it shouldn’t be. If we investigate 
an ex-employee’s computer and they have our client’s data on it, oftentimes one of the agreements/outcomes is that certain information be permanently removed from their systems or devices. Most often, this is best achieved by specifically removing the files from the system, then actually writing over that data with other data (which is typically referred to as wiping). There are other times that the data that needs to be removed is so pervasive and integrated into the system that it’s actually most cost effective to wipe the entire drive or computer/device and do a system restore to a factory new state. Less billings for us but happier clients. Additionally, once the case concludes we will typically wipe over our evidence drives or copies of evidence files, extracted files and case indexes. Most clients and opposing parties don’t want their data sitting anywhere it’s no longer needed.
Yet another ancillary service worth mentioning in this vein is data authentication. This need can come about in several ways. One way is as simple as it sounds; authenticating presented data (such as a file or an email) that actually came from a system, account or even individual. An example where this would be needed is sometimes during a harassment investigation (among others) where we track data back to an I.P. address and get access (voluntarily or via court order if need be) to show
that a file or an email came from the computer or device at that location. In addition to that, we are sometimes asked to analyze a system to prove that a document did not come from a machine. When would that be needed? We’ve had several instances but two quickly come to mind. One case involving a “photoshopped” image that was incorrectly attributed to our client and another involving a so-called “digitally signed” document. In both cases we exonerated our clients by showing the lack of corroborating evidence on the systems themselves along with metadata that did not jibe with what was alleged. Remember, when you use and manipulate files on a computer, there are a number of fragments and artifacts that should be present on the system on which the editing occurred. When those typically found pieces are missing, something doesn’t look right, almost like a crime scene that has been staged. When you consider that, the likelihood of the work or actions having occurred on the system in question can be called into question and oftentimes refuted.
One more service that comes to mind that we sometimes get called for is password bypass or cracking of files that someone rightly owns. Yes, there are a number of free or cheap programs online that can “perform” the service for you, but you are almost always left not getting the password due to one limitation or another. 
Hence the quotes around “perform”. Not only do we use a slew of vastly superior programs for a much greater likelihood of success depending on the file, but we also have another area where we can help those trying to do it on their own. Time. If you’ve ever used one of the programs that seem to be even halfway decent, you’ll realize in short order that the password is quickly discovered or it will take 3 years. Yes, I made up the 3 years part but if you’ve done this exercise you likely smiled at that notion because it’s true, it seems like it will take forever to get the password to the file. However, instead of it taking us 3 years we try to take advantage of distributed computing with additional processors (using more than one computer) to shorten that time substantially going from days to minutes sometimes. Those are some of the services that we routinely execute in the course of an investigation, but we can and do perform a la carte when asked.