Once you’ve got images in hand and can verify they are authentic to the original evidence (via hash value), it’s time to begin processing the evidence. How we proceed typically depends on the type of matter we’re working, but for our purposes here, we’ll say there’s a laptop running Microsoft Windows, the employee has left the employment of the company rather abruptly, and they were in a position to have access to a multitude of data critical to the company’s endeavors. This scenario is typical of what we work with on a daily basis, so it’s rather easy to address! Ok, so the person left and they had access to trade secret data, intellectual property or some other critical info. We’ll typically load the forensic image into one of our digital forensic programs to index it; AccessData’s Forensic Toolkit (FTK) is a great example of a program that does this. Doing so at the outset allows us to conduct a search for specific terms at any point down the road without having to run a long search of the drive, which might take hours.
I’m dating myself a bit here by saying long search (my term) because when I first started investigating computers (back in 1997), one of the early tools I used was Guidance Software’s EnCase as my main means of searching and investigating evidence. Every time we needed to search for some specific terms (a client name or a contact for example), we’d need to have the software restart its search, which as I just said could take hours every time you develop new information to search for. For the record, EnCase has had the ability to index for quite some time but I’m partial to FTK for this function typically.
While the data is being indexed, we can get more information from the client: specifics of the case like names, dates, times, contacts, and the content in question. This information will form the basis for the search for key terms and keywords to look for on the forensic image. As a side note, we’ve gotten a wide range of keywords offered when we start a digital investigation, particularly with a client that is new to the process. And when I say wide range I mean anything from a specific serial number, phone number or email address (which are good starting points) to words like money, steal and cheese. That’s really not made up. We don’t always receive or even need these keywords or search terms on every case; as such, this is something that will be discussed again in the future. Sometimes our focus is on what actions took place on the computer, but we’ll discuss that aspect of an investigation later.
Once the drive’s contents are indexed, including document contents (Word, Excel, PowerPoint, etc.), OCR’d text (Optical Character Recognition, which is needed to extract the text contained within image files such as JPEGs, bitmaps, GIFs, PDFs, TIFFs and more), emails AND unallocated areas and deleted data, we can throw these developed keywords at the index and see if we have some relevant hits. There are a number of things we can do to ensure we have more relevant hits, like excluding known files (such as operating system files) and applying filters, but for this post we’ll not get too bogged down in such minutiae. If we’re simply searching for some contents, then we can export findings and work with the client to see what’s relevant and what’s not. Cases are rarely that cut and dried; instead we normally use this as a jumping off point to see where these files reside on the computer (ideally in a folder called “Stuff I Plan on Taking”, but we’re rarely that lucky!). Many times the places we find these files, or artifacts pointing to some of these files of interest, cause us to look more closely at other areas and avenues of data exfiltration such as a USB drive, an email account or an Internet storage location. Much like how Netflix recommends another series to watch after you’ve binged 3 seasons of a show.
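To make the index-once, search-repeatedly idea concrete, here is an added toy illustration of my own (not FTK or EnCase code): it builds an inverted index over constructed sample content pulled from a drive, drops known files by hash the way a known-file hash set does, and then answers new keyword queries without rescanning. The paths, content and hash set are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample "files" standing in for text extracted from a forensic
# image (documents, email bodies, carved unallocated text). Not real evidence.
EXTRACTED = {
    "C:/Users/jdoe/Documents/pricing.xlsx": "Customer list and 2023 pricing for Acme Corp. Contact: 555-0142",
    "C:/Users/jdoe/Desktop/resume.docx": "Objective: new role. References available.",
    "C:/Windows/System32/notepad.exe": "MZ header... operating system binary",
    "[unallocated]/cluster_8812": "deleted draft: send Acme Corp pricing to personal gmail",
}

# Constructed known-file hash set (the role an NSRL-style set plays in FTK or
# EnCase): anything whose SHA-256 matches is excluded before indexing.
KNOWN_FILES = {hashlib.sha256(EXTRACTED["C:/Windows/System32/notepad.exe"].encode()).hexdigest()}

TOKEN = re.compile(r"[a-z0-9@.\-]+")

def tokenize(text):
    """Lowercase, keep letters/digits/@/./- so emails and phone numbers survive,
    then strip trailing punctuation so 'Corp.' indexes as 'corp'."""
    return [t.strip(".-") for t in TOKEN.findall(text.lower()) if t.strip(".-")]

def build_index(files, known_hashes):
    """Tokenize every non-known file once. Returns (index, excluded_paths) where
    index maps each token to the set of paths containing it."""
    index = defaultdict(set)
    excluded = []
    for path, text in files.items():
        if hashlib.sha256(text.encode()).hexdigest() in known_hashes:
            excluded.append(path)
            continue
        for tok in tokenize(text):
            index[tok].add(path)
    return index, excluded

def search(index, terms):
    """Answer each term from the index alone (no rescan of the image).
    A multi-word term matches only paths containing every word."""
    hits = {}
    for term in terms:
        words = tokenize(term)
        paths = set.intersection(*(index.get(w, set()) for w in words)) if words else set()
        hits[term] = sorted(paths)
    return hits

if __name__ == "__main__":
    idx, skipped = build_index(EXTRACTED, KNOWN_FILES)
    print("excluded known files:", skipped)
    # New terms from the client can be thrown at the same index at any time.
    for term, paths in search(idx, ["Acme Corp", "555-0142", "cheese"]).items():
        print(f"{term!r}: {paths}")
```

Note that the unallocated-space hit on "Acme Corp" is the kind of result that sends us looking at where else that content went, rather than an answer in itself.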
On that note, we’ll pin this here and next time go into the exciting world of USB drives! We find USB drives are still the most commonly used medium to abscond with data when leaving an employer, so why not touch on it next? #KeywordSearch