In the process of moving our office we’ve recently had the rather neat experience of uncovering some equipment that we’ve not used in years. It’s our own little version of a time capsule someone buries in the ground then digs up in 25 years. Ok, maybe not as neat or interesting as that but still a moment for some contemplation when these “antiques” are uncovered. Overall, it’s amazing how easy it is to acquire electronic devices that are used for a time period then discarded for something newer, faster and with more capabilities. When I say discarded I actually mean placed in a closet, box or cabinet to be discovered 5 to 10 years later (when are you not going to need a 12 volt 1 amp converter!). And when I say acquire I mean get, use for a time period, sometimes too long (if it isn’t broke don’t fix it right?) or not long enough because a newer widget came out which makes the old one look as cutting edge as a Lincoln Log.
When surveying the pile of old equipment, or toys depending on how you want to look at them, and trying to figure out what is potentially still useful and what belongs in a museum of some sort, it’s pretty amazing how things have changed not only in the last 15 years but in many cases just the last 5. This is rather geeky, but I smiled as I uncovered a device I hand built early on to write block an IDE drive. When I say an IDE drive I mean the interface for a hard drive in your computer, but from a number of years ago. I know it’s not been used in a long while, but out of curiosity I looked up online how long ago those types of drive connections were common. According to Wikipedia (sometimes a scary statement), SATA superseded IDE (or Parallel ATA) in 2003. I guess that seems about right, because the next thing I found buried was a laptop hard drive (back when you needed a converter to go from the smaller 44 pins on the drive to the standard size 40 pins on a 3.5” hard drive). I wasn’t bored enough to look at the data on the drive, though it was probably running Windows 98 or perhaps even 95! Instead I drilled it full of holes…you know, just in case it had anything confidential. Another interesting thing to note was that the drive size was 80 GB. Compare that to today, when the average size of a drive is more like 500 to 1000 GB.
What does this all have to do with digital forensics, you might be asking? A couple of points, as it turns out. As drive sizes have gradually increased, the likelihood of interesting and actionable data not only appearing, but remaining on the drive has increased as well. Not only that, but while we try to preach that any suspicion of wrongdoing by a current or recently departed employee means the computer should be set aside right away, the fact is that even if you just slide the computer over to a new user, data from the previous party will most likely still reside there. There may be some loss of potential evidence, but as long as the machine isn’t wiped there’s still going to be a good deal of actionable data available, assuming wrongdoing was performed.
Think of it as a pecking order of evidence that can be beneficial. The first preference would be to examine the computer as soon as possible after the subject has used it, to prevent another user or some automated process from eroding forensic artifacts. Next in the list would be a computer that a subject used but which was handed over to a new or replacement employee. The important thing to note here is that it wasn’t wiped, factory restored or given a new “image.” If the user we’re interested in still has a profile on the computer that wasn’t deleted, there is typically a wealth of information still available. Email, online activity for the profile, folder/file history, deletions, saved passwords and more are still going to be available if the profile is intact. The final category of evidence (not really final, but go with me here) would be a computer that has had a new image put onto it. Notice I said a new image put on it, and not wiped and then a new image. What’s the difference? Wiping (as we’ve discussed previously) involves putting new data (typically some repeating character like a 0) over or in place of the data that’s there.
When you do this properly you really do obliterate the data that resides on a hard drive, but it takes time, sometimes minutes, sometimes hours depending on the size of the drive. In that case, you can realistically kiss finding anything usable goodbye.
Something I didn’t specifically address is what happens if someone formats a drive and then installs a new version of the operating system (like Windows 7, for example). This is sort of a hybrid type of evidence between the second and third categories mentioned. The odds that we’ll recover the complete profile of the subject are not good, but then again they might be. There’s just no telling. This is where we say “it depends.” For one, it depends on how much of the drive was actively used when the format and re-install was performed. Most likely in this scenario we’ll be able to carve many files from the drive, but we’re not going to be able to completely recover all data from the drive, since, as you may know or surmise, much of that data was overwritten by the new operating system install. Having said that, there is a chance we’ll be able to locate and rebuild a copy of the previous file allocation table and actually locate many more files. As I said, “it depends.” Either way, while we’ve seen a number of different scenarios or circumstances over the last twenty years, there seem to be a much smaller number of “templates” that can be applied to try to find and maximize evidence of wrongdoing. As such, if you’re unsure of the likelihood of recovery of actionable data, just ask. Not only are we experienced but also quite forthcoming on the chances of actually being able to assist on your matter, so again, just ask.
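To make the difference between the three outcomes concrete (a quick format leaves everything in place, a format plus OS install overwrites only what the installer touched, a zero wipe removes everything), here is an added toy model written for this post; it is not the author's code and not a real file system. It assumes a made-up disk layout (a primary allocation table in block 0 and a backup copy in block 1, as several real file systems keep), constructed file "signatures" (`%PDF`, `MSG:`) standing in for real magic numbers, and constructed file contents. The `carve` function ignores the table entirely and scans the data area for known headers, which is what file carving does; `rebuild_table` shows the "locate a copy of the previous allocation table" idea from the paragraph above.

```python
"""Toy disk model: why a quick format is not a wipe (constructed example, not a real file system)."""
import re

BLOCK = 128                 # bytes per block (toy value)
NBLOCKS = 64                # 64 blocks = 8 KiB "drive"
DATA_START = 2              # block 0 = primary allocation table, block 1 = backup copy
SIGNATURES = {b"%PDF": "pdf", b"MSG:": "email"}   # constructed magic numbers
SIG_RE = re.compile(rb"(?:%PDF|MSG:)[^\x00]+")     # a carved file ends at the first NUL byte


def new_disk() -> bytearray:
    return bytearray(NBLOCKS * BLOCK)


def read_table(disk: bytearray, copy: int = 0) -> dict:
    """Parse 'name:start:len;' entries from table copy 0 (primary) or 1 (backup)."""
    raw = bytes(disk[copy * BLOCK:(copy + 1) * BLOCK]).rstrip(b"\x00")
    table = {}
    for entry in raw.split(b";"):
        if entry:
            name, start, length = entry.split(b":")
            table[name.decode()] = (int(start), int(length))
    return table


def write_table(disk: bytearray, table: dict) -> None:
    """Write the table to both the primary and the backup location."""
    raw = b"".join(f"{n}:{s}:{l};".encode() for n, (s, l) in table.items()).ljust(BLOCK, b"\x00")
    disk[0:BLOCK] = raw
    disk[BLOCK:2 * BLOCK] = raw


def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Append a file (NUL-free content, padded with NULs to a block boundary)."""
    table = read_table(disk)
    nxt = max((s + l for s, l in table.values()), default=DATA_START)   # first free block
    nblk = -(-len(data) // BLOCK)
    assert nxt + nblk <= NBLOCKS, "toy disk full"
    disk[nxt * BLOCK:(nxt + nblk) * BLOCK] = data.ljust(nblk * BLOCK, b"\x00")
    table[name] = (nxt, nblk)
    write_table(disk, table)


def quick_format(disk: bytearray) -> None:
    """A quick format clears only the primary table; every data block is untouched."""
    disk[0:BLOCK] = bytes(BLOCK)


def quick_format_and_reinstall(disk: bytearray, os_blocks: int) -> None:
    """Format, then an 'OS install' overwrites the first os_blocks data blocks and writes a fresh table."""
    quick_format(disk)
    disk[BLOCK:2 * BLOCK] = bytes(BLOCK)                                  # installer resets the backup copy too
    disk[DATA_START * BLOCK:(DATA_START + os_blocks) * BLOCK] = b"N" * (os_blocks * BLOCK)
    write_table(disk, {"os": (DATA_START, os_blocks)})


def wipe(disk: bytearray) -> None:
    """Overwrite every byte with zeros: tables and data alike."""
    disk[:] = bytes(len(disk))


def carve(disk: bytearray) -> list:
    """Ignore the table and scan the data area for known headers (file carving)."""
    data = bytes(disk[DATA_START * BLOCK:])
    return [(SIGNATURES[m.group()[:4]], m.group()) for m in SIG_RE.finditer(data)]


def rebuild_table(disk: bytearray):
    """Return ('primary'|'backup'|None, table): use the primary table, else the backup copy."""
    for copy, label in ((0, "primary"), (1, "backup")):
        table = read_table(disk, copy)
        if table:
            return label, table
    return None, {}


def scenario(action) -> dict:
    """Populate a disk with three constructed files, apply `action`, then report what an examiner sees."""
    disk = new_disk()
    write_file(disk, "memo", b"MSG:Exported the customer list to a USB stick on Friday")
    write_file(disk, "report", b"%PDF-1.4 quarterly numbers, confidential draft")
    write_file(disk, "note", b"MSG:Meeting moved to Thursday, bring the draft contract")
    action(disk)
    source, table = rebuild_table(disk)
    return {"table_source": source, "table_files": sorted(table), "carved": [kind for kind, _ in carve(disk)]}


if __name__ == "__main__":
    for label, action in [("untouched", lambda d: None),
                          ("quick format", quick_format),
                          ("format + reinstall", lambda d: quick_format_and_reinstall(d, 2)),
                          ("zero wipe", wipe)]:
        print(f"{label:20s} {scenario(action)}")
```

Running it shows the pecking order in miniature: untouched and quick-formatted disks carve all three files, and the quick format is even undone by reading the backup table; the reinstall leaves only the file that sat beyond the blocks the installer wrote; the zero wipe yields nothing from either the tables or the carver. The one simplification to keep in mind is that the carver stops at the first NUL byte, so a real carver needs format-specific end markers or length fields instead.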