What kind of information can forensic software find?

Forensic software is used to analyze data and find:

• Hidden files (identified by file header, not file extension)
• Overwritten (fragmented) data
• Files and fragments in slack space (space between data blocks)
• File remnants in unallocated disk space (space flagged as usable)
• Files flagged as deleted
• Trojans (programs intended to obtain your private data)
• Viruses (programs intended to disrupt, destroy or mutilate data)
• Vulnerabilities – private data stored ‘in the clear’ (not encrypted, accessible)
• Hacking utilities, malware, spyware, remote access tools, scripts and key loggers
• Financial data – account numbers, account spreadsheets
• Business secrets – budgets, projected business plans
• Client lists – names, phone numbers, addresses, other private data
• Planned acts of terrorism
• Chat room dialog, e-mail, social media posts
• Child pornography – Explicit Image Detection (EID)
• E-mail – headers, phishing, pharming, stalking, other inappropriate data

Confidential Consultation (Phase 1)

Consultation
• Perform personal and confidential consultations with key individuals associated with the data discovery process.

Identify ‘key’ evidentiary components
• Interview individuals involved to develop investigative strategies
• Identify source evidence components (computers, mobile devices, tablets, etc.)

Preservation of the Computer Evidence
• Evidence Chain-Of-Custody – (establish / document / preserve)
• Acquire Source (key) Evidence – Building a Data Dump (DD) Image
• Utilize a ‘forensically sound’ set of protocols to investigate digital evidence.

Analysis and Restoration of Key Evidence
• Recover key information from the acquired image (DD) data.
• Deleted, hidden, encrypted and obfuscated files and metadata
• Metadata (EXIF)
• Partial remnants
• Registry components (last documents accessed, Registry item time stamps)
• Password recovery and decryption (building indexed word lists)

Analyze Evidence (Attempt to establish motives)
• Perform keyword searches (including browser searches manually keyed into the browser)
• Establish time-lines
• Establish moods
• Establish connections / accomplice(s)
• Establish actions taken to obfuscate data
• Establish possible motives

Documentation and Presentation of Computer Evidence
• Detailed reports
• Recovered documents (previous versions of Microsoft Excel and other Microsoft documents)
• Recovered file and data remnants
• Decrypted documents
• Local e-mail audit (local artifacts are those associated with a locally installed e-mail client)
• Recovered graphics (EXIF data containing GPS data, what type of camera took the picture, and when the picture was actually taken)
• Internet related (what specific sites they were looking at and when, and what they manually keyed into the browser address line)
• Web mail artifacts – artifacts cached in Internet history, the pagefile, the system volume and applications
• Internet surfing audit – where are they going?
• Download audit – what did they download?
• Upload audit – what did they upload?
• File transfer (FTP) – what did they transfer?
• Vulnerability audit (remote access) – are there key loggers on the device? Is there capture-ware on the device?
• Identity theft audit – were there attempts to log into social media, e-mail and other sites requiring a login user ID and password?
• Hashed files (MD5 and SHA)
• Reconstruction of timelines where possible*
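The two techniques named in these lists, identifying a file by its header rather than its extension and recording MD5/SHA hashes of recovered files, as one added example (not TCF's or FTK's code). The signature table and the sample files are constructed assumptions; a real tool ships a far larger table:

```python
import hashlib
import os
import tempfile
# Constructed signature subset (an assumption): magic bytes -> extensions that legitimately carry them.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx"},
}

def identify_by_header(head):
    """Return the extension set the leading bytes indicate, or None when unknown."""
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None

def hash_file(path):
    """MD5 and SHA-256 hex digests, read in chunks so large images are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def triage(path):
    """Hash one file and flag it when its header disagrees with its extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    exts = identify_by_header(head)
    ext = os.path.splitext(path)[1].lower()
    md5, sha256 = hash_file(path)
    return {"name": os.path.basename(path), "md5": md5, "sha256": sha256,
            "header_type": sorted(exts) if exts else None,
            "mismatch": exts is not None and ext not in exts}

def triage_dir(directory):
    """Triage every file in a directory, sorted by name for a stable report."""
    return [triage(os.path.join(directory, n)) for n in sorted(os.listdir(directory))]

def demo_dir():
    """Constructed sample set: a JPEG renamed to .txt, a PDF, and an identical copy of it."""
    d = tempfile.mkdtemp()
    pdf = b"%PDF-1.4\n%constructed sample\n"
    for name, data in [("notes.txt", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
                       ("report.pdf", pdf), ("report_copy.pdf", pdf)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Identical hashes for `report.pdf` and `report_copy.pdf` show how the same digests let an examiner match recovered remnants against known files without comparing content byte by byte.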

Trial depositions and testimony associated with computer and tablet related incidents and digital forensics, as required.

* Not all data found in unallocated disk space, file slack and system files such as pagefile.sys will contain time-stamped artifacts.

Recognizing Potential Evidence

Typically, an investigator may not know what type of evidence is associated with the digital media. There could be potential “smoking guns”, or the media may not reveal anything substantial. It is for this reason that all evidence must be handled under a strict electronic evidence protocol.

Typically, if individuals think there is evidence on the computer, they will go to the document or other type of evidence and try to delete or obfuscate it so that it cannot easily be found using search utilities.

Digital forensics software such as AccessData’s Forensic Toolkit (FTK) is a highly sophisticated package designed to reveal these deleted and obfuscated digital artifacts.

Once these digital artifacts (evidence items) are revealed, the examiner may be able to build detailed timelines and reveal motives and other items crucial to an investigation involving computers, mobile phones and other digital media.

Security Alert: If you access the Internet from your home computer, cell phone or tablet, you need to seriously consider these issues:

Are your home internet connections secure?
If you use a wireless router, is it configured properly?
Do you have a hardware or software Firewall installed?
Is it configured correctly, or is it running right out of the box?
Do you have intrusion detection software installed?
Do you have Anti-Virus software installed?
Do you use your computer to access On-line Banking?
Do you make any purchases over the Internet?
Do you or a member of your family access ‘Chat Rooms’?
Do you download music or other software from questionable sites?
Is your system exploitable?
Has your computer already been exploited?
Is your system running slower than when you first used it?
Do you have a Trojan or other Malware already on your PC?
Does your mouse pointer move and select objects on its own?
Does your screen flash or change size on its own?
Do Web pages appear without being selected?
Have you ever clicked on links in E-Mail messages from people you do not know?
Do applications open and close on their own?

If you have experienced any of the above issues, you may have already been hacked!

TCF Recommended Software Monitoring Tools

Over the years, TCF has been involved in numerous types of cases associated with networking issues (misconfigured wireless routers), remote control hacks (HaXdoor), disclosure of personal and confidential information, remote access (VNC), malware, trojans, WebWatcher, and network sharing issues.

I have found the following software applications helpful in identifying and/or revealing important issues associated with some of the above vulnerabilities.

Of all the major antivirus applications I have used, VIPRE (still) stands out far beyond the others. As a forensics investigator, my tool box contains dozens of programs and applications not typically seen or used by the everyday computer user. I always wondered why none of the ‘major’ antivirus packages detected any of these applications.

I downloaded the full 30-day trial version of VIPRE, updated it, then scanned my computer. Within the first minute it had already started to identify suspicious software installed on my computer (that I knew was there). When I saw that, I was sold. I didn’t wait until my 30-day trial was over; I went out and purchased a copy for all of the computers in my office. I have been using VIPRE since 2007 and I am still using it today (2014).

• Identity Finder

http://www.identityfinder.com

Ever wonder how much personal information, or how many user IDs and passwords, could easily be found on your computer?

Download and install Identity Finder on your computer. Once it is installed, you can filter for specific types of information or run it right out of the box. Once you run this program and see what it finds, I expect you will do as I did and purchase a full copy. When the program has finished running, you will have the option to wipe files containing important information such as account numbers, user IDs, passwords, etc.
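An added example (not Identity Finder's code or any of TCF's) of the kind of scan described here and in the ‘stored in the clear’ item near the top of the page: it walks text for card-number candidates, uses the Luhn check to discard random digit runs, and reports credential pairs stored in plain text without echoing secrets. The sample text is constructed and the card numbers in it are well-known test numbers, not real accounts:

```python
import re

# Constructed sample "document" text standing in for the files a scan would walk.
SAMPLE_TEXT = """Order notes (constructed sample)
card: 4111 1111 1111 1111 expires 12/26
backup card 1234-5678-9012-3456 (not a real number)
login userid=jdoe password=Summer2014!
ticket #5555555555554444 was opened on Monday
"""

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# key=value / key: value pairs for the credential field names we care about.
CRED_RE = re.compile(r"\b(userid|username|password|passwd)\s*[=:]\s*(\S+)", re.I)

def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Card-number candidates that pass Luhn, each with a masked form for the report."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append({"raw": m.group(),
                         "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return hits

def find_credentials(text):
    """Credential pairs stored in the clear; only the key and the value length are reported."""
    return [{"key": k.lower(), "value_len": len(v)} for k, v in CRED_RE.findall(text)]
```

The dashed "backup card" line is dropped by the Luhn check even though it matches the digit pattern, which is the filtering step that keeps a scan like this from flooding the report with ticket and phone numbers.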
