DATA RECOVERY – FORENSICS STYLE 2

Written by Obama Mishy
Remember the end game: the bad guy goes to jail and/or pays a hefty fine for their illegal activities, and this only AFTER the court case is won. So… what do we know about the court system? Paperwork. Forensic Data Recovery is NOT exempt. In fact, it is key to a successful litigation process. So what kind of paperwork is involved in a Forensic Data Recovery?
It is always good to verify the requirements of the law to determine what specifically needs to be accomplished. FRCP Rule 26 speaks specifically to electronic discovery as an evidence type. It is rather lengthy and may be viewed here: FRCP Rule 26. The short version, with the addition of FRCP Rule 801, can be stated thusly: copious documentation of said evidence will keep discussions regarding the Forensic Data Image to a minimum and on point. The following are steps towards good documentation:
  • Photograph the evidence. Remember, once it has been determined that the computer and/or electronic device may have been compromised or has been compromised, and a Forensic Image is required, the hard drive and/or electronic device is now considered evidence and must be treated as such. This is important because tampering with evidence is prosecutable. So… begin by photographing the evidence. Labels that are sold with the hard drive can come off or become damaged. To successfully verify that the electronic data gathered via hard drive imaging matches the hard drive and/or electronic device that was imaged, take a photograph of the hard drive and/or electronic device. The serial numbers on the label should match the data kept in the Service Area of the hard drive, which will be brought forward upon successful completion of the forensic imaging process. If they do not match, and there is a photograph of the hard drive / electronic device, there is a good starting point from which to work back and discover how the label was changed, etc. Photograph all sides of the evidence. This quells any argument about whether the evidence in question was tampered with prior to or after being forensically imaged.
  • Chain of Custody. There needs to be paperwork showing the responsible party releasing the hard drive (which should now be called evidence) into the hands of the individual performing the forensic image. This Chain of Custody paperwork should include the following at a minimum:
    • Make / Model and Serial Number of the evidence, plus any markings and/or labeling.
    • The name of the individual responsible for turning over the evidence for forensic imaging, along with their signature.
    • Date/Time stamp of the transaction.
    • The name of the individual responsible for performing the forensic image, along with their signature.
    • The make/model and serial number of the drive to be used to capture the image.
    • Others as applicable.

This is just the very minimum. If the image has to be shipped to a Forensic Lab, then tracking numbers and the signatures of the people handling the evidence along the way also need to be recorded.

So at the end of all this imaging, paperwork, etc., there should be a bit-stream image exactly the same as the original, down to the very last bit. This image can then be processed to determine what, if anything, was taken (documents, etc.), when, where it went, and whether any other network devices connected to this device may have been compromised as well, along with the ability to take any findings into a court of law to be litigated upon.
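The two requirements above, a bit-stream image identical to the original and a chain-of-custody entry with the minimum fields listed, can be checked and recorded together. The following is an added example and not code from the article or its author: it compares the source and the image byte for byte, reports the first differing offset if there is one, and writes the result into a record carrying the fields the article lists. The SHA-256 hashes are an addition common in practice that the article does not mention; all make/model/serial values are constructed placeholders, and the in-memory "drive" stands in for a real device or image file.

```python
"""Added example (not from the original article): verify that a bit-stream image
matches its source byte for byte, then record the result in a chain-of-custody
entry with the minimum fields the article lists. The hash fields are an
addition common in practice; the article itself describes only the paperwork."""
import hashlib
import io
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import BinaryIO, Optional

CHUNK = 1 << 20  # 1 MiB reads, so a multi-terabyte image never has to fit in memory


@dataclass
class CustodyRecord:
    """Minimum chain-of-custody fields from the article, plus verification results."""
    evidence_make_model: str
    evidence_serial: str
    markings: str
    released_by: str            # person turning over the evidence
    received_by: str            # person performing the forensic image
    capture_drive_make_model: str
    capture_drive_serial: str
    transferred_at: str         # date/time stamp of the hand-over
    source_sha256: str = ""
    image_sha256: str = ""
    image_verified: bool = False
    first_mismatch_offset: Optional[int] = None


def first_mismatch(source: BinaryIO, image: BinaryIO) -> Optional[int]:
    """Compare two binary streams byte for byte. Returns None when identical,
    otherwise the offset of the first differing byte; a length difference is
    reported as a mismatch at the point where the shorter stream ends."""
    offset = 0
    while True:
        a, b = source.read(CHUNK), image.read(CHUNK)
        if a == b:
            if not a:          # both streams reached EOF together
                return None
            offset += len(a)
            continue
        common = min(len(a), len(b))
        for i in range(common):
            if a[i] != b[i]:
                return offset + i
        return offset + common  # all shared bytes matched; one stream ended early


def verify_image(source: BinaryIO, image: BinaryIO, record: CustodyRecord) -> CustodyRecord:
    """Hash both streams, compare them byte for byte, and fill in the record."""
    hashes = {"source": hashlib.sha256(), "image": hashlib.sha256()}
    for name, stream in (("source", source), ("image", image)):
        for chunk in iter(lambda: stream.read(CHUNK), b""):
            hashes[name].update(chunk)
        stream.seek(0)          # rewind so the byte comparison starts at offset 0
    record.source_sha256 = hashes["source"].hexdigest()
    record.image_sha256 = hashes["image"].hexdigest()
    record.first_mismatch_offset = first_mismatch(source, image)
    record.image_verified = (record.first_mismatch_offset is None
                             and record.source_sha256 == record.image_sha256)
    return record


def verify_bytes(source: bytes, image: bytes, record: CustodyRecord) -> CustodyRecord:
    """Convenience wrapper for in-memory data; real use passes open device/image files."""
    return verify_image(io.BytesIO(source), io.BytesIO(image), record)


# Constructed sample data: a 10 KiB "drive", a faithful image, and an image with one
# flipped byte at offset 5000. None of this comes from a real case.
SOURCE = bytes(range(256)) * 40
GOOD_IMAGE = bytes(SOURCE)
BAD_IMAGE = SOURCE[:5000] + bytes([SOURCE[5000] ^ 0xFF]) + SOURCE[5001:]


def sample_record() -> CustodyRecord:
    """A record with placeholder identifiers (constructed, not real serial numbers)."""
    return CustodyRecord(
        evidence_make_model="EXAMPLE-MAKE EXAMPLE-MODEL",
        evidence_serial="SERIAL-PLACEHOLDER-0001",
        markings="asset tag sticker present; manufacturer label intact",
        released_by="J. Doe (custodian)",
        received_by="A. Examiner",
        capture_drive_make_model="EXAMPLE-CAPTURE-DRIVE",
        capture_drive_serial="SERIAL-PLACEHOLDER-0002",
        transferred_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


if __name__ == "__main__":
    for label, img in (("good image", GOOD_IMAGE), ("bad image", BAD_IMAGE)):
        rec = verify_bytes(SOURCE, img, sample_record())
        print(label, json.dumps(asdict(rec), indent=2))
```

The byte-for-byte pass is what backs the "down to the very last bit" claim; the hashes are what gets written on the paperwork so a later party can re-verify the image without the original drive present. A truncated image is reported as a mismatch at the offset where it ends rather than silently passing.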

Let us revisit our victim. He has contacted his IT friend, and based upon the IT friend’s expertise and what has been gleaned from the conversation, it has been determined that there is indeed a good chance something is up and action needs to be taken. Question: Should the IT person (as good as they may be) take over from here and move to secure the network and gather evidence to be used in court if necessary? To secure the network? Absolutely! To produce the Forensic Images? Probably not. Why? This question is best answered with another question: What does the victim really want? Just to get the data back? Fine… let the IT friend have at it. Go to court? In the over-litigious society in which we live, it would be best to have someone that can meet / exceed FRE (Federal Rules of Evidence) Rule 702 and let that standard be the guide as to defining a Forensic Expert. Why? Because all it takes is one good attorney and all bets are off, and the victim could lose. The paperwork must be completed correctly, the investigation (which is the next step after completion of the Forensic Image) must be completed in a timely manner… and the list goes on.
If the victim chooses to go to court with the evidence that the network was compromised, the data is missing etc., the expertise in evidence acquisition will pay big dividends towards winning the case.

Author bio

IT person with 20+ years’ education and experience in the field. Owner of D. Eno Forensics, a full service Digital Forensics company, and recently working with AccessData, LLC, a forensic software company. Leveraging the previous 20 years of IT education and experience to provide expert IT analysis to Computer Forensic investigative work. Experience includes over 400 cases, written opinions, depositions and court testimony. www.denoforensics.com