The Truth is in There: Sleuthing for Data with Digital Forensics

Page 3 of 3

      Bookmark and Share

Companies Featured

Basis Technology Corp.
www.basistech.com

Computer Forensic Associates, Inc.
www.4nsic.org

dtSearch
www.dtsearch.com

Guidance Software 
www.guidancesoftware.com

LTU Technologies
www.ltutech.com


Sidebar: Five Steps of a Digital Forensics Investigation
Brian Karney of Guidance Software identified five key academic principles involved in a digital investigation:

Step 1: Acquisition 
This is of critical importance, Karney says, because when you make a copy of the data you want to make sure you get all of it. The term "forensic acquisition" refers to using a special technology or engine to make sure you copy every sector as it lived on the hard drive at the point in time you acquired it. This could refer to any type of drive whether it is a Flash drive, hard drive, MP3 player such as an iPod or a PDA, or cell phone.

Step 2: Preservation 
After you make a copy, the second major premise is called "preservation". It is basically like a vessel. I have this information and I need to preserve it in a vessel so that all of the metadata is intact. In this way, the investigator can learn when files were accessed, what deleted files are available, unallocated space and so forth—all of the ways file systems store data on hard drives. 

Step 3: Analysis 
This is where the analyst begins to understand what's on the drive and begins slicing and dicing the data in an absolute fashion using tools (such as EnCase) to understand what's there. Karney describes this as looking at the layers of the drive, with lowest level being the ones and zeros as they live on the hard drive. Next you look at the sectors and clusters and finally you have the file system itself. Within the file system, investigators can see what documents live on the drive, and finally within the files is the content.

Step 4: Presentation 
Once you analyze the data, you need to be able to generate some meaningful reports from it. For example, you may have found certain pictures, some deleted files, these hacking tools or stolen content and so forth.

Step 5: Authentication 
This is a critical piece because it involves being able to authenticate the information and validate the findings. Digital forensics is ultimately about how I got this information and how I analyzed it to prove this point. 


Sidebar: Using dtSearch to Find Missing Data 
While experts like Jeffrey Gross, who founded Computer Forensics Associates, Inc., use an arsenal of tools to extract data, Gross says one of his "secret weapons" is dtSearch, an enterprise-class indexing and search tool. In fact, it's the same kind of tool you would use to index data on your local hard drive or your content management system to access, then slice and dice the data in a variety of ways. 

"dtSearch is a phenomenally potent evidentiary extraction search tool that the average user remains unfamiliar with. It has massive capability. It exceeds many if not most products out there. It has a terrific interface and is phenomenally efficient at getting data out. I use it in forensic investigations, as opposed to what was its initial design as a commercial search tool," Gross says.

Gross says that he uses traditional digital forensics software tools to carve out the areas on the hard drive that contain the elements he wants. "Most cases involving forensic investigation of media usually utilizes dedicated proprietary forensic software tools that have been designed to carve out things that have been deleted, that are partially overwritten, to recover fragments and remnants from places like unallocated space, to swap files—many of the areas not accessible to [most] end users." 

Once he has identified this area with forensics software, he can build an index with dtSearch. "Using dtSearch with the forensics software, I can carve out the unallocated space just like a regular file, then recover the individual files, whether they are text files or spreadsheets, deleted files, word processing files...and put them all into an index." He says this ability to put the files into an index upfront is a tremendous advantage over traditional forensics search tools because instead of having to search in real time, he can search against the pre-built index and get precise answers back in seconds. 

What's more, Gross says, he can use dtSearch across multiple hard drives, making his search process vastly more efficient. He says he typically works on complex financial cases and these involve multiple computers, many individuals, and many issues, and dtSearch enables him to see everything that's there in a single index. "Rather than just getting back the results of an individual search, you can actually see a vocabulary list and the frequency of every word that appears in the entire universe of your data." 

dtSearch can also do advanced searches like fuzzy search, stemming searches, numeric ranges, synonyms, and so forth. For instance, Gross says you could search for "Geoff" or "Jeff" or even find near matches. If you want to search through emails from "Jeff"/"Geoff" about a certain transaction, you can find specific words that are within a certain number of words. 

Gross says he can also embed dtSearch into a CD or DVD and hand it off to a lawyer working on his case, a very powerful capability, making for very happy clients and giving him a competitive edge in a competitive market.        

Page 3 of 3