REPORT OF EXAMINATION
December 29, 20XX
Our Case Number: CIT-255-XX
Pursuant to the request of Mr. John Jones, XYZ Company, Philadelphia, Pennsylvania, I have forensically examined and forensically recovered data from an XXXX laptop, model 1234, s/n 123456, provided to me by ABC Corp., which is reported to be the laptop computer of Ed Jones. This report is organized in five parts: RESULTS and COMMENTS, CONCLUSIONS and OPINIONS, STEPS TAKEN, EXHIBITS, and TECHNICAL ISSUES.
RESULTS and COMMENTS:
The media was searched for any normal files[1], temporary files[2], deleted files[3] or file fragments[4] in unallocated space[5] for names, words and phrases as provided by ABC employees, the client and Bristol Community College.
Multiple searches were made of the entire drive for the following names, words and phrases:
Potentially relevant documents and data relating to the above names, words and phrases were found in the following areas:
Mail Files
Deleted Files
File Slack[6]
Unallocated Space
Printouts of potentially relevant data were provided to the client and/or XYZ Company. All data found was also provided in the form of six (6) identical read-only CD-ROMs marked with Bristol Community College case number CIT-255-XX- Exhibit 2 to XYZ Company for distribution and investigative leads.
Documents and EMAIL found on the media indicate that the computer was being used by Ed Jones.
Virtually no normal user created data files, i.e., word processing documents, spreadsheets, etc., were found.
Numerous previously deleted facsimile files were found and recovered.
EMAIL files from a Windows Explorer mail application were found. These files were from 1997 and 1998 and apparently discarded when the Windows Explorer was replaced with Netscape in 1998. The EMAIL files for Netscape had been deleted and were not recoverable.
The computer was last accessed on 12/22/99. It was initially accessed at approximately 3:01AM and finally shutdown at approximately 5:53PM. During this period numerous files were deleted, including those located in the \....\WINFAX\DATA directory and \My Documents directory.
Sometime on 12/22/99 prior to 5:44PM the Windows defragmentation utility[7] was used to defragment the drive. This has the effect of overwriting deleted files. This is evidenced by the lack of recoverable deleted files.
The only recoverable deleted files on the drive were recovered from the \....\WINFAX\DATA directory. These files were last accessed at approximately 5:44 PM and therefore were deleted after the defragmentation process. The computer was shut down at 5:53PM.
A directory \UTILS was created on the media 12/22/99 at 1:30 PM. This directory holds the Norton Utility WIPEINFO application. This application can effectively wipe all information from the media and prevent recovery of any data. This file was accessed on 12/22/99 but was not used to wipe the drive. The directory also contained an application called Norton Commander. This application allows quick access to and the deletion of files.
As potential internet or computer related leads developed, Bristol Community College conducted limited internet Whois[8] searches and similar checks. The information found as a result of the leads was provided to the client in document form and is also contained on the CD-ROM provided. It should be noted that the Domain name XXXXXXXXX.COM is currently registered to XXXXXX XXXXXXX. A copy of a previous registration query found on the laptop media indicates that the Domain name XXXXXXXXXXX.COM was previously registered to XXXXXXXX, Miami, Florida with Tom Smith listed as the administrative contact. This information is located in the BCC Leads folder.
COMMENTS and OPINIONS
It is my opinion, based upon the above information and other information found on the media of the subject laptop, that numerous files created by Ed Jones, including FAX documents, directories and documents in the \My Documents directory were purposely deleted and that the drive was purposely defragmented in an attempt to overwrite or wipe the deleted files. Many deletions occurred on 12/22/99. The defragmentation occurred on 12/22/99.
STEPS TAKEN
To simplify my explanation of what was done, I have provided the following information which outlines the standard processing procedures that I followed when processing this computer. These procedures are recommended by the International Society of Forensic Computer Examiners.
1. All Bristol Community College media utilized during the copying and recovery process was freshly prepared, completely wiped of data and scanned for viruses before use.
2. All software utilized is licensed to, or authorized for use by, the examiner and/or Bristol Community College.
3. The subject computer hardware was physically examined. It was an XXXXX laptop computer, model 1234, s/n 123456 with one Hard Disk Drive (HDD) and the hardware necessary to connect to a network. The computer media was one IDE interface hard disk drive, 2.1 gigabytes (2,100,000,000 bytes) in capacity. Nothing unusual was found during the physical examination of the computer hardware.
4. A bitstream (exact) copy was made of the Hard Disk Drive (HDD) contained in the subject computer to a Bristol Community College HDD. Since the original media was to be returned to the client, one original bitstream backup copy was made and preserved as an original. The actual examination was conducted on a copy of the original media.
5. The contents of the CMOS, as well as the internal clock, were checked and the internal date and time were accurate to within a few minutes. The time and date of the internal clock are frequently very important in establishing file creation, modification or deletion dates and times.
6. The media was examined and was found to contain the Windows 95A (FAT 16) operating system with one logical partition. Nothing unusual was noted.
7. The boot record data, and user defined system configuration and operation command files, were examined and nothing unusual was noted.
8. All recoverable deleted files with potential evidentiary value were restored or recovered. When practical or possible, the first character of restored files was changed from HEX E5 to “-”, or another unique character, for identification purposes.
9. A listing of all the files contained on the examined media, whether they contain potential evidence or not, was made. This listing is contained on the provided CD-ROMs.
10. The unallocated space was searched for potentially relevant lost or hidden data.
11. The “slack” area[9] of each file was searched for potentially relevant lost or hidden data.
12. The contents of each user data file in the root directory and each sub-directory (if present) were searched for potentially relevant data.
13. There were no password protected files.
14. Executable programs of specific interest were examined. User data files that could not be accessed by other means were examined at this time using the native application.
15. A printout or copy was made of all apparent evidentiary data and provided to the client and/or XYZ Company. The file or location where any apparent evidentiary data was obtained can be found on the provided CD-ROMs. All files and data recovered are contained on the provided CD-ROMs. All exhibits were properly secured until transmission to XYZ Company or the client.
EXHIBITS:
Printed copies of potentially relevant data and files were personally transmitted to the client and/or XYZ Company employees. All of the data and files found and leads pursued by Bristol Community College were placed on six (6) read-only CD-ROMs. The data and files on the CD-ROMS are structured as follows:
\README.TXT – A copy of this section of the report showing the structure of the exhibits. This file can be viewed/printed from the CD-ROM with Microsoft Word 97.
\MAIL - A subdirectory that holds the valid internet EMAIL files found on the subject computer. These files can be viewed/printed with Microsoft Office 97 or above.
\Deleted Files\FAX – A subdirectory that holds the deleted facsimile files that were recovered. These files are in a standard CCITT Group 3 format. These files cannot be viewed using normal Microsoft applications. A demo version of a file viewer called QUICKVIEW PLUS is located in the \Viewer Software directory. In order to view these files this viewer must be installed on your computer. Printed copies of all recovered fax files have been provided.
\FILE SLACK – A subdirectory that holds copies of data found in the slack area of valid files. The file location of the data is noted before the data. The slack data from these multiple files can be viewed/printed with Microsoft Word 97 or above.
\UNALLOCATED SPACE – A subdirectory that holds copies of data, fragments of files and other pieces of information found in unallocated space on the subject computer. This data was found in many small fragments and was copied from unallocated space to one file. The fragments were not pieced together and are in a random order as found on the media. Some fragments contain formatted data, which means that there may be unusual looking characters interspersed with the actual text data. Some fragments may be intermediate drafts or temporary saves of data and contain a portion or all of the data in a previously deleted or valid file. This data from these multiple files can be viewed/printed with Microsoft Word 97 or above.
\COOKIES - A subdirectory that holds text data sent from internet web pages to this computer. This information can sometimes be helpful in determining which WWW locations were visited.
\BCC LEADS – A subdirectory that holds the results of internet Domain Name registration searches by Bristol Community College as a result of data found on the subject computer. This file can be viewed/printed using Microsoft Word 97.
\BCC CASE INFO – A subdirectory that holds three files created by Bristol Community College to document the case statistics and all directory entries on the media. This should be used to authenticate the date and time stamps[10] on the files on the CD-ROMs. The file DIR.XLS is an EXCEL spreadsheet that holds all of the directory and file information. The files in this sub directory can be viewed/printed using Microsoft Word 97 and Microsoft EXCEL 97. Contact Bristol Community College if you have any questions regarding how to authenticate a file date/time stamp.
\Viewer Software – Holds the demo version of QuickView Plus viewer software necessary to view the facsimile documents in the \Deleted Files\FAX directory.
All of the files/data on the CD-ROMs are accurate copies of files/data contained on the original media.
Since the original computers were returned to the client, Bristol Community College will maintain a copy of the HDDs or other media for a period of one year, unless otherwise advised. The six (6) CD-ROM copies contain all of the data that we have recovered from this computer. It is suggested that one copy of the CD-ROM be provided to the defense at time of discovery, if appropriate.
If use of any of the data of this examination is necessary in any judicial proceedings, have the appropriate attorney contact the examiner so that the examiner's expert qualifications can be discussed and properly presented.
TECHNICAL ISSUES:
Basic Windows 95/98 and DOS Disk Structure:
There are two major areas on a Windows/DOS formatted hard disk. They are:
- The System Area, which tells the computer the disk size and where to look for the Operating System, and holds the File Allocation Table (FAT). The Root Directory, located in the System Area, holds directory entries for files and for sub directory entries in the Data Area.
- The Data Area, which holds the actual data and sub directory entries.
File Creation and Storage
When a file is created three things occur:
1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)
2. A Directory entry is made to indicate file name, size, date and time of creation, the link to the FAT and other information.
3. The data is written to the Data Area.
Files that are properly created with valid entries in all three areas and not corrupted can be accessed and viewed using the appropriate applications. These are referred to as normal files.
Deleted Files
When a file is deleted only two things occur:
1. The File Allocation Table entry for that particular file is zeroed out and shown as available for use by a new file. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)
2. The first character of the Directory Entry file name is changed to a special character. (E5 HEX)
3. Nothing is done to the Data Area. The data is untouched.
When a file is restored only two things need to be done:
1. The File Allocation Table entry for that particular file is linked to the particular location in the data area where the file data is stored. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)
2. The first character of the Directory Entry file name is changed to a legal character.
3. Nothing is done to the Data Area.
As long as the actual data in the Data Area or the directory area is not overwritten by a new file or directory entry, deleted files can be completely recovered.
Windows Long File Names have separate directory entries, but are not directly linked to the FAT. The first character of the Long File Name is also changed to a special character (E5 HEX) upon deletion. The Long File Name can be recovered, but does not need to be recovered to restore the deleted file.
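The create, delete and restore steps described above can be modelled on a FAT16 directory entry and a small in-memory FAT. The following Python is an added example written for this section; it is not part of the report and not a tool the examiner used. The 32-byte short-name entry layout, the 0xE5 marker, the 0xFFFF end-of-chain value and the 32,768-byte cluster size are standard FAT16 facts; the file name, cluster numbers and sizes are constructed, and restoring assumes the deleted file's clusters were contiguous (the first thing a recovery tool tries, since the zeroed FAT no longer records the chain).

```python
"""FAT16 directory entry and deletion model (added example, not the report's code).

Walks through the three steps the report describes: create (FAT chain linked,
directory entry written), delete (FAT chain zeroed, first name byte set to
0xE5, Data Area untouched) and restore (chain relinked, first character
replaced with "-" as the examiner did for identification).
"""
import struct

CLUSTER_SIZE = 32_768   # cluster size reported for the examined drive
DELETED_MARK = 0xE5     # first byte of a deleted directory entry
EOC = 0xFFFF            # FAT16 end-of-chain marker

# 32-byte short-name entry: name(8) ext(3) attr(1) reserved(10) time(2)
# date(2) first cluster(2) file size(4), all little-endian
ENTRY_FMT = "<8s3sB10sHHHI"


def make_entry(name, ext, first_cluster, size, attr=0x20, time=0, date=0):
    """Build a raw directory entry; names are space padded as on disk."""
    return struct.pack(ENTRY_FMT, name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), attr, b"\x00" * 10,
                       time, date, first_cluster, size)


def parse_entry(raw):
    """Decode a raw entry and flag it if the first byte is the E5 marker."""
    name, ext, attr, _, time, date, first, size = struct.unpack(ENTRY_FMT, raw)
    return {"deleted": name[0] == DELETED_MARK,
            "name": name.decode("ascii", "replace").rstrip(),
            "ext": ext.decode("ascii").rstrip(),
            "first_cluster": first, "size": size}


def clusters_needed(size):
    """Whole clusters a file of `size` bytes occupies (last one partly unused)."""
    return max(1, -(-size // CLUSTER_SIZE))


def link_chain(fat, first_cluster, size):
    """Write a contiguous cluster chain into the FAT, ending with EOC."""
    n = clusters_needed(size)
    for i in range(n):
        c = first_cluster + i
        fat[c] = EOC if i == n - 1 else c + 1


def create_file(fat, entries, name, ext, first_cluster, size):
    """Steps 1 and 2 of creation; step 3 (writing data) is outside this model."""
    link_chain(fat, first_cluster, size)
    entries.append(make_entry(name, ext, first_cluster, size))


def delete_file(fat, entries, index):
    """Deletion: zero the FAT chain and set the name's first byte to 0xE5."""
    c = parse_entry(entries[index])["first_cluster"]
    while c not in (0, EOC):
        nxt = fat[c]
        fat[c] = 0              # cluster now shown as available
        c = nxt
    entries[index] = bytes([DELETED_MARK]) + entries[index][1:]


def find_deleted(entries):
    """Indexes of entries whose first byte is E5, i.e. recoverable candidates."""
    return [i for i, e in enumerate(entries) if parse_entry(e)["deleted"]]


def restore_file(fat, entries, index, replacement=b"-"):
    """Restore: relink the chain (contiguous assumption) and replace E5 with '-'."""
    info = parse_entry(entries[index])
    link_chain(fat, info["first_cluster"], info["size"])
    entries[index] = replacement + entries[index][1:]
    return parse_entry(entries[index])


def chain(fat, first):
    """Follow a cluster chain; an unallocated (zero) entry ends it immediately."""
    out, c = [], first
    while c != EOC and fat[c] != 0:
        out.append(c)
        c = fat[c]
    return out


if __name__ == "__main__":
    fat, entries = [0] * 64, []
    create_file(fat, entries, "FAX0001", "FXR", 5, 70_000)   # constructed file
    print("chain after create:", chain(fat, 5))
    delete_file(fat, entries, 0)
    print("deleted entries:", find_deleted(entries), "chain:", chain(fat, 5))
    print("restored:", restore_file(fat, entries, 0), chain(fat, 5))
```

Note that nothing in this model touches a data area at all, which is exactly why the report can recover deleted fax files: deletion only changes the FAT and one byte of the directory entry. The contiguous-chain assumption in `restore_file` is also why a fragmented file, or one whose clusters were reused, may come back only as fragments.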
Temporary Files
The Microsoft Word 97 application created certain temporary backup files. These files were created automatically, and the temporary file creation is normally transparent to the user. These temporary backup files are created to ensure recovery from a power loss or other accidental exit of the application without properly saving the file. There are user options that allow the automatic deletion of these files. At least some of the files were not automatically deleted and were recovered. No temporary files were recovered in this case.
File Fragments and Unallocated Space
The Data Area is logically divided into relatively small segments called clusters. The clusters in this case were 32,768 bytes in size. (A byte is one character of data). The File Allocation Table (FAT) keeps track of the cluster usage. If a specific cluster is occupied by a file, the FAT indicates that that particular cluster is in use. That cluster is allocated to that particular file. Obviously many clusters are occupied at one time. When that particular file is deleted, the FAT is changed to indicate that the particular cluster is unallocated (not allocated to any particular file). That particular cluster can then be used by a new file.
If the actual data in the Data Area has been partially overwritten by a new file, only a fragment of the original file remains and the fragment still can be recovered.
Whois and Internet Registration
Anyone who wishes to have a site (Domain) on the Internet must register the Domain name and must have an Internet Service Provider (ISP). This ISP is normally a company and will have hard disk space that is connected to the internet. That hard disk space will be assigned a block of Uniform Resource Locators (URL). A URL is a unique number to designate a web site location and allow access by others. In order for someone to register a DOMAIN name and receive a URL from one of a small number of companies who are permitted to register Domain names and assign URLs, they must provide certain information. This information is public information. One of the primary registering companies in the United States is Network Solutions. By running an internet “WHOIS” search at Network Solutions, searches can be conducted for DOMAIN Names, Billing Contact for the DOMAIN, etc.
There are few limitations on who gets a particular Domain name. They are issued on a first come, first serve basis and cost about $35 per year. The billing and other contacts listed are the best source to determine who is actually running or who owns the Domain name.
File Slack
As discussed previously, the cluster size for this particular hard drive was 32,768 bytes. This is the smallest unit that WINDOWS or DOS will write to. What this means is that when a file is written it must be written in 32,768 byte “chunks”. If the file is smaller than 32,768 bytes, or the last “chunk” of the file is not exactly 32,768 bytes, part of the last cluster in a file is not written to and will remain unused. Any residual data in the cluster will be untouched and recoverable. A simple example of the concept of file slack is the following graphical representation of a file:
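The cluster arithmetic from the File Fragments and Unallocated Space section and the file slack idea above can be shown on one constructed 32,768-byte cluster. The following Python is an added example, not part of the report: it fills a cluster with an "old" fax cover sheet pattern, overwrites only the front with a shorter new file, and then carves the untouched remainder the way the slack search in the STEPS TAKEN section does for every valid file. The file contents and sizes are constructed; the 32,768-byte cluster size is the one the report states.

```python
"""File slack on a 32,768-byte cluster (added example, not the report's code)."""

CLUSTER_SIZE = 32_768   # cluster size of the examined FAT16 drive


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Unused bytes in the final cluster of a file of `file_size` bytes."""
    if file_size == 0:
        return 0            # a zero-length file has no cluster allocated
    return (-file_size) % cluster_size


def carve_slack(last_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Bytes of the file's last cluster that lie past the end of live data."""
    used = file_size % cluster_size or cluster_size
    return bytes(last_cluster[used:])


def printable_runs(data, min_len=8):
    """ASCII runs of at least `min_len` bytes, as a 'strings' pass would find."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def build_cluster_example():
    """Constructed cluster: deleted-file residue partly overwritten by a new file.

    Returns the cluster bytes and the size of the new (valid) file.
    """
    old = (b"FAX COVER SHEET - RE: DRAFT PROPOSAL\x00" * 1000)[:CLUSTER_SIZE]
    cluster = bytearray(old)
    new_file = b"MEMO: quarterly figures attached.\r\n" * 30   # 1,050 bytes
    cluster[:len(new_file)] = new_file          # only the front is rewritten
    return bytes(cluster), len(new_file)


if __name__ == "__main__":
    cluster, size = build_cluster_example()
    print("slack bytes for", size, "byte file:", slack_bytes(size))
    residue = carve_slack(cluster, size)
    print("first recovered strings:", printable_runs(residue)[:2])
```

The same arithmetic explains the report's defragmentation finding: a defragmented file is rewritten from the start of a fresh cluster, so its slack and any unallocated clusters it previously occupied both receive new data, and residue that survived deletion is lost.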