REPORT OF EXAMINATION
February 00, 20XX
Our Case Number: CIT-255-XX
Pursuant to the request of Jim Jones, Anycity, nystate I have forensically examined and forensically recovered data from a floppy disk drive provided to me on 00/00/00. This report is organized in four parts: RESULTS and COMMENTS, CONCLUSIONS and OPINIONS, STEPS TAKEN, and TECHNICAL ISSUES.
RESULTS and COMMENTS:
The media was searched for any normal files[1], temporary files[2], deleted files[3] or file fragments[4] in unallocated space[5] for names, words and phrases as provided by attorney Jim Jones. Additional searches were made of unallocated space for Microsoft Office documents, graphical images and executable files.
Multiple searches were made of the entire media for the following names, words and phrases:
The phrase “XXXXX” was not present anywhere on the examined media.
The word “XXXXX” was not present anywhere on the examined media.
The word “XXXX” was not present anywhere on the examined media.
Neither the phrase “XXXX” nor the word “XXXXX” was present anywhere on the examined media.
The word “XXXX” was not present anywhere on the examined media.
The word “XXXXXXX” was not present anywhere on the examined media.
The phrase “XXXXXX” was not present anywhere on the examined media.
The phrase “XXXXXXXXXX” was not present anywhere on the examined media.
The phrase “XXXXXXXX” was not present anywhere on the examined media.
The phone number “XXXXXXXXXXXXX”, and its “XXXX” fragment, was not present anywhere on the examined media.
The word “XXXXXX” was not present anywhere on the examined media.
There was no evidence that an application called “XXXXXXXXX” was ever present on the examined media.
XXXXXXX
The word “XXXXXXX” was found 450 times on the copy of the examined media. The context and locations of the word “XXXXX” indicate that XXXXXXXX, including XXXXXX and XXXXXXX, were installed and present on the computer at some past time. Neither the XXXXXXX nor the XXXXXXX was currently installed on the computer, and no directory entries for these applications were found.
Data Recovered
Numerous deleted files were recovered. These files primarily consist of Microsoft Word 97 and Excel 97 files and can be viewed/accessed with Microsoft Office 97.
The files in \My Documents were recovered. These files primarily consist of Microsoft Word 97 and Excel 97 files and can be viewed/accessed with Microsoft Office 97.
QuickBooks company records for XYZ Company were recovered. These files must be viewed/accessed using a licensed copy of QuickBooks.
Numerous files were recovered in unallocated space. Some of these files may only be fragments of files and may be difficult to view or understand. Many files are Microsoft Word 97 and Excel 97 files and can be viewed/accessed with Microsoft Office 97.
CONCLUSIONS and OPINIONS
It is my opinion, based upon the above information and other information found on the media, that someone with a good working knowledge of the Windows 98 file system purposely deleted many files on the media.
STEPS TAKEN
To simplify my explanation of what was done, I have provided the following information which outlines the standard processing procedures that I followed when processing this computer. These procedures are recommended by the International Society of Forensic Computer Examiners.
1. All Bristol Community College media utilized during the tape restoration, any copying and the data recovery process was freshly prepared, completely wiped of data and scanned for viruses before use.
2. All software utilized is licensed to, or authorized for use by, the examiner and/or Bristol Community College.
3. A “bitstream” copy of the 3 ½ inch floppy diskette that was provided was made to a forensically sterile 3 ½ inch floppy diskette. The provided diskette contained no markings and was marked as “BCC-1” by the examiner.
4. Because we did not have access to the computer, the contents of the CMOS, as well as the Real Time Clock, could not be checked and the internal date and time could not be ascertained.
5. A search of the entire media was conducted for names, phrases and files as provided by the client.
6. All normal data files with potential evidentiary value were copied to other media.
7. All recoverable deleted files with potential evidentiary value were restored or recovered and copied out to other media. When practical or possible, the first character of each restored file name was changed from HEX E5 to “-”, or another unique character, for identification purposes.
8. The unallocated space was searched for potentially relevant lost or hidden data and all potentially relevant data/files were copied out to other media.
9. The “slack” area[6] of each file was searched for potentially relevant lost or hidden data.
10. A listing of all the files contained on the examined media, whether they contain potential evidence or not, was made.
11. No password protected files were found.
12. Executable programs of specific interest were examined. User data files that could not be accessed by other means were examined at this time using the native application.
TECHNICAL ISSUES:
File Date and Time Stamps
When Windows creates a file, a directory (or sub directory) entry is made to describe this file to the operating system. The file name is only part of the entry. The file size, starting cluster and other information about the file are also part of the directory entry.
The file creation date and time, the last modification (written) date and time and the last access date are also kept in the directory entry. (On a FAT volume the last access is recorded as a date only, with no time of day.) These dates and times are placed in the directory entry and are taken from the Real Time Clock. In most instances, when you merely read or look at a file in a Windows environment, the last access date is changed to the current system date as kept by the Real Time Clock.
Before the copy of the original media was accessed, all of the directory listings, including deleted files, were documented. This provides a definitive date/time stamp for each file, should the date/time stamp become an issue for the client or in our conclusions or opinions.
File Creation and Storage
When a file is created three things occur:
1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a disk.)
2. A Directory entry is made to indicate file name, size, date and time of creation, date and time of last modification, the last access date, the link to the FAT (the number of the file's first cluster) and other information.
3. The data is written to the Data Area.
Files that are properly created with valid entries in all three areas and not corrupted can be accessed and viewed using the appropriate applications. These are referred to as normal files.
Deleted Files
When a file is deleted, only two changes are made to the media:
1. The File Allocation Table entries for that particular file's clusters are zeroed out and shown as available for use by a new file. The chain of cluster numbers that linked the file's clusters together is lost at this point; the directory entry still records the file's starting cluster and size.
2. The first character of the Directory Entry file name is changed to a special character (E5 HEX).
3. Nothing is done to the Data Area. The data is untouched.
When a file is restored, only two things need to be done:
1. The File Allocation Table entries for that particular file are re-linked to the location in the Data Area where the file data is stored. Because the original chain was zeroed, the examiner starts from the starting cluster and size in the directory entry and assumes the clusters were stored one after another; a file that was fragmented across non-adjacent clusters cannot be re-linked with certainty from the directory entry alone.
2. The first character of the Directory Entry file name is changed to a legal character.
3. Nothing is done to the Data Area.
As long as the actual data in the Data Area and the directory entry have not been overwritten by a new file or directory entry, and the file was stored contiguously, the deleted file can be completely recovered. If some of its clusters have since been reused, only fragments can be recovered from the clusters that remain.
Windows Long File Names have separate directory entries, but these are not linked to the FAT. The first character of each Long File Name entry is also changed to the special character (E5 HEX) upon deletion. The Long File Name can be recovered, but does not need to be recovered to restore the deleted file.
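The directory-entry, date/time, FAT-chain and deletion/recovery mechanics described above under File Date and Time Stamps, File Creation and Storage and Deleted Files, as an added worked example that is not part of the original report: a constructed in-memory FAT12-style volume with 512-byte clusters (as on a 1.44 MB diskette), using the real 32-byte directory entry layout, the packed FAT date and time fields and the 12-bit FAT encoding. File names, dates and contents are invented for illustration. The recovery routine assumes, as an examiner must once the chain has been zeroed, that the deleted file was stored contiguously, and refuses to re-link clusters the FAT already shows as reused.

```python
"""Constructed FAT12-style volume in memory (not a real disk image): the 32-byte
directory entry, the 12-bit FAT chain, what a delete changes and how a file is re-linked."""
import struct
from datetime import datetime

CLUSTER = 512    # one sector per cluster, as on a 1.44 MB diskette
DELETED = 0xE5   # byte written over the first character of a deleted name
EOC = 0xFFF      # FAT12 end-of-chain marker
# name, ext, attr, NT, create tenths, ctime, cdate, access date, first cluster (high), write time, write date, first cluster (low), size
ENTRY = "<8s3sBBBHHHHHHHI"

def fat_datetime(date_word, time_word):
    """FAT date: bits 15-9 year-1980, 8-5 month, 4-0 day. FAT time: bits 15-11
    hour, 10-5 minute, 4-0 two-second units. A zero date means unset."""
    if not date_word: return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def fat_words(dt):
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | dt.second // 2)

def parse_entry(raw):
    name, ext, _, _, _, ct, cd, ad, hi, wt, wd, lo, size = struct.unpack(ENTRY, raw)
    access = fat_datetime(ad, 0)                 # last access is kept as a date only
    return {"deleted": name[0] == DELETED, "size": size, "first_cluster": (hi << 16) | lo,
            "name": name.decode("ascii", "replace").rstrip() + "." + ext.decode().rstrip(),
            "created": fat_datetime(cd, ct), "last_write": fat_datetime(wd, wt),
            "last_access": access.date() if access else None}

def fat12_get(fat, n):
    v = struct.unpack_from("<H", fat, n + n // 2)[0]   # entries are 1.5 bytes apart
    return v >> 4 if n & 1 else v & 0x0FFF

def fat12_set(fat, n, value):
    off = n + n // 2; v = struct.unpack_from("<H", fat, off)[0]
    v = (v & 0x000F) | (value << 4) if n & 1 else (v & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, v)

class Volume:
    def __init__(self, clusters=16):
        self.clusters = clusters
        self.fat = bytearray((clusters + 2) * 3 // 2 + 2)
        fat12_set(self.fat, 0, 0xFF0); fat12_set(self.fat, 1, EOC)   # reserved entries
        self.root = bytearray()                    # root directory, 32 bytes per entry
        self.data = bytearray(clusters * CLUSTER)  # data area; first data cluster is 2
    def _span(self, c):
        return slice((c - 2) * CLUSTER, (c - 1) * CLUSTER)
    def write_file(self, name, ext, payload, when):
        need = max(1, -(-len(payload) // CLUSTER))
        free = [c for c in range(2, self.clusters + 2) if fat12_get(self.fat, c) == 0][:need]
        for i, c in enumerate(free):               # 1. FAT chain  3. data area
            fat12_set(self.fat, c, free[i + 1] if i + 1 < need else EOC)
            self.data[self._span(c)] = payload[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        d, t = fat_words(when)                     # 2. directory entry
        self.root += struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                                 0x20, 0, 0, t, d, d, 0, t, d, free[0], len(payload))
        return len(self.root) // 32 - 1
    def entry(self, idx):
        return parse_entry(self.root[idx * 32:(idx + 1) * 32])
    def read_file(self, idx):
        e = self.entry(idx); out = b""; c = e["first_cluster"]
        while 2 <= c < 0xFF8:                      # follow the chain to end-of-chain
            out += bytes(self.data[self._span(c)]); c = fat12_get(self.fat, c)
        return out[:e["size"]]
    def delete_file(self, idx):
        c = self.entry(idx)["first_cluster"]
        while 2 <= c < 0xFF8:                      # zero the chain; data area untouched
            nxt = fat12_get(self.fat, c); fat12_set(self.fat, c, 0); c = nxt
        self.root[idx * 32] = DELETED
    def recover_file(self, idx, mark=b"-"):
        """The chain is gone, so only first cluster and size survive: assume
        contiguous storage, and refuse if the FAT shows any cluster reused."""
        e = self.entry(idx)
        run = list(range(e["first_cluster"], e["first_cluster"] + max(1, -(-e["size"] // CLUSTER))))
        if any(fat12_get(self.fat, c) for c in run):
            raise ValueError("cluster reused: at most a fragment remains in unallocated space")
        for i, c in enumerate(run):
            fat12_set(self.fat, c, run[i + 1] if i + 1 < len(run) else EOC)
        self.root[idx * 32] = mark[0]              # E5h replaced by the examiner's marker
        return self.read_file(idx)

def demo():
    vol, when = Volume(), datetime(1999, 3, 14, 15, 9, 26)
    memo = b"Draft memo to XYZ Company" + b" about the ledger" * 30   # constructed, 535 bytes
    idx = vol.write_file("MEMO", "DOC", memo, when)
    before = vol.entry(idx); vol.delete_file(idx); after = vol.entry(idx)
    chain_freed = fat12_get(vol.fat, before["first_cluster"]) == 0
    recovered = vol.recover_file(idx); renamed = vol.entry(idx)["name"]
    vol.delete_file(idx); vol.write_file("NEW", "TXT", b"unrelated file", when)  # reuses cluster 2
    try:
        vol.recover_file(idx); reused = False
    except ValueError:
        reused = True
    return {"last_write": before["last_write"], "deleted_flag": after["deleted"],
            "first_cluster_kept": after["first_cluster"] == before["first_cluster"],
            "chain_freed": chain_freed, "intact": recovered == memo, "renamed": renamed,
            "reuse_detected": reused}
```

Running demo() shows the sequence the report describes: after deletion the directory entry still carries the starting cluster and size but its first byte is E5h and the FAT chain reads zero; re-linking the contiguous run restores the memo byte for byte and renames it with the examiner's “-” marker; once a new file has taken the freed cluster, the same recovery is refused, which is the fragment case.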
Temporary Files
Most applications create certain temporary backup files. These files are created automatically, and their creation is normally transparent to the user. They are created to allow recovery from a power loss or other abnormal exit from the application before the file has been properly saved. There are user options that control whether these files are deleted automatically.
File Fragments and Unallocated Space
The Data Area is logically divided into relatively small segments called clusters. The clusters in this case were 512 bytes in size. (A byte is one character of data.) The File Allocation Table (FAT) keeps track of cluster usage: the FAT entry for a cluster that is in use holds the number of the next cluster of the same file, or an end-of-file marker for the file's last cluster, so that cluster is allocated to that particular file; a zero entry means the cluster is unallocated. A file larger than one cluster occupies several clusters at once. When that file is deleted, its FAT entries are zeroed to indicate that each of its clusters is unallocated (not allocated to any particular file). Those clusters can then be used by a new file.
If the data in an unallocated cluster has been partially overwritten by a new file, only a fragment of the original file remains. The fragment can still be recovered, although it can no longer be linked to a file name.
File Slack
As discussed previously, the cluster size for this particular media was 512 bytes. A cluster is the smallest unit of disk space that Windows or DOS will allocate to a file. What this means is that when a file is written, space is assigned in 512 byte “chunks”. If the file is smaller than 512 bytes, or the last “chunk” of the file is not exactly 512 bytes, part of the last cluster of the file holds no current data. Residual data in that part of the cluster is not cleared by the file system and can be recovered. (Strictly, the operating system writes whole 512-byte sectors, so the tail of the last sector actually written comes from the operating system's write buffer, which may itself hold fragments of other data; any whole sectors of a larger cluster that lie past the end of the file keep their earlier on-disk contents.) A simple example of the concept of file slack is the following graphical representation of a file:
[Diagram in the original: one 512-byte cluster holding a file that is 50 bytes in size. The remainder of the cluster is file slack, which may hold data that was there before the new, smaller file was written to that particular cluster.]
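The searches described above under File Fragments and Unallocated Space and File Slack, as an added example that is not part of the original report: a constructed data area with a simplified FAT (one integer per cluster, zero meaning unallocated), a check of each unallocated cluster for the Word 97/Excel 97 compound-document header, and a keyword search of unallocated clusters and file slack that also looks for the UTF-16LE form in which Word 97 may store text (a plain ASCII search misses it). File names, keywords and cluster contents are invented for illustration.

```python
"""Constructed FAT data area (not a real disk): searching unallocated clusters
and file slack for a file signature and for keywords in ASCII and UTF-16LE."""
import re

CLUSTER = 512                                        # one sector per cluster, as on the diskette
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"     # Word 97 / Excel 97 compound document header

def slack_span(size, cluster=CLUSTER):
    """(start, end) offsets of file slack inside the file's last cluster; empty
    when the file ends exactly on a cluster boundary."""
    used = size % cluster
    return (cluster, cluster) if size and not used else (used, cluster)

def cluster_bytes(data_area, c, cluster=CLUSTER):
    return bytes(data_area[(c - 2) * cluster:(c - 1) * cluster])   # data clusters start at 2

def file_slack(data_area, first_cluster, size, cluster=CLUSTER):
    """Bytes past end-of-file in the last cluster of a contiguously stored file."""
    last = first_cluster + max(1, -(-size // cluster)) - 1
    start, end = slack_span(size, cluster)
    return cluster_bytes(data_area, last, cluster)[start:end]

def unallocated_clusters(fat):
    """A zero FAT entry means the cluster is free; entries 0 and 1 are reserved."""
    return [c for c in range(2, len(fat)) if fat[c] == 0]

def find_keyword(blob, keyword):
    """Case-insensitive hits as (encoding, offset). Word 97 may store text as
    UTF-16LE, so the keyword is searched in both encodings."""
    hits = []
    for enc, needle in (("ascii", keyword.encode("ascii")), ("utf16", keyword.encode("utf-16-le"))):
        hits += [(enc, m.start()) for m in re.finditer(re.escape(needle), blob, re.IGNORECASE)]
    return hits

def examine(data_area, fat, files, keywords, cluster=CLUSTER):
    """files: (name, first_cluster, size) per normal file. Returns the unallocated
    clusters that begin with an OLE2 header and every keyword hit, tagged with
    where it was found (unallocated cluster number, or the file whose slack held it)."""
    report = {"ole2_clusters": [], "hits": []}
    for c in unallocated_clusters(fat):
        blob = cluster_bytes(data_area, c, cluster)
        if blob.startswith(OLE2_MAGIC):
            report["ole2_clusters"].append(c)
        for kw in keywords:
            report["hits"] += [("unallocated", c, enc, off, kw) for enc, off in find_keyword(blob, kw)]
    for name, first, size in files:
        blob = file_slack(data_area, first, size, cluster)
        for kw in keywords:
            report["hits"] += [("slack", name, enc, off, kw) for enc, off in find_keyword(blob, kw)]
    return report

def demo():
    """Eight data clusters (2-9), all constructed. Cluster 2 holds a live 48-byte
    file written over an older document; 3 and 4 are unallocated remnants; the
    rest are blank."""
    data = bytearray(8 * CLUSTER)
    old = (b"Old draft: call ACME Holdings re invoice 4471. " * 12)[:CLUSTER]
    letter = b"Dear Jim, the quarterly figures are enclosed. JW"          # 48 bytes
    data[0:CLUSTER] = old
    data[0:len(letter)] = letter                                          # live file; slack follows
    data[CLUSTER:CLUSTER + 54] = OLE2_MAGIC + bytes(24) + "XYZ Company".encode("utf-16-le")
    data[2 * CLUSTER + 100:2 * CLUSTER + 124] = b"memo: xyz company ledger"
    fat = [0xFF0, 0xFFF, 0xFFF, 0, 0, 0, 0, 0, 0, 0]     # entries 0-1 reserved; cluster 2 in use
    files = [("LETTER.TXT", 2, len(letter))]
    return examine(data, fat, files, ["XYZ Company", "ACME Holdings"])
```

In demo() the keyword “XYZ Company” is found once as UTF-16LE inside a deleted Word-style document in cluster 3 and once as lower-case ASCII in cluster 4, while “ACME Holdings” turns up only in the slack behind the live LETTER.TXT; a search of normal files alone would have reported none of these.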
If there are any questions regarding this examination, the exhibits or technical issues please feel free to contact me.
John Walther
Examiner
[1] Complete, intact files that are accessible or viewable using the computer operating system and the various applications on the computer. See the Technical Issues section of this report for a further explanation or discussion.
[2] Intermediate files kept by the operating system or an application. The user is not normally aware that these files are present on the media. See the Technical Issues section of this report for a further explanation or discussion.
[3] Complete files that were previously deleted and later recovered and linked to a file name during this examination. See the Technical Issues section of this report for a further explanation or discussion.
[4] Data from all or part of a previously deleted file that was recovered during this examination, but could not be linked to a file name. See the Technical Issues section of this report for a further explanation or discussion.
[5] The portion of the magnetic media that is currently unoccupied by a normal file, but which may contain all or part of previously deleted files. See the Technical Issues section of this report for a further explanation or discussion.
[6] File slack is the area past the end of a file that may contain fragments of previously deleted files. See the Technical Issues section of this report for a further explanation or discussion.