CnW Recovery forensic investigation tools



CnW recovery software can assist in two main aspects of forensic investigation. These are recovering files, and tracking how and when they were written, changed or deleted.


Each type of media has its own 'style' of information, so investigating a CD-R differs from investigating an NTFS hard drive or a FAT memory stick. For rewritable media there is often slack space and unallocated space to consider. A write-once CD can be simpler, but multiple sessions add complexity: earlier sessions remain physically on the disc even when a later session no longer lists their files.


For all types of media there are several areas that need consideration, though which ones matter most varies with the type of investigation. The important points are covered in the sections below.



All of these features are recorded in the log for each recovery job. They are largely device independent and describe the data itself rather than the medium it came from.


File names.

The name given to a file is often a good guide to its contents. A full file name has several parts: the directory path, the file name and the file extension. Most people have some structure for where they store files, and often this is the default location used by the application that wrote the file. A user who wants to hide files may place them in unexpected directories or give them misleading names, so that a quick glance at the media overlooks them. Files can also be marked as Hidden within the operating system.


File attributes

Probably the most interesting attribute for an investigation is the Hidden attribute. A normal hard drive has very few hidden files, and those are normally protected operating system files, so a hidden file in a user's own directories is worth a closer look. CnW Recovery always copies all files, irrespective of their attributes. The attributes are stored in the log, so hidden and system files can be found by searching it. Other attributes such as Compressed or Archive are not normally of much forensic interest.


Dates and times

Dates and times can be very informative. Exactly which dates and times are stored depends on the medium, but typically the created, modified and accessed dates are available and worth examining.


The creation date is when the file was first created

The modified date is when the file was last modified

The access date is when the file was last read or opened


All these dates come from the PC clock and are viewed in local time. NTFS stores them in UTC and converts them to the local time zone of the machine viewing them, while FAT stores local time with no zone information, so the same file can show different times on different PCs or after a daylight-saving change. Windows Vista and later also stop updating the NTFS last-access time by default, so the accessed date is often stale. A modified date earlier than the creation date looks odd at first glance, but it arises whenever a file is copied from one medium to another, for example from a floppy to a hard drive: the new copy gets a creation date of when it was copied but keeps the modified date of when its contents were last changed. Somebody trying to cover up a change can set the system clock back, modify the file, and then restore the clock. Doing this consistently is very difficult, and the attempt is often revealed by inconsistencies between the file's own dates and other records, such as dates in logs or the timestamps written to external media such as CDs.
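The attribute and date checks described in the two sections above are simple enough to run over a log export. The following Python is an added example, not part of CnW Recovery or its log format: it assumes a hypothetical export with one record per file holding the path, the DOS-style attribute byte and the three timestamps as displayed, decodes the attribute bits (standard FAT/NTFS values) and flags hidden or system files and the two date orderings that should not occur in normal use. The sample records are constructed for the example.

```python
from datetime import datetime

# DOS/FAT attribute bits; NTFS uses the same values for these flags (standard values).
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20

ATTR_NAMES = [
    (ATTR_READ_ONLY, "read-only"),
    (ATTR_HIDDEN, "hidden"),
    (ATTR_SYSTEM, "system"),
    (ATTR_DIRECTORY, "directory"),
    (ATTR_ARCHIVE, "archive"),
]

# Constructed records in the shape of a hypothetical log export:
# path, attribute byte, created, modified, accessed (all as displayed, local time).
SAMPLE_LOG = [
    ("\\Documents\\report.doc", 0x20, "2009-03-01 10:15:00", "2009-03-02 09:00:00", "2009-03-05 08:30:00"),
    ("\\WINDOWS\\system32\\ntoskrnl.exe", 0x06, "2004-08-04 12:00:00", "2004-08-04 12:00:00", "2009-03-05 08:00:00"),
    ("\\Temp\\holiday.dat", 0x02, "2009-02-20 14:00:00", "2009-02-20 14:00:00", "2009-02-20 14:00:00"),
    ("\\Documents\\budget.xls", 0x20, "2009-03-04 11:00:00", "2008-12-15 16:45:00", "2009-03-04 11:00:00"),
    ("\\Documents\\notes.txt", 0x20, "2009-03-04 12:00:00", "2009-03-04 12:05:00", "2009-03-04 11:00:00"),
]


def decode_attributes(attr):
    """Return the names of the attribute bits set in a DOS-style attribute byte."""
    return [name for bit, name in ATTR_NAMES if attr & bit]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def triage_record(path, attr, created, modified, accessed):
    """Return the reasons one record deserves a closer look (empty list if none)."""
    c, m, a = parse_time(created), parse_time(modified), parse_time(accessed)
    reasons = []
    if attr & ATTR_HIDDEN:
        # Hidden files under the OS directory are expected; elsewhere they are what users hide.
        where = "in an OS directory" if path.upper().startswith("\\WINDOWS") else "outside OS directories"
        reasons.append("hidden attribute set " + where)
    if attr & ATTR_SYSTEM:
        reasons.append("system attribute set")
    # Modified earlier than created is normal for a file copied from another medium
    # (creation = time of copy), but it is also what clock tampering leaves behind.
    if m < c:
        reasons.append("modified before created")
    # A new file or a fresh copy gets an access time no earlier than its creation time,
    # so accessed-before-created does not arise from normal use.
    if a < c:
        reasons.append("accessed before created")
    return reasons


def triage(records):
    """Run triage_record over a log export; return {path: reasons} for flagged files only."""
    findings = {}
    for path, attr, created, modified, accessed in records:
        reasons = triage_record(path, attr, created, modified, accessed)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The ordering checks only prove that a record is inconsistent, not why: budget.xls above could equally be a copy from another medium or a file edited with the clock set back, and telling the two apart needs the other sources the section mentions (application logs, timestamps on external media).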


File signatures

Many data files have a distinctive sequence of bytes at the start of the file. This can be used to check whether a file is really the type its extension claims. For instance, all JPEG files start with the hex bytes 0xFF 0xD8, after which there can be many variations. So if a file has a .jpg extension but does not start with those two bytes, either it has been renamed or it is damaged. Forensically, the opposite case is of greater interest: a JPEG file could be renamed to .dat in an attempt to hide it. CnW Recovery always checks the signature of each file, so it would detect such a file as a JPEG and record that in the log.


File validation

In certain modes a file validation routine can be run. It cannot handle every variation of every file type, but it can indicate whether a file appears valid or corrupt. Treat the result as a guide, not as evidence.
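The signature check and the validation step described in the two sections above can be shown together. The following Python is an added example and is not CnW Recovery's own code: it matches the start of a file against a small table of published magic bytes (JPEG's FF D8 is the one the page cites; the PNG, GIF, PDF, ZIP and OLE2 entries are the standard signatures), reports whether the extension agrees with the detected type, and applies a crude end-of-file validation that, as the page warns, is only a guide. The sample file contents are constructed, not real files.

```python
import os

# Published magic-byte signatures: (signature, offset in file, type name, usual extensions).
SIGNATURES = [
    (b"\xFF\xD8", 0, "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, "png", {".png"}),
    (b"GIF87a", 0, "gif", {".gif"}),
    (b"GIF89a", 0, "gif", {".gif"}),
    (b"%PDF-", 0, "pdf", {".pdf"}),
    (b"PK\x03\x04", 0, "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "ole2", {".doc", ".xls", ".ppt", ".msg"}),
]


def identify(data):
    """Return the type name whose signature matches the start of data, or None."""
    for sig, offset, kind, _ in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return kind
    return None


def extension_matches(kind, filename):
    """True if the file's extension is one normally used for the detected type."""
    ext = os.path.splitext(filename)[1].lower()
    return any(kind == k and ext in exts for _, _, k, exts in SIGNATURES)


def validate(kind, data):
    """Crude end-of-file structure check: True/False, or None when no check exists.
    A guide only: a file can pass this and still be damaged in the middle."""
    if kind == "jpeg":
        return data.endswith(b"\xFF\xD9")                 # EOI marker
    if kind == "png":
        return data.endswith(b"IEND\xAE\x42\x60\x82")     # IEND chunk with its fixed CRC
    if kind == "pdf":
        return b"%%EOF" in data[-1024:]
    if kind == "zip":
        return b"PK\x05\x06" in data[-65557:]             # end-of-central-directory record
    return None


def classify(filename, data):
    """Combine detection, extension check and validation for one file, log-entry style."""
    kind = identify(data)
    return {
        "name": filename,
        "detected": kind,
        "extension_matches": extension_matches(kind, filename) if kind else None,
        "valid": validate(kind, data) if kind else None,
    }


# Constructed sample contents: a JPEG renamed to .dat, a truncated JPEG,
# a minimal PNG, a minimal ZIP and plain text.
SAMPLES = {
    "\\Temp\\holiday.dat": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xFF\xD9",
    "\\Photos\\beach.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64,
    "\\Photos\\logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 17
                          + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82",
    "\\Documents\\report.docx": b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18,
    "\\Documents\\notes.txt": b"Meeting notes, 4 March\r\n",
}


def classify_all(samples):
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for entry in classify_all(SAMPLES).values():
        print(entry)
```

holiday.dat is the case the section calls out: detected as JPEG, extension disagrees, structure looks complete. beach.jpg shows the validation half: the extension is right but the file stops before its EOI marker, which is what a truncated recovery looks like. A signature only tells you what the first bytes claim, so a renamed file that was also damaged will show up in both columns.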


Which file a sector is part of

If data of interest is found in a sector, it is useful to know which file it belongs to. The search function in the log accepts a sector number and displays the file (or files) that contain that sector. More than one file is reported when one of them has been deleted and the disk area reused, so that both the deleted file's old allocation and the live file's allocation cover the same sector.
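The sector-to-file lookup the section describes is a search over each file's allocation runs. The following Python is an added example, not the log's own search function: it assumes a hypothetical allocation map in which every file, deleted or not, lists its runs as (first sector, sector count) in file order, looks up which files cover a given sector and the byte offset of that sector within each file, and ties that to a raw pattern search over a constructed 4 MiB evidence image so that each hit is attributed to the files that include it. The map, the image and the marker string are all constructed for the example; 512-byte sectors are assumed.

```python
SECTOR_SIZE = 512

# Constructed allocation map (hypothetical log layout): holiday.dat was deleted and
# part of its space has since been reused by report.doc, so sectors 2060-2087 are
# claimed by both.
FILES = [
    {"name": "\\Documents\\report.doc", "deleted": False, "runs": [(2048, 40), (4096, 24)]},
    {"name": "\\Temp\\holiday.dat", "deleted": True, "runs": [(2060, 100)]},
    {"name": "\\Documents\\budget.xls", "deleted": False, "runs": [(6000, 16)]},
]


def files_containing_sector(files, sector):
    """Return (name, deleted, byte offset within file) for every file whose runs cover sector."""
    hits = []
    for f in files:
        sectors_before = 0                      # sectors of this file preceding the current run
        for start, count in f["runs"]:
            if start <= sector < start + count:
                offset = (sectors_before + sector - start) * SECTOR_SIZE
                hits.append((f["name"], f["deleted"], offset))
                break
            sectors_before += count
    return hits


def find_pattern(image, pattern):
    """Return the distinct sector numbers in a raw image where pattern occurs."""
    sectors = []
    pos = image.find(pattern)
    while pos != -1:
        sector = pos // SECTOR_SIZE
        if not sectors or sectors[-1] != sector:
            sectors.append(sector)
        pos = image.find(pattern, pos + 1)
    return sectors


def attribute_hits(image, pattern, files):
    """Search the image and map every hit sector to the files that include it."""
    return {sector: files_containing_sector(files, sector)
            for sector in find_pattern(image, pattern)}


def build_sample_image():
    """Constructed 8192-sector image of zeros with a marker string placed in sector 2070
    (the reused area) and in sector 6003 (inside budget.xls); stands in for real evidence."""
    image = bytearray(8192 * SECTOR_SIZE)
    marker = b"ACCOUNT 1234-5678"
    for sector, within in ((2070, 7), (6003, 100)):
        pos = sector * SECTOR_SIZE + within
        image[pos:pos + len(marker)] = marker
    return bytes(image)


if __name__ == "__main__":
    for sector, hits in attribute_hits(build_sample_image(), b"ACCOUNT 1234-5678", FILES).items():
        print(sector, hits)
```

The hit in sector 2070 comes back with two owners, the live report.doc and the deleted holiday.dat, which is exactly the ambiguity the section warns about: the bytes belong to whichever file wrote that sector last, and the allocation map alone cannot say which. The per-file byte offset lets you open the recovered copy at the right place to check.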