General Information
to consider when reviewing the generated reports
If you are an attorney, before you do anything else, please go to
this page
and read the editorial in the January 2007 issue by
Craig Ball. The page may take some time to load, and you may have to register to
see the content.
FILE DATES
In the simplest terms: These are general rules, but
Microsoft advises that any or all of the file dates can be modified by any program. Keep this
in mind when trying to determine if an individual intentionally did something to change a
file date, or if the system intervened.
-
The Created date is the date when a file is first placed on that drive or moved to that
folder. Consider this when assuming a file was "copied" from one source (a thumb drive) to a
second location (a hard drive), or vice versa. The create date seen on that respective drive is
the first time it was written to that drive, not the first date it "EVER" came into existence.
When dealing with documents, it is the date the document is first generated/opened/created by
the individual. Generally this is done via the FILE->NEW menu option. See the Microsoft technical
explanation below.
-
The Modified date is the date the file is last manipulated (changed or written to). With
a document, it is when the document is "saved". This is usually accomplished when the popup
question is displayed: Do you want to save changes to the document. Printing and
"saving" after the print may change this date.
NOTE: When a file is modified on one drive on Jan 1 and later copied to another drive on
Mar 1, the create date on the destination will be Mar 1, but the last write date will be
Jan 1. This apparent conflict of a create date after the write date confuses some people.
Be aware that a create date CAN be, and often is, after the last write date.
-
The last Accessed date is generally the date when just about any action is taken on the
file. If the file is opened for any reason (read, write, print, copy, move) this date
may be altered. Virtually any action (by a user, or the operating system) on a file
will change this date. When you right-click a file in Explorer to see its properties,
this date is generally updated.
Special section on file dates explained from:
Microsoft explanation of file dates
or
More common explanation
Here is the text from one of the above pages:
Notice that MOVES affect the dates differently from copies.
"File properties with regards to the date and time stamps"
- If you copy a file from C:\fat16 to C:\fat16\sub, it keeps the same modified date and time but it changes the created date and time to the current date and time.
- If you move a file from C:\fat16 to C:\fat16\sub, it keeps the same modified date and time and keeps the same created date and time.
- If you copy a file from C:\fat16 to D:\NTFS, it keeps the same modified date and time but changes the created date and time to the current date and time.
- If you move a file from C:\fat16 to D:\NTFS, it keeps the same modified date and time and keeps the same created date and time.
- If you copy a file from D:\NTFS to D:\NTFS\SUB, it keeps the same modified date and time but changes the created date and time to the current date and time.
- If you move a file from D:\NTFS to D:\NTFS\SUB, it keeps the same modified date and time and keeps the same created date and time.
- In all examples, the modified date and time of a file does not change unless a property of the file
has changed. The created date and time of the file changes depending on whether the file was
copied or moved.
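As an added illustration of the three dates discussed above (this code is not from the original page or from Microsoft), the following Python script reads a file's timestamps, attaches the plain-language observations a reviewer would want (in particular the "create date after last write date" pattern left by a copy), and demonstrates in a temporary directory that both a copy and a move keep the modified date. The records, file names and dates are constructed. The created-date behaviour in the table above is specific to Windows file systems, so creation time is deliberately not checked here.

```python
# Added example (not from the original page): timestamp observations for a reviewer,
# plus a copy-vs-move demonstration of the modified ("last write") date.
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    """The three dates the page describes for one file (constructed records below)."""
    name: str
    created: datetime
    modified: datetime
    accessed: datetime


def timestamp_notes(ft):
    """Plain-language observations a reviewer can attach to one file's dates."""
    notes = []
    if ft.created > ft.modified:
        notes.append("created after modified: consistent with the file being copied to this "
                     "volume after its last save; not evidence of tampering by itself")
    if ft.accessed < ft.modified:
        notes.append("accessed before modified: last-access updating may be disabled on this "
                     "system, or the timestamps were altered")
    if ft.created == ft.modified == ft.accessed:
        notes.append("all three dates identical: typical of a file never touched since creation")
    return notes


def sample_records():
    """Constructed records: the Jan 1 / Mar 1 case from the text, and an untouched file."""
    return {
        "copied_memo": FileTimes("memo.doc", created=datetime(2007, 3, 1),
                                 modified=datetime(2007, 1, 1), accessed=datetime(2007, 3, 1)),
        "untouched": FileTimes("readme.txt", created=datetime(2007, 1, 1),
                               modified=datetime(2007, 1, 1), accessed=datetime(2007, 1, 1)),
    }


def copy_vs_move_demo():
    """Show that both a copy and a move keep the modified date (the page's 'last write')."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.txt")
        with open(src, "w") as f:
            f.write("constructed sample document")
        old = time.time() - 90 * 86400            # pretend it was last saved 90 days ago
        os.utime(src, (old, old))                 # set the accessed and modified times

        copied = os.path.join(d, "copied.txt")
        shutil.copy2(src, copied)                 # copy2 preserves the modified date, as Explorer's copy does
        moved = os.path.join(d, "moved.txt")
        os.rename(src, moved)                     # a move within the volume keeps the same entry

        return {
            "copy_keeps_modified": abs(os.stat(copied).st_mtime - old) < 2,
            "move_keeps_modified": abs(os.stat(moved).st_mtime - old) < 2,
        }


if __name__ == "__main__":
    for label, rec in sample_records().items():
        print(label, rec.name, timestamp_notes(rec))
    print(copy_vs_move_demo())
```

The first note is the one to remember when a report shows a create date later than the modified date: on its own it says the file was copied, not that someone edited the dates.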
CAVEAT: These definitions are provided in "hopefully" plain English to assist
individuals in understanding how and why the data in the report is to be
interpreted. The definitions and explanations are not designed or intended to be
used in any legal documents or legal proceedings.
Cluster:
The allocation unit of the file system. A group of sectors (512 bytes each) is
logically combined to form a cluster. The cluster is the unit by which the operating
system addresses file contents. Clusters can contain from one to 64 sectors of
data.
Data:
Data is information that resides on the
hard drive or other storage medium (i.e., USB "thumb drive", memory
card, etc.). It includes 100% of the storage area of the drive, and is not restricted
to the data or information which is usually visible to the casual computer
user.
File slack: Space between the
logical end of the file and the end of the last allocation unit (cluster) for
that file. File slack may contain remnants of files and other data that at one
time resided in that allocation unit and have since been deleted or moved. The
reason file slack exists is that the current file data (e.g. 1000 bytes) does
not take up the entire cluster (e.g. 32000 bytes), and thus residual data (31000
bytes) left by prior files remains and is visible (only by forensic analysis). Some
operating systems and programs take special steps to make certain that any or all
of the file slack is wiped when writing data to the disk.
Keyword Searching:
The process of using specialized
software to search for a list of keywords or phrases provided by the requesting
party. The most common search is a keyword search of files to locate those
files containing the supplied words. Depending on the type of image/clone
available, in addition to the user visible files, a more in depth search may be
able to search within slack, free space, zip files, and possibly e-mail files.
Keyword searches generally produce a substantial number (in the thousands) of
"hits" which need to be reviewed for relevance. Keyword lists should
be carefully thought out in advance, as someone will most probably have to
review thousands of hits, most of which are non-responsive. Keywords that are
industry generic should definitely NOT be included in any keyword search
request (you wouldn't search for "zipper" on a drive from the garment industry,
or "contract" on one from a real estate agent).
Meta Data:
Data about data. Generally
includes file attributes such as the date and time stamps associated with the
file. Can also include file size, and folder or path location and name. Meta
Data when used in conjunction with Microsoft Office products generally refers
to internally stored information not readily visible to the casual user.
Depending on the current version and setup of the Office environment, this
internal Meta data may contain additional file processing dates, author(s),
print characteristics and other internally stored information.
Sector:
The smallest addressable data storage area
on a hard drive. Generally a sector contains 512 bytes of user data. Operating
systems generally do not access data by a sector; they access data at the
cluster level. Specialized software is needed to access data at the sector
level.
Unallocated space: Allocation units (sectors or
clusters) not assigned to active files within a file system. When a file is
deleted the area of the disk that the file resides on is marked as free and is
available for future use. The data or content of the file is NOT overwritten.
Until this data area is overwritten, this "unallocated" area may
contain any residual file data that has not yet been overwritten.
Some Common Questions:
Can online (Yahoo, AOL and similar) type e-mails be recovered?
Usually only remnants of these e-mails are seen. Since
the online e-mails are read as web pages, unless the messages are specifically
saved to the hard drive, the web pages viewed remain only as long as other web
pages on the system. The longevity of the web pages (cache) on the system is
usually user defined. Usually, to get the "content" of the e-mails you
need to contact the e-mail service provider (Yahoo, Microsoft, AOL, etc.).
When a link in a report is "clicked" on, why is it not being displayed properly?
1. The internal link in the report is simply broken. To overcome this problem, examine the
filename in the report shown as
Exported as: 123456.xls. This is the name which the
software program exported the file as, and placed it in the report folder structure. Use
your windows explorer to navigate to the folder in the report called:
EXPORT and
search for the file named 123456.xls. There may be sub-folders to navigate to locate the
correct file. Click on the file when found and it should open correctly. If not, the
next possible cause is:
2. File content as extracted by the forensic software may be any one of the following:
internal metadata, partially extracted file data, not fully intact or incomplete
data, or partially recovered deleted data.
In any case, the forensic software gave the exported data a file name extension which was
a best guess as to the type of file the data belongs to. It is probably incorrect and as
such the browser and associated program can't properly render the data in its native
format (i.e., WORD doesn't know what to do with corrupted data which has a .doc extension).
In this case, the file is not rendered correctly, or NOT rendered at all, and it may be
necessary to open the file with "WORDPAD" or "NOTEPAD" to view any
text within the file.
The reviewer is reminded that the data included in the report is usually a result of a
keyword match somewhere in the file/data. There is no guarantee that the data extracted
will be an intact file, and the reviewer may have to resort to a basic examination (using
WORDPAD or other basic software) to examine the content of the extracted information to
locate the specific keyword identified.
3. The file is one that the reviewer's
computer does not have an acceptable viewer for. This often happens when
proprietary software created the file in question, and special software is needed to view
its contents. An example would be the drawings/schematics created by a CAD (Computer Aided
Design) program. It was listed because a reviewer may determine that the filename may
refer to file content of confidential information.
4. The file may be a partial Internet file, which is a remnant of a web page. Most often
occurs when the content extracted refers to a partial content of an on-line e-mail account
and the browser attempts to contact the web page(s) identified in the extracted data.
Can you do a live search of a drive, and what is searched for?
Yes, we can do a live search on a hard drive. You must realize that a "live" search will only
search in files which are normally available to the Microsoft Explorer program (and minimal
access to some system and hidden files). Live searching DOES NOT search freespace or slack
space. In some instances it will search within files being held in the recycle bin, but NOT in
deleted files that have been removed from the recycle bin. As a rule of thumb, only files
containing text information will provide useful hits.
Outlook pst files, databases, spreadsheets, pdf files, and other files which format their
content as "binary" data will not produce valid hits. If, however, you are looking for keywords
within Word, html or other text documents, our string search program can usually search at about
1-2 gigabytes per minute.
FREESPACE
What do you get when a keyword hit is found in drive free space?
Drive freespace (DFS) is the multi-gigabytes worth of data on the drive that is not currently
assigned to any file. DFS contains remnants of items that once were files, and now have
been deleted, and possibly partially overwritten. No date, filename, or other identifiable
information is generally associated with the content of DFS. When a keyword is found within
DFS, the surrounding text may be related, and it may not. Only a visual/manual review of the
surrounding content will determine its relevance.
Generally, the surrounding text will also include a lot of noise data, and in most cases the
extraction of recognizable text around the keyword is a manual process. The extraction of
keyword hits in DFS should only be requested as a last resort, and the requestor should
consider and be aware of the extremely slow process it is.
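To tie together the definitions of sector, cluster, file slack and unallocated space with the keyword-searching, live-search and freespace answers above, here is an added Python example (not code from the original page or from any forensic product). It builds a small cluster-based volume in memory, writes a large file, deletes it, and then lets a small file reuse the first cluster. A search restricted to live file content (the "live search" case) finds nothing from the deleted draft, while a search that also covers slack and unallocated clusters finds the remnants, along with the surrounding bytes a reviewer would have to read manually. The sector and cluster sizes, file names and sample text are constructed; real file systems differ in allocation policy and some wipe slack, as the text notes.

```python
# Added example (not from the original page): a toy cluster-based volume that shows how file
# slack and unallocated space keep remnants of deleted data, and why a "live" search of
# visible files misses them. All names, sizes and sample text are constructed.
SECTOR = 512                              # bytes per sector, as in the glossary
SECTORS_PER_CLUSTER = 8                   # constructed choice within the 1..64 range the text gives
CLUSTER = SECTOR * SECTORS_PER_CLUSTER    # 4096-byte allocation unit


def slack_bytes(file_size, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster."""
    return (-file_size) % cluster         # e.g. a 1000-byte file in a 32000-byte cluster -> 31000


class ToyVolume:
    """A bytearray 'disk' plus an allocation table mapping clusters to file names."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)   # factory-fresh: all zeros
        self.owner = [None] * clusters              # None = unallocated
        self.files = {}                             # name -> (cluster list, logical size)

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER))   # ceiling division
        free = [c for c, o in enumerate(self.owner) if o is None][:needed]
        if len(free) < needed:
            raise ValueError("volume full")
        for k, c in enumerate(free):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            start = c * CLUSTER
            # Only the file's own bytes are written; the tail of the last cluster keeps
            # whatever was there before. That leftover region is the file slack.
            self.disk[start:start + len(chunk)] = chunk
            self.owner[c] = name
        self.files[name] = (free, len(data))

    def delete_file(self, name):
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.owner[c] = None   # marked free; the bytes on disk are NOT overwritten

    def regions(self):
        """Yield (kind, label, bytes): live file content, file slack, unallocated clusters."""
        for name, (clusters, size) in self.files.items():
            content = b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
            yield "file", name, content[:size]
            yield "slack", name, content[size:]
        for c, o in enumerate(self.owner):
            if o is None:
                yield "unallocated", f"cluster {c}", bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])


def keyword_hits(vol, keyword, scope=("file", "slack", "unallocated"), context=24):
    """Return (kind, label, snippet) for every occurrence of keyword in the chosen regions.

    scope=("file",) models a live search of visible files; the full scope models a
    forensic search that also covers slack and free space. Each region is searched on
    its own, so a match straddling a cluster boundary is not reported.
    """
    needle = keyword.encode()
    hits = []
    for kind, label, blob in vol.regions():
        if kind not in scope:
            continue
        pos = blob.find(needle)
        while pos != -1:
            snippet = bytes(blob[max(0, pos - context):pos + len(needle) + context])
            hits.append((kind, label, snippet))
            pos = blob.find(needle, pos + 1)
    return hits


def hit_counts(vol, keyword, scope=("file", "slack", "unallocated")):
    """Number of hits per region kind, for a quick view of where a keyword lives."""
    counts = {kind: 0 for kind in scope}
    for kind, _, _ in keyword_hits(vol, keyword, scope):
        counts[kind] += 1
    return counts


def build_scenario():
    """Constructed story: a large draft is written, deleted, then a small file reuses its first cluster."""
    vol = ToyVolume(clusters=8)
    draft = b"PRIVILEGED draft: the settlement figure is $450,000. " * 200   # 10,600 bytes -> 3 clusters
    vol.write_file("draft.txt", draft)
    vol.delete_file("draft.txt")                                  # clusters 0-2 freed, content still on disk
    vol.write_file("notes.txt", b"grocery list: milk, eggs")     # 24 bytes land in cluster 0
    return vol


if __name__ == "__main__":
    vol = build_scenario()
    print("live search    :", hit_counts(vol, "settlement", scope=("file",)))
    print("forensic search:", hit_counts(vol, "settlement"))
    for kind, label, snippet in keyword_hits(vol, "settlement")[:2]:
        print(kind, label, snippet)
```

Running it shows zero hits for "settlement" in live file content, dozens in the slack of notes.txt and more in the two unallocated clusters, each returned with its neighbouring bytes and no file name or date, which is exactly the manual-review situation the freespace answer describes.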