/ FEATURE
remaining 3 kilobytes will contain the remaining three kilobytes of the old file. This old data will be preserved on the disk until the new file is itself deleted. Hence, even if a user thinks she has deleted a document, parts of it can persist in slack space for months or years afterwards. See Figure 1 for a visual explanation of how data is stored in clusters and what happens after data is deleted.

Figure 1 – Storing data in clusters

Systems data
Modern operating systems accumulate a lot of tracing data within themselves, usually in an attempt to make the computer more user-friendly and to help users work more productively. A lot of this data can be of immense value to a digital forensics investigator. For example, it can tell them:

• The files and documents most recently used.
• What folders were opened, and when.
• The creation, last access and last modification dates of the files stored on the system.
• What users logged onto the computer, and when.
• What devices, such as USB pen drives, have been connected to the computer, and when.
• What web addresses have been typed into web browsers.
• Which programs have been used on the computer, by whom, and how often (if the system offers per-user authentication).

Often this data replicates and corroborates other data stored in the active spaces, logs and historical data, making it a useful resource for the forensic investigator.

Logs and historical data
Most computers regularly log the activity and performance of both the operating system and the applications running on it. This is done to help administrators diagnose problems on the system, to help users remember what they did in the past, or for security reasons. Obviously this data can be enormously helpful to a forensic investigator trying to assemble a timeline of events. For example, the key logs found on a Windows computer are:

Event Logs, where applications and the operating system record events such as hardware and software errors, system shutdowns and restarts, and many others.
History Logs, which record every web address, page component and cookie file accessed by the computer, together with the time and date of access. The history logs also record a certain amount of file access data.
SetupAPI Logs (setupapi.log on Windows XP; setupapi.dev.log on Windows Vista and later), which record the installation and connection of devices (such as USB drives) to the computer.
Application Logs, which contain details of events logged by applications such as media programs. The events to be written are determined by the developers of each program, not the operating system.

/ Conclusion
It is dangerous for digital forensics specialists to ignore the possibility that evidence on the computers they analyse has been tampered with or deleted. Our own experience is that a significant proportion of the computers we analyse have undergone some form of evidence modification before coming into our possession. The safest approach for an investigator is not to assume automatically that his forensic applications are telling him the whole story. Even the most apparently complete tools have their weaknesses, and investigators should not be afraid to look at the raw data to double-check whatever the software is telling them. Of course, this requires that the investigator understand where the tools he is using are getting the data they display on the screen.

Above all, a complete digital forensics skill set does not begin and end with a platform-specific certification. A good investigator should take the opportunity to expand her knowledge, and should not be afraid to look more deeply at the underlying operating principles of the systems she investigates. A useful piece of advice, even for commercial digital forensics specialists, for whom every hour must be accountable, is not to be scared to follow your nose. If a forensic tool gives findings that are difficult to explain, or that look inconsistent with the other evidence you are seeing, do not be afraid to look "under the bonnet". /

/ Author Bios
Noemi Kuncik is an IT Forensics Specialist with a BA (Honours) degree in Computer Science and a Masters in Computer Science and Informatics from University College Dublin. Noemi worked with Mick Moran of Interpol to create a training programme countering child grooming and is researching the use of data mining in conjunction with digital forensic investigations.

Andy Harbison is a Director and IT Forensic Lead holding a BSc in Electronic Engineering and MScs in Business Administration and Information Technology. Andy lectures at University College Dublin, the Law Society of Ireland and Dublin City University, and has written articles on computer fraud, electronic litigation and data privacy. He is a regular speaker at conferences.
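The cluster and slack-space behaviour described at the top of this page, as an added example (this is not code from the article or its authors): a toy volume with 4 KB clusters, a 4 KB document that is written and then deleted, and a 1 KB file that is allocated the same cluster. The file names, contents and the carve() search pattern are constructed for the example; real file systems keep their allocation state in on-disk structures rather than a Python list, but allocate and delete in exactly this way.

```python
CLUSTER_SIZE = 4096  # assumption: 4 KB clusters, as in the article's worked figures


class ToyVolume:
    """A volume made of fixed-size clusters plus a minimal allocation table."""

    def __init__(self, n_clusters: int) -> None:
        self.media = bytearray(CLUSTER_SIZE * n_clusters)
        self.allocated = [False] * n_clusters
        self.files = {}  # name -> (list of cluster numbers, logical size in bytes)

    def _free_clusters(self, count: int) -> list:
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < count:
            raise OSError("volume full")
        return free[:count]

    def write(self, name: str, data: bytes) -> list:
        """Write a file. Only len(data) bytes are touched; the rest of the
        last cluster (the slack) keeps whatever bytes were already there."""
        needed = max(1, -(-len(data) // CLUSTER_SIZE))  # ceiling division
        clusters = self._free_clusters(needed)
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.media[start:start + len(chunk)] = chunk
            self.allocated[c] = True
        self.files[name] = (clusters, len(data))
        return clusters

    def delete(self, name: str) -> None:
        """Deletion only clears the allocation entries; no data is wiped."""
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def read(self, name: str) -> bytes:
        """What a normal file API returns: exactly the logical size, never the slack."""
        clusters, size = self.files[name]
        raw = b"".join(self.media[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in clusters)
        return bytes(raw[:size])

    def slack(self, name: str) -> bytes:
        """Bytes after the logical end of file inside its last cluster."""
        clusters, size = self.files[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        last = clusters[-1] * CLUSTER_SIZE
        return bytes(self.media[last + used_in_last:last + CLUSTER_SIZE])

    def carve(self, needle: bytes) -> list:
        """Search the raw media, allocated or not, for a byte pattern and
        report (cluster, offset) hits: what a carving pass finds that a
        file listing never shows."""
        hits = []
        pos = self.media.find(needle)
        while pos != -1:
            hits.append((pos // CLUSTER_SIZE, pos % CLUSTER_SIZE))
            pos = self.media.find(needle, pos + 1)
        return hits


def demo() -> dict:
    vol = ToyVolume(n_clusters=8)
    # constructed sample: a 4 KB document that the user later deletes
    old_doc = (b"CONFIDENTIAL MEMO: the meeting is on Friday. " * 100)[:CLUSTER_SIZE]
    vol.write("memo.txt", old_doc)
    vol.delete("memo.txt")
    # a 1 KB file is then allocated the same, now free, cluster
    new_doc = (b"shopping list: milk, bread\n" * 38)[:1024]
    vol.write("list.txt", new_doc)
    return {
        "new_file_intact": vol.read("list.txt") == new_doc,
        "slack_len": len(vol.slack("list.txt")),
        "slack_is_old_tail": vol.slack("list.txt") == old_doc[1024:],
        "carve_hits": vol.carve(b"CONFIDENTIAL MEMO"),
    }


if __name__ == "__main__":
    r = demo()
    print(f"slack holds {r['slack_len']} bytes of the deleted memo; "
          f"first carve hit at cluster/offset {r['carve_hits'][0]}")
```

The first kilobyte of cluster 0 now belongs to list.txt and is gone for good; the remaining 3 KB are still the memo, and a raw search finds the memo's text 68 times in that one cluster even though no file listing mentions it. Wiping the slack would require the deleting program to overwrite the whole cluster, which ordinary deletion never does.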
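Building the timeline that the "Systems data" and "Logs and historical data" sections describe, and applying the conclusion's advice to cross-check what the records say, as an added example that is not code from the article or its authors. The three inputs are constructed for the example: a Security event-log export, a browser history export and a SetupAPI-style device-install log. Their line formats, the user name, the device identifier and the assumed UTC+1 machine clock are all assumptions chosen for the example; what carries over to real parsers is the normalisation to UTC, the merge, and the two checks (a log record timestamped earlier than the record written before it, and "what else happened around this moment").

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCAL_OFFSET = timedelta(hours=1)  # assumption: machine clock on UTC+1 (Irish Summer Time)

# constructed sample data, not real evidence; formats are assumptions
EVENT_LOG = """\
1001,2009-10-20 08:55:12,4624,Logon: user jdoe
1002,2009-10-20 09:02:40,4672,Special privileges assigned: user jdoe
1003,2009-10-20 07:58:03,4616,System time changed: user jdoe
1004,2009-10-20 10:12:05,4634,Logoff: user jdoe
"""
BROWSER_HISTORY = """\
2009-10-20T08:04:11Z|jdoe|http://example.invalid/webmail/inbox
2009-10-20T08:42:10Z|jdoe|http://example.invalid/transfer/files.zip
"""
SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk\0123456789]
>>>  Section start 2009/10/20 09:40:31.123
<<<  Section end 2009/10/20 09:40:33.456
"""


@dataclass(frozen=True)
class Record:
    ts: datetime   # always timezone-aware UTC
    source: str
    seq: int       # record number or line order within its source
    actor: str     # user or device identifier, "" if unknown
    detail: str


def _local_to_utc(text: str, fmt: str) -> datetime:
    """Local-time string without a zone -> aware UTC datetime via LOCAL_OFFSET."""
    return (datetime.strptime(text, fmt) - LOCAL_OFFSET).replace(tzinfo=timezone.utc)


def parse_event_log(text: str) -> list:
    """CSV export: record_id,local time,event_id,description."""
    out = []
    for line in text.splitlines():
        rec_id, when, event_id, detail = line.split(",", 3)
        m = re.search(r"user (\S+)", detail)
        out.append(Record(_local_to_utc(when, "%Y-%m-%d %H:%M:%S"), "eventlog/Security",
                          int(rec_id), m.group(1) if m else "", f"EventID {event_id}: {detail}"))
    return out


def parse_browser_history(text: str) -> list:
    """Export already in UTC: ISO-8601 time|user|URL."""
    out = []
    for seq, line in enumerate(text.splitlines(), 1):
        when, user, url = line.split("|", 2)
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Record(ts, "browser", seq, user, f"URL visited: {url}"))
    return out


def parse_setupapi(text: str) -> list:
    """Device-install sections: a header naming the device, then a local start time."""
    out, device = [], ""
    for seq, line in enumerate(text.splitlines(), 1):
        head = re.match(r">>>\s+\[Device Install .*? - (.+)\]$", line)
        if head:
            device = head.group(1)
            continue
        start = re.match(r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", line)
        if start:
            out.append(Record(_local_to_utc(start.group(1), "%Y/%m/%d %H:%M:%S"),
                              "setupapi", seq, device, "Device install started"))
    return out


def build_timeline() -> list:
    """Merge every source into one list ordered by UTC time."""
    records = (parse_event_log(EVENT_LOG) + parse_browser_history(BROWSER_HISTORY)
               + parse_setupapi(SETUPAPI_LOG))
    return sorted(records, key=lambda r: (r.ts, r.source, r.seq))


def clock_anomalies(records: list) -> list:
    """Record numbers whose timestamp is earlier than the record written just
    before them. A log is appended in sequence, so this only happens if the
    clock was moved back (legitimately or to confuse a timeline) or the log
    was edited; either way the raw record deserves a look."""
    flagged, prev = [], None
    for r in sorted(records, key=lambda r: r.seq):
        if prev is not None and r.ts < prev.ts:
            flagged.append(r.seq)
        prev = r
    return flagged


def events_near(timeline: list, centre: datetime, window: timedelta) -> list:
    """Everything from any source within +/- window of a moment of interest,
    for instance what happened around a USB device being connected."""
    return [r for r in timeline if abs(r.ts - centre) <= window]
```

On the sample, record 1003 (the "system time changed" event) sorts to the front of the merged timeline although it was written third, which is exactly the kind of inconsistency a tool's tidy chronological view can hide; and the five-minute window around the USB install shows the download of files.zip, tying the browser history to the device log.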
46 Digital / ForensicS
DF1_43-46_5th Feature.indd 46 30/10/09 4:33:03 pm