Hard drives that forensic examiners tackle may be as small as 20 gigabytes, while newer drives are 250 gigabytes or even up to 750 gigabytes.
A lot of the evidence you seek will not be visible to the untrained eye. You won’t find it in a Word document by using Windows Explorer, or by starting a program from a shortcut on the desktop.
Finding evidence on a computer
When someone deletes a file, is it gone?
No, not always. When a computer user deletes a file, the operating system only deletes the first letter of the file name from the file allocation table. The file system then reports the sectors containing the deleted data as "empty," or available for storing new data.

Even so, the data remains intact and unchanged until the user writes new data to the specific sector and cluster containing the "deleted" data. This data is truly deleted only when it is overwritten by this new data. At that point, it becomes unrecoverable through normal processes.

Since data is scattered across the millions of potentially available sectors, it is unusual for all sectors containing a file to be overwritten with new data. This means that at least part of the incriminating file can be recovered long after the user has deleted the file from the computer.
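The "first letter removed" behaviour described above is how FAT file systems mark a deleted directory entry: the first byte of the name is overwritten with 0xE5 while the first-cluster pointer and size stay in place. The parser below is an added example, not code from the original page; it walks a constructed FAT16 directory table and lists both live and deleted entries, showing exactly what an examiner's tool has to work from.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5  # first byte the OS writes over a deleted entry's name
END_OF_DIR = 0x00      # an all-zero first byte means no later entry was ever used
ATTR_LFN = 0x0F        # long-file-name fragments, not real files

@dataclass
class DirEntry:
    name: str           # 8.3 short name; '?' stands in for the lost first character
    deleted: bool
    first_cluster: int  # still points at the data, which is why recovery works
    size: int

def parse_directory(table: bytes) -> list:
    """Return every short-name entry in a FAT16 directory table, deleted ones included."""
    entries = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = table[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        if raw[11] == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARKER
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]  # only the first character was destroyed
        name = f"{base}.{ext}" if ext else base
        cluster, size = struct.unpack_from("<HI", raw, 26)  # bytes 26-27 and 28-31
        entries.append(DirEntry(name, deleted, cluster, size))
    return entries

def make_entry(name8: str, ext3: str, cluster: int, size: int, deleted: bool = False) -> bytes:
    # Build a constructed 32-byte entry for the sample table below (not from a real disk).
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = 0x20  # archive attribute: an ordinary file
    struct.pack_into("<HI", raw, 26, cluster, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)

# Constructed sample directory: one live file, one file the user deleted, then end marker.
SAMPLE_TABLE = (make_entry("REPORT", "DOC", 5, 24576)
                + make_entry("MEMO", "TXT", 17, 1342, deleted=True)
                + bytes(ENTRY_SIZE))
```

Reading the clusters that `first_cluster` points at is the recovery step proper; it succeeds only for the clusters that have not yet been reused.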


Recovering Electronic Evidence - The Process
Computer forensic examiners, using special computer forensic software, first acquire an image of the target media, then do an analysis "byte by byte" of the data. This acquisition must be non-invasive (not change or alter any data) and complete (a sector-by-sector bit-stream image that copies ALL the data on the media).

Searching the digital evidence file
Usually, there is more than just a single hard drive involved in a case. The examiner adds to the hard drive evidence other pieces of media, such as additional hard drives, floppy disks, Zip disks, CD-ROMs and the like. These are then all searched, sorted, and analyzed as a single case, simultaneously.

Working in Windows, the examiner then uses a program that simulates the Windows Explorer view so he can display the files and folders of the target media. The examiner, after sorting the evidence by date and time, by filename, by file extension or some other criteria, looks through each file in a spreadsheet format. A preview pane using a hex/text viewer displays the contents of a highlighted file, with the file slack - portions of unallocated clusters - shown in red. When the examiner finds a file that is evidentiary, he "bookmarks" the file so that its contents show in the final report.

The examiner then does keyword searches to find words relevant to the investigation. All search hits are highlighted automatically so they are easy to spot as the examiner plows through thousands of file hits looking for evidence.

Critical to recovering digital evidence in your case is developing appropriate search key words that lead directly to the evidence you are seeking. For example, searching for the word "kill" may locate tens of thousands of hits, many of them computer machine language used to "kill" processes. It is in wading through too many "false hits" that an examiner's time is unnecessarily consumed. Redefining search terms can get to the evidence much more quickly, reducing the cost to you.

Forensic software also locates drafts of documents, back-up files, temporary files, Internet cache files, and computer registry data. If you are looking for specific phone numbers or credit card numbers, wildcard searches can be done for the general formats in which you will find these numbers. In this way, the forensic examiner can also search for specific area codes, network IDs or e-mail domains. The examiner can also use search scripts that will tell him every e-mail address used on the machine over time.

Other important evidentiary artifacts include time and date stamps, access logs and recycle bin activity.

Files that are visible can be sorted by creation date, last accessed, or last saved. Print spooler files, with their original time stamps, can be recovered and reviewed, showing the actual document printed out and when it was sent to the printer.

The examiner can determine which files were recently accessed, and provide a complete list of all Internet sites (web page URLs) visited, along with the time and date of access. Also, the examiner can use his special software to run a forensic picture gallery that automatically identifies all graphic files on the computer and displays these pictures as thumbnails that can easily be copied onto a CD-ROM for the client.

Forensic examiners will also be able to identify any attempts to hide a file by merely changing its name. Each file's extension (e.g., .jpg, .gif, .doc) is matched against the file's actual "signature" to determine if an attempt has been made to "hide" the file. If a file was created in Word (.doc) and the extension was changed to .jpg, the forensic examiner is able to identify and flag that file, which is good proof that the computer user tried to hide certain files.
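The signature check works by comparing the leading bytes of a file ("magic numbers") against what its extension claims. The script below is an added example, not code from the original page or from any forensic product; its signature table and sample file headers are constructed here, and it deliberately flags a file only when both the claimed type and the real type are known, so unclassifiable files are not reported as "hidden".

```python
import os
from typing import Optional

# Leading bytes ("magic numbers") that identify a file's real type whatever its name says.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),  # OLE2 container: Word/Excel 97-2003
    "docx": (b"PK\x03\x04",),                         # ZIP container: also xlsx, pptx
    "exe": (b"MZ",),                                  # Windows executable, also .dll
}
# Extensions that legitimately share a signature with another type.
ALIASES = {"jpeg": "jpg", "xls": "doc", "xlsx": "docx", "pptx": "docx", "dll": "exe"}

def detect_type(header: bytes) -> Optional[str]:
    """Identify the type from the first bytes, or None when no known signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None

def check_file(name: str, header: bytes) -> tuple:
    """Return (claimed type, actual type, mismatch); mismatch is True only when both
    types are known and differ, so unknown files are not reported as hidden."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    actual = detect_type(header)
    mismatch = actual is not None and ext in SIGNATURES and actual != ext
    return ext, actual, mismatch

def flag_renamed(files: dict) -> list:
    """List (name, claimed, actual) for every file whose contents contradict its extension."""
    flagged = []
    for name, header in files.items():
        ext, actual, mismatch = check_file(name, header)
        if mismatch:
            flagged.append((name, ext, actual))
    return flagged

# Constructed sample headers (first bytes only), not real files from any case.
SAMPLE_FILES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "contract.jpg": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8,  # .doc renamed to .jpg
    "notes.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8,
    "budget.xlsx": b"PK\x03\x04\x14\x00",
    "readme.txt": b"Just some text",                                     # unknown, not flagged
}
```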

Recovery of electronic evidence starts with an effective "presearch"
Before an examiner looks at a computer, he generally visits with the company or a person who knows about the target system to find out more about it. Each computer system is different, and poses different technological issues and hurdles. Finding out in advance whether the computer is a desktop or notebook, the size and type of the hard drive, the manufacturer and year of manufacture, the operating system, and the type of browser and e-mail package used (Netscape mail, Outlook, AOL, etc.) will eliminate the potential for numerous time-consuming missteps.

Critical evidence may exist in a number of other locations. In addition to looking at a computer and its hard drives, the forensic examiner might also have to contend with off-site servers, Internet web site off-site storage, mirror sites, backup tapes, PDAs (personal digital assistants such as Palms), cell phones, and removable media such as diskettes. Some fax machines contain exact duplicates of the last several hundred pages of documents transmitted and received. Digital telephone systems may contain computer logs of all calls made and received, and often store voice mail messages in digital form on hard drives (.wav files). Network audit programs (if properly configured) can contain a history of all files accessed, downloaded or printed. Network firewalls monitor all web sites visited, communication and information transmitted or received from the Internet.

Preserving electronic evidence
In each case where a computer is involved - whether criminal or civil - the location where the computer is should be treated as if it were a crime scene. The key to getting good evidence that will stand up in court is to get the information off the target media as soon as possible in a forensically sound way. Personal computers should not be powered up or used until a forensic examiner comes to image the data or take the media to a lab to do so.