Computer Basics:
How Computer Forensic Investigation is Possible

Undeleting Deleted Files

Most users assume that deleting files from a computer actually removes the files. We only have to look as far as Ollie North and Bill Gates to see that even very sophisticated users can fall prey to this assumption.
A computer’s operating system keeps a directory, much like a telephone directory, of the name and location of each file. When a user deletes a file, the operating system does not remove the data. Instead, it marks the file’s space as available; the contents remain in place until they are overwritten by some other process. The treatment of “deleted” files is comparable to a telephone company that deletes a subscriber from the phone book but leaves that customer’s service active.
Someone who knows the phone number can still call the subscriber in question. Similarly, someone who knows how to access these released-but-not-erased areas, and who has the proper tools, can recover their contents.
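The mechanism just described, as an added example that is not part of the original article: a toy block device in Python whose directory maps file names to block numbers, whose delete only drops the directory entry and marks the blocks free, and whose "carve" routine searches the raw blocks without consulting the directory at all. The block size, the disk size, the file names and the demand-note text are all constructed for the example; it also shows what happens when a later file reclaims part of the freed space, and why overwriting before deleting is the only step that actually destroys the contents.

```python
# Added example (not from the original article): a toy disk that models
# "delete = drop the directory entry and mark the blocks free".
# Block size, disk size, file names and file contents are all constructed.

BLOCK_SIZE = 16
NUM_BLOCKS = 32


def _printable(byte: int) -> bool:
    """Printable 7-bit ASCII, used by the carver to extend a hit into a fragment."""
    return 0x20 <= byte < 0x7F


class ToyDisk:
    def __init__(self):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(NUM_BLOCKS)]
        self.free = set(range(NUM_BLOCKS))
        self.directory = {}  # the "phone book": file name -> list of block numbers

    def list_files(self):
        """What the user sees: only names that still have a directory entry."""
        return sorted(self.directory)

    def write_file(self, name: str, data: bytes) -> None:
        needed = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        if needed > len(self.free):
            raise OSError("disk full")
        allocated = sorted(self.free)[:needed]  # lowest free blocks first
        for i, idx in enumerate(allocated):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
            self.free.discard(idx)
        self.directory[name] = allocated

    def delete_file(self, name: str) -> None:
        """Ordinary delete: unlink the name and release the blocks. Contents untouched."""
        for idx in self.directory.pop(name):
            self.free.add(idx)

    def overwrite_and_delete_file(self, name: str) -> None:
        """Secure delete: zero every block first, then release it."""
        for idx in self.directory[name]:
            self.blocks[idx] = b"\x00" * BLOCK_SIZE
        self.delete_file(name)

    def carve(self, keyword: bytes):
        """Forensic view: ignore the directory, scan the raw blocks for a keyword
        and return the printable fragment surrounding each hit."""
        raw = b"".join(self.blocks)
        fragments = []
        pos = raw.find(keyword)
        while pos != -1:
            start = pos
            while start > 0 and _printable(raw[start - 1]):
                start -= 1
            end = pos + len(keyword)
            while end < len(raw) and _printable(raw[end]):
                end += 1
            fragments.append(raw[start:end].decode("ascii"))
            pos = raw.find(keyword, end)
        return fragments


NOTE = b"Put all the money in the bag. No dye packs."  # constructed, 43 bytes = 3 blocks


def plain_delete():
    """Delete only: the name is gone from the directory, but the whole note carves out."""
    disk = ToyDisk()
    disk.write_file("note.txt", NOTE)
    disk.delete_file("note.txt")
    return disk.list_files(), disk.carve(b"dye packs")


def delete_then_reuse():
    """Delete, then write a small new file: it reclaims the note's first block,
    so only the tail of the note survives."""
    disk = ToyDisk()
    disk.write_file("note.txt", NOTE)
    disk.delete_file("note.txt")
    disk.write_file("list.txt", b"milk, eggs")  # one block, reuses block 0
    return disk.carve(b"dye packs")


def overwrite_then_delete():
    """Overwrite before releasing: nothing is left for the carver to find."""
    disk = ToyDisk()
    disk.write_file("note.txt", NOTE)
    disk.overwrite_and_delete_file("note.txt")
    return disk.carve(b"dye packs")


if __name__ == "__main__":
    print(plain_delete())           # ([], ['Put all the money in the bag. No dye packs.'])
    print(delete_then_reuse())      # ['y in the bag. No dye packs.']
    print(overwrite_then_delete())  # []
```

Real carving tools search for file-format signatures (headers and footers) rather than a keyword, but the principle is the same: the directory is ignored and the raw blocks are read. Two practitioner caveats the toy model cannot show: on an SSD the drive may discard freed blocks on its own after a TRIM, and on a journaling or copy-on-write filesystem an overwrite is not guaranteed to land on the original blocks, so "overwrite the location" is harder to do reliably than it looks here.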
In computer forensics, the operating system is both friend and foe. Its friendly nature makes the system easy to use, but to do so it must keep track of information that it hides from the user. This hidden information is a rich source of details about what the user has been doing. It contains information such as Web sites visited, e-mail sent and received, Internet-based financial transactions, and letters. A computer forensics expert exploits these hidden pockets of data to acquire information and to evaluate its usefulness as evidence in a particular matter.
A user need not save documents on his computer for them to be accessible to forensic specialists, as one bank robber discovered. Involved in twelve bank robberies in San Diego in late 1999, the “Gap-Toothed Bandit” wrote threatening demand notes on his computer, but exited his word processor without saving them. A forensic investigation of his computer yielded five of his demand notes.
How is that possible? While a document is open, a word processor keeps working copies of it in temporary files on disk (and the operating system may page parts of memory to disk as well). When he exited his word processor, those copies were “deleted” only in the sense described above: their directory entries were removed, and the text stayed on disk until something overwrote it. The “friendly” operating system never told him the notes were still there.

While a user browses the Internet, the browser keeps records of the sites visited. If the user permits cookies, the small files a site asks the browser to store so that it can recognize the user on later visits, those cookies may yield session identifiers, sometimes even passwords, and other information about the user’s Internet habits. These records can be removed if the user knows where they are, deletes them regularly, and overwrites the space they occupied; a plain delete leaves them recoverable in the same way as any other file. Otherwise, a forensic investigation can disclose clear evidence of the sites the user has visited.