Digital Forensics to the Rescue
Article by Rick Leinecker, February 7, 2007

I fall for it every time. It's the damsel in distress. When she came to me and asked for help I melted. It seems that her significant other was doing things that he shouldn't have been doing. And his laptop computer was the key to unraveling the mystery. As a digital forensics practitioner, I took the challenge head on.

The first hurdle was logging on, since the laptop was password protected. That took a grand total of ten minutes with a couple of software tools built for exactly that job: getting past a Windows logon password on a machine you have physical access to.

The most obvious evidence trail is the browser history. The Web sites that someone visited can reveal a lot. Sure, you can clear the browser's history, but that only removes the entries the browser shows you; the cache files, the history index files, and the deleted records still sitting in unallocated space usually survive, and a forensic tool can read them. In this case, the Web sites that had been visited told an incriminating story.

The next step was to look for email evidence. Outlook Express is a prime candidate for giving up valuable information. If someone uses Outlook Express to read and send email, it's an easy matter to get old emails. In this case, however, Outlook Express wasn't even installed, so this pursuit led to a dead end.

Most people keep documents in the My Documents folder. Checking the contents of this directory is as simple as opening My Computer and navigating to the folder. This laptop gave up yet more clues, as there were documents with the goods.

The last thing to do in a cursory examination is to look for deleted files. I'm not talking about the files that reside in the Recycle Bin; those can be retrieved with a click. Files that have been "permanently" deleted can usually be recovered, too, because deleting a file removes its directory entry and marks its clusters as free; the bytes themselves stay on the disk until the file system reuses that space. There are a few caveats, though. The more time that has elapsed between deleting a file and recovering it, the less chance there is that the file will still be intact. And the more a computer is used, even for a short time, the more of that free space gets overwritten and the less likely it is that any files can be recovered. So the rule of thumb if you want to recover deleted files is this: stop using the computer until the files in question have been recovered.

In most of my forensic investigations, I take the hard drive out of the computer and attach it to another computer as a second (slave) drive, and I am careful only to read from it. One caveat: the master/slave jumper setting by itself does not stop writes. The examination machine's operating system will happily mount the drive and write to it (timestamps, system folders, the Recycle Bin) unless you put a hardware write blocker in the path or mount it read-only, so do one of those and hash the drive before and after so you can show nothing changed. Working from a bit-for-bit image of the drive rather than the drive itself is the safest way to recover deleted files.
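As an added example (not the author's tool, and not code from the original article), here is a small signature-based JPEG carver of the kind that turns "permanently deleted" pictures back into files. It does what the paragraphs above describe: it ignores the file system entirely and scans a disk image for JPEG headers, then walks each file's marker structure to its end. It is meant to run against an image file acquired read-only, never against the live drive. The disk image, the photos and the filler below are constructed test data.

```python
"""Signature-based JPEG carver (added example, not the article's own code).

Scans raw bytes for the JPEG start-of-image marker and walks the segment
structure to the end-of-image marker, independent of any file-system
metadata. A deleted photo is recoverable this way because only its
directory entry is gone; the clusters holding its bytes are untouched
until the file system reuses them.
"""
import random
import struct

SOI = b"\xff\xd8\xff"
# Markers that legitimately follow SOI in a real file: APPn, DQT, SOFn, DHT, COM.
FIRST_MARKERS = set(range(0xE0, 0xF0)) | {0xDB, 0xC0, 0xC1, 0xC2, 0xC4, 0xFE}


def jpeg_length(buf, start):
    """Return the byte length of the JPEG beginning at buf[start], or None if
    the structure is broken (for example, the tail has been overwritten).
    Segments are skipped by their declared length, so an EXIF thumbnail (a
    whole nested JPEG inside the APP1 segment, with its own EOI marker) is
    stepped over rather than mistaken for the end of the outer file."""
    n = len(buf)
    p = start + 2                      # skip SOI (FF D8)
    saw_scan = False
    while p + 2 <= n:
        if buf[p] != 0xFF:
            return None                # lost sync: a marker must start here
        marker = buf[p + 1]
        if marker == 0xFF:             # fill byte, the marker continues
            p += 1
            continue
        if marker == 0xD9:             # EOI: complete only if a scan was seen
            return (p + 2 - start) if saw_scan else None
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            p += 2
            continue
        if p + 4 > n:
            return None
        seg_len = struct.unpack(">H", buf[p + 2:p + 4])[0]
        if seg_len < 2:
            return None
        p += 2 + seg_len
        if marker == 0xDA:             # SOS: entropy-coded data follows
            saw_scan = True
            # Inside scan data, FF 00 is a stuffed byte and FF D0-D7 are
            # restart markers; anything else after FF is a real marker.
            while p + 1 < n:
                nxt = buf[p + 1]
                if buf[p] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                p += 1
    return None                        # ran off the end: incomplete file


def carve_jpegs(image):
    """Return ([(offset, data), ...], partial_count): every structurally
    complete JPEG in `image`, plus a count of headers that could not be
    walked to EOI (partially overwritten files)."""
    complete, partial, pos = [], 0, 0
    while True:
        start = image.find(SOI, pos)
        if start == -1 or start + 3 >= len(image):
            break
        if image[start + 3] not in FIRST_MARKERS:
            pos = start + 1
            continue
        length = jpeg_length(image, start)
        if length is None:
            partial += 1
            pos = start + 1
        else:
            complete.append((start, image[start:start + length]))
            pos = start + length
    return complete, partial


def make_jpeg(scan_data, thumbnail=None):
    """Build a minimal, structurally valid JPEG (constructed test data).
    0xFF bytes in the scan data are stuffed as FF 00, as the standard
    requires; `thumbnail`, if given, is embedded whole in an APP1 (Exif)
    segment the way digital cameras do."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    parts = [b"\xff\xd8", b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0]
    if thumbnail is not None:
        exif = b"Exif\x00\x00" + thumbnail
        parts.append(b"\xff\xe1" + struct.pack(">H", 2 + len(exif)) + exif)
    sof0 = b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"        # 8-bit, 1x1, one component
    parts.append(b"\xff\xc0" + struct.pack(">H", 2 + len(sof0)) + sof0)
    sos = b"\x01\x01\x00\x00\x3f\x00"
    parts.append(b"\xff\xda" + struct.pack(">H", 2 + len(sos)) + sos)
    parts.append(scan_data.replace(b"\xff", b"\xff\x00"))
    parts.append(b"\xff\xd9")
    return b"".join(parts)


def build_test_image():
    """Constructed 'unallocated space': filler around two intact deleted
    photos (one with an EXIF thumbnail) and one photo whose tail has been
    overwritten by later disk use. Returns (image, [intact originals])."""
    rng = random.Random(2007)

    def filler(n):                     # no 0xFF bytes, so only planted markers exist
        return rng.randbytes(n).replace(b"\xff", b"\x00")

    photo1 = make_jpeg(rng.randbytes(3000))
    photo2 = make_jpeg(rng.randbytes(5000), thumbnail=make_jpeg(rng.randbytes(200)))
    damaged = make_jpeg(rng.randbytes(2000))
    damaged = damaged[: len(damaged) // 2]
    image = filler(1500) + photo1 + filler(777) + photo2 + filler(4096) + damaged + filler(2048)
    return image, [photo1, photo2]


if __name__ == "__main__":
    img, originals = build_test_image()
    files, partial = carve_jpegs(img)
    for off, data in files:
        print(f"carved {len(data)} bytes at offset {off}")
    print(f"{partial} partially overwritten header(s) skipped")
```

Two design points worth noting. A carver that simply searches for the next FF D9 after a header will truncate any camera photo at its embedded EXIF thumbnail, which is why this one walks segments by their declared lengths. And the partially overwritten file is reported rather than silently "recovered": a half-file is still evidence, but it should be labelled as such in the notes.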

There were lots of deleted pictures on my friend's computer that had been taken with a digital camera. Some of them told the story. You know the saying that "a picture is worth a thousand words." In this case, the recovered pictures were the smoking gun.

There's a happy ending to the story. Confronted with the evidence, the significant other confessed everything and changed his ways. That's the kind of ending I like to be a part of. Digital forensics can serve as a methodology for collecting evidence that does good if both parties want to keep the relationship together. And if not, then it can be what one side needs to reach a fair resolution.

