All of us are familiar with our favorite computer programs and documents, rarely giving thought to the unintentional information that remains without our knowledge. This article will examine several places where information about a computer user’s activities can be found and of which the user is completely unaware.
Much has been said about deleted documents not really being deleted. In this respect, think of the library card catalog you might have used 20 or 30 years ago. Deleting a computer file is like discarding a card from the catalog. The book is still on the shelf until another book replaces it, but there is nothing leading to where the book is. In a computer hard drive, forensic software can usually recreate the “card.” Even if the “card” can’t be recreated, the file or “book” can usually be located.
One: Over time, some files on the hard drive become fragmented. Periodically, Windows collects the file fragments into contiguous space and then deletes the original file fragments, but, as in the example above, deleting the fragments only eliminates the user’s access to them. Thus, another form of deleted file is created whenever the computer defragments the drive.
Two: Deleted Outlook emails remain longer because they reside intact in the email database until the emails have been “permanently” deleted and the Outlook data files have been compacted. Although invisible to the user, these files remain in plain view of forensic tools until these two deliberate steps have been taken.
Three: Windows allows a user or software to “hide” files so that they are not visible to casual viewers. Although there is the ability to tell Windows to show hidden files, some operating system files are hidden from users no matter what the user does. For example, every Windows folder contains a file called “$I30” that is only visible to Windows and forensic tools. Every file that is or has been in the folder is listed in the “$I30” file, even if the file has been deleted and its sectors overwritten. Although the data may be gone, the entries could still be useful to show that a particular activity has taken place.
Four: One convenient feature of Windows is the ability to have multiple windows open and jump between them. When we do this, Windows moves programs and files not in immediate use from memory to an operating system file called “pagefile.sys” on the hard drive, also sometimes called a swap file. When a different window is selected, the contents of the memory and the file on the disk are swapped, allowing near instantaneous changes for the user. This file is hidden from the user, but available for forensic analysis.
Five: Both Word and Excel have the ability to track document revisions by keeping a log of changes as a document is developed. If revision tracking has been turned on, everything that has been typed is saved in the document history and remains, out of sight, even if the revision tracking is turned off later. In both cases, revisions are available to forensic tools.
Six: Those of us who use the Windows hibernate feature leave a copy of everything we are working on or viewing at the time in another operating system file called “hiberfil.sys”, sometimes called a hibernation file. This information is restored to memory when we return from lunch and, if the memory isn’t filled, it bounces back and forth between memory and the hibernation file.
Seven: Windows keeps track of nearly everything it encounters in the registry to speed up recurrent access. Previously connected external hard drives and thumb drives are included along with the files accessed. In one case, it was possible to determine when an employee moved a competitor’s work from the built-in hard drive to an external hard drive and continued to work on it. Frequently the model number and serial number of the external devices are available.
Eight: When a laptop connects to a Wi-Fi hotspot, the name of the hotspot and possibly other information about the hotspot will be stored in the registry. Although much of the registry is accessible to a typical IT department, many useful areas are only available to forensic tools. Examples are user IDs and passwords for websites and information that has been entered in online forms.
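As an added example (not from the article or its author), a small Python parser that pulls the two kinds of registry entries just described, previously connected USB disks and remembered Wi-Fi profiles, out of a registry export. The key paths are the real Windows locations; the `.reg` excerpt is constructed for the example.

```python
import re

# Real Windows locations: the USBSTOR enumeration key and the Wi-Fi profile list.
USBSTOR_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_[^\\]+\\(?P<serial>[^\]]+)\]$")
WIFI_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"NetworkList\\Profiles\\\{[^}]+\}\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed excerpt of a .reg export (real exports are larger and saved as UTF-16).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530000000000000001&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{11111111-2222-3333-4444-555555555555}]
"ProfileName"="AirportFreeWiFi"
"Description"="AirportFreeWiFi"
"""


def parse_reg(text: str) -> tuple[list[dict], list[str]]:
    """Return (external disks seen, Wi-Fi profile names) found in a .reg export."""
    devices, networks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # a new key starts here
            m = USBSTOR_RE.match(line)
            if m:
                # Last path element is the device serial plus an "&<instance>" suffix.
                current = {"vendor": m["vendor"], "product": m["product"],
                           "serial": m["serial"].split("&")[0]}
                devices.append(current)
            elif WIFI_RE.match(line):
                current = {}
                networks.append(current)
            else:
                current = None                        # a key we are not interested in
            continue
        v = VALUE_RE.match(line)
        if current is not None and v:                 # string values under the key
            current[v["name"]] = v["value"]
    return devices, [n.get("ProfileName", "") for n in networks]
```

On a live system the same keys can be exported with `reg export`; the parser then lists every disk model, serial number and hotspot name Windows has recorded.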
Nine: Another inaccessible folder, System Volume Information, stores a snapshot of the registry and “Recycle Bin” every time software is installed, providing additional useful information. Multiple versions of the registry can frequently be found, possibly showing changes over time.
Ten: Windows sets aside disk space in blocks of 4,096 bytes, called clusters. If a user file doesn’t completely fill the last cluster, the remaining space, called slack space, contains whatever was there previously. This potentially interesting fragment of a file is invisible to the user and most software.
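As an added illustration, not from the article, a toy Python model of one 4,096-byte cluster showing how a short new file leaves the previous file’s bytes in its slack space. The 512-byte sector size and the zero-filling of the last sector are assumptions modelled on NTFS behaviour.

```python
SECTOR = 512      # assumed sector size
CLUSTER = 4096    # the 4,096-byte cluster size the article describes


def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Unused bytes in a file's final cluster (0 when the file ends on a boundary)."""
    return (-file_size) % cluster if file_size else 0


def write_file(disk: bytearray, cluster_no: int, data: bytes) -> None:
    """Store a file of at most one cluster. As NTFS does, zero-fill the rest of the
    last sector written, but leave the later sectors of the cluster untouched."""
    if len(data) > CLUSTER:
        raise ValueError("toy model handles files of at most one cluster")
    start = cluster_no * CLUSTER
    end = start + len(data)
    disk[start:end] = data
    padded_end = start + -(-len(data) // SECTOR) * SECTOR   # next sector boundary
    disk[end:padded_end] = bytes(padded_end - end)


def carve_slack(disk: bytearray, cluster_no: int, file_size: int) -> dict:
    """What a forensic tool sees after the file's logical end: the zero-filled
    tail of the last sector, then the residual bytes of whatever was there before."""
    start = cluster_no * CLUSTER
    tail = bytes(disk[start + file_size:start + CLUSTER])
    zeroed = (-file_size) % SECTOR if file_size % SECTOR else 0
    return {"zeroed": zeroed, "residual": tail[zeroed:]}


def demo() -> dict:
    disk = bytearray(2 * CLUSTER)                 # a constructed two-cluster "drive"
    old = (b"DRAFT: customer list taken from former employer " * 100)[:CLUSTER]
    write_file(disk, 0, old)                      # an old file fills cluster 0
    # The user deletes it; a short new file is later allocated the same cluster.
    memo = b"Lunch at noon."
    write_file(disk, 0, memo)
    carved = carve_slack(disk, 0, len(memo))
    return {"old": old, "slack": slack_bytes(len(memo)), **carved}


if __name__ == "__main__":
    r = demo()
    print(f"{r['slack']} bytes of slack: {r['zeroed']} zeroed, "
          f"{len(r['residual'])} residual, starting {r['residual'][:40]!r}")
```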
As shown above, there are many places for data to hide in a Windows computer, invisible to the user. All of them are available for examination using forensic tools.
Bill Roberts, PE, CSFA, is a Washington-licensed professional engineer with ClearData Forensics LLC in Renton. He is a CyberSecurity Forensic Analyst and holds a certificate in digital forensics as well as being an occasional contributor to the Bar Bulletin. Comments and questions about this article are welcomed at email@example.com.