All too frequently a peer will contact me in a panic about recovering deleted files from a suspect's hard drive - after my peer has trampled on the digital evidence like a rookie police officer at his first crime scene. Often valuable evidence is lost for good,or unusable in court; or worse, the suspect knows he is being investigated.
With the proper hardware that you probably already have and freeware available online, you can easily build your own basic computer forensics lab that will hold up in court, reduce e-Discovery costs and, most importantly, retrieve valuable evidence for all your investigations.
Here is the cardinal rule at the beginning of any forensic investigation: Don't touch the suspect's computer or hard drive.
On television you see detectives and CSI staff walk into a crime scene, log onto the suspect's computer and start looking for evidence. Do not do this. Ever. Any touch of the keyboard, or mouse, or even the simple act of powering the computer down, forensically changes the hard drive.
These are the two critical steps you must take first:
First, when you approach a suspect's computer unplug from the back of the computer (not the wall) and let it die. Powered-on laptops should have their battery removed to shut the system down. This sudden shutdown freezes the hard drive's evidence in place.
Second, never attempt to view the suspect's hard drive without a read/write blocking device. Read/write blocking devices prevent your computer from altering the suspect's hard drive while you are looking for evidence.
Without these two steps in place your evidence will have a tough time holding up in court. For more information on digital evidence collection check out the Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders.
With those rules clear, nothing should hold you back from building a basic setup to forensically image your suspect's computer (ie create a duplicate copy of it) and review it for evidence.
The first step before gathering evidence is reconnaissance. In advance, find out the make and model of your suspect's computer. Most businesses use stock systems, so knowing your suspect's computer model number can help you determine the type of hard drive (SATA vs ATA), its size (40GB and beyond) and - most important - how to access and unplug the hard drive. Computer makers are getting creative with cramming hard drives into odd spots, so a simple search for Dell Latitude D400 hard drive on YouTube or Google may help you quickly and easily remove the drive.
For the read/write blocking device you have two options: buy or build.
If you choose to buy, there are a variety of commercial options available at different price points. I personally use Logicube's Portable Forensic Lab, which works like a portable copier. This device runs for a few thousand dollars but can make copies at a rate of 4GB per min and is easy to ship to non-tech people to use. Logicube and other vendors also make small portable units for a few hundred dollars that work fine too.
However, here is a simple and cheap trick to make your own device. Using an empty USB external hard drive case and a simple change to your registry, you can be imaging like a pro.
First set up your registry with the following steps. (Note: Editing the registry isn't usually recommended if you aren't reasonably familiar with PC technology.)
1. Click on the Start Button and type in Regedit and hit Enter.
2. Navigate through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. Right click on Control and select New and then Key. Call the new key FORENSICWRITEBLOCK.
4. Right click on FORENSICWRITEBLOCK and select New and then Dword. Call the new dword WriteProtect.
5. Right click on WriteProtect and select Properties. Set the value to 1 and hit OK.
(Note: To revert and remove the blocked write access to USB drivers after you're done imaging, just delete the StorageDevicePolicies registry key, or delete the WriteProtect registry entry, or change the value data for WriteProtect to zero.)
When you have finished setting up your registry, test your external drive with a personal or blank hard drive by trying to copy a file to the plugged-in external drive. Windows should give you an error message indicating the drive is write-protected and your attempted file copy will fail.
After covertly grabbing your suspect's hard drive (preferably during the middle of the night - see How to be a Better Burglar), plug the drive into your read/write blocking device. Windows should recognise the new drive and explorer will open. At this point you can search and use the drive as it was your own or make a forensic image that can see deleted files, be reviewed at a later time by you or a third-party and will hold up in court.
To make a forensic image, download Accessdata's FTK Imager 2.6.1. On the forensic market there are a lot of open source, freeware and paid software to choose from, but I find FTK Imager is very easy to use for beginners with its step by step wizard and of course, free price tag. Once installed select Create Disk Image, select the source of the image (your usb drive), name your file and save location (I recommend saving to a large external drive) and click start. After a few hours you will have an identical copy of your suspect's drive to explore. At this time you can return your suspect's drive without them knowing you made a copy. FTK Imager can also review the imaged drive or original drive by selecting "Add Evidence Item." In this function, Imager acts much like Windows Explorer, but will show you many deleted files marked with an X.
For greater forensic capabilities vendors like Guidance and Accessdata offer software solutions that organize your suspect's documents, emails, and instant messages; index complete drives for searches; crack encrypted passwords; and much more. Personally I recommend and use FTK 2.2 for its easy-to-use tools, high processing speed and excellent technical support team.
In the end I tell people computer forensics is more of an art than a science. Whether you make a copy and use Windows Explorer to find evidence or purchase tools like Encase and FTK to make searching easier, it all comes down to taking your time, connecting the dots and sorting through a lot of information.
Find your next job with techworld jobs