What Kind of Files are you Looking for?
In a computer forensic investigation, finding what you are looking for can be tedious, because there are so many places where evidence can sit: operating systems vary, applications vary, storage methods differ and data can be hidden in many places. To decide what to look for, first identify the type of incident and the appropriate response; the sections below walk through the locations that come up most often.
Internet Files
For example, an employee may have downloaded copyrighted material, such as pictures, for use in proprietary designs. Some of the places where you can look for evidence of internet activity are:
a. Temporary Internet Files Folder
When a browser loads a web page, it first checks the temporary internet files (cache) folder to see whether the content is already there, so that the page loads faster. Browsers cache the pages the user recently visited, and the cached copies stay on the computer for a set time or until the cache reaches its configured size limit, at which point older entries are deleted. A cached page is therefore a record of content the user actually saw, and it survives even if the history list was cleared separately.
You can look in the following directories to find these folders (paths for Windows 2000/XP):
For Netscape, go to: C:\Program Files\Netscape\Users\username\cache
For Internet Explorer, go to: C:\Documents and Settings\xxx\Local Settings\Temporary Internet Files (where xxx refers to the account username)
Local Settings is a hidden folder, so enable "Show hidden files and folders" in Explorer, or better, examine a forensic image with a tool that does not depend on the live file system. On Windows Vista and later the Internet Explorer cache lives under %LOCALAPPDATA%\Microsoft\Windows\ instead.
b. History Folder
You can also find evidence in the history folder, which lists the links visited over a period set in the browser's options. For Internet Explorer the default is 20 days, but a more computer-savvy user often shortens this period or uses "Clear History" to remove the record of previously visited sites. Note that clearing the history does not by itself remove the cache or the cookies, which is why the three locations are checked together.

c. Cookies Folder
Cookies are small text files in which visited web sites store information about the user (the site name, a user or session identifier, and creation and expiry times), so each cookie is evidence that a site was visited and when. A utility such as CookieView displays the cookie files in a readable form. You can download it from: http://www.digital-detective.co.uk/freetools/cookieview.asp
d. Temporary Files
Most applications create temporary files when they are installed or while a document is being edited. Normally these are deleted when installation completes or the document is closed, but this does not always happen and the files remain on the computer. For example, while a Microsoft Word document is open, Word keeps a temporary working copy with a .tmp extension in the same folder or in the user's Temp directory. Such files can contain earlier versions of a document and can therefore be useful evidence.
Email Headers
Consider this example: several employees report that they received an e-mail, apparently from the system administrator, asking them to supply their login username and password so that a database can be updated. This is almost certainly a fraud (a phishing attempt), because an administrator does not need users' passwords and does not ask for them. In this case, the first thing to look at is the e-mail header, which records the path the message actually took, independent of what the From: line claims.
The e-mail header shown here was retrieved from Microsoft Outlook via View > Options.
For instructions on exposing e-mail headers in other e-mail software, visit http://www.spamcop.net/fom-serve/cache/122.html
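The check an investigator performs on such a header is to walk the Received: lines from the bottom (the first mail server that accepted the message) upward and compare the originating host with the domain the From: line claims. The script below is an added example, not part of the original page or of any tool it mentions; the message it parses is constructed for illustration, with the administrator's domain assumed to be example.com.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From: line claims to be
# the local administrator, but the earliest Received: line shows the message
# was injected from an outside address that has no reverse DNS.
RAW_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.com with ESMTP id ABC123
    for <staff@example.com>; Mon, 03 May 2004 09:12:01 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.example.com with SMTP id XYZ789;
    Mon, 03 May 2004 09:11:58 -0400
From: "System Administrator" <sysadmin@example.com>
To: staff@example.com
Subject: Database update - confirm your login
Message-ID: <20040503091158.XYZ789@mail.example.com>

Please reply with your username and password so we can update the database.
"""

# "from <host> (<comment>) by <server> ..." as written by most MTAs
RECEIVED_RE = re.compile(
    r"^from\s+(?P<host>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received: hops oldest first (the bottom header is the origin)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())      # unfold and squeeze whitespace
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("host") + " " + (m.group("comment") or ""))
        hops.append({"host": m.group("host"),
                     "comment": m.group("comment") or "",
                     "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def analyze(raw):
    """Compare the claimed From: domain with the host that injected the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    hops = received_chain(raw)
    origin = hops[0] if hops else None
    reasons = []
    if origin is None:
        reasons.append("no Received: headers at all")
    else:
        host = origin["host"].strip("[]").lower()
        if origin["host"].startswith("["):
            reasons.append("origin identified only by an IP literal")
        elif not (host == from_domain or host.endswith("." + from_domain)):
            reasons.append("origin host %s is outside %s" % (host, from_domain))
        if "unknown" in origin["comment"].lower():
            reasons.append("no reverse DNS for the origin address")
    return {"from_domain": from_domain,
            "origin_host": origin["host"] if origin else None,
            "origin_ip": origin["ip"] if origin else None,
            "suspicious": bool(reasons),
            "reasons": reasons}


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print("hop: from %-22s by %s" % (hop["host"], hop["by"]))
    print(analyze(RAW_MESSAGE))
```

Only the hop added by your own mail server can be trusted; anything below it in the chain can be forged by the sender, so the useful fact is where your server received the message from, not what earlier lines say.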
Deleted Files
The Recycle Bin is another place where you might find useful deleted data. Besides the file contents, it keeps an index recording where each file was deleted from and the date and time of deletion (the INFO2 file on Windows 2000/XP; on Windows Vista and later, a $I record paired with each $R data file).
Many people think that once the Recycle Bin is emptied, the files are gone for good. This is not the case: the data still resides on the hard disk until its clusters are overwritten by later writes. Recovery software can bring back deleted files whose clusters have not yet been reused. Because every write to the disk risks overwriting exactly that data, run recovery against a forensic image rather than the live drive.
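To show what the Recycle Bin index actually records, here is an added example (not from the original page) that builds and parses $I records in the Vista-and-later layout: an 8-byte version, the original file size, the deletion time as a Windows FILETIME, and the original path (fixed 260 UTF-16 characters in version 1, length-prefixed in version 2). The builder exists only to construct sample input; the path, size and timestamp are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_i_record(version, size, deleted_at, path):
    """Lay out a $I record; used here only to construct sample input."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:                      # Vista .. 8.1: fixed 260-char UTF-16 path
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    if version == 2:                      # Windows 10 and later: length-prefixed path
        encoded = (path + "\x00").encode("utf-16-le")
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError("unknown $I version %d" % version)


def parse_i_record(data):
    """Recover original path, size and deletion time from a $I record."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes the NUL
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


# Constructed sample records (values are made up for illustration).
SAMPLE_DELETED = datetime(2004, 5, 3, 9, 12, 1, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Documents and Settings\alice\My Documents\designs.zip"
SAMPLE_V1 = build_i_record(1, 123456, SAMPLE_DELETED, SAMPLE_PATH)
SAMPLE_V2 = build_i_record(2, 123456, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_record(rec))
```

On a real system the $I and $R files sit under $Recycle.Bin\<user SID>\ on each volume; the $I record tells you where the matching $R content came from and when, which is the same information Explorer shows in the Recycle Bin view.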
Passwords
Password files are usually captured first and cracked offline. On Windows 98 and earlier, passwords are stored in .pwl files. On the Windows NT family (NT, 2000, XP and 2003 Server), local account hashes are kept in the Security Accounts Manager (SAM) database at %SystemRoot%\system32\config\SAM, which is locked while Windows is running, so it is normally taken from a forensic image or a backup copy; domain accounts live in Active Directory on the domain controller instead.
One of the ways to obtain passwords is brute force: trying candidate passwords, or every possible combination, against the captured hashes. Many password-cracking programs use this method, usually combined with dictionary lists.
So after a break-in, what do you look for? Normally you want to look at the log files, e.g. the record of successful and failed logon attempts. A long run of failures followed by a success for the same account can suggest that someone was trying to hack into the system and finally got in.
Various logs can be reviewed to find evidence. On Windows 2000/XP/2003 the Security event log is the file %SystemRoot%\system32\config\SecEvent.Evt, viewed with Event Viewer; on Vista and later it is %SystemRoot%\System32\winevt\Logs\Security.evtx. Logon auditing must be enabled in the local or domain audit policy for these events to exist at all, and on a stand-alone workstation it is typically not on by default.
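The review described above can be automated once the Security log has been exported. The script below is an added example, not part of the original page: it reads constructed sample event lines (timestamp, event ID, account, source address) and flags a burst of logon failures from one source against one account, and a success that follows such a burst. It assumes the Windows event IDs 529/528 (failure/success on 2000/XP/2003) and 4625/4624 (Vista and later); the export format is an assumption of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export of a Security event log (not real data):
# timestamp, event ID, account, source address.
SAMPLE_EVENTS = """\
2004-05-03 02:14:01,529,administrator,203.0.113.5
2004-05-03 02:14:03,529,administrator,203.0.113.5
2004-05-03 02:14:05,529,administrator,203.0.113.5
2004-05-03 02:14:08,529,administrator,203.0.113.5
2004-05-03 02:14:10,529,administrator,203.0.113.5
2004-05-03 02:14:13,529,administrator,203.0.113.5
2004-05-03 02:14:20,528,administrator,203.0.113.5
2004-05-03 08:01:00,528,alice,10.0.0.12
2004-05-03 08:30:10,529,bob,10.0.0.15
2004-05-03 08:31:00,528,bob,10.0.0.15
"""
FAILURE_IDS = {529, 4625}   # logon failure: bad user name or password
SUCCESS_IDS = {528, 4624}   # successful logon


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(event_id),
                       "account": account.lower(),
                       "source": source})
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per (account, source); one alert per
    burst, plus an alert when a success arrives while a burst is still live."""
    alerts = []
    state = defaultdict(lambda: {"fails": deque(), "alerted": False})
    for ev in events:
        s = state[(ev["account"], ev["source"])]
        while s["fails"] and ev["time"] - s["fails"][0] > window:
            s["fails"].popleft()                 # expire old failures
        if ev["id"] in FAILURE_IDS:
            s["fails"].append(ev["time"])
            if len(s["fails"]) >= threshold and not s["alerted"]:
                alerts.append({"kind": "failure_burst", **ev, "count": len(s["fails"])})
                s["alerted"] = True
        elif ev["id"] in SUCCESS_IDS:
            if len(s["fails"]) >= threshold:
                alerts.append({"kind": "success_after_failures", **ev,
                               "count": len(s["fails"])})
            s["fails"].clear()
            s["alerted"] = False
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print("%(time)s %(kind)s account=%(account)s source=%(source)s "
              "failures=%(count)d" % alert)
```

The single failure for bob followed by a success is ordinary behaviour and produces nothing; the six failures against administrator from one outside address, closed by a success, produce both alerts.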
Hidden Evidence
So what happens when you cannot find the evidence even though you know it is there? The chances are that the data has been hidden. Some common techniques are described below.
Metadata
Virtually all applications create metadata, i.e. information about the data. For example, to view the metadata of a Microsoft Word document, right-click the file and select "Properties"; the Summary and Statistics tabs show the author, company, creation and last-saved times, total editing time and revision count. This information can be quite useful to a forensic investigator, for example to show who last edited a file and when.
However, if the suspect is well-trained in IT, metadata may be less useful, because it can be removed. Microsoft provides a tool, the Remove Hidden Data add-in (rhdtool.exe), that erases personal or hidden data from Office documents; it can be downloaded from the Microsoft website.
Although metadata for Microsoft documents is readily accessible through the user interface, some application files require special means to access it, for example opening the file in a hex editor and reading the fields at the binary level.
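Reading the metadata directly, rather than through the Properties dialog, is also how you get at it from a forensic image. The following is an added example (not from the original page) for the current Word format: a .docx is a ZIP archive, and its docProps/core.xml holds the creator, last modifier, revision count and timestamps. The document it reads is constructed in memory with made-up values; a real investigation would open the file taken from the image.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed docProps/core.xml in the shape Word writes (sample values only).
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Widget proposal</dc:title>
 <dc:creator>alice</dc:creator>
 <cp:lastModifiedBy>bob</cp:lastModifiedBy>
 <cp:revision>14</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2004-04-28T10:02:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2004-05-03T16:45:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

FIELDS = ["dc:title", "dc:creator", "cp:lastModifiedBy", "cp:revision",
          "dcterms:created", "dcterms:modified"]


def build_sample_docx():
    """Minimal .docx container, used only to construct the example input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"/>')
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Pull the core properties out of docProps/core.xml without opening Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for field in FIELDS:
        prefix, local = field.split(":")
        el = root.find("{%s}%s" % (NS[prefix], local))
        props[local] = el.text if el is not None else None
    return props


def editing_anomalies(props):
    """Points an investigator would want to follow up on."""
    notes = []
    if props["creator"] and props["lastModifiedBy"] and props["creator"] != props["lastModifiedBy"]:
        notes.append("last saved by %s, not the creator %s"
                     % (props["lastModifiedBy"], props["creator"]))
    if props["created"] and props["modified"] and props["modified"] < props["created"]:
        notes.append("modified time precedes created time (clock change or tampering)")
    return notes


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    for key, value in props.items():
        print("%-16s %s" % (key, value))
    print(editing_anomalies(props))
```

Absent or blank creator, lastModifiedBy and revision fields on a document that clearly went through several edits are themselves a sign that a tool such as rhdtool.exe was run on it.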
Hidden disk partition
Another method of hiding data is a hidden disk partition. For instance, take a dual-boot system with Windows XP and SUSE Linux: when the system boots Windows XP, the Linux partition does not appear in Explorer, because Windows does not understand the Linux file system and assigns it no drive letter. It is as if the partition were not there. Boot loaders allow the default operating system to be chosen without user interaction, so the criminal can configure the system not to display the boot menu at start-up. Data can then be kept in the hidden partition undetected by the untrained user. The partition is still recorded in the partition table, however, so it is found by reading the table directly (Disk Management lists it as an unknown partition, and forensic tools parse it from the image), and the same applies to unallocated gaps between partitions, which can hold data that belongs to no file system at all.
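Reading the partition table is a few lines of code. The example below is added here and is not from the original page: it parses the four entries of an MBR (16 bytes each at offset 446, followed by the 0x55AA signature), flags partition types that Windows does not mount, and reports the unallocated gaps between partitions. The disk it examines is a constructed 512-byte sector describing an NTFS partition followed by a Linux one on an assumed 40,000,000-sector drive.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}
# Types Windows will assign a drive letter to; anything else is invisible in Explorer.
WINDOWS_MOUNTS = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Construct a sample MBR sector (only used to make example input)."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         lba_start, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries, sorted by start sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({"slot": i + 1, "type": ptype,
                      "name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
                      "bootable": status == 0x80,
                      "start": lba_start, "end": lba_start + sectors - 1,
                      "visible_in_windows": ptype in WINDOWS_MOUNTS})
    return sorted(parts, key=lambda p: p["start"])


def find_gaps(parts, disk_sectors, min_sectors=1):
    """Sector ranges (inclusive) that belong to no partition."""
    gaps = []
    cursor = 1                        # sector 0 is the MBR itself
    for p in parts:
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


# Constructed example disk: NTFS system partition, then a Linux partition,
# with unallocated space left at the end of an assumed 40,000,000-sector drive.
SAMPLE_MBR = build_mbr([(0x07, 63, 20_000_000), (0x83, 20_000_063, 10_000_000)])
SAMPLE_DISK_SECTORS = 40_000_000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("slot %d %-16s sectors %d-%d %s" % (
            p["slot"], p["name"], p["start"], p["end"],
            "" if p["visible_in_windows"] else "(not shown by Windows)"))
    for start, end in find_gaps(parts, SAMPLE_DISK_SECTORS):
        print("unallocated: sectors %d-%d (%d sectors)" % (start, end, end - start + 1))
```

The trailing gap here is about 5 GB that Explorer never shows; an investigator carves that range, and the space after the end of the last partition, as a matter of routine.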
Covert channels
A Trojan horse such as Loki creates a backdoor on the computer on which its server component is installed and then transmits data to the attacker's machine inside what looks like normal network traffic: in Loki's case, the payload of ICMP echo request and echo reply packets, which firewalls usually pass as ordinary ping traffic. Such backdoor programs can be found at http://www.antihackertoolkit.com/tools.html
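The way to spot such a channel in a capture is to look at what ordinary ping traffic never does: carry payloads that are not the fixed pattern the ping utility sends, or return a reply whose payload differs from the request it answers. The script below is an added example, not from the original page or from the Loki tool; the ICMP packets it inspects are constructed in memory (two legitimate Windows-style pings and a request/reply pair carrying a command and its output), and the Linux pattern check assumes the iputils layout of a timestamp followed by bytes equal to their offset.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes sent by ping.exe


def icmp_checksum(data):
    """RFC 792 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload):
    """Construct an echo request/reply (used to make the sample packets)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ping_payload(payload):
    """True for the fixed filler that the Windows and iputils ping tools send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    for ts_len in (8, 16):   # iputils: struct timeval, then bytes equal to their offset
        if len(payload) > ts_len and all(
                payload[i] == (i & 0xFF) for i in range(ts_len, len(payload))):
            return True
    return False


def analyze_icmp(packets):
    """Flag echo traffic whose payload is not ping filler, or whose reply does
    not mirror the request with the same id/sequence."""
    findings, requests = [], {}
    for pkt in packets:
        icmp_type, _code, _csum, ident, seq = struct.unpack_from("!BBHHH", pkt, 0)
        payload = pkt[8:]
        f = {"type": icmp_type, "id": ident, "seq": seq, "len": len(payload),
             "entropy": round(shannon_entropy(payload), 2),
             "benign_pattern": looks_like_ping_payload(payload),
             "mirror_mismatch": False}
        if icmp_type == ICMP_ECHO_REQUEST:
            requests[(ident, seq)] = payload
        elif icmp_type == ICMP_ECHO_REPLY:
            f["mirror_mismatch"] = requests.get((ident, seq)) != payload
        f["suspicious"] = (not f["benign_pattern"]) or f["mirror_mismatch"]
        findings.append(f)
    return findings


# Constructed sample traffic (not a real capture): a normal ping exchange,
# then a request carrying a command and a reply carrying its output.
SAMPLE_PACKETS = [
    build_icmp(ICMP_ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REPLY, 0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REQUEST, 0xF00D, 1, b"ls -la /home/alice\n"),
    build_icmp(ICMP_ECHO_REPLY, 0xF00D, 1, b"designs.zip  notes.txt\n"),
]

if __name__ == "__main__":
    for f in analyze_icmp(SAMPLE_PACKETS):
        print("type=%(type)d id=0x%(id)04x seq=%(seq)d len=%(len)d "
              "entropy=%(entropy).2f suspicious=%(suspicious)s" % f)
```

A tunnel that encrypts its payload, as Loki can, defeats the pattern match but not the mirror check, and it pushes the entropy well above what the fixed ping filler produces; volume (many echo packets to one host, or packet sizes that vary) is the other signal worth counting.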