S2 Forensics, LLC
- Uncovering the digital truth one bit at a time
Have a question about digital forensics, information security, industry compliance or any other data security topic? If your question is not answered below, please call us at 253 549-5602 or use the form on the contact page to ask your question. We will provide you with an answer as soon as possible.
Frequently Asked Questions
What is Computer Forensics?
Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. The subject matter includes:
the secure collection of computer data;
the examination of suspect data to determine details such as origin and content;
the presentation of computer based information to courts of law;
the application of a country’s laws to computer practice.
What is data recovery?
Data recovery is the process of retrieving data from inaccessible or damaged disk drives, media, computers, peripherals or operating systems, or of recovering lost or deleted data from media.
What is the difference between Computer Forensics and data recovery?
Data recovery techniques are used in everyday Computer Forensics cases. However, whereas a data recovery technician’s job is to recover lost data and get a system running again with that data, a Forensic Analyst’s job is to maintain the chain of custody; to recover, analyze and interpret the data in a forensically sound and repeatable manner; and possibly to present their findings in court.
Why not just use an ‘IT’ person from our IT Department, or a local ‘computer guy’, to perform Forensic Analysis?
Typically, they do not have the training, experience or knowledge to comply with requirements such as chain of custody, admissibility and verified acquisitions. If an improperly trained person attempts to copy and review such evidence, it is quite likely that the evidence will become tainted, making it inadmissible in a court proceeding. To protect yourself from this, ensure you hire or use appropriately qualified computer Forensic Experts.
What can a forensic examination recover?
damaged or corrupted files;
password protected files;
some encrypted files;
email and web mail correspondence;
evidence of web browsing;
Internet chat data;
or anything else that is present on the computer or media.
Can deleted files be restored?
Yes, if they have not been completely overwritten. If they have been partly overwritten, the answer is maybe.
What happens when you ‘delete’ a file – is it really gone?
Think of a file system as a book with an index. When you delete a file, all you are in fact doing is removing the index entry for that page or chapter; the page or chapter itself stays where it was. When your computer writes more data to the disk it may, or may not, overwrite the previously ‘deleted’ file. If it is overwritten, the file is gone; if not, the file still remains on the hard disk. Just turning your computer on, or browsing the Internet, will cause new information to be written to your hard drive. This means that the more time passes after the file was deleted, the higher the chance that it has been overwritten through continued computer use.
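As an added illustration that is not part of the original FAQ, the toy file system below in Python mimics the book-and-index picture: a directory is the index, fixed-size blocks are the pages, and a signature scan of the raw media (carving) shows what survives a delete, a partial overwrite, and a full overwrite. Block size, file names and contents are constructed values.

```python
# Added example, not from the S2 Forensics FAQ: a toy file system with an
# "index" (the directory) and fixed-size blocks (the pages). Deleting a file
# only removes its index entry; the bytes survive until a later write reuses
# the blocks, which is exactly what forensic carving relies on.
import re

BLOCK_SIZE = 16   # constructed value; real media use 512-byte or 4 KiB sectors


class ToyVolume:
    def __init__(self, n_blocks):
        self.disk = bytearray(BLOCK_SIZE * n_blocks)   # the raw media
        self.index = {}                                # name -> (blocks, size)
        self.free = list(range(n_blocks))

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        used = [self.free.pop(0) for _ in chunks]      # lowest free blocks first
        for b, chunk in zip(used, chunks):
            self.disk[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.index[name] = (used, len(data))

    def delete(self, name):
        used, _ = self.index.pop(name)          # only the index entry goes away
        self.free = sorted(used + self.free)    # the blocks are merely marked reusable

    def read(self, name):
        used, size = self.index[name]           # what normal tools see: via the index only
        raw = b"".join(bytes(self.disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in used)
        return raw[:size]

    def carve(self, marker):
        """Forensic recovery: ignore the index and scan the raw media for a signature."""
        return [m.start() for m in re.finditer(re.escape(marker), bytes(self.disk))]


def demo():
    vol = ToyVolume(4)
    vol.write("memo.txt", b"MEMO:secret-plan-2024-do-not-share")  # 34 bytes, blocks 0-2
    vol.delete("memo.txt")                    # the index entry is gone, the bytes are not
    intact = vol.carve(b"MEMO:")              # [0]: fully recoverable by carving
    vol.write("note.txt", b"N" * 20)          # reuses blocks 0-1, overwriting part of it
    header_gone = vol.carve(b"MEMO:")         # []: the overwritten part is lost
    tail_left = vol.carve(b"do-not-share")    # [22]: the untouched tail still survives
    return intact, header_gone, tail_left
```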
What is Imaging?
In forensic analysis it is essential that all work is done from a complete and accurate copy of the original media. When you copy files and folders using, for example, Windows Copy-and-Paste, you do not get deleted files and other "remnant" information that may prove vital in a computer forensic examination. Many off-the-shelf programs do not copy the ‘hidden areas’ of the media, leaving some of the most useful areas for possible discovery unreachable. A forensic bit-for-bit copy (or bit-stream copy) is therefore made that includes the entire disk.
How can a Computer Forensic Analyst help if litigation is involved?
A Forensic Analyst can assist attorneys in drafting discovery requests so that all pertinent electronic information is likely to be gathered. Once the evidence is produced, the Forensic Analyst can sort through it, searching it using keywords (such as dates, names, times, file types, etc.) and present the results in a readable and informative form. If necessary, the Computer Forensic Analyst can ‘acquire’ (capture) entire hard drives while preserving the chain of custody, can restore deleted information, and can identify hidden files and carry out searches and file recovery. If required, the Computer Forensic Analyst can give testimony in Court.
How do I determine who owns an IP address?
Nobody actually ‘owns’ an IP address. Registrars around the world assign blocks of IP addresses to organizations that request them. In turn, an organization is responsible for allocating their block of IP addresses. To determine which organization is responsible for a given IP address, you can search the appropriate Registrar's WHOIS database.
How is data hidden in slack space?
Data can be hidden in the slack area caused by file sizes that don’t exactly match the size of the clusters in which they are stored. Cluster sizes can vary, but any time a file or portion of a file is smaller than the cluster size, the ‘leftover’ bits in that cluster go unused. In file systems such as FAT16, where cluster sizes increase based on the partition size, this can result in a very large amount of ‘empty’ space, and that space can be used to covertly store other bits of data.
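The following Python example is added here and is not part of the original FAQ. It builds a small constructed cluster-based image in which one file carries a covert payload beyond its end-of-file, then walks the directory entries to locate every file’s slack region and flags any that are not zero-filled. The 64-byte cluster size, file names and payload are assumed values chosen for the illustration.

```python
# Added example, not from the S2 Forensics FAQ: construct a toy cluster-based
# image, then derive each file's slack region from (first cluster, size) and
# report which slack regions contain non-zero bytes.
CLUSTER = 64   # assumed cluster size for this toy image; FAT volumes use 512 B to 64 KB


def build_image(entries):
    """entries: (name, data, hidden); 'hidden' is a payload tucked into the slack."""
    directory, clusters = [], []
    for name, data, hidden in entries:
        n = max(1, -(-len(data) // CLUSTER))          # clusters needed, rounded up
        assert len(data) + len(hidden) <= n * CLUSTER  # payload must fit in the slack
        buf = bytearray(n * CLUSTER)                   # unused tail is zero-filled
        buf[:len(data)] = data
        buf[len(data):len(data) + len(hidden)] = hidden    # covert bytes beyond EOF
        directory.append((name, len(clusters), len(data)))  # (name, first cluster, size)
        clusters.extend(bytes(buf[i:i + CLUSTER]) for i in range(0, len(buf), CLUSTER))
    return directory, b"".join(clusters)


def slack_report(directory, image):
    """Return (name, slack_bytes, suspicious) per file; suspicious = slack not all zeros."""
    report = []
    for name, first, size in directory:
        used = size % CLUSTER                 # bytes of the final cluster the file uses
        if size and used == 0:                # ends exactly on a cluster boundary
            report.append((name, 0, False))
            continue
        last = first + size // CLUSTER        # cluster holding the final bytes
        slack = image[last * CLUSTER + used:(last + 1) * CLUSTER]
        report.append((name, len(slack), any(slack)))
    return report


def demo():
    directory, image = build_image([
        ("report.txt", b"Quarterly figures attached.", b""),      # 27 bytes, clean slack
        ("notes.txt", b"todo", b"HIDDEN:acct=1234;pin=9876"),      # 4 bytes + covert payload
        ("full.bin", b"\xff" * 128, b""),                          # exactly two clusters
    ])
    return slack_report(directory, image)
```

On real media, slack often holds remnants of earlier deleted files rather than deliberately hidden data, so a non-zero slack region is a lead to examine, not proof of concealment.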
Is it possible to determine when files were deleted?
Sometimes, depending on the operating system.
What are Rootkits and how do I detect them?
Rootkits are used by intruders to hide and secure their presence on your system. A Rootkit gets its name not because the toolbox is composed of tools to crack root, but because it comprises tools to keep root. Rootkits are detected by checking what has changed on your system: a monitoring program records key attributes of files that should not change, including binary signature, size, expected change of size, etc., and reports any differences. A commonly used tool is Tripwire.
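As an added example (not the FAQ’s own material and not Tripwire’s code), the Python below implements the same idea in miniature: take a baseline of size, permission mode and SHA-256 for files that should not change, then compare a later snapshot against it and report anything missing, new or modified. The two files it creates in a temporary directory are constructed stand-ins for system binaries.

```python
# Added example, not from the S2 Forensics FAQ: a minimal Tripwire-style file
# integrity check. Baseline the attributes of files that should never change,
# then compare a fresh snapshot and report every deviation.
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(paths):
    """Record size, permission mode and SHA-256 for each path."""
    base = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        base[p] = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}
    return base


def compare(baseline, current):
    """Return (path, finding) pairs: missing, new, or changed:<attributes>."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            findings.append((p, "missing"))
        elif p not in baseline:
            findings.append((p, "new"))
        else:
            diffs = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
            if diffs:
                findings.append((p, "changed:" + ",".join(diffs)))
    return findings


def demo():
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")  # constructed stand-ins
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
    baseline = snapshot([ls, ps])          # taken while the system is known-good
    with open(ps, "wb") as f:              # simulate a replaced binary of identical size
        f.write(b"#!/bin/sh\necho replaced\n")
    findings = compare(baseline, snapshot([ls, ps]))   # only the hash betrays the swap
    shutil.rmtree(d)
    return findings
```

Because a rootkit with root access can alter the baseline itself, the baseline store should be kept read-only or off the monitored host.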
What are the dangers from ‘alternate data streams’ (ADS)?
The primary reason ADS is a security risk is that streams are almost completely hidden and represent possibly the closest thing to a perfect hiding spot in a file system, something Trojans can and will take advantage of. Streams can easily be created, written to and read from, allowing any Trojan or virus author to take advantage of a hidden file area. But while streams are easy to use, they can only be detected with specialist software. Programs such as Explorer can view the normal parent files, but they cannot see the streams attached to those files, nor can they determine how much disk space the streams are using.
What is computer security?
Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users from accessing any part of your computer system.
What is information security and how does it differ from computer security?
Information security is the process of protecting information, whether it is held on a computer, on paper or on any other media, from unauthorized use, access, deletion, modification or disclosure. Information security goes much further than computer security in that it protects the information throughout its whole life cycle, not just while it sits on a computer system.