Computer Forensics World: Forums

Computer Forensics World :: View topic - Computer Evidence Search
Computer Evidence Search
Forum: Computer Forensics World Forum Index -> Legal Issues
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Thu Aug 15, 2013 2:44 am    Post subject: Computer Evidence Search

PreferredUser,

Let's deal with the first example first:

If a porn picture is deleted, then say about 25% of the cluster space on which the picture was written is overwritten by a new file.

Then the remaining 75% of the cluster space that was occupied by the porn picture is recovered.

Can the recovered data be reconstructed to enable an investigator see that the picture that was deleted was porn?
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Thu Aug 15, 2013 4:44 am

And again, still too many variables to give a definitive answer. With the description you just gave, the answer is maybe.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Thu Aug 15, 2013 5:58 am    Post subject: Computer Evidence Search

Please help me understand something here.... what kind of variables are you talking about? Mention about three in the order of importance...
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Thu Aug 15, 2013 7:22 am

All equally important:
- size of the file
- size of the partition where the file resides
- amount of fragmentation of the drive that contains the file
- what file system (which then leads to questions about a journaling or non-journaling file system, do file table or backup file table entries exist for the file(s) in question, etc.)
- what parts of the file are overwritten
- was the file deleted and then overwritten

And those variables just scratch the surface.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Thu Aug 15, 2013 4:27 pm
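A constructed toy model of the "25% overwritten" question and of the variable "what parts of the file are overwritten" listed above. This is an added example, not code from the forum or from any poster; the cluster size, the JPEG stand-in file, the file names and the allocator choice (a new file takes the lowest free clusters unless a location is forced) are assumptions.

```python
CLUSTER = 16                  # bytes per cluster in the toy model (NTFS default is 4096)
JPEG_SOI = b"\xff\xd8\xff"    # real JPEG start-of-image marker bytes
JPEG_EOI = b"\xff\xd9"        # real JPEG end-of-image marker bytes


def make_picture(n_clusters):
    """Constructed stand-in for a photo: SOI, filler, EOI; exactly n_clusters long."""
    body = bytes((i * 7) % 256 for i in range(n_clusters * CLUSTER - 5))
    return JPEG_SOI + body + JPEG_EOI


class ToyVolume:
    def __init__(self, n_clusters):
        self.clusters = [bytes(CLUSTER)] * n_clusters
        self.free = set(range(n_clusters))
        self.table = {}      # live entries: name -> (size, ordered cluster list)
        self.deleted = {}    # unlinked entries whose metadata still survives

    def write(self, name, data, where=None):
        """Store data; 'where' forces which free clusters are used (default: lowest)."""
        need = -(-len(data) // CLUSTER)
        idx = list(where) if where is not None else sorted(self.free)[:need]
        assert len(idx) == need and set(idx) <= self.free
        for k, c in enumerate(idx):
            self.clusters[c] = data[k * CLUSTER:(k + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        self.free -= set(idx)
        self.table[name] = (len(data), idx)

    def delete(self, name):
        """Unlink only: clusters are marked free, the bytes stay until reused."""
        self.deleted[name] = self.table.pop(name)
        self.free |= set(self.deleted[name][1])

    def recover(self, name):
        """Reassemble a deleted file from its surviving entry and grade what is left."""
        size, idx = self.deleted[name]
        reused = [c for c in idx if c not in self.free]   # clusters taken by a new file
        data = b"".join(self.clusters[c] for c in idx)[:size]
        return {"intact_fraction": 1 - len(reused) / len(idx),
                "header_intact": data.startswith(JPEG_SOI),
                "trailer_intact": data.endswith(JPEG_EOI)}


def overwrite_scenario(hit_tail):
    """8-cluster picture deleted, then a 2-cluster file (25%) lands on its head or tail."""
    vol = ToyVolume(32)
    vol.write("photo.jpg", make_picture(8))
    vol.delete("photo.jpg")
    idx = vol.deleted["photo.jpg"][1]
    vol.write("new.txt", b"n" * (2 * CLUSTER), where=idx[-2:] if hit_tail else idx[:2])
    return vol.recover("photo.jpg")
```

Both runs leave 75% of the clusters intact, but only the tail-hit case keeps the header that a viewer or carving tool needs to recognise the file as an image, which is why "maybe" is the honest answer.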

Well, these variables indeed make it difficult to just state whether it is possible or not to reconstruct the recovered data to a meaningful status. I would like to believe that these variables apply to the other two examples I stated earlier - database and executable.

These variables are all the more reason digital evidence chain of custody needs to be airtight - such that all the stakeholders are comfortable with the starting point - seizure of digital evidence AND NOT SEIZURE OF PHYSICAL EVIDENCE. The issues of just merely trusting that the other party cannot do this or that shouldn't be part of the equation.

In conclusion, I would like to state that I have learnt quite a great deal through this interaction.

Many thanks for your contributions.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Thu Aug 15, 2013 10:19 pm

ComputerLearner wrote:
These variables are all the more reason digital evidence chain of custody needs to be airtight - such that all the stakeholders are comfortable with the starting point - seizure of digital evidence AND NOT SEIZURE OF PHYSICAL EVIDENCE. The issues of just merely trusting that the other party cannot do this or that shouldn't be part of the equation.
The chain of custody for digital evidence is no more or less important than physical evidence.

Your continued delusion that law enforcement would need to frame your porn watching friend is sadly pathetic.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Fri Aug 16, 2013 5:34 am

Well.... this is a political case we are looking at.... if you should know.

We expect the standard of chain of custody to be much higher than what I see here.

Where you come from, perhaps it is a crime to suspect foul play from the security agencies.... but where we come from, we don't take such chances.

Surely, identifying and securing (thru hashing) digital evidence on the crime scene in the presence of the accused is a better practice .... than just identifying the computer that contains that evidence by serial number and color.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Fri Aug 16, 2013 6:21 am

ComputerLearner wrote:
Surely, identifying and securing (thru hashing) digital evidence on the crime scene in the presence of the accused is a better practice .... than just identifying the computer that contains that evidence by serial number and color.
From your description you must live in a totalitarian state where even if the data was secured (thru hashing) in the presence of the accused you would have some other conspiracy theory. Sad to think that your law enforcement is not honest and has such a capacity for corruption that they can manufacture evidence and no one is the wiser.

I am not sure why there is any difference in the standard expected in a chain of custody for a political case versus any other. The standard should be the same for all cases.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Sun Aug 18, 2013 9:33 pm

1. Does EnCase or indeed any other data recovery tool show WHEN a file was deleted?

2. When a document is created and saved onto a computer....say TEST.DOCX. This document undergoes 20 modifications on 20 different dates....but each modified document maintains the same name, therefore...overwriting the old version.

Eventually TEST.DOCX is finally deleted. EnCase or indeed any other data recovery tool is used to recover TEST.DOCX - how many copies of TEST.DOCX will be recovered?
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Sun Aug 18, 2013 11:26 pm

ComputerLearner wrote:
1. Does EnCase or indeed any other data recovery tool show WHEN a file was deleted?
Possibly. Depends on the OS and the method used to delete the file.

ComputerLearner wrote:
2. When a document is created and saved onto a computer....say TEST.DOCX. This document undergoes 20 modifications on 20 different dates....but each modified document maintains the same name, therefore...overwriting the old version.
The old version is not necessarily overwritten (see my follow up answer below).

ComputerLearner wrote:
Eventually TEST.DOCX is finally deleted. EnCase or indeed any other data recovery tool is used to recover TEST.DOCX - how many copies of TEST.DOCX will be recovered?
It depends. What is the setting for track changes in Word?
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Mon Aug 19, 2013 6:19 pm

Am a bit lost here.... What do you mean by "What is the setting for track changes in Word?"?

If a program executable with MAC times of say 1st January 2013 is deleted on 1st June 2013. The program executable is recovered on 1st August 2013 and reverse-engineered to the original source code.

What will be the MAC times of:

1. the recovered program executable

2. the reverse-engineered source code
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Aug 19, 2013 11:19 pm

ComputerLearner wrote:
Am a bit lost here.... What do you mean by "What is the setting for track changes in Word?"?
In your previous question you asked about document modifications, deletion, and recovery. In your question you referenced a DOCX file. You mistakenly assumed each modification overwrites the previous version. I just wanted clarification on your scenario before trying to provide an answer.

ComputerLearner wrote:
If a program executable with MAC times of say 1st January 2013 is deleted on 1st June 2013. The program executable is recovered on 1st August 2013 and reverse-engineered to the original source code.

What will be the MAC times of:

1. the recovered program executable

2. the reverse-engineered source code
Why are you suddenly jumping to executables when we were discussing DOCX files?

You have not provided enough information in your scenario. Also it seems as though you do not understand MAC times. You ask what the MAC time of a file would be and do not specify which MAC time.

It is quite difficult to provide meaningful answers when you are so vague.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Tue Aug 20, 2013 2:25 am

Starting to look like this is either someone trying to get us to do his homework OR his criminal case is going very badly for him and it involves more than just CP.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Tue Aug 20, 2013 7:24 am

OK.... Let's exhaust the DOCX issue first.

A personal assistant to a CEO has a template in Microsoft Word for communicating with a Bank. The information that changes on the template is DATE and AMOUNT.

The template is called Bank Transfer.docx. This file name is maintained.

Every month end, Bank Transfer.docx is modified - date is amended, amount is amended too. But filename is maintained.

So, when Bank Transfer.docx is deleted, how many deleted copies are most likely to be recovered?

Will discuss the executable example later....
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Tue Aug 20, 2013 7:42 am

Yep, Homework.
Computer Forensics World Forum Index -> Legal Issues. All times are GMT + 10 Hours.
Page 3 of 4