There have occasionally been issues translating client objectives into practical digital forensics tasks. This is understandable, because “plain English” requests do not address all the complexities involved in the technical implementation of a task. Even when the task is seemingly simple, such as “give me all the pictures from the computer drive,” there are several items to take into consideration, such as:
As one can see, a simple sounding task can quickly get complex. Tasks associated with timeline analysis and connection/usage of external devices invite an entirely new host of questions.
The Good News! PRUDENTIAL Associates has created descriptions of the relatively common task items to make it easier to define the tasks given to us. This should allow clients to effectively describe their problem in a format that is easy for a forensic analyst to take action on. When clients come in they simply circle task items that they believe will produce relevant findings, fill in additional details where prompted, and we are able to hit the ground running. These task items appear on our standard Computer and Cell Phone Forensics Case Task Form, which you can request a copy of by email. Here they are in simple bullet form:
1. Identify, document, and recover any evidence of installed keystroke recorders (key loggers), monitoring software, remote access enabling software applications, or related activity. To the extent possible determine vector and originating source (responsible party).
2. Recover and export for client review any and all deleted emails or email fragments. (Please note, webmail is not generally stored locally unless used in conjunction with an email client application such as Microsoft Outlook, which is set up to download and store the messages. If no email client is used then what is most likely to be recovered from webmail are only fragments of a limited number of emails. There are exceptions in which more can be found; however, generally what is stored on the local drive is limited. By “webmail” we mean email services such as Hotmail, Gmail, Yahoo Mail, etc.).
3. Recover and export for client review deleted files such as documents, spreadsheets, videos, or pictures.
4. Identify all files modified or created before, during, or after a specific timeframe or date range.
5. Recover and export for client review any files containing a specific search term, name, number, character string, or email address. (When search term “hits” occur in unallocated space and in unrecoverable files, Prudential Associates can export for client review a report containing snippets of 200 characters surrounding the search hit for context. The client can then decide upon relevance before we export more information/data regarding the occurrence.)
6. Identify and export for use as evidence any Internet porn activity or other online activity relevant to the client’s litigation. Clients are advised that this can become a labor-intensive task depending on how much total Internet activity is recovered. Clients should understand that searching for such evidence in hundreds of thousands of lines of Internet activity is a semi-manual endeavor and there is no magical “find porn only” button.
7. In relation to an asset determination investigation, identify and export for client review any and all files or activity potentially related to banking and other asset ownership, transfer, or sale.
8. Perform a timeline analysis of a file, set of files, or identified activity that has taken place on a specific device.
9. Identify and document the usage of any external devices such as thumb drives or external hard drives and, to the extent possible, any files or folders stored within these devices.
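To illustrate the context-snippet report described in task item 5 (search-term hits in unallocated space, exported with surrounding characters for relevance review), here is an added example that is not part of the original form or of Prudential Associates' tooling. It scans a constructed byte buffer standing in for a slice of unallocated space, and it goes slightly beyond the text by also matching the UTF-16LE encoding that Windows artifacts commonly use; the 200-byte-per-side default and the hex-dump style rendering are choices made for this example.

```python
import string

# Constructed sample standing in for a chunk of unallocated space: a deleted
# fragment of ASCII text, binary filler, and a UTF-16LE encoded mail header.
SAMPLE_DATA = (
    b"\x00\xff\x13" * 40
    + b"Meeting notes: wire transfer from ACME Holdings approved on 03/14. "
    + b"Contact jdoe@example.com for the account number."
    + b"\x00\x00\xde\xad" * 30
    + "Reply-To: jdoe@example.com".encode("utf-16-le")
    + b"\x90" * 50
)

# Bytes rendered as-is in a snippet; everything else becomes '.' so the
# reviewer sees the hit in context without binary noise.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def _printable(raw: bytes) -> str:
    """Render bytes as text, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in raw)


def _snippet(data: bytes, start: int, end: int, context: int) -> str:
    """Cut `context` bytes either side of [start, end), clamped to the buffer."""
    lo = max(0, start - context)
    hi = min(len(data), end + context)
    return _printable(data[lo:hi])


def find_hits(data: bytes, term: str, context: int = 200) -> list:
    """Locate every occurrence of `term` in raw bytes, in both ASCII and
    UTF-16LE encodings, and return one record per hit holding the byte
    offset, the encoding matched, and a context snippet for review."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = term.encode(encoding)
        pos = data.find(needle)
        while pos != -1:
            hits.append({
                "offset": pos,
                "encoding": encoding,
                "snippet": _snippet(data, pos, pos + len(needle), context),
            })
            pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DATA, "jdoe@example.com", context=40):
        print(f'{hit["offset"]:08x} [{hit["encoding"]}] {hit["snippet"]}')
```

Against a real image the buffer would be read in chunks with an overlap of at least the needle length so hits spanning chunk boundaries are not missed.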
We hope this helps you and your clients zero in on the most important evidence by enabling you to more precisely utilize the tools and capabilities provided by PRUDENTIAL Associates, Investigations & Digital Forensics.