Carrying out a forensic analysis of file systems is a tedious task and requires expertise at every step. The following steps help analyze a file system for data that may provide evidence in a forensic investigation.
The system should first be secured so that all data and equipment stay safe. In other words, all media required for forensic analysis should be acquired and kept safe from any unauthorized access. Identify all files on the computer system, including encrypted, password-protected, hidden and deleted (but not yet overwritten) files. These files must be acquired from all storage media, including hard drives and portable media. Once acquired, forensic investigators have to make a copy of them so that the original files are kept intact, without the risk of alteration.
This can be done in four ways:
- Disk-to-Image: This is the most common method, as it provides the most flexibility and allows multiple copies to be created.
- Disk-to-Disk: Used where disk-to-image is not possible.
- Logical: Captures only the files that are of interest to the case. Used when time is limited.
- Sparse: Gathers fragments of deleted or unallocated data.
Validation and Discrimination
Before you analyze an image, you need to validate it to ensure the integrity of the data.
Hashing algorithms help forensic investigators determine whether a forensic image is an exact copy of the original volume or disk. This validates the integrity of the evidence and supports its admissibility in court.
Next comes data extraction, which involves retrieving unstructured or deleted data that then needs to be processed for the forensic investigation. Many computer users think that a file, once deleted, disappears forever from the hard disk. However, this is not true. Deleting a file only removes its entry from the disk's contents table. In FAT systems this is called the File Allocation Table, while in NTFS it is called the Master File Table. Data is stored in clusters on the hard disk, each consisting of a certain number of bits. Parts of a file are mostly scattered throughout the disk, and deleting the file makes it difficult to reconstruct, but not impossible. With increased disk capacity, it now takes longer for all fragments of a file to be overwritten.
In many cases, criminals may have hidden data that can turn out to be useful for the forensic investigation. Criminals with basic technical knowledge have many options available for hiding data, such as disk editors, encryption, steganography, and so on. Recovering and reconstructing this data can be time consuming, but it generally produces fruitful evidence.
Extracting data from unallocated space is known as file carving. It is a helpful technique in digital forensics that finds deleted or hidden files on the media. A hidden file can lie in areas such as slack space, unallocated clusters or lost clusters of the disk. File carving requires the file to have a recognizable header: a search locates the header and continues until the file footer is located. The data lying between these two points is extracted and then analyzed for file validation.
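A minimal header/footer carver for the technique described above, added here as an example and not taken from the original article. The signature table is a constructed two-entry subset (real carvers ship far larger tables), the sample "unallocated space" is constructed inline, and each carved file is validated against its own header and footer and hashed so it can be verified later.

```python
import hashlib

# Constructed signature table for the example: file type -> (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw bytes (e.g. unallocated clusters) for known headers and carve
    each file up to its footer. Returns a list of (type, offset, data, sha256)
    sorted by offset. A header with no footer within max_size is treated as a
    fragment and skipped rather than carved."""
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)   # fragment: keep scanning
                continue
            end += len(footer)
            data = image[pos:end]
            results.append((ftype, pos, data, hashlib.sha256(data).hexdigest()))
            pos = image.find(header, end)
    return sorted(results, key=lambda r: r[1])

def validate(ftype: str, data: bytes) -> bool:
    """Basic file validation: the carved blob must start and end with the
    signatures it was carved by. Format-specific parsing would go here."""
    header, footer = SIGNATURES[ftype]
    return data.startswith(header) and data.endswith(footer)

def build_sample_image() -> bytes:
    """Constructed sample unallocated space: filler, a PNG-like blob, filler,
    a JPEG-like blob, filler, and a truncated JPEG header with no footer."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IHDR" + b"\x00" * 8 + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 32 + b"\xff\xd9"
    return (b"\x00" * 512 + png + b"\xab" * 1024 + jpg + b"\x00" * 300
            + b"\xff\xd8\xff\xe1" + b"\x11" * 64)

if __name__ == "__main__":
    for ftype, off, data, digest in carve(build_sample_image()):
        print(f"{ftype} at offset {off}: {len(data)} bytes, "
              f"valid={validate(ftype, data)}, sha256={digest}")
```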
Extracted data can be reconstructed using a variety of available software tools that are based on various reconstruction algorithms such as bottom-up tree reconstruction and inference of partition geometry. Reconstructed data is thoroughly analyzed for further evidence and put forth in the form of a report.
In order to keep a record of every step of the investigation, document each procedural step. Evidence presented without proper documentation may not be admissible in court. This documentation should include not only the recovered files and data, but also the physical layout of the system, along with any encrypted or reconstructed data.
Forensic analysis of time-based metadata can help investigators correlate distinct pieces of information quickly and find notable times and dates of activities related to improper computer usage, spoliation and misappropriation.