[FoRK] electronic forensics

Kevin Elliott <K-Elliott at wiu.edu>, Sat Dec 16 20:51:20 PST 2006

I actually spent some time interviewing with a company that's pretty 
active in this space (at least on the OSX side).  It's not as 
advanced as you might think.  My understanding is that the basic 
procedure is to duplicate the drive and then work off the copy.  I 
suspect that the legal side of things is mostly protected by always 
being able to start over again from the original drive and 
replicating the results.

Software wise it was pretty standard data recovery tools with the 
addition of lots of logging.  Not really a lot of extra 
"intelligence" in the software to find things the investigator might 
overlook, etc.  Very much a tool for an expert rather than an 
automated do all the work for you problem.

FYI- I think if somebody is willing to point an electron microscope 
at your platters you're pretty well screwed.  If they're willing to 
spend that kind of money, they're probably willing to grab you and 
break your arms to get what they want ;).  Certainly it's well above 
what the average police department is willing/able to pay for.

At 1:11 -0500 on 12/16/06, Reese wrote:
>I'm curious what is entailed in a forensic examination of a hard drive.
>I've heard that people with electron microscopes can pull things off of
>a platter that have been overwritten several times but gee, how many
>of these garden variety places* advertising their forensics services
>can afford one of those and all it entails?
>So they are presumably using some software solution, perhaps even hex
>editing programs. What software though? Do these software solutions
>have names? Browser history records, cookies, cache files, all the
>usual places the OS will let you store files at. What else is there
>to know about doing a forensic exam on a hard drive? The odd program
>that will let the user save a file in an unusual place? Which programs
>do that? And which programs check for existence of things like that?
>Presumably, forensics examinations differ from simply data recovery in
>that there are chain of evidence protocols and added documentation
>requirements on what is found, as well. Is there more?
>*- Google it, they are legion and they clutter search results like the
>many pieces of straw in a haystack concealing a few grains of rice.

Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realize the pig is enjoying it.
Kevin Elliott   <mailto:kelliott at mac.com>
AIM/iChatAV: kelliott at mac.com  (video chat available)
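The "duplicate the drive, work off the copy, keep a log so the result can be replicated from the original" procedure described above, as an added example that is not part of either poster's message: the script images a constructed sample "drive" file (standing in for a device path) with dd, hashes source and copy, records each step in a log, and flags any mismatch.

```shell
#!/bin/sh
# Added example: image a "drive" with dd, verify the copy by hash, log each step.
# The source is a constructed 1 MiB sample file, not a real block device.
set -eu

WORKDIR=$(mktemp -d)
ORIGINAL="$WORKDIR/original.img"      # constructed stand-in for a device path
COPY="$WORKDIR/working-copy.img"      # the copy the examiner actually works on
LOG="$WORKDIR/acquisition.log"        # record that lets the run be replicated

# Build the constructed sample "drive": zero-filled with a marker at offset 4096.
make_sample_drive() {
    dd if=/dev/zero of="$ORIGINAL" bs=1024 count=1024 2>/dev/null
    printf 'sample-file-contents' | dd of="$ORIGINAL" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Print only the hex digest (sha256sum prints "<hash>  <file>").
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Append one timestamped line to the log.
log_line() {
    printf '%s %s\n' "$(date -u +%FT%TZ)" "$1" >> "$LOG"
}

# Compare source and copy digests; 0 if identical, 1 on mismatch. Both are logged.
verify_copy() {
    src_hash=$(hash_of "$1"); dst_hash=$(hash_of "$2")
    log_line "SOURCE_SHA256 $src_hash"
    log_line "COPY_SHA256 $dst_hash"
    if [ "$src_hash" = "$dst_hash" ]; then
        log_line "VERIFIED"; return 0
    fi
    log_line "MISMATCH"; return 1
}

# Duplicate the source byte-for-byte, then verify the result.
acquire_image() {
    log_line "START src=$1 dst=$2"
    dd if="$1" of="$2" bs=4096 2>>"$LOG"
    verify_copy "$1" "$2"
}

make_sample_drive
acquire_image "$ORIGINAL" "$COPY"
chmod a-w "$ORIGINAL"   # the original is left untouched after acquisition
```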
