Many digital forensics investigations start with finding files that belong to the computer’s previous user. Allocated files refer to those that can be viewed through the file system and whose contents, under normal circumstances, are not inadvertently overwritten by the operating system. Many digital forensics tools allow investigators to see allocated files in a disk image without having to use the computer’s native operating system, thereby maintaining the forensic integrity of the evidence.
Many people might have the impression that if you delete a file and empty the computer’s trash can, the file is gone forever. Not true at all. In fact, much of digital forensics relies on recovering “deleted” files. Files can be de-allocated and file names can be hidden, but their contents can still be on the hard drive, in memory, or on external media, even if the metadata that could be used to find them are lost.
Recovering these data requires a technique called file carving. Many file types contain characteristic sequences of bytes, known as file headers and footers, at the beginning and end of each file. The carving tool scans the raw disk for these signatures, and whenever a header and its matching footer are found, all the data in between are saved into a new file. More advanced file carving can even reassemble files that are broken into multiple pieces.
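As an added illustration of header/footer carving (example code written for this page, not taken from Garfinkel’s article or from any forensic tool), the following Python scans a byte buffer for the real JPEG and PNG signatures and cuts out everything between each header and the next footer. The sample "disk image" is constructed inline and contains two complete files and one truncated JPEG with no footer; the truncated case is reported as a partial carve rather than silently dropped, since an investigator wants to know when a file could not be fully recovered. The signature table and the `max_size` cut-off are assumptions for the example, and the code handles only contiguous files, not fragmented ones.

```python
from dataclasses import dataclass

# Header/footer signatures for two common formats. The byte values are the
# real JPEG SOI/EOI markers and the PNG signature/IEND chunk; the table
# itself is an assumption of this example (real carvers carry many more).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


@dataclass
class CarvedFile:
    kind: str        # which signature matched
    offset: int      # byte offset of the header in the image
    data: bytes      # carved bytes (header through footer, or partial)
    complete: bool   # False when no footer was found within max_size


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Carve contiguous files from a raw image by header/footer matching.

    For each signature, every header occurrence is located; the file is
    cut at the first footer that follows it. If no footer appears within
    max_size bytes the carve is marked partial and up to max_size bytes
    are kept so the fragment is not lost.
    """
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header))
            if f == -1 or f + len(footer) - h > max_size:
                # Header without a usable footer: keep a bounded fragment
                # and resume scanning just past this header.
                results.append(CarvedFile(kind, h, image[h:h + max_size], False))
                start = h + len(header)
            else:
                end = f + len(footer)
                results.append(CarvedFile(kind, h, image[h:end], True))
                start = end
    # Present carves in disk order regardless of which signature found them.
    results.sort(key=lambda c: c.offset)
    return results


def build_sample_image() -> bytes:
    """Constructed sample image: filler, a JPEG, a PNG, then a truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"              # 46 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"  # 46 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 12                       # no EOI marker
    return b"\x00" * 64 + jpg + b"\x00" * 16 + png + b"\x00" * 8 + truncated


if __name__ == "__main__":
    for carved in carve(build_sample_image()):
        state = "complete" if carved.complete else "PARTIAL (no footer)"
        print(f"{carved.kind} at offset {carved.offset}: {len(carved.data)} bytes, {state}")
```

On the constructed image this reports a complete JPEG at offset 64, a complete PNG at offset 126 and a partial JPEG at offset 180. On a real image the same loop would be run over the raw device or image file, and each `CarvedFile.data` written out under a name derived from its offset so that the recovered file can be tied back to its location on disk.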
File carving can be combined with memory parsing—techniques for acquiring and analyzing the contents of a running computer system’s memory. Memory parsing can be done using many available open-source tools that can report the system time when a memory dump was captured, display a list of running processes, and show the contents of a computer’s clipboard and screen. These tools are also used to reverse-engineer malware, such as computer viruses and worms, and to reconstruct an attacker’s actions in a computer intrusion case.
For assistance with any digital forensics investigations, contact Forletta. Our Pittsburgh and Cleveland private investigators are knowledgeable and are ready to help you with any of your investigation needs.
Garfinkel, Simson L. (2013). Digital Forensics. American Scientist.