

 EVIDENCE RECOVERY: SEARCHING DIGITAL EVIDENCE 


Specialized forensic software provides several methods for searching an evidence file. Multiple pieces of media (for example, two hard drives, a floppy disk and a multi-session CD-ROM) can be added to one case and searched, sorted and analyzed together.

A Windows Explorer-style view displays the files and folders of the target media in an easy-to-browse tree. Each file is also listed in a spreadsheet-style table that can be sorted and filtered on numerous fields. The examiner can choose which files appear in this view, such as the files from a single folder or a single volume. A preview pane with a hex/text viewer displays the contents of the highlighted file, with the file slack (the unused bytes between the end of the file's data and the end of its last allocated cluster, where remnants of earlier files often survive) shown in red. Search hits are highlighted automatically wherever they fall.

Keyword search utilities are used to find words relevant to the target documents or messages. These searches operate on the raw bytes of the media, so they locate any run of bytes matching the search term, whether it lies in a live file, a deleted file or unallocated space. The development of effective search terms is therefore critical to recovering digital evidence and is a major factor in the success of any forensic examination. For example, searching for the word "info" may return tens of thousands of hits wherever the letters "info" were used in a document or a line of code. Redefining the search as "info@cf-intl.com" narrows the result set sharply. Reviewing the hits from every keyword search consumes a major portion of the examiner's time while combing through digital evidence, so narrowing the search to terms or phrases unique to the case improves the results and reduces the cost.

Forensic software also locates drafts of documents, backup files (.bak, .wbk), temporary files (.tmp), cache files, autosaves, registry data and residual data. Wildcard or pattern searches can be run for "general formats", such as every telephone number in a given area code, every network ID, or every email address at a particular domain, even when the specific number or address is not known.
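The two search styles described above (an exact keyword that is progressively narrowed, and a pattern for a general format such as "any number in one area code" or "any address at one domain") are shown together in the following Python example. It is an added illustration, not code from this page or from any forensic product; the "evidence image" is a constructed byte string, the pattern names are invented, and the only technique it demonstrates is a byte-level search of raw media with chunked reading, which is what allows hits inside live files, deleted files and slack to be found alike.

```python
import re
from io import BytesIO

# Constructed sample "evidence image" for demonstration only (not real media):
# a live document, a 32-byte run of unused bytes standing in for file slack,
# and remnants of a deleted draft.
SAMPLE_IMAGE = (
    b"Quarterly report: see info sheet for details. Call 310-555-0142 or 310-555-0199. "
    + b"Contact info@cf-intl.com or press@example.org. "
    + b"\x00" * 32
    + b"deleted draft ... more info ... phone 212-555-0100 ... "
    + b"billing@cf-intl.com CFI-INFO-v2 "
)

# Search terms, from broad to narrow. Byte patterns run against raw data, so
# they hit inside live files, deleted files and unallocated space alike.
PATTERNS = {
    "info":       re.compile(rb"info", re.IGNORECASE),               # broad: many hits
    "cfi_email":  re.compile(rb"info@cf-intl\.com", re.IGNORECASE),  # narrowed keyword
    "phone_310":  re.compile(rb"\b310-\d{3}-\d{4}\b"),               # every number in one area code
    "cfi_domain": re.compile(rb"[A-Za-z0-9._%+-]+@cf-intl\.com", re.IGNORECASE),  # any address at a domain
}


def search_stream(stream, patterns, chunk=1024 * 1024, overlap=256):
    """Scan a byte stream chunk by chunk, carrying an overlap so that a match
    straddling a chunk boundary is still found, and found only once.

    `overlap` must be at least as long as the longest possible match, so use
    bounded quantifiers (\\d{4}, not \\d+). Matches that start in the last
    `overlap` bytes of the buffer are deferred to the next round, when the
    bytes after them are available (this also keeps \\b decisions correct).

    Returns {pattern_name: [(absolute_offset, matched_bytes), ...]}.
    """
    hits = {name: [] for name in patterns}
    next_ok = {name: 0 for name in patterns}  # first offset not yet consumed by an accepted match
    base = 0          # absolute offset of buf[0] within the image
    buf = b""
    eof = False
    while not eof:
        data = stream.read(chunk)
        eof = not data
        buf += data
        limit = len(buf) if eof else max(len(buf) - overlap, 0)
        for name, rx in patterns.items():
            for m in rx.finditer(buf):
                start = base + m.start()
                # Skip re-matches that begin inside a hit accepted last round.
                if m.start() < limit and start >= next_ok[name]:
                    hits[name].append((start, m.group()))
                    next_ok[name] = base + m.end()
        if not eof:
            base += limit
            buf = buf[limit:]
    return hits


def search_bytes(data, patterns, **kw):
    """Convenience wrapper for in-memory data (or a small test image)."""
    return search_stream(BytesIO(data), patterns, **kw)


def hit_context(data, offset, width=24):
    """Printable context window around a hit, for the examiner's review pass."""
    lo, hi = max(offset - width, 0), offset + width
    return data[lo:hi].decode("latin-1").replace("\x00", ".")


if __name__ == "__main__":
    # Deliberately tiny chunk and overlap so the boundary handling is exercised.
    results = search_bytes(SAMPLE_IMAGE, PATTERNS, chunk=7, overlap=32)
    for name, found in results.items():
        print(f"{name}: {len(found)} hit(s)")
        for off, match in found:
            print(f"  offset {off:6d}  {match!r}  ...{hit_context(SAMPLE_IMAGE, off)}...")
```

Run against the sample, the broad term "info" produces four hits (one of them in the deleted-draft remnant, one in "CFI-INFO-v2", which is exactly the kind of noise the page warns about), while "info@cf-intl.com" produces one; the area-code pattern finds both 310 numbers and ignores the 212 one, and the domain pattern finds the second cf-intl.com address that no exact keyword would have anticipated. For a real image, pass an open file object to `search_stream` and keep the default chunk size.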

Time and date stamps, access logs and recycle bin activity are often a critical focus of the examination and can be recovered. Files with intact directory entries (but not residual data carved from unallocated space, which has lost its file system metadata) can be sorted by creation date, last-accessed date or last-written date; note that these stamps are only as trustworthy as the clock of the system that set them, and they can be altered, so they are corroborated against other sources where the case turns on them. Swap files and file slack, locations on the disk where deleted residual data often resides, can be recovered. Print spooler files, with their original time stamps, can be recovered and reviewed. Recently accessed files can be identified, and a list of all Internet sites (URLs) visited, with the date and time of each visit, can be compiled from browser history and cache files. A forensic picture gallery automatically identifies every graphic file by its content and displays the images as thumbnails, which can easily be copied onto a CD-ROM for review.

Forensic examiners can also identify attempts to hide a file by merely changing its name. Each file's extension (e.g. .jpg, .gif, .doc) is matched against the file's actual "signature", the characteristic bytes at the start of the file that identify its real format, to determine whether an attempt has been made to disguise it. If a file was created in Word (.doc) and its extension was changed to .jpg, the forensic software flags the mismatch and the examiner can open and confirm what the file really is. A mismatch is a flag for review rather than proof of intent, since some applications and users produce odd extensions innocently.
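The signature check just described, as an added Python example rather than code from this page or from any forensic product: a small table of well-known file signatures is compared with each file's claimed extension, and the Word-document-renamed-to-.jpg case from the paragraph above is one of the constructed samples. The signature table is deliberately short (a real examiner's table runs to hundreds of entries), the sample headers are constructed, and the function and file names are invented for the illustration.

```python
from pathlib import Path

# Signature bytes found at offset 0 of common file types. Deliberately short;
# a working examiner's table is far longer.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file: legacy Word/Excel/PowerPoint
    "zip": [b"PK\x03\x04"],                          # also the container for docx/xlsx/pptx
    "exe": [b"MZ"],                                  # Windows PE and older DOS executables
}

# Extensions that legitimately carry another entry's signature.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "dll": "exe", "xls": "doc", "ppt": "doc"}

HEADER_LEN = max(len(m) for magics in SIGNATURES.values() for m in magics)


def identify(header: bytes):
    """Return the type whose signature the header carries, or None."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None


def check_file(name: str, header: bytes):
    """Compare a file's extension with its signature.

    Returns (extension, actual_type, verdict), where verdict is 'match',
    'mismatch' (the extension claims one type and the signature says another),
    'unknown' (no signature in the table, e.g. plain text) or 'no-extension'.
    """
    ext = Path(name).suffix.lower().lstrip(".")
    claimed = EXT_ALIASES.get(ext, ext)
    actual = identify(header[:HEADER_LEN])
    if actual is None:
        verdict = "unknown"
    elif not ext:
        verdict = "no-extension"
    elif claimed == actual:
        verdict = "match"
    else:
        verdict = "mismatch"
    return ext, actual, verdict


def scan_directory(root):
    """Flag every file under `root` whose signature disagrees with its extension."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as f:
                header = f.read(HEADER_LEN)
            ext, actual, verdict = check_file(path.name, header)
            if verdict == "mismatch":
                flagged.append((str(path), ext, actual))
    return flagged


# Constructed sample headers standing in for files on the target media.
SAMPLE_FILES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF",      # genuine JPEG header
    "holiday.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy Word .doc renamed to .jpg
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",        # Office Open XML is a zip container
    "setup.txt":   b"MZ\x90\x00\x03\x00\x00\x00",        # executable hiding as a text file
    "notes.txt":   b"Meeting notes 12 March",            # plain text: nothing to compare against
}

if __name__ == "__main__":
    for name, header in SAMPLE_FILES.items():
        ext, actual, verdict = check_file(name, header)
        print(f"{name:12s} ext={ext or '-':5s} signature={actual or '-':5s} {verdict}")
```

Two design points matter for a practitioner. First, the alias table is what keeps legitimate files from being flagged: a .docx is a zip container by design, so its "zip" signature is a match, not a mismatch; by the same token a signature check alone cannot tell a renamed zip archive from a real .docx, and the examiner confirms by looking inside the container. Second, a verdict of "unknown" is not a clean bill of health; plain text, scripts and many proprietary formats carry no fixed signature, so those files still need to be reviewed by content.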