Chapter 6

Extracting Information from Data

  • Understanding the different types of evidence
  • Understanding how people think
  • Picking the low-hanging fruit
  • Finding hidden evidence
  • Locating trace evidence
  • Preparing evidence
  • Presenting evidence

After you capture a data image, what should you look for? How do you figure out what portion of the captured data image is useful to your investigation? What happens if you can’t find what you are looking for? These are some of the questions that run through the mind of every forensic investigator.

Criminals or intruders can (and do) use programs to delete e-mail, pictures, and documents that might provide proof of their activities. Trained forensic investigators must have tools available that will help them not only recover this information, but help them prepare the evidence for presentation to corporate executives, law enforcement officials, or the court.

In this chapter, you’ll look at the process of divining the information you need from the data you have captured. You’ll learn to analyze the information you have gathered and organize it into a usable format. You’ll understand when to grab the low-hanging fruit and when to dig deeper for data that may or may not exist. You’ll study the types of hidden and trace evidence you’re likely to encounter. Finally, you’ll move on to learning best practices for preparing and presenting evidence.


Tales from the Trenches: Check That Evidence!

It’s important for investigators to make certain that evidence makes sense before performing an in-depth analysis. With blood evidence, an investigator would ensure that the blood sample is human before attempting a DNA match. The same common-sense approach applies to computer forensic evidence. As a forensic investigator, you will need to examine much more than what the hiring client asks you to examine. There are three things Neil Broom always checks: the registered owner, the operating system install date, and external USB connections.

In one case, a defendant swore that no external hard drive had been used. However, the preliminary analysis showed that an external Seagate hard drive had been connected and that backup software had been used. In another case, the forensic investigators were asked to examine ten computers. A routine check of the operating system install date in the Windows registry revealed that five of those computers had operating systems that had been installed two weeks previously. Those computers had been in operation for three years, but their hard drives had been reformatted and older data reinstalled afterward. Because criminals often try to hide their behaviors and obscure evidence, it’s wise to authenticate the evidence prior to analyzing it.
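The three checks described in this sidebar can be scripted. The following PowerShell is an added example, not code from the book or from Neil Broom: it reads the registered owner and install date from the Windows NT\CurrentVersion key and lists every USB mass-storage device recorded under USBSTOR. The parameter names, the hive mount points (HKLM\EvidSOFTWARE, HKLM\EvidSYSTEM), the evidence path E:\evidence and the -ClaimedInService comparison are assumptions made for the example; the registry value names and the `reg load` command are standard Windows.

```powershell
# Added example (not from the book): pull the three "sanity check" artifacts the
# sidebar names -- registered owner, OS install date, USB storage history -- from
# a Windows registry. Works against the live registry or against hives copied
# out of an evidence image and mounted with, e.g. (assumed paths):
#   reg load HKLM\EvidSOFTWARE E:\evidence\Windows\System32\config\SOFTWARE
#   reg load HKLM\EvidSYSTEM   E:\evidence\Windows\System32\config\SYSTEM
# then run with:
#   -SoftwareRoot 'HKLM:\EvidSOFTWARE' -SystemRoot 'HKLM:\EvidSYSTEM\ControlSet001'
# (an offline SYSTEM hive has no CurrentControlSet link; use ControlSet001.)
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
    [string]$SystemRoot   = 'HKLM:\SYSTEM\CurrentControlSet',
    # Date the machine was supposedly placed in service (from the client's
    # asset records); an install date later than this is worth a closer look.
    [datetime]$ClaimedInService = (Get-Date).AddYears(-3)
)

$cv = Get-ItemProperty -Path "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion"

# InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC.
$installUtc = [DateTimeOffset]::FromUnixTimeSeconds([int64]$cv.InstallDate).UtcDateTime

[pscustomobject]@{
    RegisteredOwner     = $cv.RegisteredOwner
    ProductName         = $cv.ProductName
    InstallDateUtc      = $installUtc
    ClaimedInService    = $ClaimedInService
    # True when the OS was installed after the machine was said to be in use,
    # i.e. the pattern from the ten-computer case above (reformat + reinstall).
    InstalledAfterClaim = ($installUtc -gt $ClaimedInService.ToUniversalTime())
} | Format-List

# USBSTOR keeps one key per USB mass-storage device the OS has ever enumerated;
# the key name carries vendor/product, its subkey the device serial/instance id.
$usbstor = "$SystemRoot\Enum\USBSTOR"
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device       = $device          # e.g. Disk&Ven_Seagate&Prod_...
                InstanceId   = $_.PSChildName   # serial number or generated id
                FriendlyName = $props.FriendlyName
            }
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "No USBSTOR key found under $usbstor (no USB storage recorded)"
}
```

Run it before the in-depth analysis, record the output in your notes, and compare the install date and device list against what the client or defendant has claimed; a mismatch, as in the two cases above, changes what the rest of the examination needs to look for. Loading hives with `reg load` requires an elevated prompt, and the hives should be copies from your working image, never the original evidence.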
