Trace Evidence

Trace evidence is a term that applies to all physical evidence that may be circumstantial evidence in the trial of a case. Trace evidence, although often insufficient on its own to make a case, can corroborate other evidence or even prompt a confession. Tracing some piece of data present at a crime scene to its origin can assist in arrest and conviction. Similarly, finding some trace of data from a victim or crime scene on a suspect’s computer can strongly impact a case.

Computer evidence is often found in file slack and in unallocated file space called slack space. Sometimes a good portion of a computer’s hard disk may contain data fragments from word processing documents, or almost anything that has occurred in the past. This space can be a valuable source for computer evidence because of the large volume of data involved and because most everyday computer users are oblivious to it. In Figure 6-13, a utility called Karen’s Disk Slack Checker was used to check slack space on a hard disk. As you can see, there is quite a bit of stuff here.

Figure 6-13: Karen’s Disk Slack Checker

Slack space results from the way data is written to disks. Operating systems normally write in clusters. Clusters are made up of blocks of sectors. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for each file. For example, if the cluster size is 32KB and you create a file that is 2KB in size, that file is allocated 32KB of space. This means that 30KB is unused. That’s a lot of slack space! Let’s go a bit further and say that you create a 31KB file. You decide that you no longer need the file and delete it. At some point in the future, you create another file that is 4KB. When the system goes looking for a location to write this new 4KB file, it finds the space where the old 31KB file that you supposedly deleted resides, and places the data there. Now you have 4KB of new data plus the remainder of the old data in the same space. To recover that data, you can extract trace evidence from the first file in the new file. These pieces of files or file fragments can hold a good amount of information.

On computers running a Microsoft Windows operating system, large quantities of evidence can be found in the Windows swap file. In Windows XP, Vista, Server 2003, and Server 2008 this file is named PAGEFILE.SYS by the operating system. On Windows 7 and Windows Server 2008 R2 computers the swap file is called READYBOOST.SFCACHE. This is a memory management function within the Windows operating environment. It uses space on the hard drive to swap data in and out of memory to make better use of RAM. Swap space also resides on computers running Linux. When you install the operating system, you specify a Linux swap file partition size.

Trace evidence also appears in backups. Although this option is frequently forgotten, backups can be a great source of information in forensic investigations. Most companies make some type of backup rotation and perform full backups at least once per quarter. Even though files may have been deleted from an individual computer, they may still be available on backups. Third-party service providers frequently back up e-mail and generally keep backups for some period of time. Again, even though files may be gone from a computer, in most cases, e-mail systems are backed up. As a forensic investigator, you can (and should) find out how long messages are kept because you may be able to recover information valuable to your investigation.

Fax buffers, printer buffers, and USB drives also hold trace data and should be examined for evidence as well. USB drives offer another source of trace evidence to forensic investigators. Often people put one or two files on a USB drive and forget about them. USB drives can be imaged and then processed.