Computer Forensics Analysis Challenges
Each computer forensic analysis is unique to the facts of a particular case, and no computer forensic application or procedure is infallible. What may work in the course of a forensic examination of one piece of media may not work on another for a number of reasons including hardware and software compatibility issues. The next sections discuss unique challenges examiners face during forensic examinations.
Text String Searches
An effective technique for finding any type of text string, including names, number sequences, and words, is to conduct a text string search: a search across the media for a particular name, number sequence, phrase, or word. For example, if the examiner knows that a suspect sent a threatening email to a victim and used the word “hurt” in the message, the examiner could search the suspect’s hard drive for the word “hurt”. The examiner would then review the search results to see whether any hit is the email itself, or a fragment of it left behind in a mail client’s database, a swap file, or unallocated space.
However, although a text string search is an effective tool, it is not without limitations. First, a search finds only the exact string requested. A keyword search for “computer” across a forensic image (the bit-for-bit copy of the media, not a graphic) will not find a file in which the user typed “commuter”, and a search for the ASCII spelling of a word will not match the same word stored as UTF-16, which is how Windows records many strings in the registry, shortcut files, and NTFS metadata, unless the tool searches both encodings. Second, words inside compressed or encrypted files cannot be found by a raw text search. This includes modern Office documents (.docx, .xlsx), which are zip containers, so the examiner’s tool must expand such containers before searching, and encrypted files must first be decrypted. Third, a document containing text of value may exist only as a picture, because it was scanned into the computer or was saved temporarily as a Windows metafile (a print spool file, for example); no text search will find words in a picture, and optical character recognition is needed. Similarly, some files will not open unless they are extracted from the image and opened with the application that created them or with other special software. In the end, if the examiner does not find the evidence sought by a text search, that does not mean the evidence does not exist; it means the examiner must use other techniques to find it.
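The three misses described above can be seen on a small constructed image. The following is an added example and not code from the original article: the “image” is a byte string built inline to stand in for a forensic image, and the keyword is the article’s “hurt”. A plain ASCII search finds only the first copy; the UTF-16 copy needs a second encoding, and the compressed copy is only found after the zlib stream is carved and inflated.

```python
"""Keyword search across a raw forensic image, with the misses the article describes.

Added example; not code from the original article. IMAGE is a constructed
byte string standing in for a bit-for-bit media image.
"""
import re
import zlib

# Constructed sample image: filler, an ASCII message, the same phrase as
# UTF-16LE (how Windows stores many strings), and a zlib-compressed note
# (the kind of stream found inside .docx/.zip containers), then more filler.
PLAIN = b"... I will hurt you if you tell anyone ..."
WIDE = "hurt you".encode("utf-16-le")
PACKED = zlib.compress(b"I am going to hurt him badly")
IMAGE = b"\x00" * 512 + PLAIN + b"\x00" * 64 + WIDE + b"\x00" * 64 + PACKED + b"\x00" * 512

# Two-byte zlib headers (CMF/FLG) for the usual deflate levels.
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def find_ascii(data: bytes, keyword: str) -> list:
    """Offsets of a case-insensitive ASCII/UTF-8 match of keyword in data."""
    pat = re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)
    return [m.start() for m in pat.finditer(data)]


def find_utf16le(data: bytes, keyword: str) -> list:
    """Offsets of the same keyword encoded as UTF-16LE (h\\0u\\0r\\0t\\0)."""
    pat = re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE)
    return [m.start() for m in pat.finditer(data)]


def carve_zlib(data: bytes):
    """Yield (offset, inflated bytes) for every complete zlib stream in data."""
    for m in ZLIB_HEADER.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[m.start():])
        except zlib.error:
            continue  # header-looking byte pair that was not a real stream
        if d.eof:     # a whole stream ended inside the image
            yield m.start(), out


def search(data: bytes, keyword: str) -> dict:
    """Plain search plus the two lookups a naive ASCII search misses."""
    hits = {
        "ascii": find_ascii(data, keyword),
        "utf16le": find_utf16le(data, keyword),
        "inflated": [],  # offsets of compressed streams whose contents match
    }
    for off, inflated in carve_zlib(data):
        if find_ascii(inflated, keyword):
            hits["inflated"].append(off)
    return hits


if __name__ == "__main__":
    for kind, offsets in search(IMAGE, "hurt").items():
        print(f"{kind:9s} {offsets}")
```

Running the block reports one hit per encoding: the ASCII copy at offset 523, the UTF-16LE copy at 618, and the compressed note at 698, which the raw ASCII search alone never sees. Real suites do the same carving for zip, gzip and Office containers; the point of the example is that the miss is in the search method, not in the media.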
Hiding and Disguising Files
There are many simple techniques a computer user can employ to disguise or hide files. Files can be password protected, encrypted, or compressed; they can be saved in locations on the storage media that normally contain only innocuous system files; and they can be given innocuous-sounding names in an attempt to avoid detection. Because of these methods, a thorough forensic examiner does not rely on a file’s name or location to judge its relevance, but reviews the content of files to determine whether they are of value to the investigation, typically after hash sets have removed known operating system and application files from consideration.
Also, most data files have a file extension. A file extension is the short suffix, typically two to four alphanumeric characters, that follows the last period in a file name (“.txt”, “.jpg”, “.docx”). Operating systems use the extension to choose the application that opens the file. For instance, a file ending in “.doc” tells the operating system that when the user issues a command to open the file, Microsoft Word should be used to open, read, and/or modify it. Simply renaming a file to an innocuous extension therefore disguises its true content from anyone looking only at the extension. The extension is only a label, however: most file formats begin with a fixed signature (a magic number), such as the text “%PDF-” for PDF files or the bytes FF D8 FF for JPEG images, and forensic tools compare that signature with the extension and flag every mismatch, so a renamed file is exposed as soon as its header is read.
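The signature check that defeats extension renaming is short enough to show in full. The following is an added example and not code from the original article or from any forensic suite: the signature table covers a handful of common formats, the sample files are constructed byte strings (headers only, plus one real zip built in memory), and zip containers are refined by member name so that a Word document renamed to .jpg is reported as “docx”, not merely “zip”.

```python
"""File-signature check: does the content's magic number agree with the extension?

Added example; not code from the original article. SAMPLES are constructed.
"""
import io
import os
import zipfile

# (magic bytes at offset 0, extensions that legitimately carry that signature)
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),  # OLE2 compound file
    (b"MZ", {"exe", "dll", "sys", "scr"}),   # DOS/PE executable
    (b"\x7fELF", {"so", "elf"}),
    (b"PK\x03\x04", {"zip"}),                # refined below: docx/xlsx/pptx are zips
]

# Member names that identify what a zip container really is.
ZIP_MARKERS = [
    ("word/document.xml", "docx"),
    ("xl/workbook.xml", "xlsx"),
    ("ppt/presentation.xml", "pptx"),
    ("AndroidManifest.xml", "apk"),
    ("META-INF/MANIFEST.MF", "jar"),
]


def refine_zip(data: bytes) -> set:
    """A zip is a container; look at its member names to tell docx from plain zip."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return {"zip"}  # only a header survived (carved/truncated): stay generic
    for marker, ext in ZIP_MARKERS:
        if marker in names:
            return {ext}
    return {"zip"}


def classify(name: str, data: bytes) -> dict:
    """Compare the extension in the name with the signature in the content."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    detected = set()
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            detected = refine_zip(data) if magic == b"PK\x03\x04" else exts
            break
    if not detected:
        status = "unknown"   # no known signature: content must be reviewed another way
    elif ext in detected:
        status = "ok"
    else:
        status = "mismatch"  # the extension does not describe the content
    return {"name": name, "ext": ext, "detected": sorted(detected), "status": status}


def find_mismatches(files: dict) -> list:
    """Names of all files whose extension disagrees with their signature."""
    return sorted(n for n, d in files.items() if classify(n, d)["status"] == "mismatch")


def build_docx_like() -> bytes:
    """Constructed minimal Office Open XML container (a real zip built in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples: only the leading bytes matter for the header check.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "readme.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",  # JPEG renamed to .txt
    "holiday.jpg": build_docx_like(),                       # Word document renamed to .jpg
    "budget.xls": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",     # PE executable renamed to .xls
    "notes.dat": b"just some text, no recognised header",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
    print("mismatches:", find_mismatches(SAMPLES))
```

The check reads only the header, so it runs cheaply over every file on an image; the zip refinement is the one place content beyond the header is consulted. A file with no recognised signature is reported as “unknown” rather than “ok”, because an unrecognised header is exactly where an examiner wants to look next.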
Another data hiding technique is the creation of hidden areas on the storage media themselves. Using readily available software, a computer user can change the apparent capacity of a hard drive and/or create a hidden area on it where data of evidentiary value might be stored. On ATA/SATA drives this is done with two firmware features: the Host Protected Area (HPA), which hides a range of sectors at the end of the drive from the operating system, and the Device Configuration Overlay (DCO), which makes the drive report a smaller capacity than it physically has. Neither area appears in the partition table, and an imaging tool that does not detect and remove them produces an image that silently omits those sectors, so the examiner should compare the drive’s reported size against its native maximum (on Linux, with hdparm -N and hdparm --dco-identify) before acquisition.
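The size comparison can be automated from the two hdparm reports. The following is an added example and not code from the original article or from hdparm: the two output texts are constructed in the shape of hdparm -N and hdparm --dco-identify reports for a fictitious 500 GB drive, and a 512-byte sector is assumed (drives with 4 KiB native sectors need the other size).

```python
"""Spotting a Host Protected Area / Device Configuration Overlay from hdparm output.

Added example; not code from the original article or from hdparm. The report
texts are constructed; SECTOR assumes a 512-byte logical sector.
"""
import re
from typing import List, Optional, Tuple

SECTOR = 512  # assumption: 512-byte logical sectors

# Constructed: what `hdparm -N /dev/sdb` might print when the visible size
# has been clipped below the drive's current native maximum.
HDPARM_N = """/dev/sdb:
 max sectors   = 900000000/950000000, HPA is enabled
"""

# Constructed: the relevant line of `hdparm --dco-identify /dev/sdb`; the
# "real" maximum is larger still, so a DCO is also in place.
DCO_IDENTIFY = """/dev/sdb:
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
	Transfer modes:
	 ...
Real max sectors: 976773168
"""


def parse_hpa(text: str) -> Tuple[int, int]:
    """(visible, native) max sectors from an hdparm -N report."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return int(m.group(1)), int(m.group(2))


def parse_dco(text: str) -> Optional[int]:
    """'Real max sectors' from an hdparm --dco-identify report, if present."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def hidden_regions(visible: int, native: int, real: Optional[int] = None) -> List[dict]:
    """Sector ranges the operating system cannot see, as acquisition targets."""
    regions = []
    if native > visible:
        regions.append({"kind": "HPA", "start": visible, "sectors": native - visible})
    if real is not None and real > native:
        regions.append({"kind": "DCO", "start": native, "sectors": real - native})
    for r in regions:
        r["bytes"] = r["sectors"] * SECTOR
    return regions


def report(hdparm_n: str, dco_identify: Optional[str] = None) -> List[dict]:
    visible, native = parse_hpa(hdparm_n)
    real = parse_dco(dco_identify) if dco_identify else None
    return hidden_regions(visible, native, real)


if __name__ == "__main__":
    for r in report(HDPARM_N, DCO_IDENTIFY):
        print(f"{r['kind']}: sectors {r['start']}..{r['start'] + r['sectors'] - 1} "
              f"({r['bytes'] / 1e9:.1f} GB hidden)")
```

Run the real commands against a write-blocked drive, not the image, since the HPA and DCO live in drive firmware and are invisible once the drive has been copied without them. A region list that is not empty means the acquisition must either be repeated with a tool that temporarily removes the HPA/DCO or be documented as incomplete.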