Posts Tagged ‘electronic evidence’


The Process for Recovering Electronic Evidence

Tuesday, March 1st, 2011

There are two primary steps in the process of recovering electronic data: “acquisition” of the target medium, and a forensic byte-by-byte analysis of the data.

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

Rather than producing interpretative conclusions, as in many forensic disciplines, computer forensic science produces direct information and data that may have some significance in a case. This type of direct data collection has wide-ranging implications for both the relationship between the investigator and the forensic scientist and the work product of the forensic computer examination.

Using customized computer forensic tools, the target medium is acquired through a non-invasive complete area-by-area bit-stream image procedure. During the imaging process, it is critical the mirror image be acquired in a DOS environment. Switching on the computer and booting into its operating system will subtly modify the file system, potentially destroying some recoverable evidence.

The resulting image becomes the “evidence file,” which is mounted as a read-only or “virtual” file, on which the forensic examiner will perform their analysis. The forensics software used by CFI creates an evidence file that is continually verified by a Cyclical Redundancy Checksum (“CRC”) algorithm for every 64 sectors (block) of data and by a 128-bit MD5 hash for the entire image. Both steps verify the integrity of the evidence file and confirm the image has remained unaltered and forensically intact. With the MD5 hash, changing even one bit of data will result in a notification that the evidence file data has been changed and is no longer forensically intact.
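The two-level check described above can be sketched as follows. This is an added example, not CFI's software or any vendor's evidence-file format; it assumes 512-byte sectors and CRC-32 (the page does not name the CRC variant), and the image bytes are constructed.

```python
import hashlib
import zlib

SECTOR_SIZE = 512               # assumption: 512-byte sectors
SECTORS_PER_BLOCK = 64          # one CRC per 64-sector block, as described above
BLOCK_SIZE = SECTORS_PER_BLOCK * SECTOR_SIZE


def build_manifest(image: bytes) -> dict:
    """Record one CRC-32 per 64-sector block plus one MD5 over the whole image."""
    crcs = [zlib.crc32(image[off:off + BLOCK_SIZE])
            for off in range(0, len(image), BLOCK_SIZE)]
    return {"size": len(image), "block_crcs": crcs,
            "md5": hashlib.md5(image).hexdigest()}


def verify_image(image: bytes, manifest: dict) -> dict:
    """Re-check an image against its manifest and locate any altered blocks."""
    current = build_manifest(image)
    pairs = zip(current["block_crcs"], manifest["block_crcs"])
    bad = [i for i, (now, then) in enumerate(pairs) if now != then]
    size_ok = current["size"] == manifest["size"]
    md5_ok = current["md5"] == manifest["md5"]
    first = SECTORS_PER_BLOCK
    return {"intact": size_ok and md5_ok and not bad,
            "size_ok": size_ok, "md5_ok": md5_ok, "bad_blocks": bad,
            # sector ranges let the examiner see where the change landed
            "bad_sector_ranges": [(i * first, i * first + first - 1) for i in bad]}


def flip_bit(image: bytes, byte_offset: int, bit: int = 0) -> bytes:
    """Return a copy of the image with a single bit changed."""
    altered = bytearray(image)
    altered[byte_offset] ^= 1 << bit
    return bytes(altered)


# Constructed sample "image": three full blocks plus a partial fourth block.
SAMPLE_IMAGE = bytes((i * 31 + 7) % 256 for i in range(3 * BLOCK_SIZE + 1000))

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_IMAGE)
    print(verify_image(SAMPLE_IMAGE, manifest))
    print(verify_image(flip_bit(SAMPLE_IMAGE, 2 * BLOCK_SIZE + 5), manifest))
```

The whole-image hash says whether anything changed; the per-block CRCs say where. `hashlib.sha256` can replace `hashlib.md5` in `build_manifest` without other changes.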

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, a federal criminal statute outlawing various computer crimes, provides a civil remedy for companies victimized by a violation of the statute. In this new digital age, the CFAA is fast becoming recognized as a proactive tool that can be used by companies to retrieve stolen data, prevent its dissemination in the marketplace and obtain compensatory damages resulting from its theft, use and malicious destruction.

Email Discovery as Electronic Evidence

Tuesday, July 22nd, 2008

In today’s legal discovery world, electronically stored information requires special attention in litigation. The recent emphasis on producing electronically stored information requires an e-discovery team to apply legal principles to information technology. But electronically stored information can in some cases drive companies out of business, especially when they do not know how to find it, in particular Email and associated attachments. Most email discovery efforts relate to the collection and review of Email, as it remains one of the highest risk areas.

Email is widely used for communication on personal and business matters. Currently more than 1000 million Email accounts are in use worldwide, with an average of more than 4 Email accounts per person. With these Email accounts, all your incoming, saved, and sent mail is stored on a mail server within IMAP folders. Because we all rely on Email to operate our businesses and in our personal lives, it is important to take preventive measures to avoid the ultimate disaster of unrecoverable Email.

The Email message index lists the messages and is stored as entries in a database associated with the file structure. When you delete mail messages, the attachments of the deleted messages are deleted as well. However, you can restore them, as they are only moved to a special deleted-message folder called the Trash folder, like the files in the Recycle Bin. These deleted Emails still remain on a computer hard drive or on servers, or are retained on back-up tapes.

After an Email is deleted from the folder, the size of the database file is reduced by eliminating this vacant space. Once deleted, messages are kept in the trash folder, from which they can be easily retrieved. These files are not removed from the index of files; they are just moved to the trash directory, and the space is considered to be available for writing new data.

But if an Email in the trash folder is deleted again, it is no longer indexed and no longer readily accessible. These files are not truly deleted, however; they still exist on your hard drive. They have not been erased, and in most cases they can be easily retrieved. To retrieve the data from the trash files, forensic examination is required to locate and retrieve them. In some circumstances, these mails may be impossible to retrieve from the server, hard drive or PC because they have been overwritten by other files.

Even if your Email is completely lost, mail recovery tools can be used to scan the entire hard disk, locate and recover the deleted Email, and repair the database if it is corrupted.

Imagine your Email database deleted or the file system corrupted. If that happens, you would need an undelete tool to get the files back. Even when the database becomes corrupted, the data content may still exist, but the structure of the file may be wrong such that the mail program cannot list the messages. In that case you need email discovery tools, which typically scan your hard disk and list a whole bunch of files with damaged, crippled file names.

As different mail programs store data in different formats like Word, Excel, CSV, PDF, etc., you must use a data recovery tool that supports the mail software you are using. For Outlook Express or Windows Mail, Mail Recovery is effective and easy to use; to recover Microsoft Outlook files, you need Outlook recovery; and Mozilla Thunderbird mail folders can be recovered using a text editor, as they are plain text files.
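Because a Thunderbird folder is a plain-text mbox file, messages that were deleted but not yet compacted away can be listed by reading the file directly. The following is an added example, not a vendor tool; it assumes Thunderbird's `X-Mozilla-Status` header, in which bit 0x0008 marks a message as deleted and awaiting compaction, and the folder content is constructed.

```python
import re
from email import message_from_bytes

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted, awaiting folder compaction

# Constructed sample of a Thunderbird-style mbox folder file (not real mail).
SAMPLE_MBOX = (
    b"From - Mon Jul 21 09:00:00 2008\n"
    b"X-Mozilla-Status: 0001\n"
    b"From: alice@example.com\n"
    b"Subject: Q2 forecast\n"
    b"\n"
    b"Numbers attached.\n"
    b"\n"
    b"From - Mon Jul 21 09:05:00 2008\n"
    b"X-Mozilla-Status: 0009\n"
    b"From: bob@example.com\n"
    b"Subject: Please delete after reading\n"
    b"\n"
    b"Body still on disk.\n"
    b"\n"
)


def list_messages(mbox: bytes) -> list:
    """Split an mbox on its 'From ' separator lines and report each message's state."""
    # "From " (with a space) is the mbox separator; the "From:" header does not match.
    parts = re.split(rb"(?m)^From .*\n", mbox)[1:]
    found = []
    for raw in parts:
        msg = message_from_bytes(raw)
        try:
            status = int(msg.get("X-Mozilla-Status", "0"), 16)
        except ValueError:
            status = 0  # damaged header: treat as not flagged
        found.append({"from": msg.get("From", ""),
                      "subject": msg.get("Subject", ""),
                      "deleted": bool(status & EXPUNGED)})
    return found


if __name__ == "__main__":
    for entry in list_messages(SAMPLE_MBOX):
        print(entry)
```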

To avoid severe legal sanctions, you need an easy way to search for relevant Email in order to quickly meet legal discovery requests. In fact, an effective Email discovery solution can help mitigate these legal risks. www.Datatriage.com is one of the leading experts in the field of email discovery, which restores electronically stored information in Email and associated attachments.