Well I've recovered data from drives that have been formatted and/or defragged, not really that big of a deal today, maybe 5 years ago but there are so many automated tools today for carving it's fairly routine. Another factor I think he implies but doesn't mention is the large size of hard drives today and corresponding increase of sectors assigned to clusters......I believe that contributes to the availability of data for recovery, even with ....I don't have anything to support this other than isolated examples. I've never really run into a case where I had to reassemble a fragmented file, most of the time the file isn't fragmented or if it was the portion recovered is evidence enough to meet the element of proof I've been looking for or there was enough intact evidence so that further effort wasn't warranted. As far as the recovery of portions of a child porn graphic and the prosecution for that graphic.......mmmmmm....I'm not sure what he's getting at there. If you recover enough of a graphic for it to be identified as child porn (it meets those criteria as specified in the USC) and you can prove the other elements then you can charge it.....but I doubt anything like that would happen these days....especially in the 9th Circuit. You usually have a lot of CP, if the CP is so limited you're having to present fragments for prosecution then I don't think an AUSA would take it (this is at the federal level, not necessarily state or local).
-----Original Message-----
From: dhibbelnat_private [mailto:dhibbelnat_private]
Sent: Friday, August 24, 2001 11:08 AM
To: FORENSICSat_private
Subject: How to be a Computer Crime Investigator

Folks, I would welcome comments on this post from another list that a long time member made:

" I spent a week in May learning how to be a Computer Crime Investigator, I have attended a number of FBI seminars this year on Computer Crime and at the Information Systems and Control Association's annual convention, I sat in for another week on multiple seminars on hacking, computer crime and forensic investigation. These seminars were put on by industry and by the DEA and Justice Department. I have applied for a Computer Crime Investigator certification, I am waiting for that to come through.

"First on the low level formatting. It used to be that any IDE drive could be easily low level formatted. That is no longer so. Each manufacturer has its own algorithms for doing this. So in order to low level format more recent IDE drives you have to have software specific for THAT drive. Apparently there is no standard software anymore. SCSI still has low level format capabilities, usually built into the controller. A high level format (the one you normally do on your computer) does not really erase much of anything. The forensic experts claim that they can recover data after 7 (seven) high level formats. One lecture I was in, was put on by a company in Oregon who are forensic experts, talked about recovery. The question was asked about how much a defragment operation permanently erases. The expert's comment was that very few people defragment, so most information is easily recoverable. The defragmenting does make it harder, if it has been done over time many times. Essentially it has to do with how much disk activity there has been, how much deleting and rewriting has gone on and the level of expertise of the forensic technician.
This company in Oregon puts their diplomas in fragments on a formatted floppy. You have to retrieve the pieces forensically and reassemble them to get your diploma.

The porno cops have indexed many of the known child pornography pictures as many of the pictures have been around for a lot of years. Many of them came from a series done in the early 1980's. If, forensically, they find snippets of the pictures on a hard drive, not the entire picture, only small pieces, they will prosecute based on that snippet because they can identify which picture it originally came from. Usually prosecution is based on one count per picture.

Snippets are also used in hacker prosecution. Often hackers will leave traces of their activity with these snippets after they think they have deleted all of their activity. There are software forensic tools that will examine a hard drive cluster by cluster. Much of the forensic data is found in slack space between files. It takes as long as 40 hours to examine a 4 gb drive. If you have the time, money, expertise, equipment and software, you can do an amazing amount of recovery. Most people do not take steps or know the steps to take, to minimize or eliminate what is left on an erased hard drive or how to truly delete files"

Regards
David R. Hibbeln

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
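The two recovery mechanisms discussed in this thread, signature-based carving of a file whose directory entry is gone, and residue left in the slack between the end of a file and the end of its last cluster, can be shown on a small constructed image. The example below is added here and is not code from either message; it assumes a 4096-byte cluster, a constructed image whose clusters first held an old file and were then partly overwritten by a 5000-byte JPEG-like file, and the standard JPEG start (FF D8 FF) and end (FF D9) markers. It also shows the caveat raised in the reply: header-to-footer carving only works when the file is contiguous.

```python
import math
import re

# Cluster size assumed for the constructed image (a common default on
# FAT and NTFS volumes; larger clusters mean more slack per file).
CLUSTER_SIZE = 4096

# Constructed residue: the content of a file that was "deleted" earlier
# and whose clusters were only partly reused.
OLD_CONTENT = b"OLDSECRET"


def build_image(num_clusters=3):
    """Constructed disk image: old data fills every cluster, then a
    5000-byte JPEG-like file is written from cluster 0. No directory
    entry is kept, which is what a delete or a high-level format leaves
    behind; the bytes themselves are still on disk."""
    size = num_clusters * CLUSTER_SIZE
    image = bytearray((OLD_CONTENT * (size // len(OLD_CONTENT) + 1))[:size])
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * (5000 - 6) + b"\xff\xd9"
    image[0:len(jpeg)] = jpeg
    return bytes(image)


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of a file and the end of its last cluster.
    This is the space the post calls slack; the filesystem never
    overwrites it when the file is written."""
    return (-file_size) % cluster_size


# JPEG start-of-image marker, anything, then end-of-image marker.
JPEG_PATTERN = re.compile(rb"\xff\xd8\xff.*?\xff\xd9", re.DOTALL)


def carve_jpegs(image):
    """Header-to-footer carving over the raw image: returns a list of
    (offset, length) pairs. It assumes each file is contiguous; a
    fragmented file would need its pieces located and reassembled,
    which this simple scan does not attempt."""
    return [(m.start(), m.end() - m.start()) for m in JPEG_PATTERN.finditer(image)]


def file_slack(image, offset, length, cluster_size=CLUSTER_SIZE):
    """Residue sitting after a carved file in its last cluster."""
    last_cluster_end = offset + math.ceil(length / cluster_size) * cluster_size
    return image[offset + length:last_cluster_end]


if __name__ == "__main__":
    img = build_image()
    for offset, length in carve_jpegs(img):
        slack = file_slack(img, offset, length)
        print(f"JPEG at offset {offset}, {length} bytes, "
              f"{len(slack)} bytes of slack in its last cluster")
        print("old file content still readable in slack:", OLD_CONTENT in slack)
```

Running it carves the 5000-byte file at offset 0 even though no directory entry points to it, and the 3192 bytes of slack behind it still hold the earlier file's content. The same arithmetic explains the point made in the reply: a 5000-byte file on 4096-byte clusters leaves 3192 bytes of slack, while on 512-byte clusters it would leave only 120.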
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 12:24:05 PDT