Data Recovery

Recovering Deleted Email

It’s important to understand that deleted email is not recovered or indexed using common litigation support or electronic discovery software. These applications only process email that is still visible within the email software.

Some email recovery software can also fall short when restoring deleted email records. Why is that? Because it is designed to undelete email records that still have an entry in the mail store index. Unfortunately, many mail stores remove those entries once the database is compressed, so many people believe that email cannot be recovered once the mail store's database has been compressed. However, this isn't always the case.

Deleted email content may still be intact and recoverable. By using software tools designed to ‘carve’ email data, it is still possible to recover the original content. Using the following steps, email can often be recovered even after typical recovery tools fail.

1) Use Winhex, EnCase or other file recovery tools that can recover email fragments
2) Import recovered files (MBOX) through Aid4Mail into Paraben’s Email Examiner
3) Export email and attachments to msg, pst and other formats

Using the same approach to recover email as deleted files can often provide better results than doing a recovery on the individual mail store. As mentioned above, when performing recovery on Mozilla Thunderbird mail stores and others, many programs only recover what is still listed in the index files. If these files are missing, corrupted, or no longer contain the email record, you can try Zmeil from Zero Assumption Recovery (http://www.z-a-recovery.com/zmeil-email-recovery.htm). Zmeil doesn't rely on the mail store index; it parses the data files and is a great tool to use for additional verification of recovered email data. Zmeil works great as an inexpensive standalone email recovery tool.

Email communication is often a critical piece of the electronic discovery puzzle. Deleted email doesn't get fully processed with common electronic discovery software. If you believe you may miss critical evidence because a custodian deleted important emails, then a specialized recovery process should be performed by someone with the appropriate training and knowledge of the process.
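To make the carving step concrete, here is an added example (my own illustration, not part of the original post and not code from Zero Assumption Recovery, Paraben or any other tool named above): a small Python carver that scans raw bytes for the header-block signature every RFC 5322 message leaves behind, cuts each record out up to the next record, the next MBOX "From " separator or the first NUL byte, and parses it with the standard library. The "disk image" it runs over is constructed inline; the names, addresses, dates and message text in it are invented.

```python
import re
from email import policy
from email.parser import BytesParser

# A run of at least two RFC 5322 header lines (folded continuation lines
# allowed), terminated by an empty line. Field names are printable ASCII
# other than ':'. This is the signature an email record leaves behind in raw
# data even after the mail store index has forgotten it.
HEADER_BLOCK = re.compile(
    rb"(?:^|(?<=\n))"
    rb"(?:[\x21-\x39\x3B-\x7E]+:[^\r\n]*\r?\n(?:[ \t][^\r\n]*\r?\n)*){2,}"
    rb"\r?\n"
)
MBOX_SEPARATOR = re.compile(rb"\r?\nFrom [^\r\n]*\r?\n")
MAX_BODY = 64 * 1024  # how far past the headers one carved record may extend


def carve_messages(raw: bytes) -> list:
    """Locate header blocks in raw bytes and carve each message up to the
    next block, the next MBOX 'From ' separator, or the first NUL byte."""
    hits = [m for m in HEADER_BLOCK.finditer(raw)
            if re.search(rb"(?im)^From:", m.group(0))]
    records = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(raw)
        chunk = raw[m.start():min(end, m.end() + MAX_BODY)]
        # NUL never occurs in RFC 5322 text: whatever follows it is not body.
        chunk = chunk.split(b"\x00", 1)[0]
        # An MBOX separator marks the start of the next record (MBOX writers
        # quote a body line starting with "From " as ">From ", so the cut is safe).
        sep = MBOX_SEPARATOR.search(chunk)
        if sep:
            chunk = chunk[:sep.start()]
        msg = BytesParser(policy=policy.default).parsebytes(chunk)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        records.append({
            "offset": m.start(),
            "from": str(msg["From"] or ""),
            "to": str(msg["To"] or ""),
            "subject": str(msg["Subject"] or ""),
            "date": str(msg["Date"] or ""),
            "body": text.strip(),
        })
    return records


def build_sample_image() -> bytes:
    """Constructed test data (not from any real mail store): two complete
    messages and one header-only fragment whose body was overwritten with
    zeros, all embedded in non-mail filler bytes."""
    junk = bytes(range(256)) * 3
    msg1 = (b"Return-Path: <ann@example.com>\r\n"
            b"From: Ann <ann@example.com>\r\n"
            b"To: bob@example.net\r\n"
            b"Subject: Q1 sales report\r\n"
            b"Date: Tue, 18 Mar 2008 12:00:00 +0000\r\n"
            b"\r\n"
            b"Bob, the bonus figures for Mr. Smith are attached.\r\n")
    mbox_sep = b"From bob@example.net Tue Mar 18 13:05:00 2008\r\n"
    msg2 = (b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
            b"\tby mx.example.com; Tue, 18 Mar 2008 13:05:00 +0000\r\n"
            b"From: Bob <bob@example.net>\r\n"
            b"To: ann@example.com\r\n"
            b"Subject: Re: Q1 sales report\r\n"
            b"Date: Tue, 18 Mar 2008 13:05:00 +0000\r\n"
            b"\r\n"
            b"Got it, thanks.\r\n")
    fragment = (b"From: Ann <ann@example.com>\r\n"
                b"To: carol@example.org\r\n"
                b"Subject: Forwarding the numbers\r\n"
                b"\r\n") + b"\x00" * 64
    return (junk + msg1 + junk[:37] + mbox_sep + msg2 + b"\r\n" + mbox_sep
            + fragment + junk)


if __name__ == "__main__":
    for r in carve_messages(build_sample_image()):
        print(f"@{r['offset']:>6} {r['date']:<31} {r['from']:<24} "
              f"{r['subject']!r} body={r['body'][:32]!r}")
```

The third record shows why carving is worth doing even when a recovery tool reports nothing: the body was overwritten, but the headers (sender, recipient, subject) are still intact and still tell the examiner who wrote to whom. Note the deliberate limits: a body line that begins with an unquoted "From " in a non-MBOX store would truncate a record, and a multi-part message needs the full MIME handling that the standard parser provides once the record has been cut out.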

Secretly Copying Files To An External USB Drive

Copying corporate data and using it at a competing company (intellectual property/corporate asset theft) is a common and serious concern for companies and their legal counsel. When employees leave companies, there are often questions about the security of the information they previously accessed. Will they use the contacts, forms, or product details as a competitive advantage in their new job?

I had previously written about how to use the file activity records located in the index.dat file to identify when files were accessed. This can help determine if files were copied from a corporate file server. I want to expand on a couple of additional artifacts that can be used and then provide an illustration. There are three primary artifacts that can be used to help determine if someone accessed and copied specific files using an external drive, CD/DVD, flash device, or other storage media.

1) USBStor Registry Entry – Microsoft Windows uses its registry to track information about the computer’s users, operating system, hardware, applications, security, and other relevant information. When USB devices are plugged into a computer, several key artifacts are captured including the make, model, serial number (if available), and when the device was plugged in.

2) Index.dat Access Record – Microsoft Windows uses the index.dat file to track website activity in Internet Explorer. It also contains when and from where files were accessed. We often have to recover deleted or purged activity using programs like NetAnalysis to do a thorough analysis. NetAnalysis can often recover hundreds of thousands of records that are no longer available in the index.dat files on the system.

3) Link File (.lnk shortcut) – Shortcuts can be created by a user and are commonly stored on the desktop. Microsoft Windows also automatically creates .lnk shortcut files for files that a user opens. These files store a wealth of information about the source document, including the path, the date and time it was created, written and last accessed, its size, the volume serial number, and several others. This information is encoded and requires special software to display it in a format that is useful.

4) “File Sniper” - Use a product like Harvester from Pinpoint Labs to create a hash list of the suspect files and scan all locations where the files could be in use. It isn’t uncommon for a computer forensic examiner to be asked if there is a way to create a list of files from a corporate network or employees system and check if they are in use by a competitor.

By using the above artifacts, it is possible to determine that files located on a company server or client machine were copied or accessed after a specific date and time. Note that this doesn't provide the contents of the file, and a thorough review would be necessary to make sure it is the same file. However, if the file name and other relevant metadata are a match, it does appear suspicious and may be enough to construct a solid argument that the employee copied or burned files, accessed the contents, or used the information. This may lead to criminal and civil charges around possibly benefiting a future employer or a new company that the employee decided to start.
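As an added illustration of the third artifact (the link file), not taken from the original post or from any of the tools it names: a Python parser for the ShellLinkHeader and LinkInfo structures of a .lnk file, which is where the target path, the created/accessed/written timestamps, the size and the volume serial number are stored. Since no real shortcut ships with this page, the block constructs its own .lnk pointing at a document on a removable volume; the path, volume label, serial number and every date in it are invented test values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_LINK_TARGET_ID_LIST = 0x01          # ShellLinkHeader.LinkFlags bit 0
HAS_LINK_INFO = 0x02                    # ShellLinkHeader.LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfo.LinkInfoFlags bit 0
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def cstring(buf: bytes, offset: int) -> str:
    """NUL-terminated ANSI string (decoded as latin-1 here for portability)."""
    return buf[offset:].split(b"\x00", 1)[0].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Pull target path, timestamps, size and volume details out of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    # Offset 20: LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "link_flags": flags,
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
    }
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = data[pos:]                       # LinkInfo offsets are relative to its start
        (_size, _hdr, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", li, 0)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = cstring(li, vol_off + label_off)
            info["local_base_path"] = cstring(li, base_off)
        info["common_path_suffix"] = cstring(li, suffix_off)
    return info


def _ft(year, month, day, hour, minute) -> int:
    return datetime_to_filetime(datetime(year, month, day, hour, minute, tzinfo=timezone.utc))


def build_sample_lnk() -> bytes:
    """Constructed .lnk (not captured from a real system): the shortcut Windows
    would leave behind after a document on a removable USB volume was opened."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, HAS_LINK_INFO, 0x20,
                         _ft(2008, 3, 14, 9, 30), _ft(2008, 3, 20, 17, 5),
                         _ft(2008, 3, 18, 12, 0), 24576, 0, 1, 0, 0, 0, 0)
    label = b"USB_DISK\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    base_path = b"E:\\Work\\sales report.doc\x00"
    suffix = b"\x00"
    vol_off = 28                      # LinkInfoHeaderSize without the unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:>20}: {value}")
```

The volume serial number is the value to cross-reference: the same serial appears in the USBStor registry artifact described under item 1, so a .lnk that names a removable drive with a matching serial ties a specific document to a specific device. Real shortcuts also carry a shell item ID list and, on newer systems, unicode path fields; the parser skips the former and ignores the latter, which is enough to read the fields this post lists.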

USB Artifacts Illustration (Download PDF here)

Recovering Files From Unallocated Space

Recovering data from a hard drive is one of the most common tasks during a computer investigation. Here are a few of the artifacts which computer investigators may retrieve from unallocated (free) space to assist in a case:

* MS Office documents
* Acrobat files (.pdf)
* Email messages and attachments
* Images in various formats
* Internet history (pages visited, searches)
* Registry files (current and past)
* File access records (when and where files were opened)
* Pre-fetch files (when a specific program was run)

Many cases revolve around correspondence, work products, whether or not files were stolen or manipulated, and to what lengths the suspect went to cover up his or her activities. A common misconception among attorneys and litigation support professionals is that all relevant data from a computer hard drive is recovered during electronic discovery processing. The truth is that off-the-shelf electronic discovery software doesn't index or search data that was deleted and resides in unallocated space. A considerable amount of valuable information is available on computer hard drives, but it resides in an area of the hard drive that may not have been collected from or was not searched during a typical electronic discovery project.

I don’t believe that every project warrants a complete computer investigation. I just want to clarify that if the computers of certain individuals involved in a lawsuit require a more thorough analysis, then a forensic image or hard drive clone is required. In this case, a computer forensic investigator with the skills and appropriate software tools needs to be hired to search deleted items which aren’t typically reviewed during the electronic discovery processing phase.

What is unallocated space? I have provided an illustration that helps show the different states for the physical area of a file, before it was deleted, and then once it is deleted, the different stages of retrieval possible from unallocated space.

UNALLOCATED SPACE ILLUSTRATION (Download PDF here)

Recovering Deleted Images

There are three common scenarios in which you may want to recover deleted images:

  1. Images accessed from web sites
  2. Images downloaded by a user or obtained through file sharing applications
  3. Photos stored on a computer hard drive, camera or memory card

During a computer forensic investigation, it is common to recover tens of thousands of images from a user's hard drive. The majority of the images will be irrelevant, because they include icons, application images, toolbar pictures, advertisements from web pages, and Windows default pictures. Images on web pages visited are cached (automatically downloaded) to a computer, then cleared or purged after a period of time or by the user who chooses to clear them. Images and web content are automatically cached so that the web page will load faster the next time a user visits the website. This information can be recovered and used to recreate web mail (Yahoo, Gmail, Hotmail, etc.) and pages visited.

Valuable artifacts may be included in the large collection of irrelevant images related to the websites that a user visited and images or pictures that were downloaded. Computer forensic examiners employ powerful recovery tools that can restore images from a variety of media.

File Carving – Valuable Remnants Recovered!

Carving files, which can be performed manually or through an automated process, permits the recovery of a portion of a corrupted or deleted file. During a computer investigation, examiners may encounter deleted files that cannot be fully recovered. However, enough of the file may still be intact and worth restoring.

For example, if a deleted Microsoft Word document called "sales report.doc" contains the keywords "Mr. Smith, Bonus," but the file cannot be viewed, then it is most likely damaged. Even though not enough of the file is intact to be opened, it may still be possible to carve the useful content. Using specialized software, such as EnCase, FTK, WinHex, ProDiscover and several others, it may be possible to locate, restore and even repair damaged or overwritten files.

UNALLOCATED SPACE ILLUSTRATION (Download PDF here)

What are File Headers? (Signatures)

Many file types can be identified by using what’s known as a file header. A file header is a ‘signature’ placed at the beginning of a file, so the operating system and other software know what to do with the following contents.

Many electronic discovery applications will use the file header as a means to verify file types. The common fear is that if a custodian changes a file's extension, or the file wasn't named using an application's default naming convention, that file will be missed during electronic discovery processing. For example, if I create a Microsoft Word document and name it 'myfile.001' instead of 'myfile.doc', and then attempt to locate all Microsoft Word files at a later date, I would miss the file if I were looking for all files ending in '.doc'. Searching by extension only finds files that still carry the extension associated with their native application.

During a computer forensic investigation, file headers are extremely valuable because they allow us to locate the contents of deleted files, user activity logs, registry entries, and other relevant artifacts. For example, if I'm investigating a custodian's hard drive for evidence that they were working for a competing company, I would want to recover their file activity records. A large number of custodian activity records are often already purged or deleted. By scanning a computer's hard drive for the signature related to user activity records, we often recover relevant artifacts (file access records) up to several years after they were deleted.
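An added example that serves both the file-carving and file-header sections above (it is my illustration, not code from EnCase, FTK, WinHex or ProDiscover): a Python carver that identifies files by their signature rather than their name, so a Word document saved as 'myfile.001' is still found, and cuts each hit out of a raw byte run up to its trailer, or up to a fixed maximum where the format has no reliable trailer (the OLE compound header used by legacy .doc/.xls/.ppt). The "unallocated space" it scans is constructed inline from a few invented files.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes] = None   # None: no reliable trailer, carve a fixed run
    footer_extra: int = 0            # bytes that belong to the file after the footer marker
    max_len: int = 1 << 20           # upper bound on one carved file


# Magic numbers for a few types that matter in discovery. The OLE compound
# header covers legacy .doc/.xls/.ppt; its true length lives in the sector
# allocation table, which this demo does not walk, so it falls back to max_len.
SIGNATURES = [
    Signature("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    Signature("pdf", b"%PDF-", b"%%EOF"),
    Signature("zip", b"PK\x03\x04", b"PK\x05\x06", footer_extra=18),  # EOCD record is 22 bytes
    Signature("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", max_len=4096),
]


def identify(data: bytes) -> Optional[str]:
    """Classify by leading bytes; the file name and extension play no part."""
    for sig in SIGNATURES:
        if data.startswith(sig.header):
            return sig.name
    return None


def carve(image: bytes) -> list:
    """Scan raw bytes (e.g. unallocated space) for known headers and cut each
    candidate out up to its footer, or up to max_len when none is found."""
    found = []
    for sig in SIGNATURES:
        start = image.find(sig.header)
        while start >= 0:
            end = None
            if sig.footer is not None:
                f = image.find(sig.footer, start + len(sig.header), start + sig.max_len)
                if f >= 0:
                    end = f + len(sig.footer) + sig.footer_extra
            if end is None:
                end = min(start + sig.max_len, len(image))
            found.append({"type": sig.name, "offset": start, "data": image[start:end]})
            # Resume after this file: a JPEG's embedded EXIF thumbnail, for
            # instance, would otherwise be carved a second time as a nested hit.
            start = image.find(sig.header, end)
    return sorted(found, key=lambda f: f["offset"])


def list_zip_entries(data: bytes) -> list:
    """Prove a carved ZIP/OOXML container is intact by opening it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample files (invented content, not real documents).
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xdb\x00\x43\x00" + bytes(range(1, 68)) + b"\xff\xd9")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")
SAMPLE_OLE_FRAGMENT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504  # header sector only


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "constructed sample text")
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler bytes with four files dropped in
    at arbitrary offsets, one of them (the OLE header) only a fragment."""
    junk = bytes(range(256)) * 2
    return (junk + SAMPLE_JPEG + junk[:100] + SAMPLE_PDF + junk[:37]
            + build_sample_zip() + junk + SAMPLE_OLE_FRAGMENT + junk[:200])


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']:<5} @ {f['offset']:>6}  {len(f['data']):>6} bytes")
```

Two caveats the code makes visible: a trailer-based cut is only as good as the trailer (a PDF with incremental updates contains several %%EOF markers and would be truncated at the first one), and a header with no usable trailer yields a fixed-size blob that still needs the format's own structure parsed to find its real end. Both are reasons a carved file is a candidate to be verified, not a finished recovery, which is the same point the text makes about reviewing the carved content.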

Recovering deleted files (3 of 3)

To recover deleted files, user activity logs, Internet history, and other potentially relevant custodian information, a ‘physical’ copy or forensic image of the hard drive or other media is required. Creating a physical copy or forensic image preserves the entire contents of the media, and makes it possible to recover deleted files, user activity and other potentially relevant artifacts. Several hardware and software products specifically designed to capture a physical copy or forensic image are available.

A computer forensic examiner needs access to the ‘space’ between the visible files that contains deleted information. This space is referred to as unallocated (slack, free, swap) space and requires a physical copy or forensic image.

Copying files from Windows Explorer skips over the unallocated areas mentioned above. Make sure you request a clone or forensic image of any media where you believe deleted activity and file content might reside. Depending on what remains, your computer forensics examiner will be able to recover the deleted activity.

Recovering deleted files (2 of 3)

It often comes as a shock to attorneys and their staff when they hear that electronic discovery processing doesn’t automatically search the entire contents of a custodian’s hard drive. So, it’s worth stating again for emphasis here. Common electronic discovery applications used by service providers and law firms aren’t designed to search the unallocated (swap, free, slack) hard drive space, which is where deleted files and other potentially relevant data will reside.

If you have custodians that need a thorough investigation, you may need to dig deeper than the results that EED processing provides. If you suspect that specific custodians may have deleted files or user activity logs, or you need to analyze specific activity taking place on the custodian's computer, then you'll need to begin a computer forensic investigation to review the computer's unallocated space.

I'm not recommending that every custodian hard drive and server will need to be forensically imaged and analyzed. In fact, the majority of the files identified as being relevant to ESI (Electronically Stored Information) production can be processed and reviewed using off-the-shelf EED software. However, during the course of many cases, an individual or two can be identified as 'suspects', requiring a more thorough investigation of the activity on their desktop or laptop computers.

Recovering deleted files (1 of 3)

In my last post, I pointed out that in the case of the BTK killer in Kansas, investigators recovered a deleted Microsoft Office document that contained evidence crucial to the case. There are still many litigation support professionals who don’t thoroughly understand what happens to files and user activity logs once the information is deleted or cleared and why it should be found or how it can be recovered. Recovering user activity, work product and correspondence could be crucial to winning your case.

The reason that a file or other data isn't visible, but can still be recovered, is quite simple. If you delete a file, Microsoft Windows removes it from your view; however, at that same point in time, the contents of the file are still stored on your hard drive. In addition to removing the file from your view, Microsoft Windows "flags" the space where the file still resides as "available". How much of the original content remains depends on whether that space has since been needed for other files and how much time has passed in the interim.

One of the primary differences between a computer forensic investigation and electronic discovery processing is the area of the hard drive that is being reviewed for potential evidence. Electronic discovery software will index and search the 'visible' or what is referred to as logical files (those still displayed to the user and available in Windows). Computer forensic investigations, on the other hand, will review the current files and also the content contained in the deleted information. In order to search through deleted information, however, a forensic image or clone of the suspect media is required. I'll go into more detail in post (3 of 3).