We have also learned that some computer manufacturers "recycle" returned computers and hard disk drives. In such cases the hard disk drives are likely reformatted and OEM software is reinstalled. Unfortunately, reformatting a hard disk drive does not eliminate data; in fact, the majority of the data remains behind. These situations are isolated, but they can cause serious problems for a computer forensics specialist who is relying on new hard disk drives to be clean and free of user-created data. You can imagine the problems that would be created if the former computer user had stored hundreds of child pornography images on the hard disk drive before the computer was returned as defective. What if the former computer user had used the computer to store information in the commission of a crime, e.g. illegal drug trafficking? To avoid such remote possibilities, the computer forensics specialist is wise to check and scrub data from all computer hard disk drives that will be used in the laboratory processing of computer evidence. The same is true of floppy diskettes, Zip disks and Jaz cartridges, because there is no guarantee that storage media is free of data as it comes out of the box.
NTI recommends that all processing hard disk drives and other storage devices be scanned for anomalies using a DOS utility such as ScanDisk to verify that the hard disk drive is not flawed. This may take some time, but it confirms that the hard disk drive is error free, and this safety measure may save you from some headaches in the long run. In fact, it is prudent to scan for anomalies every time storage media is used for the storage or processing of computer evidence. After the storage media has been verified to be sound, it should be scrubbed of all data. As mentioned previously, reformatting storage media does not guarantee the elimination of data. To assist in this process, NTI makes two separate products available to its clients. The first is called Disk Scrub, and it is used to scrub a logical storage device of all data. The second is called M-Sweep, and it is used to eliminate "hidden data" which may lurk in file slack, erased file space, temporary files and/or the Windows swap file. Both products are also well suited for use when computers are surplused, when computers are reassigned and when floppy diskettes are exchanged between individuals.
Another problem worth mentioning was called to our attention by a law enforcement computer forensics specialist. He was involved in a multi-state investigation of a murder. Computer evidence was involved, and two police departments each examined restored copies of the same mirror image backups of the subject computers. In the examination, one of the law enforcement computer specialists found what he thought was relevant evidence pertaining to the crime. Fortunately for the defendant, the other law enforcement computer forensics specialist was unable to duplicate the results of the first examiner when he used a restored image of the subject computer's hard disk drive.
The technical and evidence issues in this case involved the physical search of the hard disk drive using one of the NTI forensics search tools. As it turned out, one of the hard disk drives used in the restoration of a mirror image backup contained data remnants from the examination of another computer in the case. The first computer's hard disk drive was larger than the second, and as a result, data bleed almost fooled the computer specialists: the restored image covered only the first part of the laboratory drive, and the remnants from the earlier examination sat beyond it. Be aware that this situation can occur any time a restoration is made to a computer hard disk drive that is larger than the original hard disk drive. The problem is eliminated when data scrubbers are used to sanitize laboratory computers.
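The scrubbing advice in the second paragraph and the data bleed case just described are two sides of the same mechanism, so the following small Python simulation (an added example, not code from the original article and not one of the NTI tools) demonstrates both. It models a laboratory drive and a mirror image as byte arrays with assumed 512-byte sectors, restores a 20-sector "case B" image onto a 100-sector drive that was previously used for "case A", and shows that the image-region hash verifies in both runs while a raw physical search only stops returning case A residue once the whole drive has been overwritten and verified beforehand. The marker strings, sector sizes and the two-pass overwrite pattern are constructed for the demonstration; whatever patterns Disk Scrub actually writes are not known from the article.

```python
import hashlib

SECTOR = 512  # bytes per sector (assumed for the simulation)


def make_drive(num_sectors, pattern=b"\x00"):
    """Model a physical device as a bytearray filled with `pattern`."""
    return bytearray(pattern * (num_sectors * SECTOR // len(pattern)))


def write_at(device, offset, data):
    device[offset:offset + len(data)] = data


def restore_image(drive, image):
    """Bit-for-bit restore of `image` onto the start of `drive`. As with a real
    mirror image restore, nothing past len(image) on the target is touched."""
    if len(image) > len(drive):
        raise ValueError("image larger than target drive")
    drive[:len(image)] = image


def image_hash_matches(drive, image):
    """The usual integrity check: the restored region hashes like the image.
    This passes whether or not residue sits beyond the image."""
    return hashlib.sha256(drive[:len(image)]).digest() == hashlib.sha256(image).digest()


def physical_search(device, needle):
    """Whole-device search that ignores the file system, like a raw sector
    scan. Returns the byte offset of the first hit, or -1."""
    return bytes(device).find(needle)


def residual_sectors(drive, image_len, pattern=b"\x00"):
    """Sector numbers past the restored image that do not hold the scrub
    pattern, i.e. residue from whatever the drive was used for before."""
    clean = pattern * (SECTOR // len(pattern))
    return [n for n in range(image_len // SECTOR, len(drive) // SECTOR)
            if bytes(drive[n * SECTOR:(n + 1) * SECTOR]) != clean]


def scrub(drive, passes=(b"\xff", b"\x00")):
    """Overwrite the entire device with each pattern in turn; the final pass
    leaves the pattern that verify_scrubbed() checks for."""
    for pattern in passes:
        drive[:] = pattern * (len(drive) // len(pattern))


def verify_scrubbed(drive, pattern=b"\x00"):
    """Check every sector before trusting the drive for a restore."""
    return residual_sectors(drive, 0, pattern) == []


# Constructed sample data: the lab drive previously held a restore of "case A";
# a smaller "case B" image is now restored onto it.
CASE_A_MARKER = b"CASE-A-EVIDENCE-FRAGMENT"
CASE_B_MARKER = b"CASE-B-DOCUMENT"


def lab_drive_after_case_a():
    drive = make_drive(100)
    write_at(drive, 50 * SECTOR, CASE_A_MARKER)  # sector 50, past case B's 20 sectors
    return drive


def case_b_image():
    image = make_drive(20)
    write_at(image, 3 * SECTOR, CASE_B_MARKER)
    return image


def run_restore(scrub_first):
    """Restore case B onto the lab drive, optionally scrubbing it first, and
    report what an examiner's checks and raw search would show."""
    drive = lab_drive_after_case_a()
    if scrub_first:
        scrub(drive)
        if not verify_scrubbed(drive):
            raise RuntimeError("drive failed scrub verification")
    image = case_b_image()
    restore_image(drive, image)
    return {
        "image_verified": image_hash_matches(drive, image),
        "case_a_hit_offset": physical_search(drive, CASE_A_MARKER),
        "case_b_hit_offset": physical_search(drive, CASE_B_MARKER),
        "residual_sectors": residual_sectors(drive, len(image)),
    }


if __name__ == "__main__":
    for label, flag in (("unscrubbed", False), ("scrubbed", True)):
        print(label, run_restore(flag))
```

In the unscrubbed run the image hash verifies, yet the raw search hits the case A marker at byte offset 25600 (sector 50) and `residual_sectors` reports that sector, which is exactly how a remnant from one examination can surface in another. In the scrubbed run the hash still verifies, the case A search returns -1 and no residual sectors remain, which is why scrubbing and verifying the laboratory drive before every restore, rather than relying on image verification alone, is the check that matters.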
Please direct E-mail to info@forensics-intl.com
Copyright © 2000 by New Technologies, Inc. February 23, 2000