Today's computers have the potential to store vast amounts of data and this creates problems for the computer forensics investigator. If the case involves just one category of computer files, i.e., GIF, BMP and JPG files, it makes no sense to review the contents of the entire computer. Also, literally hundreds of computer graphics files are stored transparently on computer hard disk drives as a normal process of Internet web browsing. Thus, the computer forensics investigator is faced with finding an electronic needle in a haystack.
In determining if a computer user has been involved with illegal or inappropriate viewing, storage or distribution of pornographic computer images, it makes sense to use computer sampling techniques to determine the nature of stored image files on the subject computer system. Such an analysis is not thorough, but it can help determine if a more thorough examination of the computer is required.
NTI's Graphics File Extractor software can be used to quickly sample the Windows Swap/Page File and help the computer forensics investigator in making a quick determination about possible past Internet computer usage tied to a specific computer. Typically such a sampling can be completed in under one hour using Graphics File Extractor and the output will consist of reconstructed graphic image files. These output files can quickly be reviewed using a graphics file viewer like Firehand Ember. Although there are several graphics file viewing programs, we like Firehand Ember because it is easy to use and it is priced right to fit with limited law enforcement budgets.
If no relevant graphics are found after the sampling, then, depending upon the importance of the case and the time limitations involved, it may not be prudent to spend additional time processing the subject computer hard disk drive. However, if relevant images are identified, then a quick decision can be made as to whether or not a more thorough examination of the subject computer is required.
This sampling technique works for law enforcement computer crime specialists, government computer specialists and corporate investigators. Unfortunately, the viewing of pornography on company time and computers has become a serious problem in recent years. This problem can quickly be identified and rectified through the use of this sampling technique. Be aware, though, that this is only a sampling technique and the findings are not evidence of wrongdoing. Also, the finding of a few inappropriate graphics images on a specific computer may have no relevance because of the possibility that one or more URLs were unintentionally accessed by the computer user. Thus, the output from NTI's Graphics File Extractor should be treated as a source of investigative leads rather than conclusive evidence of wrongdoing. The leads can become evidence after the graphic images are evaluated along with other evidence and a more detailed examination of the subject computer's hard disk drive.
The Windows Swap/Page File is a good place to start. However, if you want to use this sampling technique on a larger volume of data and want to obtain better results, you might consider using Graphics File Extractor to sample all of the unallocated storage space on the subject computer. This sampling process will take a bit longer but you will get much more output. This is accomplished by using NTI's GetFree software which will create a file consisting of all of the unallocated storage space on a computer hard disk drive. The resulting files can then be reviewed using Firehand Ember software.
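The following added example (not NTI's code, and not a description of how Graphics File Extractor works internally) shows signature-based carving of JPG, GIF and BMP candidates from a raw dump such as a copied swap/page file or a file of unallocated space. It assumes each image is stored contiguously; `MAX_SIZE`, the function names and the sample bytes are constructed for illustration.

```python
import struct

MAX_SIZE = 10 * 1024 * 1024  # assumed upper bound for one carved image

def _carve_delimited(data, kind, header, footer):
    """Carve header..footer runs; assumes the image bytes are contiguous."""
    out, pos = [], data.find(header)
    while pos != -1:
        end = data.find(footer, pos + len(header), pos + MAX_SIZE)
        if end != -1:
            out.append((kind, pos, data[pos:end + len(footer)]))
        pos = data.find(header, pos + 1)
    return out

def _carve_bmp(data):
    """BMP has no footer; trust the size field in its 14-byte file header."""
    out, pos = [], data.find(b"BM")
    while pos != -1:
        if pos + 14 <= len(data):
            size, res1, res2, pix_off = struct.unpack_from("<IHHI", data, pos + 2)
            # Sanity checks reject most random "BM" byte pairs.
            if (res1 == 0 and res2 == 0 and 14 <= pix_off < size <= MAX_SIZE
                    and pos + size <= len(data)):
                out.append(("bmp", pos, data[pos:pos + size]))
        pos = data.find(b"BM", pos + 1)
    return out

def carve_images(data):
    """Return (kind, offset, bytes) candidates sorted by offset."""
    hits = _carve_delimited(data, "jpg", b"\xff\xd8\xff", b"\xff\xd9")
    for magic in (b"GIF87a", b"GIF89a"):
        hits += _carve_delimited(data, "gif", magic, b"\x00\x3b")
    hits += _carve_bmp(data)
    return sorted(hits, key=lambda h: h[1])

# Constructed sample standing in for a swap/page file or unallocated-space dump.
JPG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
GIF = b"GIF89a" + b"constructed" + b"\x00\x3b"
BMP = b"BM" + struct.pack("<IHHI", 30, 0, 0, 26) + b"\x00" * 16
SAMPLE = b"\x00" * 100 + JPG + b"pagefile noise" + GIF + b"\x11" * 50 + BMP + b"\x00" * 20

if __name__ == "__main__":
    for kind, offset, blob in carve_images(SAMPLE):
        print(f"{kind} candidate at offset {offset}, {len(blob)} bytes")
```

Images that are fragmented or partially overwritten will carve as truncated or corrupt files, which is expected when sampling swap and unallocated space.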
Copyright © 2004 by New Technologies Armor, Inc. January 22, 2004