
3. Usually deleted files can be recovered, but it depends on what was done to delete the files. If the files
are deleted using the standard delete key on a keyboard or placed into the Recycle Bin, then they can
be recovered fairly easily, especially when the time between deletion and recovery is short. Such data has
not actually been deleted. The OS has simply marked the space occupied by the deleted data as usable space on the
hard drive. The longer the time period between deletion and recovery, the less data can be recovered.
This is because the OS places (writes) new data over the deleted data in the cluster. There are very
expensive methods that can be used to recover data from electronic media even if the media has been
physically damaged. The best way to completely destroy a hard drive and prevent data recovery is to
completely melt the plastic hard drive into a black ball.

4. Timestamps refer to the date and time an event occurred on a computer. Certain software can be used
to alter timestamps on files. One example provided in the chapter is Polaris Stamp. Another example is
called Property Cafe 2.1 (http://www.topshareware.com/Property-Cafe-download-4246.htm).
Additionally, by simply opening a file, the timestamps on the file will be changed.

7. Evidence is no longer admissible in court if it can be shown by opposing counsel that the evidence has
been tainted or accidentally altered in some manner, either while it was still on the suspect's PC, as it was
removed, or during the forensic examination. To prevent such claims, the suspect's PC must not be
powered up or shut off, and files must not be opened or closed, without a forensic expert being present. In
order to prevent claims of data contamination during the examination process, a closely controlled chain
of custody must be maintained over the electronic data. Such a custody trail shows who had control
over the evidence in each step of the examination process, for what reason, and for how long.

12. Examples of data extraction or data mining software are ACL and Data Extraction and Analysis
(IDEA).

15. John the Ripper is an example of software that can be used to crack passwords. There are numerous
free password crackers available for download from the Internet. These crackers will run on various
operating systems.

17. A warrant issued by a judge allows law enforcement officers to seize property as evidence of a
crime. A warrant also allows for a search for such property to be exercised.

21. Using HashCal. The answers to this question will vary depending on the digital file the students
are using.
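Added example (not part of the solutions manual) tying question 7 to question 21: the digests a hash calculator reports for a file, and a chain-of-custody log in which every entry records custodian, reason and time held together with the evidence digest and a link to the previous entry, so that an altered record or altered evidence is detected. The evidence bytes and custodian names are constructed sample data.

```python
import hashlib
import json

# Constructed sample evidence (stands in for whatever file the student hashes).
SAMPLE_EVIDENCE = b"Invoice 1043, vendor ACME, amount 12,500.00\n"

def digest_all(data: bytes) -> dict:
    """The digests a hash calculator reports for a file: MD5, SHA-1 and SHA-256."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only chain of custody. Each entry records who held the evidence,
    why and for how long, the evidence digest at hand-over, and the hash of the
    previous entry, so a changed or removed entry breaks the chain."""

    def __init__(self, evidence: bytes):
        self.baseline = digest_all(evidence)["sha256"]   # digest taken at seizure
        self.entries = []

    def record(self, custodian, reason, start, end, evidence: bytes) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"custodian": custodian, "reason": reason, "start": start, "end": end,
                 "evidence_sha256": digest_all(evidence)["sha256"], "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (ok, message): every link must match and the evidence digest
        must never drift from the baseline taken at seizure."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False, f"entry {i}: custody record altered or missing link"
            if e["evidence_sha256"] != self.baseline:
                return False, f"entry {i}: evidence changed while held by {e['custodian']}"
            prev = e["entry_hash"]
        return True, "chain intact"
```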

22. Right On. Many times the thought processes used to solve a problem are affected by the data that we
are analyzing. Paper documents provide a very linear record of activities. An investigator may decide that
the best way to analyze a situation is by the dates on those paper documents or to analyze the documents
by the path they followed through the organization. Both of these approaches use a linear investigative
approach. Although this method is not incorrect, it must be modified when working with digital
evidence. When digital documents become part of the investigation, they need to be examined in a more
dynamic fashion. For example, analyzing only what a document shows on a computer screen is an incomplete
examination. The analysis must take into account what is shown in a linear view on the screen as well as
other information that is hidden, in surprising areas, within the file or within the computer. This
investigative approach represents a more dynamic analysis. The analysis needs to include broken,
purposely hidden, or partially deleted data paths located on various electronic media in order for the
investigator to fully understand the extent of the suspect's actions.



25. Delete It and Go Free! Gemstar is an actual case that is ongoing as of April 2007. There are
several ways to approach an answer to, and a discussion of, the question. The first part covers several legal
issues, and then a brief technical explanation of Yuen's action is presented.

a. Students can consider the policies that should be in place to prevent the destruction of
subpoenaed electronic documents. This is a somewhat legal argument, but one with which the
auditors of Arthur Andersen should have been familiar as they were shredding their Enron
workpapers. Prior to the receipt of a subpoena for Enron's records, auditors at Andersen spent
weeks shredding thousands of paper documents, but the majority of these documents were
available from the auditors' confiscated laptops, which had been secured. Consequently,
Andersen was convicted of federal charges of obstruction of justice and tampering with evidence.
For background information about e-document preservation see
http://www.fenwick.com/docstore/Publications/Litigation/ediscovery.pdf and
https://www.lexisnexis.com/applieddiscovery/lawLibrary/courtRules.asp.
The students can consider the policies a company should have in place for
preserving financial documents after receiving a court subpoena. For example, the company
should have IT policies in place to prevent any electronic documentation requested under the
subpoena from being destroyed. Companies need to quickly identify to the court those individuals
who are responsible for the control of electronic information in the company. Companies need to
advise the court of unreasonable costs of collecting such information. Procedures must be in place
to prevent tapes or hard drive storage devices from being re-used to log new data. Logged
information must not be overwritten. Computers and laptops must be removed from employees'
use in order to preserve the original form of the data. These procedures need to be applied to all
geographical locations where electronic data is stored, not just to company laptops, thumb drives,
desktops, and other on-site storage devices. All laptops used at employees' homes and covered
under a subpoena must be returned for secure storage. All steps executed to meet the conditions
of the subpoena need to be documented.

b. It is possible to demonstrate to the students how easily a financial file can be wiped from a
floppy or thumb drive. It is recommended that you do not do this on your hard drive. Note: To install any software
on a computer, you need administrative access. In conducting this exercise, remember that if a
file is deleted (put in the Recycle Bin) it is not really deleted.
Steps:
(1) Place a financial file (or other file) on a floppy (Drive A) or on a thumb drive.
(2) Bring the file up on your desktop to show the class.
(3) Use the standard delete feature in Windows to delete it into the Recycle Bin.
(4) Look at the floppy or thumb drive to see if the file is there; it should not be listed.
(5) Go into the Recycle Bin and bring the file back to the floppy or thumb drive.
(6) Download a free disk wiper from the Undelete Company. A freeware disk wiper is provided
at http://the-undelete.com/wipe_remove_delete_erase.php. Download the free software and load
it onto your PC. Many of these disk wiping programs follow the Department of Defense standard
for data wiping, which overwrites the drive or file more than once to change the magnetic pattern on
the disk. Another free wiper is called Darik's Boot and Nuke at http://dban.sourceforge.net.
(7) Follow the simple instructions for deleting a file on your floppy or thumb drive. Make sure
you identify the specific file; otherwise the entire floppy or thumb drive will be wiped clean.
(8) Use the Recycle Bin to try to bring back the file; it will not work. This is the action taken by
Yuen in wiping his hard drive. It works to destroy electronic evidence so that it cannot be used in
a courtroom setting. Any disgruntled employee can permanently erase vital company data from a
computer at any time. Employees should not automatically be given administrative access
privileges to any company computer. Without administrative access, it will be more difficult
(not impossible) for them to install disk wiping software on a computer. Without preventive
technical controls and proper evidence collection policies, the company may find itself legally
contributing to the obstruction of justice.
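Added example (not from the solutions manual) that models the three outcomes in question 3 and in steps (3) to (8) above on a constructed toy volume rather than a real disk: a Recycle Bin move keeps the entry and is fully restorable, a standard delete drops the entry but leaves the bytes in place until later writes land on them, and a multi-pass wipe overwrites the clusters first so nothing is left to carve. The cluster layout, allocation policy and overwrite pattern are assumptions of the simulation, not a description of any real file system or wiping product.

```python
# Constructed simulation (not a real file system) of a tiny FAT-style volume:
# a directory maps names to cluster lists, a free list tracks unused clusters.
CLUSTER_SIZE = 8
NUM_CLUSTERS = 16
WIPE_PATTERNS = (b"\x00", b"\xff", b"\x00")   # assumed multi-pass overwrite pattern

class TinyDisk:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.free = list(range(NUM_CLUSTERS))   # first-free allocation policy
        self.directory = {}                     # name -> list of cluster indices

    @staticmethod
    def _chunks(data: bytes):
        return [data[i:i + CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\0")
                for i in range(0, len(data), CLUSTER_SIZE)]

    def write(self, name, data):
        chunks = self._chunks(data)
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(used, chunks):
            self.clusters[idx][:] = chunk
        self.directory[name] = used

    def recycle(self, name):
        # Recycle Bin: the entry is only renamed, nothing on disk is freed.
        self.directory["$RECYCLE/" + name] = self.directory.pop(name)

    def restore(self, name):
        self.directory[name] = self.directory.pop("$RECYCLE/" + name)

    def delete(self, name):
        # Standard delete: entry removed, clusters marked free, bytes left untouched.
        self.free = sorted(self.free + self.directory.pop(name))

    def wipe(self, name):
        # Wiper: overwrite each cluster of the file in several passes, then delete.
        for idx in self.directory[name]:
            for pattern in WIPE_PATTERNS:
                self.clusters[idx][:] = pattern * CLUSTER_SIZE
        self.delete(name)

    def recoverable_fraction(self, data: bytes) -> float:
        # Share of the file's clusters whose bytes still exist on the raw disk (carving).
        raw = b"".join(self.clusters)
        chunks = self._chunks(data)
        return sum(raw.find(c) >= 0 for c in chunks) / len(chunks)
```

Writing a second file after the delete lands on the freed clusters and reduces the recoverable fraction, which is the "longer the time, the less data" effect from question 3.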


26. Crossword
(1) Hash
(2) slack space
(3) cache
(4) parser
(5) Zipfs
(6) ISO
(7) cluster
