by admin-jon | Aug 20, 2008 | Blog, Data Recovery, File Header, Software
Carving files, which can be performed manually or through an automated process, permits the recovery of a portion of a corrupted or deleted file. During a computer investigation, examiners may encounter deleted files that cannot be fully recovered. However, enough of...
by admin-jon | Aug 19, 2008 | Blog, Collection, ESI Collection, Software, Tips & Tricks
If you or a partnering service bureau need to be able to process or review your client’s files from an imaged hard drive, you may be in for a surprise. The results of an imaged hard drive are often stored in a forensic image format or what is referred to as an...
by admin-jon | Aug 13, 2008 | Blog, Metadata, Preservation, Tips & Tricks
The terms, ‘file timestamps’ and ‘file metadata’ are often used interchangeably, however, they can have two completely different meanings. I trust the following will help clarify the differences. 1) There are two separate ‘timestamps’ for office documents and several...
by admin-jon | Aug 12, 2008 | Blog, Data Recovery, File Header, Tips & Tricks
Many file types can be identified by using what’s known as afile header. A file header is a ‘signature’ placed at the beginning of a file, so the operating system and other software know what to do with the following contents. Many electronic discovery applications...
by admin-jon | Aug 5, 2008 | Blog, Data Recovery, Tips & Tricks
To recover deleted files, user activity logs, Internet history, and other potentially relevant custodian information, a ‘physical’ copy or forensic image of the hard drive or other media is required. Creating a physical copy or forensic image preserves the...
by admin-jon | Aug 5, 2008 | Blog, Data Recovery
It often comes as a shock to attorneys and their staff when they hear that electronic discovery processing doesn’t automatically search the entire contents of a custodian’s hard drive. So, it’s worth stating again for emphasis here. Common electronic discovery...
by admin-jon | Aug 5, 2008 | Blog, Data Recovery
In my last post, I pointed out that in the case of the BTK killer in Kansas, investigators recovered a deleted Microsoft Office document that contained evidence crucial to the case. There are still many litigation support professionals who don’t thoroughly...
by admin-jon | Aug 5, 2008 | Blog, Metadata, Software
Many are familiar with Dennis Rader, who became known as the BTK Killer or the BTK Strangler. Ten victims were identified from 1974 through 1991 as having been murdered by Dennis. During this time frame, Dennis provided details related to the murders in letters that...
by admin-jon | Jul 31, 2008 | Tips & Tricks
In my last post, I mentioned there are a couple of ways to identify if files have been stored on an external device. Here they are: 1) Examine the file access history – To be thorough, you need to look at two different user activity areas. 1) User activity logs...
by admin-jon | Jul 31, 2008 | Blog, Uncategorized
A client asked me if it was possible to determine if a custodian did copy files from their server to an external USB flash drive. The USB drive isn’t available, so they wanted to know if Microsoft Windows tracks where files are copied. Now, you would think that...
