CSI: Your Home or Office?

By Brian Steigauf, System Administrator, IU13, GIAC Certified Forensic Examiner

Does “Forensics” conjure images of your favorite CSI episode? Think closer to home, and you might find you need forensics – digital forensics, that is – on a home or office computer to investigate if somebody has been up to no good.

Web-filter reports and email reports can be invaluable tools in an investigation or pending litigation, but they do not always have all the necessary evidence. Where to begin?

Depending on the situation, a full analysis of the computer or device(s) involved may be necessary. Tools for digital forensics are vast and, sometimes, very specific in their function. Full forensic suites exist, and they can often complete several parts of the investigation, but they are expensive and out of the league for a typical K12 institution or small business. Fortunately, there are options and local expertise available through the IU13 Technology Services team.

IU13 Senior Systems Administrator Brian Steigauf walks us through some basics to help you consider the process before you need it.

Why are you being investigated?

An investigation might be performed for a variety of reasons, including an intrusion or data breach, inappropriate use of the Internet, or E-discovery for pending litigation. Your district or business may not have immediate capacity to perform a full forensic investigation, but with some knowledge of different tools and techniques, you can be prepared to handle many types of investigations.

Creating a Forensic Backup

In order to perform a forensically sound investigation, the hard drive of the “suspected computer” should be removed and connected to a hardware write blocker. The write blocker prevents anything on the drive from being modified while it is being copied. All analysis will then be performed against the image of the suspect hard drive/computer, rather than the actual device.

  • A resource to help? Many tools exist to create a forensic backup of the drive/computer. One of the best (and free) tools for performing this task on a Windows device is FTK Imager.

“Fingerprinting” Your Computer

Depending on the severity of the case, cryptographic hashes of drive/computer images should be obtained. A hash function creates a “fingerprint” for the drive/computer being investigated, which can be compared to show that nothing has been changed on the image. Hashes are used to prove that the evidence is authentic to the original drive/computer.

  • A resource to help? Click here to learn more about the Hash Function.
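
The verification step described above, as an added example that is not part of the original article: it streams a raw (dd-style) image file through MD5 and SHA-256 in chunks, so a full-drive image does not have to fit in memory, and compares the result with the hashes recorded at acquisition time. The tiny “image” and the single-byte change in demo() are constructed for illustration; the imaging tool, file name and recorded hashes are assumed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the image 1 MiB at a time so large drive images stream


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare fresh hashes of `path` with those recorded when the image was made.

    `recorded` is {algorithm: hexdigest}, e.g. the values an imaging tool logs.
    Returns (all_match, {algorithm: matched}) so a mismatch can be reported per hash.
    """
    current = hash_image(path, tuple(recorded))
    per_alg = {name: current[name].lower() == recorded[name].lower() for name in recorded}
    return all(per_alg.values()), per_alg


def demo():
    """Constructed sample: a small fake 'disk image' stands in for a real drive."""
    image = b"NTFS    " + bytes(range(256)) * 16  # constructed, not a real boot sector
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect.dd")  # assumed file name
        with open(path, "wb") as fh:
            fh.write(image)
        recorded = hash_image(path)  # what the imaging tool would have logged
        ok_before, _ = verify_image(path, recorded)
        # Change one byte, as an accidental write to the image would
        with open(path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")
        ok_after, details = verify_image(path, recorded)
        return ok_before, ok_after, details


if __name__ == "__main__":
    print(demo())
```

Any mismatch means the image can no longer be shown to be identical to the original drive, which is the point of recording the hashes when the image is created.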

Investigating and Analyzing

Depending on what evidence you are looking for, there are several techniques and tools available. Often an investigation will deal with verifying whether certain documents exist, or ever existed, on a particular system. Many users do not realize that deleting documents and emptying the Recycle Bin does not actually remove the file contents from the disk. Additionally, the Windows Registry contains a wealth of information about any Windows computer. This Registry database stores configuration settings and options on computers running the Microsoft Windows operating systems. Using specific tools, many conclusions can be drawn from information in the Registry database, such as “Was an application ever installed?” and “Was an application ever opened by a specific user?”

  • A resource to help? Here’s a more in-depth overview of the Forensic Windows Tools.

Seeking support

Understanding the idea of digital forensics isn’t overly cumbersome, but proper handling of the process is essential. That’s when it’s beneficial to contact a local provider for support and/or consultation.

  • A resource to help? To learn more about the Digital Forensic Services available through IU13, contact our Technology Services team: call 717-606-1675 or email technology@iu13.org.


Note: Many of the techniques discussed in this article may only pertain to a specific version of Windows (XP vs. Vista vs. Win7) and none apply to Mac OS X, thus it’s important to know your Operating System.