
Case Study: Seized laptops investigation under time constraint

The Group-IB computer forensics and data recovery lab was hired to examine a number of seized notebook computers with a view to finding mail client and instant messenger histories. The work had to be done in cooperation with a police forensics expert and within a short period of time. The time constraint made it impossible for the lab staff to use data recovery techniques, keyword searches, or searches against a pre-compiled index.

To begin with, the forensic investigator checked whether there were any files and directories typical of instant messengers and mail clients. All the mail client profiles and IM profiles found were copied. The problem with such programs is that they do not store messages in plain text. Another difficulty is that most data retrieval programs available on the Internet, including commercial ones, are not capable of extracting the necessary data. In fact, none of the 6 programs that the lab had downloaded could handle a 1.5 Gb Outlook mailbox found on one of the computers: all of them reported that the message database was too large to analyze. A brief look at the available profiles showed that only part of the history of interest had been found. It was then that the lab decided to use Belkasoft Evidence Center, namely its carving feature, to find deleted messages.

The results of the Belkasoft Evidence Center use were the following:

  1. Deleted Skype and QIP 2010 messages were restored.
  2. Instant messenger user profiles stored in non-standard directories were found.
  3. All message histories were retrieved and saved in a readable format.

The last point is extremely important because police officers do not have the specialized software needed to read retrieved message histories. Therefore, all the message histories found were converted by Belkasoft Evidence Center into ordinary text files. It was not feasible to print over 6000 pages, so all the data was made available electronically in a compatible and user-friendly format.

See also:

Case Study: A bank's money transfer system compromised