Forensic Mythbusting: Luke ‘CF Guru’ Aaron explores some truths and myths about Digital Forensics.

24 September 2014 by Luke Aaron

I get asked the same handful of questions again and again, so I thought it useful to explore them in an exposé of the main capabilities and myths of the forensics industry, along with a few helpful hints.

  1. Can you recover deleted data?

The answer is “yes, usually”. When data is deleted it remains on the drive, but it is no longer referenced by the file system’s index (the “file registry”). A good analogy is a lazy librarian who, when instructed to remove an unwanted book, simply removes the index card and leaves the book on the shelf: the book is still there, but nobody has any way of knowing where to look. At some point in the future a new book is needed to fill “the space” where the old book sits, so the librarian simply pushes the old book to the back of the shelf. It is now slightly harder to find (there is a new book in front of it), but it is still lurking on the shelf if you know where to look.

Of course computers, like shelves, do not have infinite storage, and eventually new data will overwrite old data. So the amount of use since deletion and how much free space the hard drive has are the key factors when advising on the likelihood that data has been overwritten.
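The “lazy librarian” behaviour, and the way an examiner gets the book back, can be shown in a few lines. The block below is an added example and not code from the original post: it builds a toy volume whose delete only drops the index entry, then carves the raw bytes for file signatures regardless of what the index says, which is what tools such as scalpel and foremost do over unallocated space. The ToyVolume class, the two-entry signature table and the mini “JPEG” are all constructed for illustration.

```python
"""Signature-based carving over a toy volume whose delete() only removes the index
entry. Added illustration; ToyVolume, SIGNATURES and the sample file are constructed."""


class ToyVolume:
    """A flat byte array plus an index of name -> (offset, size)."""

    def __init__(self, size: int):
        self.data = bytearray(size)
        self.index = {}

    def write(self, name: str, payload: bytes) -> int:
        # First-fit allocation into space the index does not reference.
        off = 0
        for o, s in sorted(self.index.values()):
            if off + len(payload) <= o:
                break
            off = o + s
        if off + len(payload) > len(self.data):
            raise OSError("volume full")
        self.data[off:off + len(payload)] = payload
        self.index[name] = (off, len(payload))
        return off

    def delete(self, name: str) -> None:
        del self.index[name]          # the bytes stay on the "shelf"


def is_allocated(vol: ToyVolume, offset: int) -> bool:
    """True if some live index entry covers this offset."""
    return any(o <= offset < o + s for o, s in vol.index.values())


# (type, header magic, footer magic). Real carvers ship far larger tables.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Find header/footer pairs anywhere in the raw bytes, ignoring the index.
    Returns (type, offset, data) sorted by offset."""
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1           # header with no footer in range: move on
                continue
            end += len(footer)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def demo() -> dict:
    """Write a fake JPEG, delete it, carve it back; then overwrite and carve again."""
    vol = ToyVolume(4096)
    photo = b"\xff\xd8\xff\xe0" + b"\x41" * 100 + b"\xff\xd9"   # constructed mini-JPEG
    vol.write("photo.jpg", photo)
    vol.delete("photo.jpg")
    after_delete = carve(bytes(vol.data))
    status = [(t, is_allocated(vol, off)) for t, off, _ in after_delete]
    vol.write("notes.txt", b"B" * 200)    # reuses the freed space at offset 0
    after_overwrite = carve(bytes(vol.data))
    return {"after_delete": after_delete, "status": status,
            "after_overwrite": after_overwrite}


if __name__ == "__main__":
    r = demo()
    print("carved after delete:", [(t, off) for t, off, _ in r["after_delete"]])
    print("carved after overwrite:", r["after_overwrite"])
```

The first carve returns the photo intact, flagged as unallocated (deleted but present); after 200 bytes of new data land on the same offsets the header is gone and nothing is recoverable, which is the “free space and usage since deletion” point above.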

  2. Is it possible to forensically wipe a drive so nothing can be recovered?

Unfortunately yes, it is possible to forensically wipe a drive so that no data is recoverable. When used correctly, there are products available that will completely fill a Hard Drive with a random pattern of “0’s” and “1’s”, thus stifling any effort to recover data. Some wiping tools will even try to self-delete and hide the fact that they have been run. By looking at a timeline of the usage on the device since the date of the deletion, we may be able to draw some conclusions as to the type of tool used and the date of deletion. This also shows why it is key to have robust policies on what can be downloaded to a device and on how data is backed up and stored.

  3. Can you extract data from a mobile phone?

Whether we can recover data from a mobile phone depends almost entirely on the make and model. The forensic industry is constantly playing catch-up with new operating systems and proprietary file storage systems on mobile devices. We use a range of tools and techniques to increase the likelihood of extracting the relevant data; a good initial guide to whether your handset is supported for extraction is freely available at www.cellebrite.com/mobile-forensics/support/ufed-supported-devices.

  4. Can you crack passwords?

The ability to crack a password depends almost entirely on the password. We can use “Rainbow Tables”, “Dictionary Attacks” and forensic tools to attempt to overcome passwords, but a sufficiently strong password is exceedingly difficult to crack in a reasonable time frame. In the password world, length is key. There are only 10 numerical values and approx. 20 symbols on a keyboard, so adding one to the end of a basic password does little. If a phrase that combines words, such as “THEMERRYWIVESOFWINDSOR”, or a series of unconnected words, such as “HORSESTAPLEBATTERYGOAL”, has been used, it may take hundreds of years of “brute force” processing to crack.
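The “length is key” point is easy to put numbers on. The block below is an added example, not from the original post: it estimates the search space an exhaustive character-by-character search faces for a few passwords, and alongside it the search space when the attacker guesses whole dictionary words, which is the more realistic model for a phrase built from words. The guess rate of 1e9 per second and the 10,000-word dictionary size are assumptions used only to turn key spaces into years; the 32-symbol figure comes from Python’s string.punctuation where the post rounds to “approx. 20”.

```python
"""Key-space and time-to-exhaust estimates. Added illustration; the guess rate and
dictionary size are assumptions, not figures from the post."""
import string

SYMBOLS = string.punctuation   # 32 keyboard symbols (the post rounds to "approx. 20")


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws on."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive character search must cover: charset ** length."""
    return charset_size(password) ** len(password)


def wordlist_keyspace(n_words: int, dictionary_size: int) -> int:
    """Candidates if the attacker guesses whole words from a known list."""
    return dictionary_size ** n_words


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def compare(rate: float = 1e9, dictionary_size: int = 10_000) -> dict:
    """Key space and years at an ASSUMED rate for a few shapes of password."""
    rows = {}
    for pw in ("Password", "Password1", "PasswordPass", "THEMERRYWIVESOFWINDSOR"):
        ks = brute_force_keyspace(pw)
        rows[pw] = (ks, years_to_exhaust(ks, rate))
    # The same 22-letter phrase seen as four words from an assumed 10,000-word list:
    ks = wordlist_keyspace(4, dictionary_size)
    rows["four dictionary words"] = (ks, years_to_exhaust(ks, rate))
    return rows


if __name__ == "__main__":
    for name, (keyspace, years) in compare().items():
        print(f"{name:24s} keyspace={keyspace:.2e} years={years:.3g}")
```

Appending a digit to “Password” adds one character class and one position; adding four more letters (“PasswordPass”) adds four positions and dwarfs it. The last row is the caveat: a phrase of dictionary words is far stronger than a short password, but an attacker who guesses words rather than characters shrinks the space considerably, so unconnected words and more of them matter.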

  5. Can you crack encryption and is Truecrypt still safe to use?

The short answer is no. The major encryption algorithms in use today cannot be broken in themselves. Most successful attacks are instead against the security protocol surrounding the encryption (how you exchange or store the encryption key, for example).

Having undertaken research on the so-called “demise” of Truecrypt, in our opinion there is no basis to believe that it is suddenly unsafe to use for the transport of data. Scare stories and hearsay aside, there is no reason to suspect that a product used safely and securely for many years since the previous update would become redundant and insecure overnight. The developers, whose identity remains a mystery, clearly have their reasons for not wishing to continue with the development of Truecrypt and for not wishing to pass the baton to a company or the wider internet, but that does not detract from their previous good work, which makes Truecrypt still the most viable encryption solution for the transport of data.

  6. Can you forensically image a hard drive in 5 minutes, using a mobile phone, you know, like Jack Bauer does?

“No, no, no.” My message to Jack Bauer, Chloe O’Brien, the rest of the staff at CTU (all 24), Gil Grissom (CSI) and Sir Harry Pearce KBE (Spooks) is to stop making us real forensic folk look bad.

Forensic imaging and investigation take time. A forensic image creates an exact replica of the drive, so the fact that the drive only has 50GB of active data is irrelevant: the image captures all the unallocated space on the drive, as this is where “our lazy librarian” (see point 1) has hidden the deleted data. The time taken to create a forensic image depends on the size of the Hard Drive and the speed of the connection. For reference purposes we would expect to image at a rate of approximately 80GB per hour, so a 1TB Hard Drive could take up to 13 hours to forensically image. Investigations are conducted in accordance with ACPO guidelines and adhere to a strict chain of custody with a contemporaneous notes protocol; this ensures that any evidence uncovered can be used in court.
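What the imaging step actually does, stripped to its essentials, is a sector-for-sector copy with a hash taken over the source as it is read and a second hash over the finished image; the two digests are what go into the contemporaneous notes and let anyone later show the copy is exact. The block below is an added example and not the post’s or any vendor’s tool: it images a constructed 3 MiB file rather than a block device (on a real acquisition the source sits behind a hardware write blocker), verifies the digests, and carries the post’s 80GB-per-hour figure as a planning estimate. File names and the SHA-256 choice are assumptions.

```python
"""Bit-for-bit imaging with acquisition and verification hashes. Added
illustration; the source is a constructed file, not a real device."""
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024   # 1 MiB reads


def image_source(source_path: str, image_path: str) -> dict:
    """Copy every byte of source_path to image_path, hashing as we read, then
    re-hash the written image and compare. Returns the record an examiner keeps."""
    h_src = hashlib.sha256()
    size = 0
    started = time.time()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    elapsed = time.time() - started

    h_img = hashlib.sha256()                  # independent pass over the image
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            h_img.update(chunk)

    return {
        "bytes": size,
        "source_sha256": h_src.hexdigest(),
        "image_sha256": h_img.hexdigest(),
        "verified": h_src.hexdigest() == h_img.hexdigest(),
        "seconds": elapsed,
    }


def estimate_hours(size_bytes: int, gb_per_hour: float = 80.0) -> float:
    """Planning figure from the post's rate: 1 TB at 80 GB/h is 12.5 hours."""
    return size_bytes / 1e9 / gb_per_hour


def demo() -> dict:
    """Image a constructed 3 MiB 'drive' in a temp directory and return the record."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")    # hypothetical source name
        dst = os.path.join(tmp, "evidence.dd")     # hypothetical image name
        payload = bytes(range(256)) * (3 * 4096)   # 3 MiB of constructed data
        with open(src, "wb") as f:
            f.write(payload)
        record = image_source(src, dst)
        record["expected_sha256"] = hashlib.sha256(payload).hexdigest()
        return record


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], "sha256:", rec["source_sha256"][:16] + "...")
    print("1 TB at 80 GB/h:", estimate_hours(10 ** 12), "hours")
```

A mismatch between the two digests means the image is not a faithful copy (a failing source sector, a transport error) and the acquisition is repeated, which is another reason the “5 minutes” of television does not happen.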

  7. Can you tell me who sent a specific email?

If the email came from an anonymised webmail account (Gmail, Hotmail etc.), then almost certainly not. The IP address will merely refer back to the host server (e.g. Google or Microsoft), and the hosts will almost never give up account holder details without a court order. If the email is a corporate email, then it may be possible to trace the source IP address, but that is rarely the position.

  8. Can you tell me when a specific email was sent or received?

Generally a received email will contain some metadata from which we can determine provenance. The email has left the sender’s email server, bounced around the internet and landed in your email server, and this path leaves data inside the email that may be analysed. A sent email goes straight from your outbox to your sent items folder; it doesn’t touch any servers, and therefore there are no external times or dates attached to it. So in the absence of a read receipt you will not be able to provide evidence that the email was sent, received or read.
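The “data left inside the email” from points 7 and 8 is mostly the chain of Received headers, one prepended by each server the message passed through, each carrying that server’s own clock reading. The block below is an added example, not from the original post, that reads them back in chronological order from a constructed message (example.* host names and RFC 5737 documentation addresses, 192.0.2.10 and 198.51.100.5), pulls out the relaying IP and timestamp of each hop, and measures the gap between the sender’s own Date header and the first server’s stamp. The earliest hop in a webmail message is the provider’s relay, which is why the trail stops at Google or Microsoft rather than at a person.

```python
"""Reconstruct an email's path and timestamps from its Received headers.
Added illustration; SAMPLE is a constructed message."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: example.* names and RFC 5737 documentation IPs.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.com with ESMTP id abc123
    for <alice@example.com>; Wed, 24 Sep 2014 10:15:02 +0100
Received: from webmail.example.net ([198.51.100.5])
    by mx.example.org with ESMTP; Wed, 24 Sep 2014 10:14:58 +0100
From: Bob <bob@example.net>
To: alice@example.com
Date: Wed, 24 Sep 2014 10:14:30 +0100
Subject: constructed sample

hello
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_path(raw: str) -> list:
    """Received hops oldest first. Each relay prepends its own header, so the
    top header is the last hop and the bottom one the first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", value)
        relay = re.search(r"\bby\s+(\S+)", value)
        ip = IP_RE.search(value)
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": ip.group(1) if ip else None,
            "by": relay.group(1) if relay else None,
            "received": stamp,
        })
    return hops


def transit_seconds(hops: list) -> int:
    """Wall-clock time between the first and last relay stamps."""
    return int((hops[-1]["received"] - hops[0]["received"]).total_seconds())


def sender_clock_skew(raw: str) -> int:
    """Seconds between the sender's own Date header and the first relay's stamp.
    Date comes from the sender's client and is easily wrong or forged; only the
    Received lines added by servers you control are fully trustworthy."""
    msg = message_from_string(raw)
    first = trace_path(raw)[0]["received"]
    return int((first - parsedate_to_datetime(msg["Date"])).total_seconds())


if __name__ == "__main__":
    path = trace_path(SAMPLE)
    for i, hop in enumerate(path, 1):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['received']}")
    print("transit seconds:", transit_seconds(path))
    print("sender Date vs first relay:", sender_clock_skew(SAMPLE), "s")
```

The first hop’s IP (198.51.100.5 here) belongs to the webmail relay, not the person at the keyboard; the timestamps, on the other hand, come from servers and give the receive time the post describes. Headers below the first server you trust can be written by the sender, so the trail is read from your own server downwards.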

  9. Can you tell me who I should call and when?

Yes, absolutely. You should call us straight away. All of our pre-consultancy services are free of charge, so we will be able to tell you what can be done and how we can help, quickly and at no cost. Simply call 0207 549 9600 and ask to speak with a member of the forensics team.