Into the Shadows

05 March 2014 by Julian Sheppard

Some time ago, we received a request for digital forensic work. The scope of the enquiry was “a network administrator is under investigation and has deleted all of their email from the Exchange server, destroyed the backups, purged the dumpster, deleted their localised Outlook email content and then wiped all of the free space on their laptop. Can you find their email please?” Impossible? Well, maybe not, because if you look in the darkest recesses of a computer you might get lucky; some data might be lurking in the ‘shadows’.

The Volume Shadow Copy service on Windows-based computers (available in Windows Vista through to Windows 7) is ‘on’ by default. It ultimately offers the user the ability to restore previous versions of files or carry out complete restoration of previous configurations that the Windows OS has ‘conveniently’ backed up on the local drive. In Windows 8 this service is still present but is now called ‘File History’.

Whilst these ‘shadows’ are not accessible via normal analysis tools, they can be accessed using forensic tools and can include Internet history, pictures, documents and complete email containers (OSTs) that may have since been deleted from the ‘live’ files of a user. Consequently, it was time to get out the forensic toolkit!
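As an added illustration (not part of the original post, and not the toolkit the author used), this is the kind of triage script an examiner can run on a live Windows system or a booted forensic image to enumerate the shadow copies of a volume and list the Outlook .ost containers inside them that no longer exist on the live disk. It assumes the examined volume is C:, that PowerShell runs elevated, and that the mount directory name is free to use.

```powershell
# Added example (not from the original post): enumerate Volume Shadow Copies and
# look inside each for Outlook .ost containers that no longer exist on the live
# volume. Run from an elevated PowerShell prompt; assumes the volume is C:.
param(
    [string]$Volume    = 'C:',
    [string]$MountRoot = 'C:\vss_mounts'   # where each snapshot gets a directory link
)

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Map the drive letter to its \\?\Volume{GUID}\ path, which is how
# Win32_ShadowCopy.VolumeName identifies the snapshotted volume.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.DriveLetter -eq $Volume }).DeviceID

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volumeId } |
           Sort-Object InstallDate

$findings = foreach ($shadow in $shadows) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    $index = ($shadow.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link  = Join-Path $MountRoot "shadow$index"

    # A directory symbolic link exposes the read-only snapshot as a normal path.
    # The trailing backslash on the link target is required.
    if (-not (Test-Path $link)) {
        cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
    }

    Get-ChildItem -Path $link -Recurse -Filter '*.ost' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Rebuild the path the file would have on the live volume and
            # flag the ones that have since been deleted there.
            $livePath = $_.FullName -replace [regex]::Escape($link), $Volume
            [pscustomobject]@{
                Snapshot   = $shadow.InstallDate
                ShadowPath = $_.FullName
                SizeMB     = [math]::Round($_.Length / 1MB, 1)
                OnLiveDisk = Test-Path -LiteralPath $livePath
            }
        }
}

# Containers missing from the live disk are the ones to hash and export first.
$findings | Sort-Object OnLiveDisk, Snapshot | Format-Table -AutoSize
```

Each snapshot is exposed read-only through the symbolic link, so the files can be hashed and copied out with the examiner's usual tooling without altering the snapshot.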

After a few hours of analysis, we recovered the complete OST email container of the network administrator that totaled 2.5GB in capacity and held over 3,000 emails that ranged over 2 years. It included the incriminating evidence that the client wanted (and the administrator had tried to hide) which showed that the administrator had been accessing other people’s email accounts in an unauthorized manner, and collating sensitive HR material within their own email account.

In conclusion, when all else fails and you think there is no hope, have someone train a light on the shadows; you might be in luck.