Vogon International's Forensic Bulletin

The Dangers of Working in a Virtual Environment


It has long been an established principle that, when conducting forensic investigations of computers, the first course of action is to secure a forensically sound image of the computer's hard disk (an image is a bit-by-bit copy of the entire contents of a hard disk drive).

Once the image is secured, the investigator uses tools of his choice to view its contents. These tools present views into the original files and file structure on the disk, including deleted files, free and slack space.

This process works well for the identification of both pictures and documents; however, it can lead to false conclusions being reached, particularly if the files are taken out of context.

Take, for example, a case where a person has been accused of downloading pornography. By using an image and locating those files within it, the suspect was accused of downloading some 200 indecent images. The fact that the images were on the hard disk drive and that they could be readily timed and dated formed the basis for the allegation. When the files were examined by us in their real context and the surrounding circumstances were reconstructed in a real environment, it was quite clear that these pictures had been downloaded by a JSeeker script running on a web page. This script had caused several redirections to pornographic web sites containing the indecent material, which was automatically downloaded to the suspect's computer.

There are many other examples which could be quoted, but all have originated from the premise (using whichever forensic tool) that "I can see these files have been downloaded, therefore he is guilty".

Whilst the taking of an image is fundamental, it is not the be-all and end-all, and any files must be examined in the context of the real world and within the idiosyncrasies of the various flavours of operating system.



© 2006 Vogon International. All rights reserved. The Data Recovery & Computer Forensics Experts.