SANS Digital Forensics and Incident Response Blog

Why Teaching Matters - A Letter About FORENSICS 508 - Computer Forensic Investigations and Incident Response

This is a really special letter that we thought we would share with the community. Thanks, Bob, and great work! Letter republished with permission from Bob Elder.

_______________________________________________________________________________________

Just wanted to pass along my accolades for the SANS 508 course. I have been taking this course via the on-demand method and had to stall the course due to a high-profile case I was working on. The case involved online file sharing, where the target was visited by police for items found in his publicly shared folder. When the search warrant took place, police members found out that the suspect had been discovered by his wife and had removed all the child pornography videos, including the ones that were documented in the investigation.

When I got the computer and imaged the drive, nothing was there except deleted partial videos. Keyword searches discovered that at one time he had hundreds of videos on the computer in his online file shares and incomplete folders. No external devices were located and found in the registry. We located a number of video artefacts in unallocated space and one in the recycle bin (I guess he forgot about that one). Keyword hits also pointed me to the System Volume Information. Not having done any forensics on this area of Windows Vista, I was at a loss. I put in tons of overtime and work on this file to recover the videos and had no luck.

I returned to the course, got to 508.4 and got to the Restore Point and Shadow Forensics section, and this set me in the right direction. After following the processes and leads from this course, I went into work on Sunday (Annual Leave) as I wanted to try this right away and see what I could find. Two hours into the process, using the leads you document in this course and using Shadow Explorer, I hit on 7 videos of confirmed C.P. that I can now charge the suspect with possession and accessing C.P. I am guessing that the rest are overwritten by the limitation of the Restore Points (15% of the hard drive in Vista) in the OS, unless you have any other ideas how I can recover more videos. In either case, I have enough to charge the suspect.

The perma-grin has not left my face since then (OK, it has only been a few hours), and when I informed the investigators, they were equally excited. Thanks for the SANS Forensics training and especially this course (my third so far); it has been a godsend. The course manuals will always be a great reference for me.

Cheers,

Bob

Detective Bob Elder
Computer and Mobile Phone Forensics Unit
Victoria Police Department

3 Comments

Posted August 28, 2010 at 11:36 AM

H. Carvey

Bob,
Excellent post, eloquent and well-written.
I'm curious: having worked a couple of cases similar to yours, one of the things I've found that has buttressed the findings within the file system is Registry artifacts demonstrating that the user had viewed the images/videos. Did this play into your examination at all?
Thanks.

Posted August 28, 2010 at 7:57 PM

Mister Reiner

Nice! I always like reading these types of success stories. This is a perfect example of money well spent on forensics training.

Posted August 31, 2010 at 3:29 AM

Bob Elder

Hi Harlan:
On Rob Lee's advice, I will be doing further analysis on the following, which might bring me what you're discussing:
1. Don't forget to analyze the Registry in the shadows showing recent files and open/save MRU keys (Evidence of Download, Evidence of File Access)
2. Don't forget to analyze the Link Files in Recent folders in the shadows. You will be able to see additional files that you couldn't see before.
Thanks for the kind words Harlan,
Bob Elder
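As an added illustration of the two shadow-copy steps listed in Bob's comment above (this is not code from the original post, from Bob, or from the SANS course), the PowerShell below enumerates the Volume Shadow Copies visible on a Windows host, exposes each snapshot through a directory symlink, collects every user's Recent-folder link files from each snapshot, reports the ones that are no longer present on the live volume, and prints the path of each snapshot's NTUSER.DAT so the RecentDocs and Open/Save MRU keys can be read with an offline registry parser. `$Volume`, `$MountRoot` and the function name `Get-RecentLinks` are values chosen here for illustration; the script assumes an elevated prompt on a Windows system where the evidence volume and its shadow copies are attached.

```powershell
# Added example, not part of the original post or the SANS course material.
# Enumerate Volume Shadow Copies, expose each through a directory symlink, and
# compare Recent-folder link files between every snapshot and the live volume.
# Assumptions: elevated PowerShell on a Windows host where the evidence volume
# is mounted as $Volume; $MountRoot is a scratch directory chosen for this example.
param(
    [string]$Volume    = 'C:\',
    [string]$MountRoot = 'C:\shadow_mounts'
)

# Per-user Recent folder on Vista/7 (the location of the link files in step 2).
$recentRel = 'Users\*\AppData\Roaming\Microsoft\Windows\Recent'

function Get-RecentLinks {
    # Return the .lnk files under every user's Recent folder below $Root,
    # tagged with the snapshot (or 'live') they were read from.
    param([string]$Root, [string]$Label)
    Get-ChildItem -Path (Join-Path $Root $recentRel) -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source        = $Label
                User          = ($_.FullName -replace '^.*\\Users\\([^\\]+)\\.*$', '$1')
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
            }
        }
}

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

# Win32_ShadowCopy lists the same snapshots that 'vssadmin list shadows' prints.
$shadows = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate

$fromShadows = foreach ($s in $shadows) {
    $id   = $s.ID -replace '[{}]', ''
    $link = Join-Path $MountRoot $id
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; the trailing
    # backslash is required for mklink to expose the snapshot as a directory.
    if (-not (Test-Path $link)) {
        cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    }
    $created = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    Write-Host ("Shadow {0} of {1} created {2} -> {3}" -f $id, $s.VolumeName, $created, $link)

    # Each snapshot carries its own copy of every user's NTUSER.DAT (step 1): export
    # it to an offline registry parser to read RecentDocs and the Open/Save MRU keys.
    Get-ChildItem -Path (Join-Path $link 'Users\*\NTUSER.DAT') -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  hive: $($_.FullName)" }

    Get-RecentLinks -Root $link -Label $id
}

$live      = Get-RecentLinks -Root $Volume -Label 'live'
$liveNames = @($live | ForEach-Object { "$($_.User)|$($_.Name)" })

# Link files that exist in at least one snapshot but are gone from the live volume:
# these point at files the user opened that the current file system no longer shows.
$fromShadows |
    Where-Object { $liveNames -notcontains "$($_.User)|$($_.Name)" } |
    Sort-Object User, Name, LastWriteTime -Unique |
    Format-Table Source, User, Name, LastWriteTime -AutoSize
```

The symlinks are created under the scratch directory, not on the evidence volume, but the shadow copies are only reachable while the volume is attached to a running Windows system, so in practice this is run against a write-blocked drive or a booted copy of the image rather than the original disk. The snapshot creation time printed for each shadow copy is what bounds the window a recovered link file or hive can speak to.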