Digital Version of November/December 2014 Print Edition
Computer forensics expert reveals ‘hidden’ source for two vital pieces of computer evidence
Sometimes, when a computer forensics expert is dissecting a suspect’s computer, the most important question to answer is this: “Am I looking at the original hard-drive, with all of its incriminating evidence, or has that drive been swapped out surreptitiously for a new drive, which will not contain the evidence that I’m hoping to find?”
In a significant breakthrough in the world of computer forensics, a small forensics company, CynanLine LLC, has discovered a little-known feature of most major hard-drives -- buried deep within their operating systems -- that can reveal to computer forensic experts the exact number of times that the examined hard-drive has been turned “On,” and the exact number of hours that the specific hard-drive has been used inside the computer.
These two pieces of information can be found in what is known as the Self Monitoring Analysis Reporting Tool, nicknamed SMART, which was developed by hard-drive manufacturers for a completely different purpose -- to help an owner assess the physical “health” of his or her disc drive. In fact, most computer users have no idea that SMART even exists on their hard-drive, and can only access the information it presents if they download and use a separate piece of free software.
Those two vital pieces of forensic data -- how many times has the hard-drive been turned on, and for how many hours has it been used -- which until now have not been readily available to forensic investigators, can help crack a case wide open.
Steven Branigan, a forensic scientist and the president of CyanLine, in an exclusive phone interview with Government Security News on June 13, recalled two instances in which this crucial data about a laptop’s hard-drive turned out to be pivotal.
In one case, CyanLine was working with a private investigation firm that had been retained to examine a laptop computer surrendered under a court order by a man suspected of leaking insider information. The accused was suspected of creating new online identities for himself to disguise the discussions he was conducting over the Internet about specific publicly-traded companies.
The forensic examination of the suspect’s three-year-old laptop revealed there was surprisingly little data on the disc. “It was incredibly clean,” recalled Branigan. However, a check of the SMART feature revealed that while the laptop may have been three years old, the hard-drive itself had only been used for a total of 20 hours. Something was clearly fishy. “It was pretty clear that the owner had swapped out the disc drive,” Branigan told GSN. When first asked to explain the sparsity of information on his laptop, the suspect said, “Oh, I had to do a re-install on my computer before I knew I had to turn it in.” But, when confronted with the undeniable fact that the hard-drive had recently been replaced, the suspected changed his tune. It all went downhill for the suspect after that, said Branigan.
In another instance, CyanLine was involved in peeling back a laptop computer that had been used by a woman involved in a child custody dispute. The court wanted to look at her computer for possible evidence related to various suspected illicit activities. When CyanLine checked the SMART function on the woman’s hard-drive, it revealed that it had been used for less than 10 hours -- far less time than the laptop itself. This important revelation did not help the woman’s case, recalled Branigan.
Of course, the data available on the SMART feature -- which Branigan says he has found on hard-drives manufactured by Western Digital, Hitachi, Fujitsu, Intel, Seagate and others – is not the only data that could enable a forensics investigator to determine the age and usage of a specific drive. In some instances, the manufacturing date or the serial number on the drive itself can help provide this information. But that can often require a conversation with the manufacturer, which can be slow and cumbersome, Branigan explained to GSN.
It is also possible to determine the age of the hard-drive by checking the dates of entries in the Windows file system, but that data can be easily altered by the laptop’s user. “It’s hard to trust any data that a suspect had access to, and could have changed,” advised Branigan.
CyanLine, a small company based in Eatontown, NJ, discovered the data available in the SMART function when it was poking around looking for a faster way to record a laptop’s serial number. Until then, most forensic investigators would find the serial number physically marked on the computer hardware, and transcribe that number into their records. CyanLine instead wanted to find serial numbers for the laptop and the hard-drive electronically. As the company’s forensic experts were diving deeper and deeper into the data available for the hard-drive, they discovered the SMART function. When they dove carefully investigated that tool, they discovered that it presents the exact number of times the drive had been turned on, and the exact number of hours that the drive had been used.
Branigan believes that the news that this important data is available to forensic investigators will not only make his company’s forensic acquisition product, known as the Fast Disk Acquisition System, or FDAS, more popular, but will also help forensic experts everywhere to perform more thorough examinations.