Forensics: Tracing a Hotmail Email

An email sent via Hotmail automatically records the IP address of the sending computer. This allows emails sent via Hotmail to be traced far more easily than those sent via other email systems.

For example, the IP address in an AOL email is that of the AOL server (often based in the US), so it does not provide any immediately useful information.

The video below shows how to find the IP address in a Hotmail email header and how to trace it to a geographic location.
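The header inspection the video walks through, as an added example in Python (not code from the original post). It assumes the sender's address sits in an X-Originating-IP header, which is where Hotmail historically placed it; the page itself does not name the header. The message is constructed from documentation addresses, the host names are invented, and the final geographic lookup is left out because it needs an external IP-to-location database. One caveat a practitioner should keep in mind: only the topmost Received line, added by your own mail server, is trustworthy; everything below it was written by other parties and can be forged, so the chain is evidence to be weighed, not a proof.

```python
import email
import ipaddress
import re

# Constructed sample message in the shape of a webmail delivery; the addresses are
# RFC 5737 documentation ranges and the host names are invented, not a real capture.
SAMPLE_MESSAGE = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "\tby mx.receiver.example (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <recipient@receiver.example>; Mon, 01 Jun 2009 10:02:11 +0000\n"
    "Received: from bay0-omc1-s12.example.net ([203.0.113.45]) by mail.example.org\n"
    "\twith Microsoft SMTPSVC; Mon, 01 Jun 2009 10:02:09 +0000\n"
    "X-Originating-IP: [192.0.2.77]\n"
    "From: someone@example.com\n"
    "To: recipient@receiver.example\n"
    "Subject: test\n"
    "Date: Mon, 01 Jun 2009 10:02:05 +0000\n"
    "\n"
    "hello\n"
)

# Dotted-quad IPv4 literal that is not part of a longer digit/dot run (e.g. host names like s12.example)
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")

# RFC 1918 private ranges: an address here is NAT-internal and identifies nothing on its own
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def originating_ip(raw_message):
    """Return the IPv4 address carried in X-Originating-IP (assumed header name), or None if absent."""
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    match = IPV4_RE.search(value)
    return match.group(1) if match else None


def received_chain(raw_message):
    """Return the sending-host IP named in each Received header, topmost (our own server) first."""
    hops = []
    for hdr in email.message_from_string(raw_message).get_all("Received", []):
        match = IPV4_RE.search(hdr)  # first literal in a Received line is the 'from' host
        hops.append(match.group(1) if match else None)
    return hops


def is_rfc1918(ip):
    """True when the address is RFC 1918 private space (behind NAT; not traceable by itself)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def trace(raw_message):
    """Summarise what the headers say about where the message came from."""
    origin = originating_ip(raw_message)
    return {
        "originating_ip": origin,
        "originating_is_private": is_rfc1918(origin) if origin else None,
        "received_hops": received_chain(raw_message),
    }


if __name__ == "__main__":
    for key, value in trace(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The `originating_is_private` field is the check worth keeping: a private address in the originating header means the sender was behind NAT and the value cannot be located geographically, whatever the rest of the headers suggest.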

Forensics: Dates and the $Standard_Information Attribute

Below is a video showing the $Standard_Information attribute within the MFT.

Forensics: What happens when files are deleted?

The video below shows what happens when files are deleted on an NTFS partition.

When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the file are then marked as free within $Bitmap.

This is recorded in the flags field at offset 22, 2 bytes long; i.e. bytes 22 and 23 of the MFT entry for that file.

  • For an active file, bytes 22 and 23 read “01 00” (in the video the bytes appear flipped because of the big-endian/little-endian issue).
  • For a deleted file, bytes 22 and 23 read “00 00”.
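The two checks the videos make by hand, the in-use flag at bytes 22 and 23 and the four timestamps of the $Standard_Information attribute, as one added Python example that is not code from the original post. It builds a constructed 1024-byte MFT record (test data, not a disk image capture), then parses the record header and the first resident $STANDARD_INFORMATION attribute. The field layout is the standard NTFS record and attribute header layout; the update-sequence (fixup) step is deliberately left out, so the parser is only correct where the header and first attribute do not cross a 512-byte sector boundary, which is the case for this record.

```python
import struct
from datetime import datetime, timedelta, timezone

# MFT record header flags: 2 bytes at offset 22, little-endian
MFT_FLAG_IN_USE = 0x0001      # stored as 01 00 on disk: record is allocated (active file)
MFT_FLAG_DIRECTORY = 0x0002   # record describes a directory
ATTR_STANDARD_INFORMATION = 0x10
ATTR_END_MARKER = 0xFFFFFFFF

# Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build test records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_mft_record(record):
    """Return allocation state and $STANDARD_INFORMATION timestamps for one MFT record.

    Fixup values are not applied: a production parser must restore the last two bytes
    of every 512-byte sector from the update sequence array before reading them.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr_off, flags = struct.unpack_from("<HH", record, 20)
    result = {
        "flags_raw": record[22:24].hex(" "),          # the two bytes the text refers to
        "in_use": bool(flags & MFT_FLAG_IN_USE),       # False -> deleted, record free for reuse
        "is_directory": bool(flags & MFT_FLAG_DIRECTORY),
        "timestamps": None,
    }
    off = first_attr_off
    while off + 16 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END_MARKER or attr_len == 0:
            break
        non_resident = record[off + 8]
        if attr_type == ATTR_STANDARD_INFORMATION and non_resident == 0:
            content_len, content_off = struct.unpack_from("<IH", record, off + 16)
            body = record[off + content_off:off + content_off + content_len]
            created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", body, 0)
            result["timestamps"] = {
                "created": filetime_to_datetime(created),
                "modified": filetime_to_datetime(modified),
                "mft_modified": filetime_to_datetime(mft_modified),
                "accessed": filetime_to_datetime(accessed),
            }
            break
        off += attr_len
    return result


def build_record(in_use, created, modified, mft_modified, accessed):
    """Build a constructed 1024-byte MFT record with one resident $STANDARD_INFORMATION attribute."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)           # update sequence offset / word count
    struct.pack_into("<HH", rec, 16, 1, 1)             # sequence number, hard-link count
    first_attr = 0x38
    flags = MFT_FLAG_IN_USE if in_use else 0
    struct.pack_into("<HH", rec, 20, first_attr, flags)
    # Attribute body: four FILETIMEs followed by 16 bytes of DOS flag / version / id fields
    body = struct.pack("<QQQQ", created, modified, mft_modified, accessed) + bytes(16)
    # Resident attribute header: type, length, non-resident flag, name length, name offset,
    # flags, attribute id, content length, content offset, indexed flag, padding
    header = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 24 + len(body),
                         0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    rec[first_attr:first_attr + len(header) + len(body)] = header + body
    end = first_attr + len(header) + len(body)
    struct.pack_into("<I", rec, end, ATTR_END_MARKER)
    struct.pack_into("<II", rec, 24, end + 8, len(rec))  # used size / allocated size of record
    return bytes(rec)


if __name__ == "__main__":
    ts = datetime_to_filetime(datetime(2009, 6, 1, 10, 2, 5, tzinfo=timezone.utc))
    for state in (True, False):
        info = parse_mft_record(build_record(state, ts, ts, ts, ts))
        print("bytes 22-23:", info["flags_raw"], "| in_use:", info["in_use"],
              "| created:", info["timestamps"]["created"].isoformat())
```

Run against the active record the parser reports `01 00` and `in_use: True`; flip the flag and it reports `00 00` and `in_use: False` while the timestamps are still intact, which is exactly why a deleted file's metadata remains recoverable until the record is reused.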

Video Guide: Tor

Below is a video showing Tor working.

Forensics: Wiping a Drive

There is a lot of misleading information on the internet in relation to the deletion and destruction of data. Some of this is due to confusion in language, e.g. the difference between wiping and deletion, and some of this is due to urban myth.

Below is a video, taken with the popular computer forensics tool EnCase. This video shows what happens when a single wipe is used on a drive. Not 2, not 8, not 32, or any of the other “recommended” numbers of wipes. Just a single, simple wipe.
