During the last fifteen years or so, computers have revolutionized the workplace. They store, or can access, the information workers need to perform their job functions. However, regardless of the policies, rules, and procedures management puts in place to protect the confidentiality and integrity of its digital information, breaches continue to occur. The following scenario describes one such breach:
An employee of a stock investment company informs her manager that several of her coworkers have violated their personal conduct agreements and may also be involved in illegal activity. She states that during the last week she saw two coworkers use their work computers to e-mail insider trading information to their friends, a third coworker copy the company’s proprietary “Stock Market Trends and Analysis” software onto a flash drive, and a fourth coworker print confidential investment portfolios.
How should management handle this situation? A typical approach would be to confront the workers. However, they would most likely deny any wrongdoing and probably try to hide or destroy any potential evidence. A better approach is to covertly triage the live computers and then perform post-mortem examinations of their hard drives. Frequently the members of a business’s IT department lack the qualifications and experience to perform this kind of forensic examination; this is not surprising, since IT personnel are not normally trained as forensic examiners. Usually management will have to contract with an external digital forensics consulting firm to provide the service. Today it is essential that management have a process in place (i.e. a plan) so that when an intrusion occurs or employee misconduct is alleged, there is a firm foundation to support any civil or criminal proceedings that may follow. Failing to plan can have a detrimental effect on the business.
A Windows computer has several forensically important areas where probative information can be found: the computer’s RAM (if the system is live), the Registry (whose hive files reside on the hard drive, with the loaded hives also present in RAM), and the hard drive itself. Examining and extracting probative information from a live system requires triage tools, and those tools will themselves make changes to the very areas being examined: they are loaded into memory, their execution may be recorded in the Registry (for instance in MRU or UserAssist keys), and they may update file timestamps on disk. Although this violates the “golden rule” of digital forensics (never alter the evidence), in some circumstances there is no alternative. Examiners who have previously verified the behavior of their triage tools should therefore understand, and be able to document, exactly what changes those tools make to a live system. Two practical rules follow: collect the most volatile data first (RAM before disk), and record a hash of every artifact at the moment it is collected so that later changes can be distinguished from the tool’s own footprint.
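One way to document a triage tool’s Registry footprint is to export the keys of interest with `reg export` before and after running the tool, then diff the two exports. The script below is an added example, not code from the original text: it parses the subset of `.reg` syntax that `reg export` writes (key headers, quoted value names, the `@` default value, and `hex(...)` data continued over several lines) and reports added, removed and changed values. The two snapshots are constructed sample data; the RunMRU key is real, while `triage.exe` and `HKCU\Software\ExampleTriage` are hypothetical names standing in for whatever tool is used.

```python
"""Document a live-triage tool's Registry footprint by diffing two 'reg export'
snapshots (before and after running the tool).  Added example, not code from
the original text.  The snapshots are constructed sample data; 'triage.exe'
and HKCU\\Software\\ExampleTriage are hypothetical names."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A value line is  "name"=data  or  @=data  (the key's default value).
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TRIAGE_KEY = r"HKEY_CURRENT_USER\Software\ExampleTriage"  # hypothetical tool key

# Constructed snapshot taken before the tool is run.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="ba"
"a"="notepad\\1"
"b"="cmd\\1"
"""

# Constructed snapshot taken after the tool is run: the tool now appears in
# RunMRU and has created its own key, including a REG_EXPAND_SZ value that
# 'reg export' writes as hex(2): data continued over two lines.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cba"
"a"="notepad\\1"
"b"="cmd\\1"
"c"="triage.exe\\1"

[HKEY_CURRENT_USER\Software\ExampleTriage]
@="Example Triage Tool"
"Path"=hex(2):43,00,3a,00,5c,00,\
  54,00,6f,00,6f,00,6c,00,73,00,00,00
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax written by 'reg export' into
    {key_path: {value_name: raw_data_string}}.  Hex data continued over
    several lines (trailing backslash) is joined back into one string."""
    keys = {}
    current = None
    pending = None  # [value_name, partial_data] while a hex value continues
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending[1] += line.rstrip("\\").strip()
            if not line.endswith("\\"):
                keys[current][pending[0]] = pending[1]
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else m.group("name")[1:-1]
            data = m.group("data")
            if data.endswith("\\"):
                pending = [name, data.rstrip("\\").strip()]
            else:
                keys[current][name] = data
    return keys


def decode_reg_hex2(data):
    """Turn an exported hex(2): (REG_EXPAND_SZ, UTF-16LE) payload into text;
    any other data string is returned unchanged."""
    if not data.startswith("hex(2):"):
        return data
    payload = data[len("hex(2):"):]
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def diff_snapshots(before, after):
    """Return the keys and values added, removed or changed between snapshots."""
    report = {"added_keys": [], "removed_keys": [], "added_values": [],
              "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["added_keys"].append(key)
            report["added_values"].extend((key, n, d) for n, d in after[key].items())
            continue
        if key not in after:
            report["removed_keys"].append(key)
            report["removed_values"].extend((key, n, d) for n, d in before[key].items())
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["added_values"].append((key, name, a[name]))
            elif name not in a:
                report["removed_values"].append((key, name, b[name]))
            elif b[name] != a[name]:
                report["changed_values"].append((key, name, b[name], a[name]))
    return report


def footprint_report():
    """Diff the two constructed snapshots."""
    return diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))


if __name__ == "__main__":
    rep = footprint_report()
    for key, name, old, new in rep["changed_values"]:
        print(f"CHANGED {key}\\{name}: {old} -> {new}")
    for key, name, data in rep["added_values"]:
        print(f"ADDED   {key}\\{name} = {decode_reg_hex2(data)}")
```

The diff is only as good as the snapshots: export the keys before the tool is copied onto the system, and take the "after" export with the same exporter so that the tool’s own writes are not confused with those of the exporter. The parser handles plain strings, `dword:` values and `hex(...)` continuations as opaque strings and decodes only `hex(2):` text; multi-string (`hex(7):`) and binary data are left as exported.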
Unless they are involved in incident response, examiners are not often required to image a live system. Normally they forensically image computer hard drives post-mortem, in a controlled work environment, verify the image’s hash against the original, and then examine the image for probative information. Most forensic tools incorporate automated, built-in features such as recovering deleted folders, performing keyword searches, carving data from unallocated space, searching directories and files, and so forth. Automated features are a necessity, since manually searching a hard drive would be extremely labor intensive. In today’s digital forensics environment, examiners must have specialized training, knowledge, skills, abilities, tools, and experience to ensure reliable and repeatable results, whether triaging a live system or examining a hard drive post-mortem.
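Carving data from unallocated space, one of the automated features mentioned above, works by scanning raw bytes for known file header signatures and cutting out everything up to the matching footer. The following is an added example, not code from the original text or from any forensic suite: it carves JPEG, PNG and PDF objects from a constructed in-memory "image" (zeroed filler standing in for wiped sectors) and hashes each carved object so the result can be reproduced and verified. The signatures are the real magic bytes for those formats; the image contents are sample data.

```python
"""Signature-based carving of files from a raw image, the technique forensic
suites automate for unallocated space.  Added example, not code from the
original text; the image is constructed in-memory sample data, not a real
acquisition."""
import hashlib

# Real header/footer byte signatures for three common types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # upper bound when a footer is never found

# Constructed sample objects: minimal headers, dummy bodies, real footers.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x02" * 40 + b"IEND\xaeB`\x82"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"\x03" * 40 + b"\n%%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x04" * 20   # header but no EOI marker
FILLER = b"\x00" * 512                                # stands in for wiped sectors


def build_sample_image():
    """Lay the samples out in 'unallocated space' separated by zeroed filler."""
    return (FILLER + JPEG_SAMPLE + FILLER + PNG_SAMPLE + FILLER
            + PDF_SAMPLE + FILLER + TRUNCATED_JPEG + FILLER)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan the image for each header, carve to the matching footer (or to
    max_size bytes when the footer is missing) and return the objects sorted
    by offset, each with a hash so the carve can be reproduced and verified."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                data = image[pos:pos + max_size]   # truncated: footer missing
                complete = False
                resume = pos + len(header)
            else:
                data = image[pos:end + len(footer)]
                complete = True
                resume = end + len(footer)
            found.append({"type": ftype, "offset": pos, "size": len(data),
                          "complete": complete, "sha256": sha256_hex(data),
                          "data": data})
            pos = image.find(header, resume)
    found.sort(key=lambda obj: obj["offset"])
    return found


if __name__ == "__main__":
    for obj in carve(build_sample_image()):
        state = "complete" if obj["complete"] else "TRUNCATED"
        print(f"{obj['type']} @ {obj['offset']:>6} size {obj['size']:>5} "
              f"{state} sha256={obj['sha256'][:16]}...")
```

Carving to the first footer is a deliberate simplification: a PDF with incremental updates contains several `%%EOF` markers, and a JPEG with an embedded thumbnail contains nested SOI/EOI markers, so production tools validate the internal structure of each candidate rather than trusting the first footer. Fragmented files (whose clusters are not contiguous) cannot be recovered by header/footer carving at all, which is why the truncated case is reported rather than silently dropped.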
What Is the Windows Registry and What Does It Do?
Early Windows operating systems used a “WIN.INI” file (which controlled the desktop and all applications on the system) and a “SYSTEM.INI” file (which controlled the computer’s hardware). They also relied on the DOS configuration files “config.sys” (which loaded device drivers) and “autoexec.bat” (which ran startup programs and set environment variables). When Windows 3.1 was introduced, it was initially targeted at the corporate work environment. One of the assumptions made was that very few Windows applications would be installed on each computer, which would limit the number of system and application settings that had to be stored. Since program developers still needed to store application-specific settings, they used individual human-readable “.ini” text files linked to “WIN.INI”, generally organized in groups in a shared location. This practice had a number of drawbacks: it did not allow for user-specific settings in a multi-user environment; the operating system imposed no rules on where the files were stored; their proliferation anywhere on the hard drive made them difficult or virtually impossible to manage and optimize; and their size limitations and slow access often hindered system operation.