How Snoops Use Forensic Software
Protect your Privacy by Knowing How Adversaries Can Examine your Computer and Devices
If an adversary is determined to examine your device for trace data, they could use specialized forensic software to thoroughly scan it for hidden trace information as well as long-ago deleted items on your storage media.
All manner of devices, whether desktop computers, laptops, tablets, smartphones or removable storage media such as USB memory sticks, are routinely examined by forensic software experts hired for contractual, civil, employment or matrimonial disputes. Sometimes the expert is hired to access your device after hours, acquiring a copy of your storage media and examining it later off-site without you ever knowing.
Learning about how forensic snooping software works will help you to understand why a number of the techniques outlined on this site are so important, including clearing trace data, encryption and data wiping.
How Forensic Software Experts Go About their Task
Generally speaking, the forensic software experts first create an exact physical duplicate of the device’s storage media, called a disk image or bitstream. An exact physical duplicate means a bit-for-bit copy and therefore includes not only your original items and data files, but also all the trace data discussed earlier, including deleted files, Registry information, paging and hibernation files, memory dumps, temporary artifacts, hard drive indexes and even its file slack and bad clusters.
More About: Clusters – A cluster is the smallest unit of physical space on a storage media device that an operating system allocates to a file; a file that does not fill its last cluster leaves the remainder (the file slack) untouched. For example, a desktop computer’s hard drive has millions of clusters.
Typically, the forensic software packages are as expensive as they are sophisticated. The packages most used by experts can cost in the thousands of dollars and require professional training on how to use them. The features of expert-level forensic software include disk image creation and the ability to perform powerful searches of internal, external and other storage media, and may also include capabilities such as file decryption, password cracking and steganography detection.
The leading forensic software applications include EnCase and Forensic Recovery of Evidence Device (aka FRED) – see https://www.cogipas.com/forensic-software/.
How to Affordably Examine Your Own Desktop or Laptop Computer
If you wish to get a taste of what it is like to poke around your own desktop computer or laptop to see what can be detected and perhaps recovered, you can try the app Directory Snoop (premium).
Directory Snoop may not be full-fledged forensic analysis software in the purist sense, but it is a powerful utility that lets you analyze your storage media at a detailed, technical level (right down to the cluster level). It might not be quite as powerful as the tools used by the professionals I mentioned above, but it is affordable and allows you to find and examine lots of hidden and trace data. Directory Snoop also gives you the ability to purge (delete) some of this trace data or recover it in the case of deleted items. This is a superb personal product. It is not free but you can use it free for a trial period before deciding whether to purchase a license.
To see how this tool can find sensitive trace information embedded in the clusters of hard drive storage media, see this in-depth illustration.