Has the Smoking Gun Gone Paperless? Searching for Evidence in a Digital World

Alex Helfand, ENCE, Computer Forensic Specialist

One of the biggest trends for companies is ‘going green.’ This trend extends beyond legitimate businesses and is now being adopted by more and more criminals. It is a nice gesture on their part, especially from a digital forensics standpoint. According to the FBI, crime rates in America have been declining, and are actually lower than before the recession. However, the FBI has seen cases involving removable media double in the last year alone.

There is a great deal of information to be found on computers, ranging from Internet history and email to reports and invoices. In order to analyze the relevant data, digital forensic specialists like to focus on user-created documents, commonly referred to as e-docs. These documents are files that the user has created after they received the computer and logged in. From a litigation perspective, these files are important because they can associate a person with a file.
For instance, in a court of law it can be difficult to prove that a person sat down at a computer and wrote a threatening email. However, if that computer user accessed a personal bank account, Facebook, and used online chat during the same session, then it could be much easier to identify the user. Let’s focus on a few of the more important and interesting e-docs.

A Picture Can Say a Thousand Facts

Most users know that their digital camera takes pictures in the .jpeg format, and that they can view these pictures on a computer. However, it is not common knowledge that these .jpeg files come with a great deal of hidden information. Most digital cameras add ‘metadata’ to each picture when it is taken. This includes the camera manufacturer, camera model, date, time, and camera settings. It is easy to view this information for a user-created image in Windows:

1.    Right click on a .jpeg image on the computer
2.    Click Properties
3.    Click the Summary tab

There is a lot of information included in this metadata. Some modern cameras even incorporate GPS data into the .jpeg and others even add in the serial number. Any of this information could be a smoking gun, and it is all paperless. In conclusion, the smoking gun could be inside of a computer, but do you know where to look?
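The same fields can be read straight from the file's bytes, which is useful when an examiner works from a forensic image rather than a live Windows desktop. The Python code below is an added example, not part of the original article: it locates the Exif segment in a .jpeg and decodes the manufacturer, model, and date/time, and reports whether a GPS directory is present (the GPS values themselves are not decoded). The function names and the sample image bytes are constructed for illustration.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoOffset"}

def exif_tiff(jpeg: bytes) -> bytes:
    """Return the TIFF payload of the first Exif APP1 segment, or b'' if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length  # skip to the next header segment
    return b""

def read_ifd0(tiff: bytes) -> dict:
    """Decode the ASCII and LONG entries of IFD0 that are named in TAGS."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order of the TIFF block
    if order is None or len(tiff) < 8:
        return {}
    magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    count = min(count, (len(tiff) - ifd - 2) // 12)  # ignore a truncated directory tail
    found = {}
    for start in range(ifd + 2, ifd + 2 + 12 * count, 12):
        tag, typ, n, value = struct.unpack(order + "HHII", tiff[start:start + 12])
        if tag in TAGS and typ == 2:  # ASCII: inline if it fits in 4 bytes, else at an offset
            off = start + 8 if n <= 4 else value
            found[TAGS[tag]] = tiff[off:off + n].rstrip(b"\x00").decode("ascii", "replace")
        elif tag in TAGS and typ == 4:  # LONG, e.g. the pointer to the GPS directory
            found[TAGS[tag]] = value
    return found

def sample_jpeg() -> bytes:
    """Constructed sample: SOI + Exif APP1 + EOI (no pixel data, invented camera)."""
    vals = [b"ExampleCam\x00", b"EC-100\x00", b"2011:06:01 09:30:00\x00"]
    base, blob, ents = 8 + 2 + 12 * 4 + 4, b"", b""
    for tag, s in zip((0x010F, 0x0110, 0x0132), vals):
        ents += struct.pack("<HHII", tag, 2, len(s), base + len(blob))
        blob += s
    ents += struct.pack("<HHII", 0x8825, 4, 1, base + len(blob))
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, 4) + ents + bytes(4) + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling `read_ifd0(exif_tiff(data))` on the bytes of a real camera image returns whichever of these fields the camera wrote; an empty result means the file carries no Exif block, which is common after an image has been re-saved or uploaded through a service that strips metadata.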
