John Doe Hard Drive data analysis and Report
iQwest Information Technologies, Inc. has been engaged to report and analyze contents of the computer hard drive data collected by the Government as a result of property seized at the location of business. The hard drives were produced by the Government with standard DD forensic images of the original. This information was extracted by iQwest into standard file structures according to how they were presented on the drives at the time of collection.
The data was collected for the files visible as well as any deleted files that were not overwritten. For the latter, files only in existence at the time of collection are available for analysis. This means that if any size was required on the drives for new files that contained deleted items, these files would have been deleted at any time prior to the collection and during normal computer usage.
iQwest has separated these two types of collections into separate reports to allow for better reporting and analysis. Every effort has been made to eliminate system files from this collection, although due to the nature of the file extension naming anomalies some system files may have found their way into data being presented. The total size of the file types is minimal and can be further investigated upon data review.
The total data for the data collected is 4.3 Terabytes, of which 972 Gigabytes belong to standard hard drive data and 3.3 Terabytes belong to the unallocated space data. As a result of advanced file type detection technologies we have identified different files by reading the document signature rather just relying on the document extension. This has provided us with the capability to eliminate a large portion of the files being detected. The tools used for the file type detection and extraction are outside the basic scope of this project, although we felt necessary to provide reports of what can be extracted that may be relevant. This has also reduced the total data size dramatically. Additional extraction would be necessary to actually extract this data.
As a result of the file type detection the total potentially relevant data size has been reduced to approximately 150.7 Gigabytes, of which 90.5 Gigabytes is related to standard files (excluding the unallocated space) and 60.2 Gigabytes is related to deleted items being potentially relevant that were detected from the unallocated space. Also as a result of the file type detection we have identified many of the files that can be eliminated, based on date ranges and decisions made for elimination of additional file types that may not seem as potentially relevant. We will provide this information in the following reports.