Thank you for sharing!

Your article was successfully shared with the contacts you provided.
While the courts have long recognized that deleted computer files are discoverable, new computer forensic software is enabling investigators to delve even deeper into the recesses of hard drives. There, they find many forms of important but normally invisible duplicate files and other “temporary” data which are systematically generated by the operating system (OS) during normal computer use without the knowledge of the user. Because the OS and not the user generates this information, experts generally refer to this data as “OS artifacts.” OS artifacts invariably have significant evidentiary value, and clearly qualify as “writings” or “recordings” under Federal Rule of Evidence 1001(1) (which includes data stored in “magnetic impulse” or “mechanical or electronic recording” along with traditional paper documents). The court in Armstrong v. Executive Office of The President1 F.3d 1274 (D.C. Cir. 1998), recognized the importance of information related to a computer file that is not readily apparent to the casual user, noting that a “hard copy” paper printout of an electronic document would not “necessarily include all the information held in the computer memory as part of the electronic document.” Many recent litigation matters have been significantly impacted by the recovery of OS artifacts by computer forensic experts. In United States v. Tucker, 150 F.Supp.2d 1263 (D. Utah 2001), for example, a conviction was largely supported by evidence found in the form of deleted Internet cache files (one form of OS artifacts) that the defendant’s OS saved to his hard drive when he viewed them on various Web sites. Fortunately, as noted above, the growing proliferation of these experts and the advancements in the latest generation of computer forensic software has made computer forensics far more cost-effective than in previous years. As such, litigators need to become familiar with the concept of OS artifacts and their important potential as key evidence. The following are just some of the forms of common OS artifacts that have consistently proven to harbor important evidentiary information. THE SWAP FILE The swap file is a little-known but typically large repository of data that is often a boon to computer forensic investigators. Swap files (also known as swap space or, in Windows NT, a pagefile) are located on the computer’s hard disk and are used as the virtual memory extension of a computer’s random access memory (RAM). The swap file enables a computer’s OS to more effectively manage available memory and improve performance. Currently open but less active files can be “swapped out” to a hard disk until they are needed so that the new or more active files can run with more available RAM. For example, if a user has an e-mail document open but is currently working on other applications, the OS will very likely place that e-mail, text and all, on the swap space of the hard drive in order to free up memory for the other, more active applications. Swap files can be quite large, with a 300-megabyte swath of data-laden swap space not uncommon. There is a significant potential for these large areas of a hard drive to contain remnants of word processing documents, e-mail, Internet activity (including Web pages, instant messaging and chat room conversations), and almost any other data created and/or viewed in past work sessions. Notably, even if e-mail or other documents are created on the screen but never saved by the user to storage, such documents or remnants thereof may still be recovered from swap space. Swap files are utilized by all versions of the Windows OS as well as many Unix systems. PRINT SPOOLER FILES Printing in Windows involves a spooling process whereby the OS creates a “temporary” copy of the file to be printed, known as an enhanced metafile (EMF). Windows then sends that temporary file to the printer, allowing the printing process to occur in the background while allowing the user to continue working. The EMF files are then deleted by Windows and are normally invisible to the user. Computer investigators routinely search for these evidentiary treasures and there are even computer forensic software programs (such as Guidance Software’s EnCase) that cull these deleted temporary print spool files from the depths of hard drives in an automated fashion. In addition to recovering the files that were printed, the existence of a file in EMF format suggests the deliberate act of printing, thereby often countering claims of ignorance that a particular file existed on an individual’s computer. EMF files also contain a wealth of metadata that can reveal when a certain file was printed, where it was located on the computer, and other information. In a recent case investigated by the San Diego Regional Computer Forensics Laboratory (RCFL), a bank robber, dubbed the “Gap Toothed Bandit” by the local media, created demand notes in his word processor by printing the demand notes without ever saving them as files onto his computer. However, skilled RCFL examiners recovered the demand notes in the form of deleted EMF files from the suspect’s hard drive. This evidence played an important role in securing the Gap-Toothed Bandit’s conviction. E-MAIL ATTACHMENT FILES When computer files are transmitted over the Internet as e-mail attachments, a process similar to the printing process occurs, where Windows generates duplicate temporary files of the files being transmitted as an attachment. For instance, if a user were to transmit a spreadsheet file he/she created on their computer over the Internet as an e-mail attachment, Windows would create a copy of that file in an encoded format, usually MIME (Multi-Purpose Internet Mail Extensions) or uuencode. Oftentimes, files that have been deleted and overwritten can be found in duplicate in the form of a MIME file. Additionally, recovering MIME files or other encoded duplicates of an encrypted file sent over the Internet can circumvent many forms of encryption. FOLDER ENTRIES AND LINK FILES The Windows 95/98/Me operating systems will create folder entries on a drive whenever a user moves or renames a file. The folder entries that are created and deleted during the moving and renaming processes contain information that the investigator can use to identify the user’s activities, such as determining when a file was created, modified, moved, or renamed, and from what location. In systems utilizing the Windows NT file system, including Windows 2000 and XP, a forensic examination of deleted Master File Table records and index buffers will accomplish many of the same functions. Link files provide similar insight and information about a user’s activity on a computer system. When a user accesses a particular file, Windows creates a temporary link file that points to that accessed file. This enables the user to access recently opened files by clicking on the Start button and selecting Documents, where the OS then displays a list of recently opened data files. The user can select a file from this list, causing the file to be opened by its registered application. These link files are stored in the Windows/Recent folder, where by default fifteen such entries are maintained before being deleted by the OS. However, forensic examiners can often recover hundreds of these files from a hard drive. The recovery of such link files can reveal the identities of data files opened by the user, and can often provide a wealth of information about how the computer system was configured on a given date and even reveal the existence of disks with relevant information that was not produced for examination. In United States v. Dean138 F.Supp.2d 207 (2001 D. Me), a defendant accused of possessing child pornography on various floppy disks denied ever accessing the illegal images in question. However, a forensic examination of the defendant’s hard drive (which the defendant did admit using) by a federal agent revealed several link files pointing to the exact floppy disk image files in question. This information was among other key evidence resulting in the defendant’s conviction. RECYCLE BIN INFO FILES Windows tracks files sent by the user to the Recycle Bin by generating temporary INFO files that, when recovered and assembled by investigators, serve as a compelling history log documenting a user’s file deletion activity. A typical Windows system contains a wealth of important Recycle Bin INFO files data scattered throughout normally hidden areas of a hard drive. An investigator can often determine when a user deleted particular files, the sequence of deletion and other important file metadata, even if those files had long since been emptied from the Recycle Bin. INFO file records invariably tell stories about file histories and the user’s state of mind. As files automatically deleted by the OS do not leave a record in the INFO file, an INFO file record indicates that a user knowingly deleted a file in question. Oftentimes numerous files are deleted during a significant time period, such as when the user felt that suspicion was focused upon him, or the day before a computer is to be produced pursuant to a subpoena or discovery request. A trained computer forensic investigator will be able to recover these INFO files, which are often critical in creating a compelling case. These are only some of the OS artifacts that currently exist on a typical hard drive. Log files, event files, index buffers, registry entries, Internet history files and bitmap files are some other forms of metadata and OS artifacts not discussed here, but are an important part of the newly discovered universe of relevant evidence residing on litigants’ computers. John M. Patzakis is general counsel to Guidance Software, Inc. (www.EnCase.com), the developer of the computer forensic software tool, EnCase. He can be reached at [email protected]. A version of this article originally appeared in the September 2001 edition of Pike & Fischer‘sDigital Discovery & e-Evidence publication.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.