HAYSTACKID’s National Director of Forensics, Alex Gessen, recently identified a significant inconsistency in how popular forensic imaging tools capture forensic images. The problem stems from the fact that many USB storage devices have more than one embedded serial number. Certain tools, such as FTK Imager and command line tools accessed from DOS or PowerShell, report the first of two potentially different serial numbers. Guidance Software’s EnCase detects and reports a second serial number. The tools capture the serial number during the forensic imaging process and embed it into the Expert Witness format forensic image files, often called “E01” files. Depending on which tool was used to capture the forensic image, the serial number embedded into the forensic image may vary. This could lead to significant problems and erroneous conclusions by forensic experts reporting to courts on allegations of trade secret theft by recently departed employees.
The problem, as Gessen describes both in a recent interview and on his personal blog, creates the potential for forensic experts to erroneously conclude that a drive containing stolen client lists and trade secrets was not connected to a departed employee’s home computer or her new work computer. If the serial number reported by FTK Imager is the first of two different serial numbers, and the forensic examiner searches for that serial number on the suspect computer now used by the former employee, that serial number will not be found anywhere in the registry of a Windows-based system. The alternate serial number, reported by Guidance Software’s EnCase when that tool is used to make the initial forensic image, can be found in the registry if the external USB device had been connected to the former employee’s new computer. Accordingly, it is very important for the forensic expert to understand how the forensic image was originally acquired. Otherwise the expert may reach a faulty conclusion simply because the serial number reported by FTK Imager during imaging does not appear anywhere in the registry of the separate computer being examined to determine whether the suspect storage device had been connected to it.
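The check described above can be sketched as follows. This is an added example, not code from Gessen or HAYSTACKID: it searches a `.reg` export of the `Enum\USBSTOR` key for every serial number recorded for the device, not only the one stored in the image. The registry fragment, device names, serial numbers and tool labels are all constructed for illustration.

```python
import re

# Constructed sample: fragment of a .reg export of Enum\USBSTOR taken from the
# examined computer. Device names and serial numbers are made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashDrive&Rev_1.00\0A1B2C3D4E5F&0]
"FriendlyName"="Acme FlashDrive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashDrive&Rev_1.00\0A1B2C3D4E5F&0\Device Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Other&Prod_Stick&Rev_2.10\99887766AABB&0]
"""

# Constructed: two serial numbers recorded for the same device by different tools.
CANDIDATES = {"tool A (first serial)": "57584E31",
              "tool B (second serial)": "0a1b2c3d4e5f"}

# Matches only device-instance keys (USBSTOR\<device>\<instance id>), not subkeys.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]\s*$", re.MULTILINE)

def normalize(serial):
    """Upper-case the value and drop the trailing '&<n>' Windows appends."""
    return re.sub(r"&\d+$", "", serial.strip().upper())

def usbstor_instances(reg_text):
    """Return (device, instance_id) for each device-instance key in the export."""
    return KEY_RE.findall(reg_text)

def check_serials(reg_text, candidates):
    """Map each candidate label to the USBSTOR devices whose instance ID matches."""
    seen = [(dev, normalize(inst)) for dev, inst in usbstor_instances(reg_text)]
    return {label: [dev for dev, inst in seen if inst == normalize(serial)]
            for label, serial in candidates.items()}

def connected(reg_text, candidates):
    """True if ANY serial recorded for the device appears under USBSTOR."""
    return any(check_serials(reg_text, candidates).values())

if __name__ == "__main__":
    for label, hits in check_serials(SAMPLE_REG, CANDIDATES).items():
        print(f"{label}: {'found in ' + ', '.join(hits) if hits else 'not found'}")
    print("device connected:", connected(SAMPLE_REG, CANDIDATES))
```

On the constructed data, a search using only the first serial comes back empty while the second serial matches, so a negative result for one serial alone does not show that the device was never connected.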
This is a significant finding that has generated much discussion in the forensic community and might warrant having our experts review any of your current or past cases involving misappropriation of trade secrets by departing employees.
For more technical details on this issue, check out Gessen’s blog at:
Or watch his interview: