This is a really special letter that we thought we would share with the community. Thanks Bob and great work! Letter republished with permission from Bob Elder.
Just wanted to pass along my accolades for the SANS 508 course. I have been taking this course via the on-demand method and had to stall the course due to a high profile case I was working on. The case involved online file sharing where the target was visited by police for items found in his publicly shared folder. When the search warrant took place, police members found out that the suspect had been discovered by his wife and had removed all the child pornography videos, including the ones that were documented in the investigation.
When I got the computer and imaged the drive, nothing was there except deleted partial video's. Keyword searches discovered that at one time, he had hundreds of video's on the computer in his online file shares and incomplete folders. No external devices were located and found in the registry. We located a number of video artefact's in unallocated space and one in the recycle bin (I guess he forgot about that one). Keyword hits also pointed me to the System Volume Information. Not having done any forensics on this area of Windows Vista, I was at a lost. I put in tons of overtime and work on this file to recover the videos and had no luck.
I returned to the course and got to the the 508.4 and got to the Restore Point and Shadow Forensics section and this set me in the right direction. After following the processes and leads from this course, I went into work on Sunday (Annual Leave) as I wanted to try this right away and see what I could find. Two hours into the process using the leads you document in this course and using Shadow Explorer, I hit on 7 videos of confirmed C.P. that I can now charge the suspect with possession and accessing C.P.. I am guess that the rest are overwritten by the limitation of the Restore Points (15% of the hard drive in Vista) in the OS, unless you have any other ideas how I can recover move videos. In either case, I have enough to charge the suspect.
The perma grin has not left my face since then (OK, it has only been a few hours) and when I informed the investigators, they were equally excited. Thanks for the SANS Forensics training and especially this course (my third so far), it has been a godsend. The course manuals will always be a great reference for me.
Cheers,
Bob
Detective Bob Elder
Computer and Mobile Phone Forensics Unit
Victoria Police Department