DISASTER DATA RECOVERY AND COMPUTER FORENSICS
"The most feared expression in modern times is 'The Computer is Down.'" (Norman Ralph Augustine)
Lost e-mail is the most common item calling for data recovery. Documents are frequently backed up, but not many people archive their email folders and files. E-mail is also the most common portal for data destruction. It is important, therefore, to know how to handle e-mail incursions.
E-MAIL TRACING, or establishing an audit or paper trail of e-mail traffic, is also the most common type of evidence used in court. In a typical scenario, suspects come to the attention of authorities for reasons other than their e-mail traffic, but then their traffic becomes closely monitored. For example, administrators might have reasons to order security checks on employees who appear disgruntled or have access to sensitive information. Their e-mail logs and network usage may show things like innocent family photos being sent to a Hotmail account, but with no traffic back from that Hotmail account. These innocent photos could be a case of corporate espionage through the use of steganography -- a process in which the bits of a hidden text or image are buried inside the pixel data of an ordinary-looking photograph. Discovering whether that employee possessed a copy of a steganography program would become the basis of an interrogation session.
Forensic tracing of e-mail is similar to traditional gumshoe detective work. Checking involves looking at each point through which an e-mail passed, with the detective working step-by-step back to the originating computer, and, eventually, the perpetrator. The process requires knowing how e-mail works.
All e-mail contains HEADERS, and most tracing of external e-mail begins by looking at this message-header information. A message header is text at the top of an e-mail that travels through the Internet. It contains the source of an e-mail in the "From" line, while in the "Received" lines, the header lists every point the e-mail passed through on its journey, along with the date and time. The message header provides an audit trail of every machine an e-mail has passed through.
Some places the e-mail has traveled will be unfamiliar machine names outside the company network. In these cases, sleuthing tools such as Whois or BetterWhois may be needed to do further tracking. These services search the databases of registrars, which record registrants and the Internet Protocol (IP) addresses assigned to them (an IP address is a numerical identifier for a computer on a network, the virtual equivalent of a street address). For example, running a Whois search on a domain name such as XYZ.com will identify the name and address of the domain name's holder, the administrative and technical points of contact, and the domain name servers responsible for the domain. In other cases, a more sophisticated, yet still free, online tracing tool like Webtracer may be needed.
If the address is not faked, it becomes a matter of determining who used the machine at the time the suspect message was sent. For example, if a school or library computer was used to send a bomb threat through a commercial e-mail account, it becomes a matter of checking log-on times in the school or library's sign-on logs.
More sophisticated suspects will fake their e-mails, however. Some of them will use e-mail programs that strip the message header from the message before delivering it to the recipient or bury the message header within the e-mail program. In other cases, the "From" line in a message header is faked. Other offenders will have stolen someone else's e-mail account or set one up temporarily using bogus address information when they registered.
There are several ways of FAKING E-MAIL. These include Spoofing, Remailing, Relaying, Spamming, Stealing, and Bogus accounts.
Forensic E-Mail Tracing relies on computer logs. A computer log is a record of each e-mail message that passes through a computer in a network. For evidence purposes, an investigator needs to prove that a certain e-mail originating address traveled through a machine by verifying the message ID on a log of e-mail transactions together with the date and time the address was recorded. Sometimes, this is not easily done. Legal limits and jurisdictional issues create tough challenges.
Many Internet service providers (ISPs) do not log e-mail. Smaller ISPs don't turn on their logging functions either because they have inadequately trained staff or because they don't want the responsibility of turning over information. Some only keep partial data, such as log-ins or FTP (file transfer protocol) transfers. ISPs vary in their willingness to assist with a private investigation. Some readily produce computer logs to help, while others refuse to give up logs without a court order or subpoena. They are legitimately concerned about finding themselves in court for violating the privacy rights of users. If an official, public law enforcement officer contacts the ISP and informs them that a certain user is being investigated, the ISP is obligated by law to preserve any information they would have normally logged or collected, giving investigators the time to seek the legal authority to seize the relevant information. ISPs are not required to escalate their monitoring activities, however. If they were not keeping a log to begin with, they are under no obligation to start doing so. Foreign jurisdictions are notoriously uncooperative, even when the investigation has the backing of the U.S. State Department.
Once the physical presence of the perpetrator's PC has been located, it is confiscated, of course, and the forensic analyst makes exact copies (called image copies) of the computer's hard drives. Any analysis on a piece of media should always be conducted from an image copy to avoid tainting the original evidence. The forensic analyst looks for file fragments or portions of any e-mails that contain specific references to the offending message. For example, if the user was using the public e-mail service Hotmail, investigators will check the image copy of the browser's Internet cache showing where the user has been online. It will contain copies of any e-mails created, sent, or received via Hotmail. Even if the user has emptied the cache, there are ways to undelete and recover this information.
There are worrisome trends that suggest e-mail tracing will become more difficult in the future. For example, some new products coming on the market strip e-mail headers, encrypt the message, and then destroy it after a period of time. There are also fairly thorough "window washer" delete utilities. Smart programmers are always looking for ways to get around the audit trail, and investigators always seem to be playing catch-up when tracing e-mail. Nevertheless, e-mail tracing will likely remain an essential part of computer forensics.
A SAMPLE FAKE EMAIL MESSAGE

From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id NAA04656 for <gandalf@ddi.digital.net>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from ddi.digital.net (ddi.digital.net [198.69.104.2]) by wavenet.com (8.6.12/8.6.9) with SMTP id KAA27279 for gandalf@ddi.digital.net; Sat, 11 Nov 1995 10:27:52 -0800
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id OAA18017 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 14:09:46 -0400
Received: from inetlis.wavenet.com (port16.wavenet.com [198.147.118.209]) by wavenet.com (8.6.12/8.6.9) with SMTP id LAA02685 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 11:21:12 -0700

The faked parts are the "from wavenet.com" sections. It looks like the message originated from inetlis.wavenet.com when in reality it came from ddi.digital.net. The dates and times tell you something is wrong when you read the headers from the bottom to the top, which traces the sites the message has gone through. An Nslookup on the IP addresses would verify that 198.147.118.131 is wavenet.com, but the IP doesn't jibe with the name or IP address of the e-mail faker (A@b.c.d). Port16.wavenet.com is 198.147.118.209; wavenet.com is 198.147.118.131; and ddi.digital.net is 198.69.104.2.
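The bottom-to-top reading described above can be automated. The Python script below is an added example, not part of the original lecture: it unfolds the Received headers, pulls out of each hop the name the sender announced, the relay's own reverse lookup and IP, the relay that wrote the line and its timestamp, then walks the hops from oldest to newest looking for the same signs the commentary points out (clocks running backwards, an announced name that disagrees with the reverse lookup, a message bouncing through the same relay twice). The embedded headers are a constructed reproduction of the sample above, reflowed into standard folded header lines; the five-minute clock-skew allowance, the finding names and the chain-continuity check are my own choices rather than anything the lecture prescribes.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the same hop sequence as the page's fake-mail example,
# reflowed into standard folded header lines so it can be parsed.
SAMPLE_HEADERS = """\
From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net
    (8.6.11/8.6.9) with ESMTP id NAA04656 for <gandalf@ddi.digital.net>;
    Sat, 11 Nov 1995 13:16:03 -0500
Received: from ddi.digital.net (ddi.digital.net [198.69.104.2]) by wavenet.com
    (8.6.12/8.6.9) with SMTP id KAA27279 for gandalf@ddi.digital.net;
    Sat, 11 Nov 1995 10:27:52 -0800
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net
    (8.6.11/8.6.9) with ESMTP id OAA18017 for <gandalf@ddi.digital.net>;
    Tue, 24 Oct 1995 14:09:46 -0400
Received: from inetlis.wavenet.com (port16.wavenet.com [198.147.118.209])
    by wavenet.com (8.6.12/8.6.9) with SMTP id LAA02685
    for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 11:21:12 -0700
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"                                   # name the sender announced
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"  # what the relay actually saw
    r".*?\bby\s+(?P<by>\S+)"                                     # the relay that wrote this line
    r".*?;\s*(?P<date>.+)$",                                     # that relay's own timestamp
    re.S,
)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the hops in delivery order (oldest first), i.e. bottom header to top."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line[len("received:"):].strip())
        if not m:
            continue
        hops.append({
            "claimed": m["claimed"],
            "rdns": m["rdns"],
            "ip": m["ip"],
            "by": m["by"],
            "time": parsedate_to_datetime(m["date"].strip()),  # timezone-aware
        })
    hops.reverse()
    return hops


def find_anomalies(hops, skew=timedelta(minutes=5)):
    """Apply the bottom-to-top checks and return (kind, hop_index) pairs in the order found."""
    findings = []
    relays_seen = set()
    for i, hop in enumerate(hops):
        # The announced name should agree with the relay's reverse lookup of the peer.
        if hop["rdns"] and hop["rdns"].lower() != hop["claimed"].lower():
            findings.append(("name_mismatch", i))
        # Each relay's clock should not be earlier than the previous relay's (allowing skew).
        if i > 0 and hop["time"] < hops[i - 1]["time"] - skew:
            findings.append(("clock_reversal", i))
        # The host handing the message on should be the relay that handled the previous hop.
        if i > 0 and hop["claimed"].lower() != hops[i - 1]["by"].lower():
            findings.append(("chain_break", i))
        # A legitimate path rarely passes through the same relay twice.
        if hop["by"].lower() in relays_seen:
            findings.append(("relay_loop", i))
        relays_seen.add(hop["by"].lower())
    return findings


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['claimed']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']} at {hop['time']}")
    for kind, i in find_anomalies(hops):
        print(f"  {kind} at hop {i}")
```

Run against the sample, the script flags the bottom hop's announced name (inetlis.wavenet.com versus the reverse lookup port16.wavenet.com), the two places where the next relay's timestamp is earlier than the previous one, and the second pass through each of wavenet.com and ddi.digital.net. These are leads for the gumshoe work the text describes, not proof by themselves: a real clock-skew problem or a legitimate internal relay loop produces the same findings, so each flagged hop still has to be checked against the relay's own logs.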
The problem of SPAM (junk email) defies easy solution. On the server end, an administrator can try keyword filters or IP database block lists. The keyword approach will simply have to be creative enough to keep up with all the creative ways a spammer can spell "VI@Gra", for example. Attempting to "blacklist" or block spam by specific IP addresses may not work as well as blocking a whole IP address block. Any spammer can spoof a <sent from>, but they can't hide from that part of the IP domain which indicates the block of IP addresses they are using for a relay. The drawback of this is that "innocent" relay points and mail servers are punished even though they don't know they're being used to send spam. Alternatively, a server administrator can try white lists, which only allow email from known and trusted senders, but this is a drastic solution that defies the purpose of email in the first place. Congress has been trying for years to crack down on spam, but the problem is a technological one, and will probably not go away no matter how much legislation is passed. Ultimately, until changes are made in email and related protocols (IMAP, POP3, SMTP, and HTTP), there will probably always be spam. In the meantime, techniques like greylisting hold some promise in cutting down on about 90% or more of spam. Greylisting is a method of protecting users from spam emails by temporarily rejecting senders the server system does not recognize. Most people run into a greylisted server when they get messages saying their message didn't go through but the system is "trying again in about 24 hours"; what's happening here is that multiple email servers are communicating with one another to require messages to be re-sent or re-transmitted later. Since spam originates from places which don't usually honor a re-send or re-transmit later request, this eliminates much spam.
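The greylisting exchange the paragraph describes is easy to model. The Python below is an added example, not code from the lecture or from any mail server: a receiving server keys its decision on the (client IP, envelope sender, envelope recipient) triplet, answers an unknown triplet with a temporary-failure code, and only accepts once the same triplet returns after a minimum delay. The five-minute minimum delay, the 24-hour retry window, the 30-day whitelist lifetime, the SMTP reply texts and the addresses in the simulation are all assumptions; the example goes slightly beyond the text by also showing a retry that arrives too soon.

```python
from datetime import datetime, timedelta


class Greylist:
    """Minimal greylisting policy: temporarily reject unknown (ip, from, to) triplets
    and accept them only when the sender retries after the minimum delay."""

    def __init__(self, min_delay=timedelta(minutes=5),
                 retry_window=timedelta(hours=24),
                 whitelist_ttl=timedelta(days=30)):
        self.min_delay = min_delay          # assumed: how long a sender must wait before retrying
        self.retry_window = retry_window    # assumed: how long a pending triplet is remembered
        self.whitelist_ttl = whitelist_ttl  # assumed: how long a proven triplet stays accepted
        self.pending = {}                   # triplet -> time first seen
        self.whitelist = {}                 # triplet -> time last accepted

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply the server would give at RCPT TO time."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        # A triplet that already proved itself is accepted and its entry refreshed.
        if key in self.whitelist and now - self.whitelist[key] <= self.whitelist_ttl:
            self.whitelist[key] = now
            return "250 OK"

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # Never seen (or a stale record): ask the sender to come back later.
            self.pending[key] = now
            return "451 4.7.1 Greylisted, please try again later"

        if now - first_seen < self.min_delay:
            # Retry arrived too quickly; a real MTA backs off and tries again.
            return "451 4.7.1 Greylisted, please try again later"

        # The sender waited and retried, which one-shot spam tools usually do not.
        del self.pending[key]
        self.whitelist[key] = now
        return "250 OK"


def simulate():
    """Constructed exchange: a real MTA that retries versus a one-shot spam sender."""
    gl = Greylist()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    real = ("192.0.2.10", "alice@example.net", "bob@example.org")   # constructed
    spam = ("198.51.100.7", "deals@example.com", "bob@example.org")  # constructed
    log = [
        ("real-1st", gl.check(*real, t0)),
        ("spam-1st", gl.check(*spam, t0)),
        ("real-2nd-too-soon", gl.check(*real, t0 + timedelta(minutes=1))),
        ("real-3rd", gl.check(*real, t0 + timedelta(minutes=15))),
        ("real-later", gl.check(*real, t0 + timedelta(days=3))),
    ]
    # The spam triplet is still pending because its sender never came back.
    return log, gl


if __name__ == "__main__":
    log, gl = simulate()
    for name, reply in log:
        print(f"{name:18s} {reply}")
    print("still pending:", list(gl.pending))
```

The legitimate sender gets two temporary rejections and is delivered on the third attempt, after which the triplet is whitelisted and later messages pass on the first try; the spam triplet stays in the pending table and is never delivered. The cost is the delay on first contact that the paragraph mentions, which is why real deployments keep the minimum delay short and whitelist known-good relays up front.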
A computer forensic crime scene investigation should begin with developing a plan to approach and secure the crime scene, the capability to document scene activity, and the ability to discover and identify evidence or potential evidence, collect and retrieve such material, and process or analyze it as evidence of potential value to a successful prosecution. Computer evidence is frequently challenged in court. Some judges accept it with little question because they want to crack down on computer criminals, and others reject it because they hold to a fairly technophobic view of the 4th Amendment. There's also some confusion over the legal classification of computer evidence -- is it documentary evidence (which would require reams of printout under the best evidence rule) or is it demonstrative evidence (which would require a true-to-life sample of the reconstructed evidence)? Then, there's the problem of establishing the expertise of the cyberforensic experts who testify. The complexity of the criminal law means that the overwhelming majority of cases do not make it to civil or criminal court, but should. This lecture deals with translating law into practice, and provides an academic discussion of the law and evolving best practices in computer forensics.
THE LAW OF DIGITAL EVIDENCE
Computer search and seizure law is still evolving, and it may be important to begin with a discussion of it, since there are certain similarities and differences between digital searches and traditional 4th Amendment searches of a home (Kerr 2005). Network surveillance law is also important, but that topic usually triggers a discussion of surveillance, which is best left for another time. Computer forensic analysis is typically performed pursuant to a search warrant by a specially trained government analyst at a government laboratory. Weeks or months may pass before all the evidence is finally collected. In most cases, the computer and associated hardware will be seized, and then the police will look through the computer files back at the police station or at a laboratory. This is particularly true in the context of federal investigations. State and local investigations may vary, and are likely to involve less seizure of equipment (a copy-and-scan approach may be taken) and analysis conducted at the police station. In civil cases, the litigants typically hire private companies to perform forensic analysis.
One of the first questions that can be asked in computer seizure law is when exactly the search occurs. The 4th Amendment was set up to handle physically entering a home. With digital forensics, computers are not exactly "entered" nor physically "observed" (all you would see are zeroes and ones), nor is anything physically moved inside them. Secondly, computers in the home typically involve a complex status of ownership and possession; e.g., the home computer may very well be the "family" computer with several users in constructive possession or control. This privacy complexity aside, a computer forensic analyst usually works from a bitstream copy of the hard drive, so again, it's not the actual computer that is being searched, only a copy of it. The search occurs on government property, not private property.
Then, there's the issue of expert recovery of "deleted" files, easy for a computer expert to do, but the question becomes whether the user's attempt to delete things constitutes an attempt at privacy or an attempt at a coverup. Hidden files, files with renamed extensions, and encrypted files generally trigger extra law enforcement effort. All these things raise questions about 4th Amendment rules; i.e., is it looking for evidence in the form of a needle in a haystack? The common law principle of de minimis non curat lex (the law does not concern itself with trifles) may apply, but it should be further noted that under current 4th Amendment interpretation, copying something does not constitute seizing anything (a rule or doctrine well established in Arizona v. Hicks, 480 US 321 (1987), but perhaps not as broadly applicable to support "sneak-and-peek" warrants as Rule 41 of the Federal Rules of Criminal Procedure would allow). The notion of seizure is tied to the concepts of physicality and invasiveness, and digital information becomes physical when it can be readily observed by ordinary human perception (see U.S. v. Karo, 710 F.2d 1433 (10th Cir. 1983), and Kyllo v. U.S., 533 US 27 (2001)). Likewise, law enforcement analysts cannot go on any "fishing expedition" where, for example, they begin by looking for evidence of drug sales, find an image of child pornography, and then abandon the original search and begin looking for more evidence of child pornography (see U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999)). Plain view doctrine, on the other hand, allows police to follow up on things when the incriminating nature of the evidence discovered is immediately apparent. Lots of other cases exist as precedent (e.g., the husband and wife case of U.S. v. Runyon, 275 F.3d 449 (5th Cir. 2001)), but suffice it to say that it is increasingly difficult with computers to determine when one search ends and another begins, simply because of the vast amount of information they hold.
THE ADMISSIBILITY OF DIGITAL EVIDENCE
There are three criminal evidence rules to gain admissibility -- (1) authentication, (2) the best evidence rule, and (3) exceptions to the hearsay rule. Authentication means showing a true copy of the original, best evidence means presenting the original, and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential, or most correct, element of this in practice. Some say documentation (of what has been done); others say preservation (or integrity of the original); and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each, or all, as the standard in computer forensic law.
If your DOCUMENTATION is poor, it will look like your processing procedures were poor, and when you testify in court, you will be made to look ridiculous since you have no good written record to refresh your memory. Problems in the documentation area arise when you try to take shortcuts, or make do with less than adequate time, equipment, and resources. In general, the condition of all evidence has to be documented. It has to be photographed, weighed, and sketched, for example. Then, the laboratory worker (forensic scientist or criminalist) figures out what tests are appropriate, decides on what part of the evidence to examine first, dissects or copies the part to be tested (specimen = dissection; exemplar = copying), and prepares the testing ground, all the while documenting each decision step. Only then does any testing begin, and that's heavily documented with bench notes which are subject to discovery and review by experts from the other side.
If your PRESERVATION is poor, it becomes fairly evident that your collection and transportation of evidence gives rise to numerous possibilities for error in the form of destruction, mishandling, and contamination. Problems in the preservation area have implications for the integrity of law enforcement and crime labs. The basic chain of custody, for example, involves at least three initial sources of error. Evidence has to be discovered (police), it has to be collected (crime scene technician), and then it has to be packaged, labeled, and transported (police supervisor). Once it gets to the lab, it has to be logged in, assigned an identification number, placed in storage, and kept from intermingling with other evidence. All workplaces must be clean and contamination free. Some workplaces are required to meet the standards of professional accrediting organizations. Written policies have to be in place. The quality assurance policy, for example, must act as a check on quality control. Some employee job titles must be held by those with college degrees in the appropriate field.
If your AUTHENTICITY is poor, then you, your agency, and the prosecutor will look like inexperienced rookies, not so much foolish, but like rank amateurs who can't explain, for example, how the MD5 hash algorithm works. Computer evidence, like computer simulations, hasn't fared all that well under the more rigorous standards of admissibility for scientific evidence. The old common law standard is oculis subjecta fidelibus, as it is for any piece of demonstrative evidence (like a plaster cast model -- if the scale is 1:10, an average person ought to be able to visualize the larger thing to scale). Case law, however, varies by jurisdiction. Only the Marx standard resembles the old common law standard, and it's only found in a handful of jurisdictions. Here's a list of all the scientific evidence standards:
The federal courts were the first to recognize that files on computers were similar to, but not the same as, files kept on paper. The best evidence rule has also, in recent years, seen the growth of a standard known as representational accuracy, which means you don't have to present ALL the originals. Therefore, a modern clause exists in the Federal Rules of Evidence (FRE 1001-3) which states:
"If data are stored by computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original."
This exception to the best evidence rule has found a mostly welcome reception in state courts, and I would argue that it's more appropriate to consider digital evidence as demonstrative than documentary. The history of computers in the courtroom ties in with demonstrative standards, and computer forensics, after all, is about reconstructing the crime, or criminalistics. We see how apparent this is once we realize that investigators and technicians always work from a copy, duplicate, mirror, replica, or EXEMPLAR of the original evidence. Digital evidence is the most easily lost evidence. There's nothing in criminal justice more easily damaged, corrupted, or erased. You need to be able to demonstrate that the evidence is what you say it is, came from where you say it did, and has not been modified in any way since you obtained it. How you go about that depends on the circumstances and the computer systems you're dealing with. It's futile to talk about any one correct way to do it, or any perfect printout. There's no "silver bullet" standardized checklist, and there's no "magic" software to produce the perfect printout.
ROLES & PROCEDURES AT DIGITAL CRIME SCENES
The role of first responders:
1. Identifying the crime scene
2. Protecting the crime scene
3. Preserving temporary and fragile evidence
The role of investigators:
1. Establishing the chain of command
2. Conducting the crime scene search
3. Maintaining integrity of the evidence
The role of the crime scene technicians:
1. Preserving volatile evidence and duplicating disks
2. Shutting down the systems for transport
3. Tagging and logging the evidence
4. Packaging the evidence
5. Transporting the evidence
6. Processing the evidence
The investigation from a forensic standpoint:
1. Point one assumes that the forensic lab is well established, exceeds the minimum housing requirements, and has appropriate Standard Operating Procedures documented and tried.
2. Point two assumes that minimum hardware requirements are present within your section.
3. Point three assumes that minimum software requirements are present within your section.
4. Point four assumes that you have a robust library of literature and reference documents available.
5. A forensic investigation tool kit is on hand. The tool kit should include items such as a digital camera, labels for marking, and adequate items for marking, tagging and documenting found evidence.
6. Pre-search activities are accomplished, including preparing for warrant preparation, intelligence gathering, assembling an execution team, planning the search, and assigning responsibilities.
7. Establish a dumpster diving team to search for items such as packing material, discarded media, system reports, software manuals, post-its, social facts for password cracking, etc.
8. Ensure that warrant preparation is given importance. Check with specialists in the field and legal experts while preparing the warrant. You should also check with the magistrate, inform him of the situation, and ask about anything specific that might need to be added to the warrant.
9. You must be sure to articulate the probable cause clearly, both orally and in writing.
10. In evaluating the situation and getting guidance from subject matter experts, you must address to what degree you need to seize equipment: will you need to take all associated equipment, including disks, monitor, printer, and computer? The more detailed the request in the warrant, the more documented approval you have. You will be able to seize items as fruits of the crime, criminal contraband, and items criminally possessed, but the better documented they are, the less apt they are to be questioned by defense attorneys in court.
11. The type of warrant must also be considered, such as a regular warrant or a No-Knock warrant. You may also want to consider a secondary warrant, which is common in computer-related investigations. This additional warrant will also help you withstand examination by the defense attorney if additional information is found.
12. Ensure you have the right number of people, neither too few nor too many, to accomplish the job. These individuals will include on-scene personnel, a case supervisor, arrest team, scene security, interview and interrogation team, sketch and photo team, physical search team, and seizure team.
AN ANALYSIS OF BEST PRACTICES
Let's look at some of the emerging principles of digital evidence collection and handling, which many regard as the skillset of computer forensics. We'll start with some general tips that rely heavily upon the suggestions of Michael Anderson, pioneer "cybercop" and head of a cyberforensics consulting firm. Because differences of opinion exist, we'll also consider the ideas of Kevin Mandia, from Foundstone, Inc., another consulting firm, and Eoghan Casey, associated with Knowledge Solutions, Inc. There are many others we have extracted ideas from, and not all are as acknowledged as they probably deserve.
1. When seizing computer equipment, make sure you follow proper shutdown procedures, and photograph the screen before pulling the plug from the wall (or leaving it on - there are two schools of thought - leaving it on would protect volatile data in RAM). Photograph the system setup, wiring, and area. Tag and bag all cables, cords, and peripheral devices. Write protect all storage media. When transporting, make sure you are grounded and place everything in anti-static bags. Do not expose the items to any heat above 75 degrees, nor let any magnetic fields (such as police radios) come near the equipment. Gentle handling is important. Record the names of individuals who occupy or have access to the area.
The Two Schools of Thought on Volatile Data

Volatile data consist of running processes on a live computer. A computer's system state changes constantly even if no applications are running. Power cycles, timed backups, and login processes are always running in the background, for example. If the computer is hooked up to a network, more processes are running. Some types of Internet attacks require leaving the computer on for long periods of time. With ongoing attacks, you definitely don't want to shut down the computer right away. If the computer is on, the following constitute volatile data: (1) CPU cache and register contents - which have no forensic value; (2) RAM memory dump - which is important to get, but you change the contents by doing so; (3) state of network connections - which is very important and easily obtained from tables in kernel memory; and (4) state of running processes - which is also important and in kernel memory.

The Live Analysis school of thought recommends attaching a SCSI device or using an open network connection to get results for the following commands:

Step                        Windows (cmd.exe)     UNIX (bash)
Establish a new shell       cmd.exe               bash
Record system date/time     date, time            w
Determine logon             loggedon              w
Record open sockets         netstat               netstat -anp
List socket processes       fport                 lsof
List running processes      pslist                ps
List systems connected      nbtstat               netstat
Record system time          date, time            w
Record steps taken          doskey                script, vi, history

The Safe Shutdown school of thought recommends the following procedures:

MS DOS:
1. Photograph screen
2. Pull power cord from wall

UNIX:
1. Photograph screen
2. Right click to menu, choose Console
3. If root user prompt (#) not present, change user by typing su -
4. If password available, use it and type sync;sync;halt
5. If no password, pull power cord from wall

MAC:
1. Photograph screen
2. Click Special
3. Click Shutdown
4. Pull power cord from wall

WINDOWS:
1. Photograph screen
2. Determine if self-destruct program running
3. Pull power cord from wall
2. NEVER turn the specimen computer back on again. ALWAYS work from a backup, duplicate, copy, or image of the hard drive. It is easily possible to rig the startup sequence to destroy data, content or files in several ways. Don't trust the perpetrator if they reveal the password, nor anything found on slips of paper near the machine. These could also contain booby traps. If you are dealing with servers, the best you may be able to do is a logical backup, which contains system and application logs. If you are dealing with someone who has RAID devices (many hard drives installed) and backup tapes, you're going to be spending a lot of time doing FORENSIC DUPLICATION.
The Emerging Totality of Circumstances Test

With large hard drives becoming cheaper and more popular, at some point, a trade-off needs to take place between the resources of law enforcement and the need to duplicate everything. The totality of circumstances must be considered, and this includes the suspect's intelligence, how high-profile or harmful the incident is, and whether a low-impact search of the hard drive might do instead of a high-impact search which looks for file slack and the like. A sample of inculpatory data might suffice with minor offenders. Consider that if your jurisdiction, judge, or the other side demand a printout of everything, an 80 GB hard drive will yield a mountain of paperwork 500 feet high. If the case is going to be handled administratively instead of criminally, then why bother. There are different approaches to take: (1) remove the hard drive and attach it to a forensic workstation; (2) attach a hard drive to the specimen computer and use it as your imaging system; (3) use another computer in the office area as your imaging system; or (4) use a crossover cable or Ethernet connector to send the contents to another network computer or your hooked-up forensic workstation. Whatever approach you take depends upon the resources available and whether your equipment is compatible with the specimen's network system.
3. When you are done making your backup copy, you need to validate that it is an exact MIRROR copy. There are programs such as CRCHECK (Cyclic Redundancy Checker) and CRC32 available to do this, but with large storage devices, you're going to need a mathematical algorithm, like the "fingerprint checker" MD5, that gives a quantifiable probability of match and error. These are all programs that use a checksum or hashing algorithm that holds up in court when you say you've got an accurate and reliable (repeatable by a third party) copy. The larger the number of files, the more mathematical computation you need, and the more read errors you get, the more you need a program that writes conventional placeholders for the blocks it could not read. Probability theory plays a vital part in the admissibility of most modern forms of evidence, like DNA, forensic psychology, social science, and computer forensics. That's one reason why students should pay attention during Math, Statistics, and Research Methods courses. Progress is being made, however, with point-and-click tools. MD5 is emerging as the de facto standard in law enforcement; it was developed by RSA Data Security, Inc. It wouldn't hurt to familiarize yourself with companies like this and vendors in the crypto-security business.
4. Make sure your copy of the hard drive is a bit stream backup, using programs such as EnCase, SafeBack, or Code Blue (for remote diagnostics). Norton Ghost also has some switches and options that can be used for this purpose, and the UNIX dd (data dumper) utility is sometimes used. A bit stream backup records every bit of data held on a storage device, not just the files the file system lists. It is the electronic equivalent of the RF stream that a radio receiver picks up. This ensures that you have copied not only the working files that a conventional backup utility would find, but hidden, erased, fragmented, corrupted, temporary, and special attribute files as well. These are not as easily hidden on floppies, but a hard drive will be full of them. A temporary file, in particular, may contain data from a document that was worked on but never saved to disk. SafeBack is widely used in law enforcement, but EnCase is moving up in popularity. EnCase technically produces evidence files, but for all practical purposes they are the same as complete and accurate duplicates.
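Points 3 and 4 can be shown end to end. The Python below is an added example, not code from the lecture or from any of the tools it names (SafeBack, EnCase, Norton Ghost, dd): it copies a constructed 1 MiB stand-in for a drive block by block the way dd does, fingerprints source and image in a single pass, and then flips one byte in the image to show the fingerprint check catching it. MD5 is used because the text discusses it; SHA-256 is computed alongside it as a practitioner's addition, and the block size, file names and the stand-in data are assumptions.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024  # assumed; plays the role of dd's bs= setting


def image_device(src_path, dst_path, block_size=BLOCK_SIZE):
    """Bit-stream copy: read the source sequentially and write every byte to the image,
    paying no attention to file system structure. Returns the number of bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            dst.write(block)
            copied += len(block)
    return copied


def hash_file(path, algorithms=("md5", "sha256"), block_size=BLOCK_SIZE):
    """Compute every requested fingerprint in one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(src_path, img_path):
    """True only when every fingerprint of the image equals the original's."""
    return hash_file(src_path) == hash_file(img_path)


def demo():
    """Constructed run: image a fake 1 MiB 'drive', verify, then flip one byte and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "specimen.bin")  # assumed name for the original medium
        image = os.path.join(tmp, "specimen.dd")   # assumed name for the image copy
        # Deterministic pseudo-random content standing in for a small drive (constructed).
        data = bytes((i * 7919 + 13) & 0xFF for i in range(1024 * 1024))
        with open(drive, "wb") as f:
            f.write(data)

        copied = image_device(drive, image)
        match_before = verify_image(drive, image)
        fingerprints = hash_file(drive)  # what goes into the bench notes

        # Tamper with a single byte in the middle of the image.
        offset = len(data) // 2
        with open(image, "r+b") as f:
            f.seek(offset)
            original_byte = f.read(1)[0]
            f.seek(offset)
            f.write(bytes([original_byte ^ 0x01]))
        match_after = verify_image(drive, image)

        return {
            "bytes_copied": copied,
            "match_before": match_before,
            "match_after_tamper": match_after,
            "md5": fingerprints["md5"],
            "sha256": fingerprints["sha256"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two habits follow from this. The fingerprints of the original are computed before any analysis and recorded with the case notes, so a third party can repeat the check on the image later (the "repeatable" property the text asks for), and the image is verified again whenever it is copied or handed to another examiner, because a single changed byte, accidental or otherwise, changes the whole digest.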
A Comparison of Safeback and Encase

Safeback was originally created by Chuck Guzis, the world's first cybercop, and his software, marketed by Sydex, was later sold to New Technologies, Inc. It duplicates anything attached to where the big ribbons go (controllers) on a computer motherboard, and can even handle removable devices if you have the appropriate drivers. Built-in utilities can scan ports for other devices. Remote.exe is the imaging program which you put on a boot floppy to boot the specimen computer, having a crossover parallel cable connection to your forensic workstation. Backup, Restore, Verify (checksum), and Copy (both Backup and Restore) commands are then available to you. The program makes its own audit file which serves as your investigator's bench note. Everything imaged is saved in compressed file format on your forensic workstation to save space. The process takes a few minutes to several hours. EnCase uses a Windows interface and has a number of features, focusing on hard drive contents. The specimen hard drive is added as HDD1 or 2 to a forensic workstation, and this Windows Explorer-like program does the rest, with Preview, Save, and Output functions. Graphics files are displayed in thumbnail format, and you can even do string searches for text in Preview mode. Imaged files can be compressed or not, but anything saved is in a proprietary (read-only) format so it is tamper-proof. You can control the size of the (representationally accurate) evidence files so they write to CD-ROM for presentation in court, along with any comments and password protection you've added.
| A Short Primer on Boot or Startup Files |
|
If you've never made a system diskette, or bootable floppy, before, the correct procedure is to insert a blank floppy and at the c:\ prompt, type format a:\ /s which writes the system files, and only the system files, to the floppy. COMMAND.COM stands for Command Interpreter. It allows you to use DOS commands as if you had a mini-version of DOS to work with. AUTOEXEC.BAT (which you'll often need to edit with EDIT.COM) is a batch file (batch meaning run first) that handles drivers for all the devices hooked up to your controllers and ports (controllers being the big ribbons running to the motherboard and ports being the slots behind the machine that also snap into the motherboard). One of the things you'll quickly discover quickly is that no CD-ROM device will run unless the file MSCDEX is present and referenced in your autoexec file. Computers auto-detect everything but CD-ROMs for some reason. CONFIG.SYS is another batch file, despite its extension, which starts up your TSRs (Terminate and Stay Resident programs). These are all the little icons that show up in the lower right corner of your monitor when your machine is on. They are the visible processes running in the background, eating up memory and consuming system resources. IO.SYS is a code file first processed by the computer. It is what initializes the system, loads MSDOS.SYS (if present) or the Command Interpreter, and tests and resets the hardware by looking for and installing device drivers. DRVSPACE.BIN is a driver file for the compression software DriveSpace. A similar program is DoubleSpace. These are used much like HIMEM, EMM, and other programs to set up virtual memory space if the user is low on RAM, but operate by setting up part of the hard drive as a compressed file storage area. You can get some idea of how the hard drive is partitioned by keying in FDISK and displaying the information. 
From a forensic standpoint, you generally don't want drvspace and similar programs to run because they will change the time/date stamps. You may therefore have to learn how to use a Hex Editor to go into IO.SYS and change any references to the word "space" with equivalent nonsense symbols. For even greater safety, use an Interrupt Blocker like PDBlock to disable any possibility of writing to the hard drive (all computers write to hard drives on IRQ 13 and 21). |
6. Verify the time and date stamp stored in the CMOS chip of the specimen computer. Without such information, it would be impossible to backdate the times and dates of other computer files. Many clock settings that record file dates are inaccurate, but the CMOS stamp will help with estimation, and may very well make the all-important connection with ownership and the start of operation. Computers don't commit computer crime; people do, so start paying attention to dates, times, and alibis.
7. Visually inspect and document the make, model and size of all hard drives. The manufacturing specifications will tell you what the capabilities are, and may even provide the best diagnostic utilities for use with a hard drive that is difficult to read.
8. Before you run any type of diagnostic program or software, you need to ensure (to the courts) that you have not inadvertently introduced any computer virus into the specimen computer. Therefore, make sure that you can document that all law enforcement software has been regularly and recently scanned by a virus utility, preferably two of them. You can virus scan the specimen computer and any floppy disks, and again, at the discretion of your expert, you can remove any viruses found. Take into account that viruses can hide in compressed files.
9. Start listing and cataloging all files with their dates and times of creation, update, and last access. Your investigative leads are going to come out of cross-referencing these dates and times with other files on the same computer or files on a different computer.
10. Document that the forensic tools you are using consist of properly purchased, licensed software. Stay away from freeware, shareware, and the trivial, no matter how useful you think it is. Some courts even take a dim view of anything purchased at a discount. Be sure your software is registered with the publisher, and that you can document your upgrade or update history.
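Steps 4 and 9 together, as an added Python example that is not from the page or from any of the tools it names: a bit-for-bit copy hashed as it is read, re-hashed afterwards to verify the image, and a catalog of every file with its size, times and hash for later cross-referencing. The file names, the constructed 10000-byte "device" and the appended byte that simulates an altered image are assumptions made for the demo; a real acquisition would read the raw device through a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # copy granularity; the source need not be a multiple of it

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_bitstream(src, dst):
    """Copy every byte of src to dst; return the SHA-256 of what was read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()

def catalog(root):
    """Step 9: files under root with size, MAC times (st_ctime is inode-change
    time on Unix, not creation time) and hash, for cross-referencing."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            rows.append({"path": os.path.relpath(p, root), "size": st.st_size,
                         "mtime": st.st_mtime, "atime": st.st_atime,
                         "ctime": st.st_ctime, "sha256": sha256_file(p)})
    return rows

def run_demo():
    """Constructed data: a 10000-byte file stands in for the specimen drive."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.img")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 39 + b"\x00" * 16)   # 9984 + 16 bytes
        acquired = image_bitstream(src, dst)
        verified = acquired == sha256_file(dst) == sha256_file(src)
        with open(dst, "ab") as f:      # simulate the image being altered
            f.write(b"\x00")
        rows = catalog(tmp)
        return {"verified": verified,
                "tamper_detected": sha256_file(dst) != acquired,
                "sizes": {r["path"]: r["size"] for r in rows}}
```

The acquisition hash, the image hash and the catalog belong in the audit file that serves as the bench note, so the comparison can be repeated in front of a court.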
Last updated: Dec. 21, 2008
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.apsu.edu/oconnort/rest of URL accessed on today's date.