DISASTER DATA RECOVERY AND COMPUTER FORENSICS
"The most feared expression in modern times is The Computer is Down" (Norman Ralph Augustine)

        E-MAIL is a common security vulnerability.  It is a virtual door that leads directly into the network and indirectly into every desktop.  It can be used by hackers to sneak in, or by staff to sneak secrets out.  It can also be used as a portal for data destruction.  It is important to know how to handle e-mail incursions.

    E-MAIL TRACING is probably the most common duty of cybercrime investigators, and an audit or paper trail of e-mail traffic is the most common type of evidence used in court.  In a typical scenario, suspects come to the attention of authorities for reasons other than their e-mail traffic, but then their traffic becomes closely monitored.  For example, administrators might have reasons to order security checks on employees who appear disgruntled or have access to sensitive information.  Their e-mail logs and network usage may show things like innocent family photos being sent to a Hotmail account, but with no traffic back from that Hotmail account.  These innocent photos could be a case of corporate espionage through the use of steganography -- a process in which the ones and zeros of a text or image file are buried inside the pixels of an ordinary-looking photograph.  Discovering whether that employee possessed a copy of a steganography program would become the basis of an interrogation session.

    Forensic tracing of e-mail is similar to traditional gumshoe detective work. Checking involves looking at each point through which an e-mail passed, with the detective working step-by-step back to the originating computer, and, eventually, the perpetrator.  The process requires knowing how e-mail works.

    All e-mail contains HEADERS, and most tracing of external e-mail begins by looking at this message-header information. A message header is text at the top of an e-mail that travels through the Internet. It contains the source of an e-mail in the "From" line, while in the "Received" lines, the header lists every point the e-mail passed through on its journey, along with the date and time.  The message header provides an audit trail of every machine an e-mail has passed through.

    Some places the e-mail has traveled will be unfamiliar machine names outside the company network.  In these cases, sleuthing tools such as Whois or BetterWhois may be needed to do further tracking. These services search databases of registrars that record online users and their Internet Protocol (IP) addresses (numerical identifiers for computers on a network, the virtual equivalent of a street address). For example, running a Whois search on a domain name such as XYZ.com will identify the name and address of the domain name's holder, administrative and technical points of contact, and the domain name servers responsible for the domain.  In other cases, a more sophisticated online yet free tracing tool like Webtracer may be needed.

    If the address is not faked, it becomes a matter of determining who used the machine at the time the suspect message was sent. For example, if a school or library computer was used to send a bomb threat through a commercial e-mail account, it becomes a matter of checking log-on times in the school or library's sign-on logs.

   More sophisticated suspects will fake their e-mails, however.  Some of them will use e-mail programs that strip the message header from the message before delivering it to the recipient or bury the message header within the e-mail program. In other cases, the "From" line in a message header is faked. Other offenders will have stolen someone else's e-mail account or set one up temporarily using bogus address information when they registered.

    There are several ways of FAKING E-MAIL.  These include Spoofing, Remailing, Relaying, Spamming, Stealing, and Bogus accounts.

    Forensic E-Mail Tracing relies on computer logs. A computer log is a record of each e-mail message that passes through a computer in a network.  For evidence purposes, an investigator needs to prove that a certain e-mail originating address traveled through a machine by verifying the message ID on a log of e-mail transactions together with the date and time the address was recorded.  Sometimes, this is not easily done.  Legal limits and jurisdictional issues create tough challenges.

    Many Internet service providers (ISPs) do not log e-mail. Smaller ISPs don't turn on their logging functions either because they have inadequately trained staff or because they don't want the responsibility of turning over information. Some only keep partial data, such as log-ins or FTP (file transfer protocol) transfers.  ISPs vary in their willingness to assist with a private investigation. Some readily produce computer logs to help, while others refuse to give up logs without a court order or subpoena. They are legitimately concerned about finding themselves in court for violating the privacy rights of users.  If an official, public law enforcement officer contacts the ISP and informs them that a certain user is being investigated, the ISP is obligated by law to preserve any information they would have normally logged or collected, giving investigators the time to seek the legal authority to seize the relevant information. ISPs are not required to escalate their monitoring activities, however. If they were not keeping a log to begin with, they are under no obligation to start doing so.  Foreign jurisdictions are notoriously uncooperative, even when the investigation has the backing of the U.S. State Department. 

    Once the physical presence of the perpetrator's PC has been located, it is confiscated, of course, and the forensic analyst makes exact copies (called image copies) of the computer's hard drives. Any analysis on a piece of media should always be conducted from an image copy to avoid tainting the original evidence. The forensic analyst looks for file fragments or portions of any e-mails that contain specific references to the offending message. For example, if the user was using the public e-mail service Hotmail, investigators will check the image copy of the browser's Internet cache showing where the user has been online. It will contain copies of any e-mails created, sent, or received via Hotmail.  Even if the user has emptied the cache, there are ways to undelete and recover this information.

    There are worrisome trends that suggest e-mail tracing will become more difficult in the future. For example, some new products coming on the market strip e-mail headers, encrypt the message, and then destroy it after a period of time.  There are also fairly thorough "window washer" delete utilities.  Smart programmers are always looking for ways to get around the audit trail, and investigators always seem to be playing catch-up when tracing e-mail. Nevertheless, e-mail tracing will likely remain an essential part of computer forensics.

A SAMPLE FAKE EMAIL MESSAGE

From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id NAA04656 for <gandalf@ddi.digital.net>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from ddi.digital.net (ddi.digital.net [198.69.104.2]) by wavenet.com (8.6.12/8.6.9) with SMTP id KAA27279 for gandalf@ddi.digital.net; Sat, 11 Nov 1995 10:27:52 -0800
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id OAA18017 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 14:09:46 -0400
Received: from inetlis.wavenet.com (port16.wavenet.com [198.147.118.209]) by wavenet.com (8.6.12/8.6.9) with SMTP id LAA02685 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 11:21:12 -0700

The faked parts are the "from wavenet.com" sections.  It looks like the message originated from inetlis.wavenet.com when in reality it came from ddi.digital.net. The dates and times tell you something is wrong when you read the headers from the bottom to the top, which traces the sites the message has gone through. An Nslookup on the IP addresses would verify that 198.147.118.131 is wavenet.com, but the IP doesn't jibe with the name or address of the e-mail faker (A@b.c.d). Port16.wavenet.com is 198.147.118.209; wavenet.com is 198.147.118.131; and ddi.digital.net is 198.69.104.2.
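As an added example (not part of the lecture), the following Python script parses the sample headers above, walks the Received lines bottom to top as the text describes, and reports the anomalies a tracer would write down. The 15-minute clock-skew allowance and one-day gap threshold are assumed values, and KNOWN_HOSTS stands in for the Nslookup results quoted above.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# The lecture's sample fake message, one header per line (the "From " line first).
SAMPLE_HEADERS = """\
From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id NAA04656 for <gandalf@ddi.digital.net>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from ddi.digital.net (ddi.digital.net [198.69.104.2]) by wavenet.com (8.6.12/8.6.9) with SMTP id KAA27279 for gandalf@ddi.digital.net; Sat, 11 Nov 1995 10:27:52 -0800
Received: from wavenet.com (wavenet.com [198.147.118.131]) by ddi.digital.net (8.6.11/8.6.9) with ESMTP id OAA18017 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 14:09:46 -0400
Received: from inetlis.wavenet.com (port16.wavenet.com [198.147.118.209]) by wavenet.com (8.6.12/8.6.9) with SMTP id LAA02685 for <gandalf@ddi.digital.net>; Tue, 24 Oct 1995 11:21:12 -0700
"""

# Stand-in for the Nslookup results quoted in the text (name -> address).
KNOWN_HOSTS = {
    "port16.wavenet.com": "198.147.118.209",
    "wavenet.com": "198.147.118.131",
    "ddi.digital.net": "198.69.104.2",
}

# One Received line: the name the sender announced, the reverse-DNS name and
# address the receiving server saw, the receiving server, and its timestamp.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) "
    r"by (?P<by>\S+) .*?; (?P<date>.+)$"
)


def parse_received(headers):
    """Return the Received hops in transit order: bottom header first, top last."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hop = m.groupdict()
            hop["when"] = parsedate_to_datetime(hop["date"])
            hops.append(hop)
    hops.reverse()  # each server prepends its line, so the last line is the first hop
    return hops


def envelope_domain(headers):
    """Domain of the address on the leading 'From ' line."""
    m = re.match(r"^From \S+@(\S+) ", headers.splitlines()[0])
    return m.group(1) if m else None


def audit(headers, known_hosts=KNOWN_HOSTS,
          skew=timedelta(minutes=15), max_gap=timedelta(days=1)):
    """Walk the hops bottom to top and return a list of anomaly descriptions.

    skew is the clock difference tolerated between neighbouring servers and
    max_gap the longest plausible queueing delay; both are assumed thresholds."""
    hops = parse_received(headers)
    findings = []
    for i, hop in enumerate(hops, start=1):
        if hop["helo"] != hop["rdns"]:
            findings.append(f"hop {i}: announced name {hop['helo']} differs "
                            f"from reverse DNS {hop['rdns']}")
        expected = known_hosts.get(hop["rdns"])
        if expected and expected != hop["ip"]:
            findings.append(f"hop {i}: {hop['rdns']} resolves to {expected}, "
                            f"header shows {hop['ip']}")
        if i > 1:
            prev = hops[i - 2]
            if prev["by"] != hop["helo"]:
                findings.append(f"hop {i}: received from {hop['helo']} but the "
                                f"previous hop was handled by {prev['by']}")
            delta = hop["when"] - prev["when"]
            if delta < -skew:
                findings.append(f"hop {i}: stamped {-delta} earlier than the previous hop")
            elif delta > max_gap:
                findings.append(f"hop {i}: {delta} gap since the previous hop")
    domain = envelope_domain(headers)
    if domain and not any(domain in (h["helo"], h["rdns"]) for h in hops):
        findings.append(f"sender domain {domain} never appears in any Received line")
    return findings


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(f"{hop['when'].isoformat()}  {hop['rdns']:<22} -> {hop['by']}")
    for finding in audit(SAMPLE_HEADERS):
        print("!!", finding)
```

On the sample, the two wavenet-to-ddi hops each run about twelve minutes backwards (within the skew allowance, so plausibly just clock drift), while the 18-day jump between the October and November hops is what the script flags.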

    The problem of SPAM (junk e-mail) defies easy solution.  On the server end, an administrator can try keyword filters or IP database block lists.  The keyword approach will simply have to be creative enough to keep up with all the creative ways a spammer can spell "VI@Gra", for example.  Attempting to "blacklist" or block spam by specific IP addresses may not work as well as blocking a whole IP address block.  Any spammer can spoof a <sent from>, but they can't hide the part of the IP domain which indicates the block of IP addresses they are using for a relay.  The drawback of this is that "innocent" relay points and mail servers are punished even though they don't know they're being used to send spam.  Alternatively, a server administrator can try white lists, which only allow e-mail from known and trusted senders, but this is a drastic solution that defeats the purpose of e-mail in the first place.  Congress has been trying for years to crack down on spam, but the problem is a technological one, and will probably not go away no matter how much legislation is passed.  Ultimately, until changes are made in e-mail and related protocols (IMAP, POP3, SMTP, and HTTP), there will probably always be spam.  In the meantime, techniques like greylisting hold some promise in cutting down on about 90% or more of spam.  Greylisting is a method of protecting users from spam by temporarily rejecting senders the server system does not recognize.  Most people run into a greylisted server when they get a message saying their mail didn't go through but the system is "trying again in about 24 hours"; what's happening here is that the mail servers involved are requiring the message to be re-sent or re-transmitted later.  Since spam originates from places which don't usually honor a re-send or re-transmit-later request, this eliminates much spam.
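To make the greylisting mechanism concrete, here is an added Python model (not from the lecture) of the decision a receiving server makes on each delivery attempt. The (client IP, sender, recipient) triplet key, the five-minute minimum retry delay and the 24-hour record lifetime are assumed parameters, and the addresses in the timeline are constructed.

```python
from datetime import datetime, timedelta


class Greylist:
    """Greylisting decision table keyed on the (client IP, sender, recipient) triplet.

    The first attempt from an unknown triplet gets a temporary rejection; a
    properly queued retry after min_delay is accepted and the triplet is
    remembered. A sender that never retries never gets delivered."""

    TEMP_REJECT = "451 4.7.1 Greylisted, please try again later"
    ACCEPT = "250 OK"

    def __init__(self, min_delay=timedelta(minutes=5), retry_window=timedelta(hours=24)):
        self.min_delay = min_delay          # retries sooner than this are deferred again
        self.retry_window = retry_window    # a pending triplet is forgotten after this long
        self._pending = {}                  # triplet -> time of first attempt
        self._known = set()                 # triplets that completed a proper retry

    @staticmethod
    def _key(client_ip, sender, recipient):
        return (client_ip, sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now):
        """Return the SMTP reply the server would give at time `now`."""
        triplet = self._key(client_ip, sender, recipient)
        if triplet in self._known:
            return self.ACCEPT
        first = self._pending.get(triplet)
        if first is None or now - first > self.retry_window:
            self._pending[triplet] = now    # new (or expired) triplet: start the clock
            return self.TEMP_REJECT
        if now - first < self.min_delay:
            return self.TEMP_REJECT         # retried too soon; a real MTA queues and waits
        self._known.add(triplet)
        del self._pending[triplet]
        return self.ACCEPT

    def is_known(self, client_ip, sender, recipient):
        return self._key(client_ip, sender, recipient) in self._known


def simulate():
    """Constructed timeline: a legitimate mail server that queues and retries,
    and a spam source that fires once and moves on."""
    gl = Greylist()
    t0 = datetime(2024, 1, 15, 9, 0, 0)     # arbitrary constructed clock
    legit = ("203.0.113.10", "alice@example.org", "gandalf@ddi.digital.net")
    spam = ("198.51.100.77", "deals@example.net", "gandalf@ddi.digital.net")
    return {
        "legit_first": gl.decide(*legit, now=t0),
        "legit_retry_2min": gl.decide(*legit, now=t0 + timedelta(minutes=2)),
        "legit_retry_15min": gl.decide(*legit, now=t0 + timedelta(minutes=15)),
        "legit_next_day": gl.decide(*legit, now=t0 + timedelta(days=1)),
        "spam_only_attempt": gl.decide(*spam, now=t0),
        "spam_never_delivered": not gl.is_known(*spam),
    }


if __name__ == "__main__":
    for event, reply in simulate().items():
        print(f"{event:<22} {reply}")
```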

    A computer forensic crime scene investigation should begin with the development of a plan to approach and secure the crime scene, the capability to document scene activity, and the capability to discover and identify evidence or potential evidence, collect and retrieve such material, and process or analyze it as evidence of potential value to a successful prosecution.  Computer evidence is frequently challenged in court.  Some judges accept it with little question because they want to crack down on computer criminals, and others reject it because they hold to a fairly technophobic view of the 4th Amendment.  There's also some confusion over the legal classification of computer evidence -- is it documentary evidence (which would require reams of printout under the best evidence rule) or is it demonstrative evidence (which would require a true-to-life sample of the reconstructed evidence)?  Then, there's the problem of establishing the expertise of cyberforensic experts who testify.  The complexity of the criminal law means that the overwhelming majority of cases do not make it to civil or criminal court, but should.  This lecture deals with translating law into practice, and provides an academic discussion of the law and evolving best practices in computer forensics.

THE LAW OF DIGITAL EVIDENCE

    Computer search and seizure law is in the process of evolving, and it may be important to begin with a discussion of that since there are certain similarities and differences between digital searches and traditional 4th Amendment searches of a home (Kerr 2005).  Network surveillance law is also important, but that topic usually triggers a discussion of surveillance, which is best left for another time to talk about.  Computer forensics analysis is typically performed pursuant to a search warrant by a specially trained government analyst at a government laboratory.  Weeks or months may be involved before all the evidence is finally collected. In most cases, the computer and associated hardware will be seized, and then the police will look through the computer files back at the police station or at a laboratory.  This process is particularly true in the context of federal investigations.  State and local investigations may vary, and are likely to involve less seizure of equipment (a copy-and-scan approach may be taken) and the conduct of analysis at the police station.  In civil cases, the litigants typically hire private companies to perform forensic analysis.

    One of the first questions that can be asked in computer seizure law is when exactly does the search occur?  The 4th Amendment was set up to handle actually entering a home, physically.  With digital forensics, computers are not exactly "entered" nor physically "observed" (all you would see are zeroes and ones), nor is anything physically moved inside of them.  Secondly, computers in the home typically involve a complex status of ownership and possession; e.g., the home computer may very well be the "family" computer with several users in constructive possession or control.  This privacy complexity aside, a computer forensic analyst usually works from a bitstream copy of the hard drive, so again, it's not the actual computer that is being searched, only a copy of it.  The search occurs on government property, not private property.

    Then, there's the issue of expert recovery of "deleted" files, easy to do for a computer expert, but the question becomes whether the user's attempt to delete things constitutes an attempt at privacy or an attempt at coverup.  Hidden files, files with renamed extensions, and encrypted files generally trigger extra law enforcement effort.  All these things raise questions about 4th Amendment rules; i.e., is it looking for evidence in the form of a needle in a haystack?  The common law principle of de minimis non curat lex (the law does not concern itself with trifles) may apply, but it should be further noted that under current 4th Amendment interpretation, copying something does not constitute seizing anything (a rule or doctrine well-established in Arizona v. Hicks 480 US 321 1987 but perhaps not as broadly applicable to support "sneak-and-peek" warrants as Rule 41 of the Federal Rules of Criminal Procedure would allow).  The notion of seizure is tied to the concepts of physicality and invasiveness, and digital information becomes physical when it can be readily observed by ordinary human perception (see U.S. v. Karo 710 F.2d 1433 10th Cir. 1983 and Kyllo v. U.S. 533 US 27 2001).  Likewise, law enforcement analysts cannot go on any "fishing expedition" where, for example, they begin by looking for evidence of drug sales, but find an image of child pornography, and then proceed to abandon the original search and begin looking for more evidence of child pornography (see U.S. v. Carey 172 F.3d 1268 10th Cir. 1999).  Plain view doctrine, on the other hand, allows police to follow up on things when the incriminating nature of the evidence discovered is immediately apparent.  Lots of other cases exist as precedent (e.g., the husband and wife case of U.S. v. Runyon 275 F.3d 449 5th Cir. 2001), but suffice it to say that it is increasingly difficult with computers to determine when one search ends and another begins, and this is simply because of the vast amount of information they hold.

THE ADMISSIBILITY OF DIGITAL EVIDENCE

    There are three criminal evidence rules to gain admissibility -- (1) authentication, (2) the best evidence rule, and (3) exceptions to the hearsay rule.  Authentication means showing a true copy of the original, best evidence means presenting the original, and the allowable exceptions are when a confession, business, or official records are involved.  Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential, or most correct, element of this in practice.  Some say documentation (of what has been done); others say preservation (or integrity of the original); and still others say authenticity (the evidence being what you say it is).  Good arguments could be made for the centrality of each, or all, as the standard in computer forensic law. 

    If your DOCUMENTATION is poor, it will look like your processing procedures were poor, and when you testify in court, you will be made to look ridiculous since you have no good written record to refresh your memory.  Problems in the documentation area arise when you try to take shortcuts, or make do with less than adequate time, equipment, and resources.  In general, the condition of all evidence has to be documented.  It has to be photographed, weighed, and sketched, for example.  Then, the laboratory worker (forensic scientist or criminalist) figures out what tests are appropriate, decides on what part of the evidence to examine first, dissects or copies the part to be tested (specimen = dissection; exemplar = copying), and prepares the testing ground, all the while documenting each decision step. Only then does any testing begin, and that's heavily documented with bench notes which are subject to discovery and review by experts from the other side.  

    If your PRESERVATION is poor, it becomes fairly evident that your collection and transportation of evidence gives rise to numerous possibilities for error in the form of destruction, mishandling, and contamination. Problems in the preservation area have implications for the integrity of law enforcement and crime labs. The basic chain of custody, for example, involves at least three initial sources of error. Evidence has to be discovered (police), it has to be collected (crime scene technician), and then it has to be packaged, labeled, and transported (police supervisor). Once it gets to the lab, it has to be logged in, assigned an identification number, placed in storage, and kept from intermingling with other evidence. All workplaces must be clean and contamination free.  Some workplaces are required to meet the standards of professional accrediting organizations.  Written policies have to be in place. The quality assurance policy, for example, must act as a check on quality control.  Some employee job titles must be held by those with college degrees in the appropriate field.     

    If your AUTHENTICITY is poor, then you, your agency, and the prosecutor will look like inexperienced rookies, not so much foolish, but like rank amateurs who can't explain, for example, how an "MD5 hash algorithm" works.  Computer evidence, like computer simulations, hasn't fared all that well under the more rigorous standards of admissibility for scientific evidence.  The old common law standard is oculis subjecta fidelibus, as it is for any piece of demonstrative evidence (like a plaster cast model -- if the scale is 1:10, an average person ought to be able to visualize the larger thing to scale).  Case law, however, varies by jurisdiction.  Only the Marx standard resembles the old common law standard, and it's only found in a handful of jurisdictions.  Here's a list of all the scientific evidence standards: 

    The federal courts were the first to recognize that files on computers were similar, but unlike, files kept on paper.  The best evidence rule has also, in recent years, seen the growth of a standard known as representational accuracy, which means you don't have to present ALL the originals. Therefore, a modern clause exists in the Federal Rules of Evidence (FRE 1001-3) which states:

"If data are stored by computer or similar device, any printout or other output
readable by sight, shown to reflect the data accurately, is an original."     

    This exception to the best evidence rule has found a mostly welcome reception in state courts, and I would argue that it's more appropriate to consider digital evidence as demonstrative than documentary.  The history of computers in the courtroom ties in with demonstrative standards, and computer forensics, after all, is about reconstructing the crime, or criminalistics.  We see how apparent this is once we realize that investigators and technicians always work from a copy, duplicate, mirror, replica, or EXEMPLAR of the original evidence.  Digital evidence is the most easily lost evidence. There's nothing in criminal justice more easily damaged, corrupted, or erased.  You need to be able to demonstrate that the evidence is what you say it is, came from where you say it did, and has not been modified in any way since you obtained it.  How you go about that depends on the circumstances and the computer systems you're dealing with.  It's futile to talk about any one correct way to do it, or any perfect printout.  There's no "silver bullet" standardized checklist, and there's no "magic" software to produce the perfect printout.

ROLES & PROCEDURES AT DIGITAL CRIME SCENES

The role of first responders:
1. Identifying the crime scene
2. Protecting the crime scene
3. Preserving temporary and fragile evidence
The role of investigators:
1. Establishing the chain of command
2. Conducting the crime scene search
3. Maintaining integrity of the evidence
The role of the crime scene technicians:
1. Preserving volatile evidence and duplicating disks
2. Shutting down the systems for transport
3. Tagging and logging the evidence
4. Packaging the evidence
5. Transporting the evidence
6. Processing the evidence

The investigation from a forensic standpoint:
1. Point one is assuming that the forensic lab is well established, exceeds the minimum housing requirements, and appropriate Standard Operating Procedures are documented and tried.
2. Point two is assuming that minimum hardware requirements are present within your section.
3. Point three is assuming that minimum software requirements are present within your section.
4. Point four is assuming that you have a robust library that contains literature and documents available for reference.
5. A forensic investigation tool kit for the investigation is on hand. The tool kit should include items such as a digital camera, labels for marking, and adequate items for marking, tagging and documenting found evidence.
6. Pre-search activities are accomplished, to include preparing for warrant preparation, intelligence gathering, assembling an execution team, planning the search, and assigning responsibilities.
7. Establish a dumpster diving team to search for items such as packing material, discarded media, system reports, software manuals, post-its, social facts for password cracking, etc.
8. Ensure that the warrant preparation is given importance. Conduct a check with specialists in the field and legal experts while preparing the warrant. You should also check with the magistrate, inform him of the situation and ask about anything specific that might need to be added to the warrant.
9. You must be sure to clearly articulate probable cause, both orally and in writing.
10. In evaluating the situation and getting guidance from subject matter experts, you must address to what degree you need to seize equipment: will you need to take all associated equipment, to include disk, monitor, printer, and computer? The more detailed the request in the warrant, the more you have documented approval. You will be able to seize items as fruits of the crime, criminal contraband and items criminally possessed, but the more documented they are, the less apt they are to be questioned by defense attorneys in court.
11. The type of warrant also must be considered, such as a regular warrant or a No-Knock warrant. You may also want to consider a secondary warrant, which is common in computer related investigations. This additional warrant will also assist you under cross-examination by the defense attorney if additional information is found.
12. Ensure you have the right number of people, not too few and not too many, to accomplish the job. These individuals will include on-scene personnel, a case supervisor, an arrest team, scene security, an interview and interrogation team, a sketch and photo team, a physical search team, and a seizure team.

AN ANALYSIS OF BEST PRACTICES

    Let's look at some of the emerging principles of digital evidence collection and handling, which many regard as the skillset of computer forensics.  We'll start with some general tips that rely heavily upon the suggestions of Michael Anderson, pioneer "cybercop" and head of a cyberforensics consulting firm.  Because differences of opinion exist, we'll also consider the ideas of Kevin Mandia, from Foundstone, Inc., another consulting firm, and Eoghan Casey, associated with Knowledge Solutions, Inc.  There are many others we have extracted ideas from, and not all are as acknowledged as they probably deserve.    

1. When seizing computer equipment, make sure you follow proper shutdown procedures, and photograph the screen before pulling the plug from the wall (or leaving it on - there are two schools of thought - leaving it on would protect volatile data in RAM). Photograph the system setup, wiring, and area. Tag and bag all cables, cords, and peripheral devices. Write protect all storage media. When transporting, make sure you are grounded and place everything in anti-static bags.  Do not expose the items to any heat above 75 degrees, nor let any magnetic fields (such as police radios) come near the equipment. Gentle handling is important. Record the names of individuals who occupy or have access to the area.

The Two Schools of Thought on Volatile Data

Volatile data consist of running processes on a live computer. A computer's system state changes constantly even if no applications are running. Power cycles, timed backups, and login processes are always running in the background, for example. If the computer is hooked up to a network, more processes are running. Some types of Internet attacks require leaving the computer on for long periods of time. With ongoing attacks, you definitely don't want to shut down the computer right away. If the computer is on, the following constitute volatile data: (1) CPU cache and register contents - which have no forensic value; (2) RAM memory dump - which is important to get, but you change the contents by doing so; (3) State of network connections - which is very important and easily obtained from tables in kernel memory; and (4) state of running processes - which is also important and in kernel memory. 

The Live Analysis school of thought recommends attaching a SCSI device or using an open network connection to get results for the following commands: 

Step                         Windows (cmd.exe)     UNIX (bash)
Establish a new shell        cmd.exe               bash
Record system date/time      date, time            w
Determine logon              loggedon              w
Record open sockets          netstat               netstat -anp
List socket processes        fport                 lsof
List running processes       pslist                ps
List systems connected       nbtstat               netstat
Record system time           date, time            w
Record steps taken           doskey                script, vi, history

The Safe Shutdown school of thought recommends the following procedures:
MS DOS
1. Photograph screen
2. Pull power cord from wall
UNIX
1. Photograph screen
2. Right click to menu, choose Console
3. If root user prompt (#) not present, change user by typing su -
4. If password available, use it and type sync;sync;halt
5. If no password, pull power cord from wall
MAC
1. Photograph screen
2. Click Special
3. Click Shutdown
4. Pull power cord from wall
WINDOWS
1. Photograph screen
2. Determine if self-destruct program running
3. Pull power cord from wall

2. NEVER turn the specimen computer back on again. ALWAYS work from a backup, duplicate, copy, or image of the hard drive.  It is easily possible to rig the startup sequence to destroy data, content or files in several ways. Don't trust the perpetrator if they reveal the password, nor anything found on slips of paper near the machine. These could also contain booby traps. If you are dealing with servers, the best you may be able to do is a logical backup, which contains system and application logs.  If you are dealing with someone who has RAID devices (many hard drives installed) and backup tapes, you're going to be spending a lot of time doing FORENSIC DUPLICATION. 

The Emerging Totality of Circumstances Test

With large hard drives becoming cheaper and more popular, at some point, a trade-off needs to take place between the resources of law enforcement and the need to duplicate everything. The totality of circumstances must be considered, and this includes the suspect's intelligence, how high-profile or harmful the incident is, and whether a low-impact search of the hard drive might do instead of a high-impact search which looks for file slack and the like.  A sample of inculpatory data might suffice with minor offenders. Consider if your jurisdiction, judge, or the other side demand a printout of everything, an 80 GB hard drive will yield a mountain of paperwork 500 feet high.  If the case is going to be handled administratively instead of criminally, then why bother.

There are different approaches to take: (1) remove the hard drive and attach it to a forensic workstation; (2) attach a hard drive to the specimen computer and use it as your imaging system; (3) use another computer in the office area as your imaging system; or (4) use a crossover cable or Ethernet connector to send the contents to another network computer or your hooked-up forensic workstation. Whatever approach you take depends upon the resources available and whether your equipment is compatible with the specimen's network system.       

3. When you are done making your backup copy, you need to validate that it is an exact MIRROR copy.  There are programs such as CRCHECK (Cyclic Redundancy Checker) and CRC32 available to do this, but with large storage devices, you're going to need a mathematical algorithm, like the "fingerprint checker" MD5, to estimate the probabilities of match and error.  These are all programs that use a checksum or hashing algorithm that holds up in court when you say you've got an accurate and reliable (repeatable by a third party) copy. The larger the number of files, the more you need to make mathematical computations, and the more read errors you get, the more you need a program that uses conventional-style placeholders.  Probability theory plays a vital part in the admissibility of most modern forms of evidence, like DNA, forensic psychology, social science, and computer forensics.  That's one reason why students should pay attention during Math, Statistics, and Research Methods courses. Progress is being made, however, with point-and-click tools.  MD5 is emerging as the de facto standard in law enforcement, and was developed by RSA Data Security, Inc.  It wouldn't hurt to familiarize yourself with companies like this and vendors in the crypto-security business.

4. Make sure your copy of the hard drive is a bit stream backup, using programs such as Encase, SafeBack, or Code Blue (for remote diagnostics).  Norton Ghost also has some switches and options that can be used for this purpose, and the UNIX dd (data dumper) utility is sometimes used.  A bit stream backup is the recording of every bit of data that signaled a storage device. It is the electronic version of the RF stream that a radio receiver picks up. This ensures that you have copied not only working files that a conventional backup utility would find, but hidden, erased, fragmented, corrupted, temporary, and special attribute files.  These are not as easily hidden on floppies, but a hard drive will be full of them.  A temporary file, in particular, will contain data from a document that was worked on but never saved to disk.  Safeback is widely used in law enforcement, but Encase is moving up in popularity.  Encase technically produces evidence files, but for all practical purposes, they are the same as complete and accurate duplicate files. 
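Points 3 and 4 together describe one workflow: make a bit-for-bit image, then prove with a hash that it matches the original. The following Python script is an added illustration of that workflow, not any of the tools named above: it copies a "drive" block by block, writes a zero-filled placeholder (with the offset recorded for the bench notes) wherever a block cannot be read, and then compares MD5 and SHA-256 digests of original and image. The 4 KB block size, the hook used to simulate a read error, and the random evidence file are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed block size for reading, copying and hashing


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file block by block. MD5 is the de facto standard named in the
    text; SHA-256 is computed alongside it so the record carries both."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def bitstream_copy(src, dst, read_block=None):
    """Copy src to dst block by block, preserving size and layout.

    A block that raises a read error is written as zeros (a placeholder) and
    its offset is returned, so the examiner can document exactly which part of
    the image is not the original's data. read_block is a hook for tests."""
    read_block = read_block or (lambda f, n: f.read(n))
    bad_offsets = []
    size = os.path.getsize(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        offset = 0
        while offset < size:
            want = min(BLOCK, size - offset)
            try:
                chunk = read_block(fin, want)
            except OSError:
                fin.seek(offset + want)      # skip past the unreadable block
                chunk = b"\x00" * want
                bad_offsets.append(offset)
            fout.write(chunk)
            offset += want
    return bad_offsets


def verify_image(src, dst):
    """True only when every digest of the image matches the original."""
    return hash_file(src) == hash_file(dst)


def demo(size=10 * BLOCK + 123, fail_block=None):
    """Constructed run: image a random 'drive' file and verify it.
    fail_block, if given, is the index of a block that will be unreadable."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        dst = os.path.join(d, "evidence.img")
        with open(src, "wb") as f:
            f.write(os.urandom(size))

        def reader(f, n):
            if fail_block is not None and f.tell() == fail_block * BLOCK:
                raise OSError("simulated read error")
            return f.read(n)

        bad = bitstream_copy(src, dst, reader)
        return {
            "bad_offsets": bad,
            "same_size": os.path.getsize(src) == os.path.getsize(dst),
            "verified": verify_image(src, dst),
            "digests": hash_file(dst),
        }


if __name__ == "__main__":
    print(demo())
    print(demo(fail_block=3))
```

A non-empty bad_offsets list is exactly why the digests will not match, and that list, not a silently "repaired" image, is what belongs in the examiner's notes.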

A Comparison of Safeback and Encase

Safeback was originally created by Chuck Guzis, the world's first cybercop; his software, marketed by Sydex, was later sold to New Technologies, Inc.  It duplicates anything attached to where the big ribbons go (controllers) on a computer motherboard, and can even handle removable devices if you have the appropriate drivers.  Built-in utilities can scan ports for other devices.  Remote.exe is the imaging program which you put on a boot floppy to boot the specimen computer, with a crossover parallel cable connection to your forensic workstation.  Backup, Restore, Verify (checksum), and Copy (both Backup and Restore) commands are then available to you.  The program makes its own audit file which serves as your investigator's bench note.  Everything imaged is saved in compressed file format on your forensic workstation to save space.  The process takes a few minutes to several hours.

EnCase uses a Windows interface and has a number of features, focusing on hard drive contents. The specimen hard drive is added as HDD1 or 2 to a forensic workstation, and this Windows Explorer-like program does the rest, with Preview, Save, and Output functions.  Graphics files are displayed in thumbnail format, and you can even do string searches for text in Preview mode.  Imaged files can be compressed or not, but anything saved is in proprietary (read-only) format so it is tamper-proof.  You can control the size of the (representationally accurate) evidence files so they write to CD-ROM for presentation in court, along with any comments and password protection you've added.       


5. Be careful whenever booting a computer.  NEVER boot from an evidence drive.  Do it from a DOS startup diskette.  Get in the habit of bypassing the operating system and going straight to the BIOS (by holding down Shift, Control-F1, or Delete, depending upon the chipset).  Whenever Windows is run, the swap file, bookmarks, histories, and cache are all changed.  These areas, particularly the swap file, are where the most valuable data remnants like passwords, graphics, and sometimes whole documents are to be found.  Whenever a BIOS runs, the boot block on the hard drive may change, including file-access time stamps, partition information, Registry or configuration files, and essential log files.  Record information on opening screens.  These should display autoexec devices, config.sys TSRs, directories, FAT and data storage areas.  At some point, you should also document the results of running a program like ScanDisk and/or CHKDSK.  Errors should be documented, and at the discretion of an on-scene expert, corrected and/or repaired.  Any such corrective actions should be documented.  Learn all you can about boot files.
 
A Short Primer on Boot or Startup Files

If you've never made a system diskette, or bootable floppy, before, the correct procedure is to insert a blank floppy and at the C:\ prompt type format a: /s, which writes the system files, and only the system files, to the floppy.

COMMAND.COM stands for Command Interpreter.  It allows you to use DOS commands as if you had a mini-version of DOS to work with.  

AUTOEXEC.BAT (which you'll often need to edit with EDIT.COM) is a batch file (batch meaning run first) that handles drivers for all the devices hooked up to your controllers and ports (controllers being the big ribbons running to the motherboard and ports being the slots behind the machine that also snap into the motherboard).  One of the things you'll quickly discover is that no CD-ROM device will run unless the file MSCDEX is present and referenced in your autoexec file.  Computers auto-detect everything but CD-ROMs for some reason.

CONFIG.SYS is another batch file, despite its extension, which starts up your TSRs (Terminate and Stay Resident programs).  These are all the little icons that show up in the lower right corner of your monitor when your machine is on.  They are the visible processes running in the background, eating up memory and consuming system resources.  

IO.SYS is a code file first processed by the computer. It is what initializes the system, loads MSDOS.SYS (if present) or the Command Interpreter, and tests and resets the hardware by looking for and installing device drivers.

DRVSPACE.BIN is a driver file for the compression software DriveSpace.  A similar program is DoubleSpace.  These are used much like HIMEM, EMM, and other programs to set up virtual memory space if the user is low on RAM, but operate by setting up part of the hard drive as a compressed file storage area.  You can get some idea of how the hard drive is partitioned by keying in FDISK and displaying the information.  From a forensic standpoint, you generally don't want drvspace and similar programs to run because they will change the time/date stamps.  You may therefore have to learn how to use a hex editor to go into IO.SYS and replace any references to the word "space" with equivalent nonsense symbols.  For even greater safety, use an Interrupt Blocker like PDBlock to disable any possibility of writing to the hard drive (all computers write to hard drives on IRQ 13 and 21).

6. Verify the time and date stamp stored in the CMOS chip of the specimen computer.  Without such information, it would be impossible to backdate the times and dates of other computer files.  Many clock settings that record file dates are inaccurate, but the CMOS stamp will help with estimation, and may very well make the all-important connection with ownership and the start of operation.  Computers don't commit computer crime; people do, so start paying attention to dates, times, and alibis.

7. Visually inspect and document the make, model and size of all hard drives.  The manufacturing specifications will tell you what the capabilities are, and may even provide the best diagnostic utilities for use with a difficult hard drive to read. 

8. Before you run any type of diagnostic program or software, you need to ensure (to the courts) that you have not inadvertently introduced any computer virus into the specimen computer. Therefore, make sure that you can document all law enforcement software has been regularly and recently scanned by a virus utility, preferably two of them. You can virus scan the specimen computer and any floppy disks, and again, at the discretion of your expert, you can remove any viruses found. Take into account that viruses can hide in compressed files.

9. Start listing and cataloging all files with their dates and times of creation,  update, and last access. Your investigative leads are going to come out of cross-referencing these dates and times with other files on the same computer or files on a different computer. 

10. Document that the forensic tools you are using consist of properly purchased, licensed software.  Stay away from freeware, shareware, and the trivial, no matter how useful you think it is.  Some courts even take a dim view of anything purchased at a discount.  Be sure your software is registered with the publisher, and that you can document your upgrade or update history.

FORENSIC ANALYSIS

    Up to now, all we've discussed are general preparations involved in the initial seizing, duplicating, and finding of digital evidence.  There's much more to learn, especially about extracting incriminating, or inculpatory information from data.  Actually, we've covered one of the three techniques of forensic analysis already -- live analysis, which is the recording of any ongoing network processes.  The remaining two are: (1) physical analysis, and (2) logical analysis, which both deal with hard drive structures and file formats.  Physical analysis is defined as offline analysis conducted on an evidence disk or forensic duplicate after booting from a floppy or another system.  Logical analysis is when the native operating system, on the evidence disk or a forensic duplicate, is used to peruse the data.  Put another way, physical analysis is when you are looking for things that may have been overlooked, or are invisible, to the user.  Logical analysis is when you look for things that are visible, known about, and possibly controlled by the user.  There is some overlap, as the following table indicates: 

Physical and Logical Analysis

Physical                  Overlap         Logical
URLs; email addresses     File residue    Partitions
File formats              Ambient data    File metadata
Damaged sectors                           Context of data
Data outside partitions                   File paths

    PHYSICAL ANALYSIS: Two of the easiest things to extract are a list of all Web site URLs and a list of all e-mail addresses on the computer.  The user may have attempted to delete these, but they can be reconstructed from various places on the hard drive.  Next, you want to start indexing the different kinds of file formats.  Depending upon the type of case, you might want to start with graphics file formats or document formats (if a pornography or forgery case, for example).  There are lots of other file formats -- multimedia, archive, binary, database, font, game, and Internet-related.  Computers generally save things in file formats beyond the control of the user.  To learn all about the different file formats, visit Paul Oliver's File Format Glossary or File Extensions.  If pornography is your concern, then you should know that all graphics files come with header information attached.  Collectors of pornography usually don't go through the trouble of removing this header information, so it's an easy matter of finding, say, one graphic's header at the beginning of a JPEG file, and doing a string search (hex or alpha) for all other graphics of that type.  Examination of sectors and partitions will be discussed in Logical Analysis.

       FILE RESIDUE is the broader term for a number of other things, such as ambient data (another broad term), file slack, free space, and shadow data.  Ambient data describes data stored in non-traditional computer storage areas and formats. It is often used to describe data stored in the swap file, unallocated (free) space, and/or file slack.  Each of these will be defined in turn.  

    The swap file (WIN386.SWP) is the most important type of ambient data. Swap files are found in all Windows operating systems because Windows utilizes one on each system as a "scratch pad" to write data when additional random access memory is needed. Swap files are a virtual memory extension of RAM.  In Windows NT and 2000, they are called page files, but are the same thing.  Most computer users are unaware of their existence. Their size can range from 20 million bytes to over 200 million bytes, and they contain remnants of word processing, email, Internet browsing activity, database entries and almost any other work that has occurred during past Windows sessions. Swap Files can be temporary or permanent, depending on what version of Windows is used and settings selected by the computer user. Permanent swap files are of more forensic value because they hold larger amounts of information for longer periods of time.  However, temporary, or dynamic, swap files are more common, and they shrink and expand as necessary (Windows manages the virtual memory). When a dynamic swap file reduces its size close to zero, it sometimes releases the file's content to unallocated space, which can also be forensically examined. 

    Unallocated (free) space is the area of a hard drive that has never been allocated for file storage, or the leftover area (before Defrag) that the computer regards as unallocated after file deletion. It's where the hard disk will often send fragments of files when files are deleted or removed. The only way to clean this space is with cleansing devices known as sweepers or scrubbers, but few commercial products scrub free space to DOD standards (30 or 40 formats).  The fragments of old files in free space can be anywhere on the disk, even on a different partition.  Indeed, most savvy computer criminals will attempt to hide things behind hidden partitions where a Pandora's box of direct evidence is likely to be found.  Such evidence will usually be found right next to partition headers, file allocation tables, and on the last sectors of a cluster.  It is not necessary for a jury to understand the technical details of partitioning hard drives, and simply explaining that it's like setting up drawers in a filing cabinet should suffice.  Sectors, clusters, and blocks are a little more complicated and will be explained shortly.  Backing up the direct evidence found in hidden partitions are corroborative evidence usually found in file slack and unallocated space.

    Unallocated space often contains intact files, remnants of files and subdirectories, and temporary files which were transparently created and deleted by computer applications or the operating system.  Unallocated space often contains information when someone tried to save something to a floppy that is too large for the floppy, recently sent something to a printer, tried to repartition or reformat a hard drive, or when their system crashed while working on a file.  The most common reason why something would be found in unallocated space, however, is that in order for a computer to operate more efficiently and quickly, it automatically stores session data (RAM data) into the part of a hard drive that isn't being used (in order to recall that data later when the need arises).  Such data may be partially deleted by turning the computer off between sessions, but portions of this data will always be there, usually marked as "deleted but available (not overwritten)".  It may read like "junk" but will contain, for example, such nuggets as remnants of chat conversations and the coding used to display web pages visited.  The reason for this has to do with the way files are deleted in the Windows environment.  When a file is deleted, the first character of the file's name is replaced by the Greek character sigma, which makes the file invisible only to conventional methods.  The space the file utilized is available, if needed, but most if not all of the file is still there and recoverable using file recovery methods, or often by simply replacing the first character of the filename with something other than sigma (which makes the file viewable again).

File Allocation Tables (FAT) store associations between files and the clusters assigned to them.

Clusters = fixed-length blocks of data (one to 128 sectors) in which DOS and Windows-based computers store files. Clusters are made up of blocks of sectors.
Sectors = the smallest unit of storage on a computer. Sectors are composed of bits, and are generally a power of 2 bytes in size. A "regular" disk sector is 512 bytes.
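The deleted-file marker, the FAT directory layout, and the CMOS clock correction from step 6 come together in the following added example, which is my own code rather than anything from the tools or texts named in these notes.  It parses raw 32-byte FAT short-name directory entries, reports deleted entries (first byte 0xE5, the byte that DOS code page 437 displays as sigma) with their surviving name characters, decodes the packed DOS date/time words, and adds a clock offset measured against a reference clock at seizure.  The directory bytes are constructed; the 12,943-byte size and the 01/19/02 03:48:44 PM stamp are borrowed from the sample report at the end of these notes, and the 2 h 05 min CMOS offset is made up for the demo.

```python
import struct
from datetime import datetime, timedelta

ENTRY_SIZE = 32
DELETED_MARK = 0xE5   # first byte of a deleted entry; code page 437 shows it as sigma


def dos_datetime(date_word, time_word):
    """Decode the packed FAT date and time words (2-second resolution)."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def pack_dos_datetime(dt):
    """Inverse of dos_datetime; only used to build the constructed sample."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def make_entry(name, ext, size, written, first_cluster=2, deleted=False):
    """Build one 32-byte 8.3 directory entry (constructed sample data)."""
    raw_name = name.upper().ljust(8).encode("ascii") + ext.upper().ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    d, t = pack_dos_datetime(written)
    # attr, NT reserved, create-time tenths, ctime, cdate, last-access date,
    # first cluster (high word), write time, write date, first cluster (low word), size
    return raw_name + struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, t, d, d, 0, t, d, first_cluster, size)


def parse_directory(raw, clock_offset=timedelta(0)):
    """Walk a raw FAT directory region and return every short-name entry, deleted
    ones included. clock_offset is (reference time - CMOS time) measured at
    seizure, added to each stamp so the times line up with outside evidence."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                      # 0x00: no entry here or beyond
        if e[11] == 0x0F:
            continue                   # long-filename slot, not handled here
        deleted = e[0] == DELETED_MARK
        name_bytes = (b"?" + e[1:8]) if deleted else e[0:8]   # first character is lost
        name = name_bytes.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHI", e, 18)
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "size": size,
            "first_cluster": (hi << 16) | lo,
            "last_written": dos_datetime(wdate, wtime) + clock_offset,
            "last_accessed": (dos_datetime(adate, 0) + clock_offset).date(),
        })
    return entries


def demo():
    written = datetime(2002, 1, 19, 15, 48, 44)
    directory = (
        make_entry("memo", "doc", 12943, written, first_cluster=2)
        + make_entry("draft", "doc", 4096, written - timedelta(days=3), first_cluster=9, deleted=True)
        + b"\x00" * ENTRY_SIZE
    )
    cmos_offset = timedelta(hours=2, minutes=5)   # constructed: CMOS clock ran 2 h 05 min slow
    return parse_directory(directory, clock_offset=cmos_offset)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The deleted entry keeps its size and first cluster, which is what file-recovery tools follow to get the data back; only the first name character has to be supplied by the examiner, as the text describes.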

    File slack is the empty space attached to every file.  Some people call it slack space, but file slack is the larger term and slack space is technically different, referring to what occurs when chunks of data fail to fill a minimum block size. In order to understand file slack, one must understand that all DOS and Windows programs store files in fixed length blocks called clusters. Rarely do file sizes exactly match the size of these clusters perfectly, and this is important -- the extra space from the end of the file to the end of the cluster is called residual slack.  There are many different kinds of slack (explained later), but residual slack is the most important.  Residual slack will contain the remnants of edited files.  For example, suppose somebody wrote a message like "I plan to kill my boss" but in order to cover their tracks, they edited it to say "I love my boss."  The residual slack (which has to be read at the bit level) will show a line which reads "I love/plan to kill my boss" with the original message often in italics or some font different from the edited change.     

    Clusters vary in length depending on the operating system and size of the partition. Larger cluster sizes have more forensic value. With normal 512 byte sectors, if there is not enough data in the file to fill the last sector in the cluster, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers.  When this happens (often with a rather unsophisticated criminal or on an older machine), the file slack to look for is something called RAM slack that potentially contains information from previous work sessions as well as whole, complete sentences in their original wording. If the computer has been left on for several days, the file slack areas will contain a tremendous amount of information. RAM slack technically refers to the last sector of a file, but that is only because of the way borrowing from memory works in this case.  When a computer realizes it doesn't have enough RAM, it draws upon additional sectors to round out the block size for the last cluster, and then, another type of slack is created -- drive slack.  Unlike RAM slack which comes from memory, drive slack may very well contain what was stored on the computer long before, not just from previous work sessions.  If you are looking for things on a computer from a previous owner, drive slack is where to look.
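The three kinds of slack described above can be modelled in a few lines.  The following added example is mine, not code from any forensic product: it places a short file into a four-sector cluster that an older, larger file used to occupy, padding the file's last sector from a simulated memory buffer the way the text says DOS did.  Reading the cluster back then shows RAM slack (buffer contents after the end of the file) and drive slack (the previous occupant's bytes in the remaining sectors), and a small helper quantifies the wasted space that larger cluster sizes leave behind, which is the point made under the Blocking format layer later on.  All file contents and sizes are constructed.

```python
SECTOR = 512


def write_file(cluster, data, ram_buffer=b"\x00"):
    """Write `data` at the start of a cluster the way the text describes DOS and
    early Windows doing it: the tail of the file's last sector is padded with
    whatever `ram_buffer` holds (RAM slack) and any whole sectors after it are
    left untouched (drive slack). Returns the file size."""
    size = len(data)
    sector_end = -(-size // SECTOR) * SECTOR        # round up to the sector boundary
    pad_len = sector_end - size
    padding = (ram_buffer * (pad_len // len(ram_buffer) + 1))[:pad_len]
    cluster[:size] = data
    cluster[size:sector_end] = padding
    return size


def slack_of(cluster, file_size):
    """Split the residual slack after a file into RAM slack (rest of its last
    sector) and drive slack (the whole sectors between there and cluster end)."""
    sector_end = -(-file_size // SECTOR) * SECTOR
    return {
        "ram_slack": bytes(cluster[file_size:sector_end]),
        "drive_slack": bytes(cluster[sector_end:]),
    }


def wasted_bytes(file_sizes, cluster_size):
    """Total slack a set of files leaves under a given cluster size."""
    return sum(-(-s // cluster_size) * cluster_size - s for s in file_sizes)


def demo():
    cluster = bytearray(4 * SECTOR)                  # a 2 KB cluster of four sectors
    old = b"A" * 1200 + b"old draft kept by the previous owner"   # first occupant (constructed)
    write_file(cluster, old)
    new = b"final memo."                             # short file later placed in the same cluster
    write_file(cluster, new, ram_buffer=b"scratch from RAM ")
    slack = slack_of(cluster, len(new))
    sizes = [100, 600, 1500, 5000]                   # constructed file sizes
    return {
        "visible_file": bytes(cluster[:len(new)]),
        "ram_slack_has_memory_text": b"scratch from RAM" in slack["ram_slack"],
        "drive_slack_has_old_file": b"previous owner" in slack["drive_slack"],
        "waste_512": wasted_bytes(sizes, 512),
        "waste_4096": wasted_bytes(sizes, 4096),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A file listing shows only "final memo."; everything past byte 11 of the cluster is invisible to the user yet sits on the disk, which is why slack has to be read at the sector level rather than through the file system.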

    Swap files, unallocated space, and file slack contain mostly binary information which is very tedious to look at. Slack, in particular, is random in nature, so you might find a logon name or password, or you might just find fragments of messages and documents. Analysis can be time consuming. On large hard disk drives, file slack can involve as much as 700 megabytes of data.  Slack also can be found on floppy disks, Zip disks and other storage media. Computer applications that use fuzzy logic or artificial intelligence to analyze slack are available (to law enforcement only).  EnCase has some capabilities for it, but programs like Net Threat Analyzer, Forensic Toolkit, Silent Runner, and SmartWatch are also used.

    Shadow data is fringe data that remains on the physical track of storage media after deletion, sweeping, or scrubbing. Regardless of the storage medium -- floppy diskette, zip disk, hard disk or tape -- a mechanical device called a head is used to write the data, and it is stored electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. However, head alignment is just a little bit different each time an attempt is made to erase data, and data remnants sometimes bleed over the tracks. This is the reason why government agencies require multiple scrubs or burning, because there is no guarantee of complete elimination of fringe, or shadow, data. The recovery of shadow data is no easy task. Specialized equipment (such as that possessed by certain undisclosed agencies) are needed, and from a computer forensics standpoint, shadow data has yet to become a source of reliable digital evidence. 

    LOGICAL ANALYSIS: The examination of logical file and directory structure is an attempt to reconstruct what the user was doing with their computer. Very rarely will you run across a signed confession in the My Documents folder. The perpetrators are a little smarter than that.  They will have typically used encryption (PGP), steganography (hiding data in graphics), metadata (combining different file formats into one format), and unusual file paths that make it difficult, if not impossible, for anyone but themselves to figure out what they've been doing.  And then, you can expect lots of deleted, professionally scrubbed, data.  Your hope is to trace the uses the computer has been set up for, and use its native operating system to do it.  Certain types of criminals optimize their system for different uses -- a programmer for speed; a pornographer for storage; a stalker for messaging.  Simply knowing how to use point-and-click software to extract digital evidence does not make one a computer forensics analyst.

    The proper technique is to go about logical analysis very methodically.  Divide the data on the hard drive into layers (similar to the OSI networking model), and try to find evidentiary information on each layer.  Look for peculiarities on each layer.  Then, choose the right extraction tool. The location of evidence on each layer is portrayed below:
 

Logical Analysis Layers of Evidence

Layer                        Windows                   UNIX
Application storage          Files                     Files
Information classification   Directories and folders   Directories
Storage space allocation     FAT                       Inode and data bitmaps
Blocking format              Clusters                  Blocks
Data classification          Partitions                Partitions
Physical                     Absolute sectors          Absolute sectors

    Starting at the Physical layer, look for how the hard drive is set up to read and write in blocks and sectors.  Intel chips allow the user to adjust the cylinder/head/sector (C/H/S) settings through the BIOS.  Anything different from the standard default 512-byte absolute sector size means that the machine is set up to buffer large amounts of data to and from the hard drive.  Certain types of hackers do this.

    At the Data classification layer, look at the partition tables. Partitions are a way of splitting up the hard drive into separate areas, usually for different operating systems.  Windows assigns separate drive letters and tables to FAT and NTFS partitions, but UNIX uses hybrid tables that represent all partitions.  This is because UNIX is more flexible, and integrates with other operating systems.  Evidence could easily be hidden in the UNIX tables.
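Reading the partition table and finding the space no partition claims (the "Data outside partitions" cell of the earlier table, and the hidden-partition point made under unallocated space) is shown in this added example, which is my own code and not EnCase's or any other tool's.  It parses the four 16-byte entries of a classic MBR at offset 446, flags partition type codes that are the "hidden" variants of FAT and NTFS, and lists the sector ranges that lie outside every partition.  The MBR bytes and the two-partition layout are constructed; the 10,002,825-sector drive size is taken from the sample report at the end of these notes.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                     # the four 16-byte partition entries start here
ENTRY_FORMAT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}   # "hidden" FAT12/16/32 and NTFS type codes


def make_mbr(partitions):
    """Constructed sample MBR. `partitions` is a list of (type, lba_start, sector_count)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        status = 0x80 if i == 0 else 0x00          # first entry marked bootable
        struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the used entries of a classic (non-GPT) partition table."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                                # empty slot
        parts.append({
            "index": i,
            "type": ptype,
            "bootable": status == 0x80,
            "hidden_type": ptype in HIDDEN_TYPES,
            "start": start,
            "end": start + count - 1,
        })
    return parts


def unpartitioned_ranges(parts, total_sectors):
    """Sector ranges no partition claims: the gap after the MBR, gaps between
    partitions, and the tail of the drive. Data there belongs to no file system."""
    ranges = []
    cursor = 1                                      # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            ranges.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor <= total_sectors - 1:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def demo():
    total_sectors = 10_002_825            # drive geometry from the sample report in these notes
    mbr = make_mbr([(0x0C, 63, 4_000_000), (0x17, 4_100_000, 5_000_000)])   # constructed layout
    parts = parse_mbr(mbr)
    gaps = unpartitioned_ranges(parts, total_sectors)
    return {
        "partitions": parts,
        "gaps": gaps,
        "gap_mb": [round((hi - lo + 1) * SECTOR / 2**20, 1) for lo, hi in gaps],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third gap in the demo is some 900,000 sectors (about 440 MB) of drive that Windows would never show a drive letter for; that is the kind of region a physical examination has to cover sector by sector.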

    The Blocking format layer contains customizations that only the sysadmin (in UNIX) and administrator (in Windows) can make.  More sophisticated users will optimize their block sizes for the size of their disk or partition.  This is so the machine doesn't have to search thousands of allocation units each time a file is written or updated.  Other users want to have lots of allocation units per block, and it's these people who will have lots of wasted space and slack to examine.

    The Storage space allocation layer is the FAT system, where the allocation tables are located. There are at least two FATs per partition, located at the starting sector of each partition.  There are sometimes hundreds of allocation tables, especially in UNIX, and they are located throughout the drive.  Computer systems automatically run validity checks on these tables all the time, but many of them are corrupted, and they can be rebuilt (to their original state) by simple recovery tools in Norton Utilities.  You may be able to recreate what the computer looked like in years past.

    The Information classification and Application storage layers contain both active and deleted files. Every file system has a method for chaining together lists of files, but sometimes, the more unlinked the file, the more important it is.  File date/time stamps will be your most valuable pieces of information as you go about reconstructing who accessed what, when, and where.  

ENCASE BY GUIDANCE SOFTWARE

    EnCase is a commercial software product made by Guidance Software, Inc. out of Pasadena, CA.  It is probably safe to say EnCase is a leading product in the law enforcement community, although in some circles, Maresware and Forensic Toolkit by AccessData Corporation are more popular.  Since 1998, Encase has helped with thousands of computer crime investigations, and currently is in its third version (EnCase for Windows 3.0).  The software design and operating procedures are a lesson in how criminal justice software should be made and used.  It should be noted that this particular lecture note may or may not be up to date with the latest version of the software and its capabilities since software companies are always coming out with new versions and new features.  With that in mind, let's examine some of what you'll likely encounter.

   EnCase will not run without either a USB or parallel port dongle attached.  A dongle is a plastic-encased, thumb-sized EPROM chip, which affords perhaps the best measure of copyright protection.  Guidance Software originally used dongle devices and drivers from Rainbow Technologies but have mostly phased those out (during 2005) in favor of security dongles from Aladdin Knowledge Systems (www.aladdin.com) and the second edition (HASP HL) of their dongle at that.  Anyone with hopes of trying to obtain a pirated or bootleg copy of Encase is likely to be very frustrated unless they have a dongle. [Footnote: It should be mentioned here that law enforcement agencies ought to stay away as much as possible from bootleg, pirated, public domain, or "copied" software in any form.  Of course, the argument could be made that "starting out" on limited funds necessitates such things, and in some cases, people in some places have put together "good enough" systems "by hand" in such ways.  However, the fact remains that this smacks of impropriety and will seriously discredit an investigation if defense counsel finds ANY improprieties in software licensing, copyright, etc.]    

   EnCase also used to require creation of an EnCase boot disk, which is in DOS.  The boot disk is not currently required, but it's a recommended method of acquisition for error checking or balancing of the investigations.  This is because Windows will write and taint evidence on files (such as last accessed time and date stamps).  Therefore, DOS is used since it does not rewrite to files. The program is not in DOS, but the boot-up procedure is.  Using the disk essentially changes system file references from C:\ to A:\.  EnCase also has developed a method of acquisition with Linux machines or "Linen" (EnCase for Linux), and the interface is similar to that of EnCase for DOS but of course the process is completely different from EnCase for DOS.

   The next piece of equipment you'll need is a parallel-port lap-link (if using a laptop) or cross-over network cable (if using a desktop).  On laptops, this is a null-modem connection.  The SUBJECT computer is the one being investigated, and the STORAGE computer is the one running EnCase for Windows.  The procedure involves booting the subject computer with the EnCase boot disk, and booting your storage computer into Windows.  By launching the Encase program and activating the Preview function, you'll see an exact image of the drive down to the sector layer.  Because it's a preview function, saving your work at this point is not possible.  The purpose of Preview is to establish probable cause or make efficient use of time.  PREVIEW has lots of different scanning options.

    The cross-over acquisition method is the most popular method, although some people have resorted to additional hardware write blocking devices, such as EnCase's FastBloc Field Edition (FE) or a product called "Tableau" available from www.forensic-computers.com.  Encase is developing a software write block capability as well as other modules; e.g., (1) the Virtual File System (VFS) which could mount an evidence file as a virtual share folder on your drive, or allow others to connect to it depending on license; (2) the Encryption Decryption Suite (EDS) which would decrypt Windows encrypted files and folders; and (3) the Physical Disk Emulator (PDE) which would allow mounting of the evidence files as physical disks in your system, which can then be used in conjunction with different software.  For more information about available modules, one should visit Guidance Software's website.

   To ACQUIRE, or image, a hard drive after you have found incriminating evidence, the acquire function is used.  There are several ways to do this.  If you have created a forensic workstation with a hot-swappable drive bay, you can simply remove the subject HD and place it in your drive bay, letting it share your IDE ribbon cable.  This method requires booting from DOS.  Another method is to leave the two computers connected, boot the subject PC from DOS, and at the A:\> prompt type EN /S, which puts the computer in server mode.  Your storage computer launches EnCase for Windows, and then you hit the Acquire button.  A third method involves network connectivity via a 10/100-BaseT cross-over cable.  It doesn't work over a LAN, WAN, or the Internet, and you must add the appropriate network card drivers to your DOS disk.  Mac and Unix machines have to be acquired with the first method.

RAID: Redundant Array of Inexpensive Disks

      Many suspects have large hard drive storage needs, so they set up a RAID array of multiple hard drives on their computer.  There is a hardware and software way to do this.  The hardware method involves buying a RAID controller, and setting up a series of hard drives to be seen by the BIOS as one hard drive.  The software method uses the OS, not the BIOS, to create the RAID.  With the hardware configuration, EnCase acquires the RAID as if it were one single drive.  With the software configuration, each drive is acquired individually.

    After acquisition, important steps to take are write-blocking the evidence file, password-protecting it, and changing the evidence file's compression.  These steps protect the investigator from charges of tampering, ensure authenticity, and save storage space.  Using compression during acquisition will slow down the acquisition process.  The standard size of a compressed evidence file is 640MB, which is burned on a CD-ROM. Each file acquired will also have an MD5 checksum that is kept in the hash library of Encase.

    To ANALYZE the evidence file, you can start working with images or begin by doing text string searches.  After each file is viewed, the investigator "bookmarks" it into his or her own filing system, making up their own folder names, like "porno", "forgeries", "break-ins", or "fakeIds."  There are additional ways to view the evidence: Gallery (or thumbnail) views for images; Timeline views (for looking at patterns of file creation, editing, last accessed); and Report views (which make a court-admissible record of files viewed). 

   It is possible to run searches on the evidence and perform signature analysis at the same time.  Signature analysis computes if there are any hash value discrepancies between a file's extension and the file's header (what programs created and opened it).  This allows recognition of the type of file regardless of the file extension, and makes for interesting analysis of file origins. Searching for text strings is the main way to find digital evidence, however.  EnCase supports case-sensitive searches, GREP searches, Unicode searches, and multi-term searches.
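Both the graphics-header search described under Physical Analysis and the signature analysis described here rest on the same idea: the first bytes of a file identify its type independently of its name.  The added example below is my own code, not EnCase's signature analysis, and uses a small table of well-known headers (JPEG, PNG, GIF, PDF, ZIP).  One function scans an arbitrary byte region, such as a dump of free space, for every occurrence of those headers, the way the text describes searching for other graphics of the same type; the other compares each named file's header with its extension and reports matches, mismatches (a picture renamed as a text file), and files with no recognised header.  All file contents and the free-space region are constructed stand-ins, not real image data.

```python
SIGNATURES = {
    "jpg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}   # extensions that share a header


def detect_type(data):
    """Type implied by the leading bytes, or None if no known header is present."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def carve_headers(raw):
    """Scan any byte region (free space, a swap file) for every known header
    and return (offset, type) pairs in offset order."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = raw.find(magic, pos + 1)
    return sorted(hits)


def signature_report(files):
    """files maps a name to its content. Flags files whose extension disagrees
    with the header actually present."""
    report = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = EXTENSION_ALIASES.get(ext, ext)
        header = detect_type(data)
        if header is None:
            status = "unknown header"
        elif header == ext:
            status = "match"
        else:
            status = "mismatch"
        report.append({"name": name, "extension": ext, "header": header, "status": status})
    return report


def demo():
    # Constructed stand-ins: real headers followed by filler, not real image data.
    jpeg = SIGNATURES["jpg"] + b"\xE0\x00\x10JFIF" + b"\x00" * 40
    pdf = SIGNATURES["pdf"] + b"1.4\n" + b"\x00" * 40
    png = SIGNATURES["png"] + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 40
    free_space = bytearray(2048)                    # constructed unallocated region
    free_space[100:100 + len(jpeg)] = jpeg
    free_space[700:700 + len(pdf)] = pdf
    free_space[1500:1500 + len(png)] = png
    files = {
        "photo.jpg": jpeg,
        "notes.txt": jpeg,                          # a picture renamed to look like text
        "budget.pdf": pdf,
        "readme.txt": b"plain text, no binary header",
    }
    return {"carved": carve_headers(bytes(free_space)), "report": signature_report(files)}


if __name__ == "__main__":
    result = demo()
    print("headers found in free space:", result["carved"])
    for row in result["report"]:
        print(row)
```

A production tool keeps a far larger signature table and also looks at trailers, but the logic is the same: the header is evidence of what a file is, and a mismatch with the extension is a lead worth bookmarking.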

   Review of the Registry files is important because the investigator wants to find out what programs have been installed, what devices have been loaded, and user information.  Win9x systems have one registry file, called system.dat while NT/2000 systems have multiple registry files.  Add-in functions allow running scripts to see how different processes found in the Registry execute.

   Once evidence has been analyzed, it should be organized into a Final Report, which will consist of bookmarked folder structures, text fragments, documents, and pictures.  The investigator might want to consider an additional category for e-mail messages, but it depends upon whether they've been read or not.  Comments can then be added to each file, such as "This is a document on growing psychedelic mushrooms" or "This is a picture of a pre-teen having sex."  Reports are customizable, but they essentially contain the following type of information in an enumerated list of all files used in evidence:

1) File Name: teensex001.jpg
Full Path: Toast C Drive\Windows\Temp Internet Files\...
Last Accessed: 05/05/02
Last Written: 01/19/02 03:48:44PM
Logical File Size 12,943
Comment: This is a picture of a pre-teen having sex
Acquisition: EnCase version 3, zero errors
Acquisition Hash: 4CD90348D1C009D78E256
Verification Hash: 4CD90348D1C009D78E256
Drive Geometry: Total Size 4.8GB (10,002,825 Sectors)
Investigator's Name: Dick Private

INTERNET RESOURCES
Admissibility of Electronic Evidence
Anderson's Importance of Documentation in Computer Evidence Processing
Commentary on US v. Syphersr
Federal Guidelines for Searching and Seizing Computers
Forensic Science Resources in a Criminal Fact Investigation
GIAC Article on Computer Forensics Procedures
Guidance Software, Inc.
Hard Disk Logical Structures and File Systems
IPAddressGuide
Justice Dept. 2004 Study on Disk Imaging Tools (pdf)
Knowledge Solution's Digital Evidence & Computer Crime Resources
Learning by Doing
MyCoolTools.com
NIJ Test Results on Computer Forensic Tools
Overview of Securing a Computer Incident Crime Scene
Sample Chapter of Cyberwar Stories
Search Warrants in an Era of Digital Evidence
Searching & Seizing Computer Evidence in Criminal Investigation
Tips for Tracking the E-Mail Trail
Tracing a Fake E-Mail or Post
Tracing E-Mail and Deciphering Message Headers
Tracking a Computer Hacker
Webtracer Forensic Utility

PRINTED RESOURCES
Anderson, Michael. (1998). Founder/President New Technologies, Inc., Gresham, OR.
Blum, Richard. (2001). Open source e-mail Security. Indianapolis: Sams Publishing.
Branigan, S. (2004). High tech crimes revealed. NY: Addison Wesley.

Casey, Eoghan. (2000). Digital evidence and computer crime. NY: Academic Press.
Donofrio, A. (2002). "Computer forensics and analogies." Law Enforcement Technology (Jan): 64-69.
Gaines, L., & Miller, R. (Eds.). (2005). Criminal justice in action. California: Thomson Wadsworth.
Gilster, Ron. (2001.) PC technician black book. NY: Coriolos Group [sample pages]
Keightley, R. (2002). EnCase version 3.0 user manual. Pasadena: Guidance Software.
Kerr, O. (2005). "Searches and seizures in a digital world." 119 Harvard Law Review 531-585. [pdf online]
Kerr, O. (2005). "Digital evidence and the new criminal procedure." Columbia Law Review, Available at SSRN: http://ssrn.com/abstract=594101.
Mandia, Kevin & Chris Prosise. (2001). Incident response. NY: Osborne.
Mueller, Scott. (2001). Upgrading and repairing PCs. NY: Que.
Riddle, Kelly & Ralph Thomas. (1997). A guide to the Internet and e-mail for investigators. Austin: Thomas Investigative Publishing.
Rosch, Winn. (1999). The Winn L. Rosch hardware bible. NY: Que [sample pages][website]
Schneier, Bruce. (1995). E-mail security. NY: John Wiley & Sons.
Shinder, D. And Tittel, E. (Eds.). (2002). Scene of the cybercrime. Syngress Publishing: Massechusetts.
Siegel, L. (1995). Criminology. Minnesota: West Publishing Company.
Wood, David & Mark Stone. (1999). Programming Internet e-mail. NY: O'Reilly and Associates. (Sample pages online)
Zaenglein, Norbert. (1998). Disk detective: Secrets you must know to recover information from a computer. CO: Paladin Press.
Zittrain, J. (2005). "Searches and seizures in a networked world." 119 Harvard Law Review 83-94. [pdf online]

Last updated: Aug 16, 2007
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T.  (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.apsu.edu/oconnort/rest of URL accessed on today's date.