Electronic Fingerprints
Computer Evidence Comes Of Age
by Michael R. Anderson
Like it or not, computers have taken over. If you don't believe me, just try to buy a brand new typewriter. You will look long and hard because most correspondence and report writing today is done with personal computers. Personal and business finances are now tracked using computer spreadsheets and most address lists are maintained in computer databases. Thanks to computer technology, hours of research in the library have turned into just a few minutes of browsing the Internet. We truly live in the information age. Unfortunately, so do criminals!
Personal computers have become an inexpensive and yet powerful tool that can be used in the furtherance of almost any criminal activity. Criminal acts can easily be coordinated worldwide using the Internet, and criminal communications can be encrypted and thus hidden from law enforcement officials. Bomb making recipes and other tools of terror can be shared worldwide over the Internet. Perverted minds can mingle and share images of child pornography over the Internet. Some call the Internet the crook's dream and a law enforcement nightmare.
Pretty bleak picture for law enforcement, you might say. That really isn't the case. Actually, the use of personal computers by the criminal element can create a wealth of valuable evidence that might not otherwise be available to investigators. The use of a computer to create and store information leaves behind 'electronic fingerprints' that can actually make or break a criminal case. Fortunately for law enforcement computer evidence specialists, personal computers were never designed to be secure. As a result, sensitive data, passwords, time and date stamps and other potentially valuable information are written to bizarre locations on computer hard disk drives and floppy diskettes as part of the normal operating process. For corporate and government computer users, this can be the source of serious computer security concerns. But to an experienced cyber cop, such information can be a dream come true. Interestingly, most computer users are unaware that such information even exists.
I remember my first testimony as an expert witness in a federal computer evidence case. It was back in 1985 and it pertained to the defendant's use of a computer system that by today's standards would be considered a toy. We have come a long way since then and we have made substantial progress since we created the first computer evidence courses at the Federal Law Enforcement Training Center (FLETC) back in 1989. With the help of seasoned software developers like Chuck Guzis, Steve Choy and Bill Haynes, New Technologies, Inc. has created forensic tools that automate the evidence processing of large computer hard disk drives. The 'electronic crime scene' can now be preserved with programs like SafeBack developed by Sydex Corporation. Obscure data segments containing binary (non-readable) data can now be intelligently filtered, making the contents easy to view or print. Internet usage on a given computer can be automatically determined within a matter of minutes using specialized software. Most importantly, new training courses have been spawned to deal with the demand for law enforcement and military forensic computer science training. Just recently the University of New Haven in West Haven, Connecticut created a Forensic Technology Institute which is dedicated to such training. Also, a Training and Research Institute was recently created at the National White Collar Crime Center to deal with law enforcement computer evidence training issues. Because of the demand, these much needed institutions are welcomed and supplement the training courses already offered at FLETC and by Search Group and IACIS.
It is important that you understand that computer evidence is very fragile and can easily and unintentionally be altered or destroyed. Therefore, it is important that only properly trained computer evidence specialists process computer evidence. The processing of such evidence for use in trial by an individual without proper training is like a first aid technician performing brain surgery with a pocket knife. Back in 'the good old days', we could get away with almost anything and trial attorneys didn't know enough about computer evidence to ask the right questions. We knew very little and the attorneys and judges knew even less. However, times have changed. Computer evidence processing procedures have evolved into standards and procedures that must be followed. Furthermore, the expenses associated with the processing of computer evidence need to be included in law enforcement budgets. Computers are here to stay and the processing of computer evidence can be expensive. Short cuts invite serious evidence problems and should be avoided at all costs.
Obviously, a complete training course in forensic computer science is outside the scope of this article. However, I have listed some of the common mistakes that are made and some tips that may be helpful in the processing of computer evidence tied to DOS/WINDOWS based computer systems.
Mistake #1 - Run The Computer: The first rule is to NEVER run any programs on the computer in question without taking precautions, e.g. write protection or making a backup. Also, you should not boot or run the computer using the operating system on the computer in question. It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or through the modification of the operating system. By way of example, the simple DIR instruction which is used to display the directory of a disk can easily be rigged to reformat the hard disk drive. After the data and the destructive program have been destroyed, who is to say that the computer was rigged or that you were negligent in the processing of the computer evidence? This is one of the first points we illustrate when training law enforcement or corporate computer investigators.
Mistake #2 - Get Help From The Computer Owner: It is potentially a serious mistake to allow the owner of the computer to help you operate the computer in question. I like to equate this to asking some thug to help you unload the 9mm you just found under his car seat. Don't do it. I recall one case a few years ago. The defendant was asked to answer questions about the computer evidence and was allowed access to the seized computer in the process. He later bragged to his buddies that he had encrypted relevant files 'right under the noses of the cops' without their knowledge. The good news is that the computer specialists had made a bit stream backup of the computer before giving the defendant access to it. As a result, his destructive act became another nail in the coffin at trial.
Mistake #3 - Don't Check For Computer Viruses: You can imagine how credible your testimony might be as the expert witness for the government if you were the one that infected the computer evidence with a computer virus. It might get even worse if you carry that a step further and infect several of the computers in the police department in the process. ALWAYS use fresh diskettes and check all diskettes and hard disk drives with good quality virus scanning software before you fall into this trap.
Mistake #4 - Don't Take Any Precautions In The Transport Of Computer Evidence: Computer evidence is very fragile. Heat and magnetic fields can destroy or alter it in a very short period of time. The heat of summer in a car trunk or the magnetic field created by an operating police radio in the trunk of a squad car can ruin computer evidence. If a good defense attorney can show that you were negligent in storing or transporting the computer equipment, your case may be in jeopardy and you may spend some time in civil court defending your agency against a lawsuit. Use good judgement and this issue won't be a problem.
Mistake #5 - Run Windows To View Graphic Files And To Examine Files: The Windows swap file can be a valuable source of data fragments, passwords and network logons. The running of Windows by the computer specialist can destroy evidence that exists in the swap file. Furthermore, running Netscape or other Internet browsers can destroy or modify evidence stored in the form of bookmarks, graphic files and/or cache files. Many times Windows is needed to review specific graphic files and other file types. However, the running of Windows should not take place until a bit stream backup has been made and the Windows swap file has been processed and analyzed for potential evidence in the form of data fragments.
Tip #1 - Bit Stream Backups: Normally computer evidence is preserved by making an exact copy of the original evidence before any analysis is performed. It is not enough to just make copies of computer files using a conventional backup program. Valuable evidence may exist in the form of erased files, and the data associated with these files can only be preserved through a bit stream backup. Specialized software is available to law enforcement agencies that performs this task, e.g. SafeBack. Regarding floppy diskettes, the DOS DISKCOPY program will suffice. A bit stream backup of the evidence provides a level of insurance should things 'go bump in the night'. It is always a good idea to make a bit stream backup before processing computer evidence.
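The difference between a file-level copy and a bit stream backup, as an added example that is not part of the original article and not SafeBack or DISKCOPY: the sector-by-sector copy loop hashes the source and the image so the examiner can show they are identical, and a constructed 4 KB "diskette" with an erased file in unallocated space shows why the file-level copy loses that evidence. All names and the sample disk contents are made up for the illustration.

```python
import hashlib
import io

SECTOR = 512  # imagers walk the media sector by sector, not file by file

def bitstream_image(src, dst, chunk=SECTOR):
    """Copy every byte of src to dst and return (source_hash, image_hash)
    so the copy can be shown identical to the original."""
    src_hash, dst_hash = hashlib.sha256(), hashlib.sha256()
    src.seek(0)
    while True:
        block = src.read(chunk)
        if not block:
            break
        src_hash.update(block)
        dst.write(block)
        dst_hash.update(block)
    dst.flush()
    return src_hash.hexdigest(), dst_hash.hexdigest()

def build_sample_disk():
    """Constructed stand-in for a seized diskette: one allocated file in
    sector 0 and the residue of an erased file in sector 4, which a
    file-level backup never reads because no directory entry owns it."""
    live = b"MEMO.TXT: shipment leaves Tuesday"
    erased = b"DELETED: wire the money to the offshore account"
    disk = bytearray(8 * SECTOR)
    disk[0:len(live)] = live
    disk[4 * SECTOR:4 * SECTOR + len(erased)] = erased
    return bytes(disk)

def logical_copy(disk):
    """What a conventional backup preserves: only the allocated file's bytes."""
    return disk[0:SECTOR].rstrip(b"\x00")

def demo():
    disk = build_sample_disk()
    src, dst = io.BytesIO(disk), io.BytesIO()
    src_hash, img_hash = bitstream_image(src, dst)
    image = dst.getvalue()
    return {
        "hashes_match": src_hash == img_hash,
        "image_is_exact": image == disk,
        "erased_in_logical_copy": b"DELETED" in logical_copy(disk),
        "erased_offset_in_image": image.find(b"DELETED"),  # sector 4 = 2048
    }
```

On real media the same loop is used with `src` opened read-only on the device (for example a block device node on a Linux examination box) and `dst` a file on sterile media; the two matching hashes are what goes into the evidence log.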
Tip #2 - Temporary Files: Word processing programs and database programs create temporary files as a byproduct of the normal operation of the software. Most computer users are unaware of the creation of these files because they are usually erased by the program at the end of the work session. However, the data contained within these erased files can prove to be most valuable from an evidence standpoint. This is particularly true when the source file has been encrypted or the word processing document was printed but never saved to disk. Like magic, these files can be recovered.
Tip #3 - Windows Swap File: The popularity of Microsoft Windows has brought with it some added benefits for computer investigators in their quest for new sources of computer evidence. The Windows swap file acts as a huge data buffer, and many times fragments of data or even an entire word processing document may end up in this file. As a result, careful analysis of the swap file can result in the discovery of valuable evidence when Windows is involved. New Technologies, Inc. has developed software that automates the analysis of the Windows swap file. With this software a 40 meg swap file can be processed and evaluated in just a few hours. Using traditional methods and tools, such analysis used to take several days.
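The kind of fragment analysis Tip #3 describes, as an added example that is not part of the original article and not New Technologies, Inc.'s software: readable runs are carved out of a swap-file image (the same heuristic the classic `strings` utility uses) and then filtered for the password and logon strings Mistake #5 mentions. The swap file here is constructed, with non-printable filler and three planted fragments at chosen offsets; the keywords and all names are assumptions for the illustration.

```python
import random
import re

MIN_LEN = 8  # shortest printable run worth reporting, as with `strings`

def carve_fragments(data, min_len=MIN_LEN):
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes; swap pages are mostly binary, so readable runs stand out."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def keyword_hits(fragments, keywords):
    """Keep only fragments mentioning a keyword (case-insensitive), e.g. the
    password and logon strings an examiner looks for first."""
    wanted = [k.lower() for k in keywords]
    return [(off, txt) for off, txt in fragments
            if any(k in txt.lower() for k in wanted)]

PAGE = 4096

def build_sample_swap(seed=1):
    """Constructed stand-in for a swap file: 16 pages of non-printable
    filler with three readable fragments paged out by a word processor
    and a network logon dialog. Offsets are chosen, not realistic."""
    rng = random.Random(seed)
    swap = bytearray(rng.randrange(0x80, 0x100) for _ in range(16 * PAGE))
    planted = {
        3 * PAGE + 100: b"Dear Mr. Jones, the second shipment is scheduled for Friday.",
        7 * PAGE + 2000: b"LOGON user=jdoe password=hunter2 server=FILESRV",
        12 * PAGE + 512: b"CONFIDENTIAL DRAFT - printed but never saved to disk",
    }
    for off, text in planted.items():
        swap[off:off + len(text)] = text
    return bytes(swap)

def demo():
    fragments = carve_fragments(build_sample_swap())
    return {
        "fragments": fragments,
        "credential_hits": keyword_hits(fragments, ["password", "logon"]),
    }
```

Against a real swap file the carved offsets are what you record, since they let a second examiner locate the same fragment in the bit stream image.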
Tip #4 - Document Comparisons: Many times duplicate word processing files may be found on computer hard disk drives and/or floppy diskettes. Sometimes subtle changes or differences between versions of the same document have evidentiary value. These differences can easily be identified through the use of the redline and compare features of most modern word processing programs. The use of this trick alone can save countless hours of time that could be wasted making manual comparisons from one document to another. Because the resulting file is modified by the word processor, be sure to work from copies when using this tip. Automated forensic tools created by New Technologies, Inc. can also be used to help expedite the process. Such tools are particularly helpful when multiple computers are involved.
The popularity of computers in society today has changed the evidence rules a bit but this technology has provided investigators with potential sources of evidence and information that did not exist previously. I hope the information provided helps you understand the benefits of this new source of evidence. It is hard to cover all aspects of computer evidence processing in this article. For that reason, it is strongly suggested that you get proper training if you anticipate that you will be involved in the processing of computer evidence.

