Computer Evidence Processing

The Third Step
Preserve the Electronic Crime Scene

by Michael R. Anderson

Computer evidence is odd, to say the least. It lurks on computer hard disk drives, zip disks and floppy diskettes at three different levels: two of these levels are not visible to the computer user. Such evidence is fragile and it can easily be destroyed through something as simple as the normal operation of the computer. Electromagnets and planted destructive Trojan horse programs are other hazzards that can permanently destroy computer evidence in seconds. I cannot think of any other type of evidence that presents the investigator with as many potential problems and challenges. In the old days defense lawyers didn't know much about computer evidence. As a result, cross examination by the defense went pretty easy a few years ago. However, things are changing because lawyers are becoming educated due to the current popularity of electronic document discovery in the legal community. Times have changed and it is all the more important to do things by the book.

The computer investigator not only needs to be worried about destructive process and devices being planted by the computer owner. He or she also needs to be concerned about the operating system of the computer and applications. Evidence is easily found in typical storage areas, e.g., spreadsheet, database and word processing files. Unfortunately potential evidence can also reside in file slack, erased files and the Windows swap file. Such evidence is usually in the form of data fragments and it can be easily overwritten by something as simple as the booting of the computer and/or the running Microsoft Windows. When Windows starts, it potentially creates new files and opens existing ones as a normal process. This situation can cause erased files to be overwritten and data previously stored in the Windows swap file can be altered or destroyed. Furthermore, Windows 95 has a habit of updating directory entries for files as a normal operating process. As you can imagine, file dates are very important from an evidence standpoint.

Another concern of the computer investigator, is the running of any programs on the subject computer. Criminals can easily modify the operating system to destroy evidence when standard operating systems commands are executed. In the training courses that I teach, I have the students modify the operating system such that the execution of the DIR command destroys simulated evidence. Standard program names and familiar Windows program icons can also be altered and tied to destructive processes by a crafty high tech criminal.

Even trusted word processing programs like Microsoft Word and WordPerfect can become the enemy of the cyber cop. It works this way: When word processing files are opened and viewed, temporary files are created by the word processing program. These files overwrite the temporary files that existed previously and potential evidence stored in those files can be lost forever. I hope I am starting to make my point. Computer evidence processing is risky business and is fraught with potential problems. Of course, any loss of crucial evidence or exculpatory material falls on the shoulders of the computer investigator. What will your answer be, if the defense attorney claims the data you destroyed proved the innocense of his client? You better have a good answer.

Many inherent problems associated with computer evidence processing vanish when tried and proven processing procedures are followed. My objective in writing this article is to keep Murphy's law from ruining your case. When it comes to computer evidence processing, Murphy is always looking over your shoulder. He stands ready to strike at just the wrong moment.

Your very first objective, after securing the computer, should be to make a complete bit stream backup of all computer data before it is reviewed or processed. This should normally be done before the computer is operated. Preservation of evidence is the primary element of all criminal investigations and computer evidence is certainly no exception. This basic rules of evidence never changes. Even rookies know that evidence must be preserved at all costs. As stated previously, evidence can reside at multiple levels and in bizarre storage locations. These levels include allocated files, file slack and erased files. It is not enough to do a standard backup of a hard disk drive. To do so would eliminate the back up of file slack and erased file space. Without backing up evidence in these unique areas, the evidence is susceptible to damage and/or modification by the computer investigator. Bit stream backups are much more thorough than standard backups. They involve the copying of every bit of data on a storage device and I usually recommend that two such copies be made of the original when hard disk drives are involved. Any processing should be performed on one of the backup copies. As I stressed before, the original evidence should be preserved at all costs. After all, it is the 'best evidence'.

The need for forensic bit stream image backups was identified by a group of us back in late 1989 during the creation of the first computer forensic science training courses at the Federal Law Enforcement Training Center. The very first program created to perform this task was named IMDUMP and it was developed by Michael White who was employed by Paul Mace Software. That program proved to be helpful until approximately 1991 when most of the Paul Mace utilities were sold to another software company. Lacking the continued support for IMDUMP, we went to Chuck Guzis at Sydex, Inc. in Eugene, Oregon and presented him with our dilemma. Chuck had been a friend of law enforcement computer specialists for years and our begging paid off. He agreed to develop a specialized program that would meet our bit stream backup needs from an evidence standpoint. I like to think of Chuck as the father of electronic crime scene preservation and the resulting program, SafeBack, has become a law enforcement standard. In addition, it is used by numerous government intelligence agencies, military agencies and law enforcement agencies world wide. Unlike normal backup programs, SafeBack copies and preserves all data contained on the hard disk. It even goes so far as to circumvent attempts made to hide data in bad clusters and even sectors with invalid CRCs. I am not aware of any other backup programs that have these features and they were added to specifically help law enforcement deal with such issues.

Another bit stream backup program called SnapBack is also available and is used by some law enforcement agencies primarily because of its ease of use. It is priced several hundreds of dollars higher than SafeBack and its original design was not for evidence processing. It was designed as a network backup utility for use by system administrators. SafeBack was designed from the ground up as an evidence processing tool and is priced to fit law enforcement budgets. It has error checking built into every phase of the evidence backup and restoration process. I prefer SafeBack and it was purchased from Sydex in March 2000 by NTI for sale to its clients and for use in the development of other NTI products tied to computer network forensic issues.

The important thing is to make a bit stream backup of all computer data before you begin processing. SafeBack and SnapBack seem to be the answer concerning computer hard disk drives.

I can't stress the importance of bit stream image backups enough. To process a computer hard disk drive for evidence without one is like playing with fire in a gas station. The basic rule is that only on rare occasion should you process computer evidence without making an image backup first. The hard disk drive should be imaged using a specialized bit stream backup product and the floppy diskettes can be imaged using the standard DOS DISKCOPY program. Directions should be followed exactly regarding the use of the bit stream backup software. When DOS DISKCOPY is used, it is recommended that MS DOS Version 6.22 be used and the /V (data verification) switch should be invoked from the command line. To avoid getting too technical for the purposes of this article, I will avoid going into the specifics regarding the uses of these backup programs. However, instruction manuals should be studied throughly before you attempt to process computer evidence. Ideally, you should conduct tests on your own computers before hand and compare the results with the original. Being comfortable with the software you use is an important part of computer evidence processing. One of the original computer evidence masters, Stephen Choy, puts it nicely when he says, "Know your tools". Practice using all of your forensic software tools before you ever use them in the processing of computer evidence. You may only get one chance to do it right.