
Computer Forensics:

Tools & Methodology


Critical Review & Technology
Assessment Report

Authors:
Michael Noblett
Adam Feldman

Book and Cover Design:
Ahnie Senft
About the Authors
Mr. Michael Noblett has twenty-five years of investigative and professional science experience with the FBI as a Supervisory Special Agent. As the Unit Chief for the FBI’s Computer Analysis and Response Team (CART) he developed the policy guidelines, technical standards, and evaluation criteria for CART, all of which have become the de facto standards in the forensic community.

He currently teaches a graduate level course entitled “Computer Crime and Computer Forensics” at George Washington University, in Washington, DC. He has been a board member on the Department of Justice Advisory Board for Encryption Matters (1994-1997) and the FBI Internet and Intellectual Property Advisory Board (1993-1997); and has been a member of the American Academy of Forensic Sciences (Member), International Organization for Computer Examination (Charter Member), International Journal of Forensic Computing (Member of Editorial Board). Mr. Noblett has presented testimony at more than 100 Federal, State, and local trials.

Mr. Noblett has written and published numerous articles related to computer forensics. The articles are directed toward law enforcement executives and prosecutors as well as technical audiences. These articles include:

1997 Computer Crime Scene Procedures. International Journal of Forensic Computing (1):3-4

1996 Role of the Microcomputer as a Criminal Instrument. United States Attorneys’ Bulletin 44(3):12-15

1995 Report of the Federal Bureau of Investigation on the Development of Forensic Tools and Examinations for Data Recovery from Computer Evidence. In Proceedings of the 11th INTERPOL Forensic Science Symposium, Lyon, France. The Forensic Sciences Foundation Press, Boulder, CO

1993 Computer: High Tech Instrument of Crime. FBI Law Enforcement Bulletin 62(6):7-9

1992 Computer Analysis and Response Team (CART): The Microcomputer as Evidence. Crime Laboratory Digest 19(1):10-15.

Computer Forensics: Tools & Methodology • Critical Review & Technology Assessment Report
Mr. Adam Feldman has fourteen years of professional experience in computer engineering, information security, computer forensics, and program management. Specifically, Mr. Feldman has extensive experience in architecting and implementing automated information systems that address a variety of InfoSec and communications requirements. Previously, Mr. Feldman helped architect and implement the ACES system within the FBI Laboratory.

Mr. Feldman has managed numerous InfoSec related projects including the Automated Computer Examination System (ACES) (1995-1998) and software engineering for a systems integration project to develop a series of LAN and WAN-based real-time network traffic monitoring systems.

In addition, Mr. Feldman has managed many software engineering projects to develop a set of security utilities for Microsoft Windows NT, Windows 3.1, MS-DOS, OS/2, and Sun Solaris to address several issues, such as object reuse and other inherent information security vulnerabilities, and general purpose encryption applications using DES CBC and RSA algorithms.

Mr. Feldman has a B.S. in Computer Engineering from Case Western Reserve University (1985).


IATAC • Information Assurance Technology Analysis Center


About IATAC
The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information in support of Defensive Information Operations. IATAC’s mission is to provide a DoD central point of access for information on Information Assurance (IA) emerging technologies. These technologies include system vulnerabilities, research and development, models, and analysis to support the effective defense against Information Warfare attacks. IATAC focuses on all defensive activities related to the use of information, information-based processes and information systems. One of thirteen DoD-sponsored Information Analysis Centers (IACs), IATAC is managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA).

IATAC basic services provide the infrastructure to support Defensive Information Operations. Basic services include the collection, analysis, and dissemination of IA scientific and technical information; support for user inquiries; database operations; current awareness activities (e.g., IATAC newsletter); and the development of critical review and technology assessment and state-of-the-art reports.

Critical review and technology assessments (CR/TAs) are reports that evaluate and synthesize the latest information resulting from research and development activities, or they may be comparative assessments of technologies and/or methodologies based on specific technical characteristics. Topic areas for CR/TA reports are solicited from the IA Community to ensure applicability to emerging warfighter requirements.

Inquiries about IATAC capabilities, products and services may be addressed to:

Robert P. Thompson
Director, Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042
Phone: (703) 289-5454
Fax: (703) 289-5467
E-mail: iatac@dtic.mil
URL: http://www.iatac.dtic.mil

Table of Contents
xiii List of Figures
xv Tool & Manufacturer
1 I. Introduction
4 II. Forensic Science
5 III. Legal Issues
8 IV. Computer Forensic Science
11 V. Operations
19 VI. The Computer Crime Scene—Recommended Procedures
22 VII. Computer Forensic Tools
31 Evidence Preservation and Collection Tools
Write-Protection Software Tools
Disk Imaging Software
53 Analysis Tools
Recovery of Deleted Files
Recovery of Unallocated/Slack Data
Recovery of Protected/Encrypted Data
String Pattern Matching
File & File-Type Identification
File Listing or Cataloging
Integrated Forensic Systems
99 Misc. Tools
107 Case Management Tools
113 Bibliography
115 Appendix
115 DoD Points of Contact
116 Product Information (GOTS & COTS)
119 List of Related URLs

List of Figures
Figure 1: Creating an Image Copy 37
Figure 2: Deleted Files on a Computer Disk 54
Figure 3: Unallocated Data on a Computer Disk 63
Figure 4: File Type Signatures 81
Figure 5: Individual File Signatures 81
Figure 6: Known File Filter (KFF) from ACES 82

Tool and Manufacturer (page of first occurrence only)

Page  Tool                                             Manufacturer
35    Automated Computer Examination System (ACES)     Federal Bureau of Investigation
101   Disk Editor                                      Symantec
45    DriveCopy                                        PowerQuest Corporation
47    Drive Image Professional 2.0                     PowerQuest Corporation
77    DtSearch                                         DT Software, Inc.
33    Expert Witness                                   ASR Data Acquisition & Analysis
51    EZ-Copy                                          Micro House International, Inc.
89    FILELIST                                         New Technologies, Inc.
69    GetFree                                          New Technologies, Inc. (NTI)
49    ImageCast IC3                                    Micro House International, Inc.
41    Norton Ghost                                     Symantec
71    Password Recovery Toolkit                        Access Data
103   QuickView Plus                                   INSO Corporation
39    SafeBack 2.0                                     Sydex, Inc.
73    Steganos                                         DEMCOM
55    Undelete for Windows NT                          Executive Software
57    Unerase                                          Symantec, Inc.

I. Introduction

Forensic science is the application of science to legal issues. It encompasses every scientific discipline and numerous specialities within those disciplines. Traditionally, forensic science consisted of fingerprint comparison, toxicology, serology, trace evidence, questioned document examination, and firearms/toolmarks. This list has been expanded in recent years to include DNA analysis, explosive device analysis, hazardous materials analysis, and audio/video media analysis. These disciplines were added as technical capabilities were developed, as was the case with DNA analysis, or as law enforcement needs were identified, as was the case with explosive device and hazardous materials analysis.

Law enforcement has now identified an additional and pressing need: analysis of computer evidence. The forensic science community has responded to that need with computer forensic science or, more simply, computer forensics. The primary focus of this report is the evaluation of software tools available for this type of analysis. However, these tools will be used to examine evidence in a legal and procedurally driven environment. Understanding the technology and understanding the rules are equally important. The goal of any forensic examination is to provide valid and reliable information to both the investigator and the court.

Forensic science by its nature is more reactive than proactive. It concerns the examination and evaluation of evidence which, by definition, does not appear until a crime has been committed. The introduction of the computer as a target of crime, an instrument of crime, or a repository of evidence of crime does not change the basic relationship of investigation followed by collection of evidence followed by forensic examination of that evidence.

This relationship, however, does not mean that specific forensic expertise cannot help solve investigative problems. For example, forensic scientists routinely participate in crime scene search operations and train law enforcement in collecting and preserving evidence. In these examples, forensic science is used to identify and safeguard fragile evidence. Although the crime scene is still commanded by the investigators, they are assisted by a professional scientist with specific knowledge of evidence.
In its broadest reach, forensic science addresses not only the analysis of evidence but all aspects of acquiring, handling, storing, and examining materials seized as the result of a criminal investigation. Forensic science extends from the crime scene investigation to the testimony of expert witnesses. As such, it is a process as much as it is a technology.

Objectives
This report provides a comparative assessment of technologies used in the forensic examination of computers. The purpose of these examinations is to recover data from computers seized as evidence and present it to law enforcement for investigative use and to prosecutors for use at trial. It is intended to give an overview of the legal background under which computer forensic science operates as well as the policies and procedures that must be in place to satisfy the science, the courts, and the law enforcement community. It is also intended to provide a comprehensive review of commercial-off-the-shelf and government-off-the-shelf software tools written especially for computer forensic science.

Background
Federal, state, and local government agencies of all sizes and jurisdictional responsibilities are increasingly finding critical investigative information and evidence stored on computers. These computers range in size from microcomputers to mainframes and in complexity from simple stand-alone desktop computers to complex networked systems with data distributed worldwide. In any criminal, civil, or administrative investigation of a subject who has access to a computer, there is an increasing probability that information crucial to the investigation will be stored in some form of magnetic or optical media. A new branch of forensic science is emerging to deal with the technical and procedural issues associated with this type of evidence—computer forensic science. Computer forensic science is the discipline of acquiring, preserving, retrieving, and presenting data from computer evidence.

As law enforcement entities within the Department of Defense (DoD), other federal agencies, and state and local agencies assess their ability to recover information from these complex and often interconnected criminal enterprise systems, gaps quickly appear. Often, resources that are able to quickly address the hard technological problems do not have an understanding of the legal framework associated with evidence in what will likely become a criminal matter. Just as often, law enforcement, which does understand evidence and investigative procedure, is limited by both a severe lack of funding and technical capability.

Computer forensics must serve two masters. First, it must be technically robust to address questions of complete recovery of probative information without altering the original material. Second, it must meet the legal requirement of conducting these examinations in a manner that is entirely consistent with the rules of evidence. In criminal matters, there may be specific limits on information that may be recovered (e.g., privileged communications and E-mail) and who may be party to the information (e.g., grand jury material). As computer evidence becomes more common in court, issues such as these become more significant. An informal and ad hoc approach to computer forensics will not likely meet the mandates of the judicial system.

Organization
This report contains five main sections in addition to the Introduction. Section 2 provides background on the development of modern forensic science and its history. Section 3 presents legal issues that determine the boundaries within which forensic science operates. Section 4 describes a unique subset of forensic science: computer forensic science. Section 5 describes computer forensic science operations, including the acquisition and examination of computer evidence, and utilization of the results of this examination process. Section 6 describes suggested actions to take after discovering that a “computer crime” has occurred. Section 7 describes specific software tools. The report concludes with an appendix that lists points of contact for computer forensics within the Department of Defense and the Federal Bureau of Investigation, product information, and related URLs.

Methodology
Much of the information presented in this report was based on the authors’ experience. Research materials consisted of books, journal articles, conference proceedings, and manufacturers’ literature, which is primarily available through their web sites. Formal contacts were made with Department of Defense computer forensic laboratories and the Federal Bureau of Investigation laboratory, and their comments and advice have been included.




II. Forensic Science

Courts have a long tradition of using science to assist them in determining the truth. References can be found to “legal medicine” as early as the sixth century, and the medical profession began to provide routine assistance to the courts during the 16th century. However, the origins of “modern” forensic science trace back only as far as the mid 1800s. Some of the early efforts that have defined forensic science include:

• In 1844, Dr. Mathieu J.B. Orfila, considered the father of toxicology, published a scientific treatise on detecting poisons and their effects on animals.
• In 1855, Dr. Bergeret d’Arbois used insect infestation to estimate time of death.
• In the 1890s, Edward Henry’s and Francis Galton’s pioneering work led to methods to classify and sort fingerprints.
• In the early 1900s, Edmond Locard studied the probability of matching bullets, hairs, and blood spatter patterns and proved that a criminal could be connected to a crime scene by dust particles carried away from the scene.
• In 1914, Leone Lattes developed methods to determine blood types from dried blood stains.
• In the 1920s, Calvin Goddard refined the techniques necessary to determine whether a bullet was fired from a suspect weapon.

Locard went on to establish the first crime laboratory in Europe in 1910. The United States followed Locard’s lead, and crime laboratories were established in California in the early 1920s. The Federal Bureau of Investigation established its laboratory in 1932 and in that same year testified in the Lindbergh kidnapping case. In 1923, the Federal Court in the United States recognized the importance of forensic science and

established legal standards designed to eliminate the results of “junk science” being admitted as evidence.1

Forensic science continues to expand in both scope and ability. It has often built upon the development of techniques and instrumentation used in analytical and clinical laboratories in the commercial and academic world. In other instances, such as fingerprint visualization, questioned document examination, and firearms examination, which have no private sector counterpart, forensic science has developed its own capabilities. Today, there are more than 300 forensic laboratories in the public sector serving more than 16,000 federal, state, and local police jurisdictions. The largest of these, the FBI Laboratory with more than 1,000 employees, conducts more than 2 million examinations each year. Professional organizations, such as the American Academy of Forensic Sciences http://www.aafs.org/ and the International Association of Forensic Sciences http://www.criminalistics.com/IAFS-1999/default.htm, provide scientific forums for discussion and peer-reviewed scientific journals to advance the state-of-the-art.

Note: Since the publishing of this report, there have been changes and deletions of products and URLs, which are reflected in this PDF file.

While forensic laboratories often resemble their analytical and clinical models, they apply their science differently. Forensic science is much more narrowly focused and operates cooperatively with and within limits set by law. These limits provide forensic science with unique and well-defined goals, which are generally determined by the facts of the investigation and the circumstances of acquiring the evidence. If forensic science and its practitioners exceed these limits, the court has ample means to punish by either not admitting the evidence or by holding individual examiners liable.

III. Legal Issues

The first attempt by the U.S. Federal Courts to establish standards for forensic science was in 1923 in Frye vs. U.S. [6]. That decision concerned the admissibility of evidence introduced by James Alphonzo Frye in his murder trial in the District of Columbia. The evidence Mr. Frye wanted to introduce was derived from a systolic blood pressure deception test, a crude precursor to the polygraph machine. That test “proved” that Mr. Frye was telling the truth when he denied committing the murder. The judge ruled against admitting this evidence and his decision was upheld on appeal. In the eyes of the court, the polygraph had not reached the level of science and its results could not be admitted as evidence. The Frye court then identified two conditions that must be met in order for the results of scientific examination to be admitted.

• The science should be well recognized within the relevant scientific community.
• The science should have been published in scientific (peer-reviewed) journals.

This simple test, referred to as the Frye Rule, remained the standard for forensic science for the next 50 years.

In 1960, the Supreme Court began a comprehensive study of the rules of practice and procedure in the Federal courts. In announcing this study, Chief Justice Earl Warren said, “Experience has shown that in order to promote simplicity in procedure, just determination of litigation and the elimination of unjustifiable expense and delay, it is essential that the operation and effect of the Federal rules of practice and procedure should be the subject of continuous study…” [1]. Among other issues studied was the role of forensic science and the testimony of its experts.

The study resulted in the 1975 publication of the Federal Rules of Criminal Procedure. In this publication, the Frye Rule was replaced by a much simpler requirement that the scientist’s results be admitted if the testimony would assist the judge and jury to understand the evidence. Even though this rule was published, the courts largely ignored the new rule and continued to rely on the long-established Frye Rule.

The determination of whether this new rule for forensic science would become controlling was not made until 1990 when Daubert vs. Merrell Dow Pharmaceuticals was tried in federal district court. In this case, the parents of two children born with serious birth defects alleged that those birth defects had been caused by the mother’s taking Bendectin, a prescription anti-nausea drug marketed by Merrell Dow Pharmaceuticals. Merrell Dow’s well-qualified experts on the risk of exposure to various chemical substances had reviewed and published many studies of Bendectin which concluded that the maternal use of Bendectin during the first trimester of pregnancy had not been shown to be a risk factor for human birth defects.

A review by the plaintiff’s equally well-qualified experts offered a different interpretation of the same epidemiological data. The plaintiff’s experts, however, were not permitted to testify in the trial because Merrell Dow had previously published its studies and conclusions in a peer-reviewed scientific journal. The plaintiff’s experts had neither published their results nor subjected them to peer review. Their testimony was not allowed under the Frye Rule. The court found in favor of Merrell Dow. The decision was appealed and in 1991 the appellate court upheld the decision of the trial judge.

The Supreme Court heard the case in 1993 [5] and decided that the Frye Rule had been completely replaced in 1975 and that Frye no longer applied. The original court should have allowed the plaintiff’s experts to testify because it would have assisted the judge to understand the evidence. This new standard for admitting forensic evidence is generally referred to as the Daubert Rule. The Supreme Court recognized that its ruling placed federal judges in what might be an uncomfortable gatekeeper role for introduction of scientific testimony. To assist federal judges in this new role, the court’s ruling also included guidelines for relevant and reliable scientific testimony. Daubert is interpreted as requiring that forensic science—

• Can be (or has been) tested
• Has had error rates established
• Has been subject to peer review and publication
• Is generally accepted in the scientific community.

Since that 1993 decision, forensic science laboratories have begun to reassess their methods and documentation to bring them into compliance with Daubert requirements. The result is forensic laboratories that, now more than ever, are driven by standards and protocols describing how examinations should be conducted and evidence handled. In addition, professional organizations, such as the American Society of Crime Laboratory Directors (ASCLD) http://www.ascld.org/, have developed standards for certifying laboratories, as well as general requirements for practitioners. Other professional organizations, such as the American Board of Criminalists, American Board of Forensic Document Examiners, American Board of Forensic Toxicology, and others, attempt to ensure the competency of forensic scientists. The courts have looked favorably on ASCLD and other professional boards in their efforts to promote professionalism in forensic laboratories and ensure examiners’ proficiency.

IV. Computer Forensic Science

Computer forensic science is the most recent discipline to be introduced into this varied mix that comprises forensic science. It was created to address the specific and articulated need of law enforcement to recover and exploit electronic evidence. It quickly evolved into the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. As a forensic discipline, none since DNA technology has the same potential impact on both investigations and prosecutions.

As individuals and businesses store data in electronic formats, computer forensics represents the best, and perhaps the only, technique available to law enforcement to recover data in white collar crimes and similar investigations. Without this data law enforcement cannot generate investigative leads and prosecutors don’t have evidence to bring before the court. Where DNA and its ability to identify a person from minute tissue samples found at crime scenes has revolutionized investigations of crimes of violence, computer forensics has the same potential for investigating crimes of finance and commerce.

Law enforcement at all levels—federal, state, and local—is struggling daily to keep up with advances in technology. This struggle is extraordinarily acute in matters of computer science and information technology. Traditional crimes, especially those of finance and commerce, are being automated. Yesterday’s paper trails are today’s electronic trails. New crimes and schemes associated with the theft and manipulation of data are being uncovered daily. Business records that were once written on paper and locked in a safe are now written to a disk and encrypted. Crimes of violence are not immune from the information age either. A terrorist attack may be as likely to come from the Internet as from a truck bomb. The diary of a serial killer may be found on a floppy disk. Just as the workforce is converting from manufacturing goods to processing information, crime is, to a large extent, also converting from a physical dimension where evidence and investigations are described in tangible terms to a cyber dimension where evidence exists only electronically and investigations are conducted on-line.
In addition to facilitating traditional crimes, computers and information technology have provided the technical basis for new crimes. Money can be stolen while in electronic transit. The Internet can allow criminals to enter a business and steal its secrets or corrupt its data with complete anonymity. If a more dramatic effect is sought, the same criminal can effectively cripple that business by flooding its servers and denying access to legitimate customers.

Law enforcement recognized its technological shortfalls in this new environment but had very limited ability to remedy them. Among the problems faced were meager equipment budgets, a work force trained for and steeped in the traditions of street rather than high technology investigations, and salaries that could not compete with the private sector for talented computer scientists. To remedy the situation, state and local law enforcement initially looked to their better funded and more technically staffed federal counterparts. In many cases they found that the federal sector was struggling with the same issues. Law enforcement also coordinated to establish a pool of expertise to address common issues. Organizations such as the High Technology Criminal Investigation Association (HTCIA) http://htcia.org/index.html began to address law enforcement’s needs and identify resources that could help meet those needs.

As early as 1984, the FBI Laboratory and others saw these emerging trends and began programs to examine computer evidence. They realized that a controlled and programmatic response would be necessary to address both the growing demands of investigators and prosecutors and the increase in the volume and complexity of the computer evidence. The FBI established a Computer Analysis and Response Team (CART) and charged it with the responsibility of forensic examination of computer evidence. Although CART is unique to the FBI, its function and general organization have been duplicated in many other law enforcement agencies in the United States and foreign countries. In 1998, CART examined computer evidence in more than 2,500 FBI investigations.
In a survey conducted in 1995 by the United States Secret Service, law enforcement agencies were asked to describe how they were organized to perform computer forensics. Of those reporting, 48 percent of the agencies had computer forensic laboratories and routinely forwarded seized computer evidence to the experts in those laboratories. As encouraging as these statistics are, the same survey reported that 70 percent of these same law enforcement agencies were doing the work without a written procedural manual [2].
There are ongoing efforts to develop examination standards and provide structure to computer forensic examinations. As early as 1991, a group of six foreign law enforcement agencies met with several U.S. federal law enforcement agencies in Charleston, SC, to discuss computer forensic science and the need for a standardized approach to examinations. In 1993, the FBI hosted an International Law Enforcement Conference on Computer Evidence attended by 70 representatives of various U.S. federal, state, and local law enforcement and 20 international law enforcement agencies. All participants agreed that standards for computer forensic science were both lacking and necessary. This conference met again in Baltimore in 1995, Australia in 1996, and the Netherlands in 1997, ultimately creating the International Organization on Computer Evidence. In addition, a Technical Working Group on Digital Evidence (TWGDE) was formed in 1998 to address these same issues among federal law enforcement agencies.

The United States Department of Justice created the Computer Crimes and Intellectual Property Section (CCIPS) http://www.usdoj.gov/criminal/cybercrime/index.html within its Criminal Division in 1991 to address legal issues associated with both computer investigations and computer forensics. In 1994, this section published guidelines for search and seizure of computer evidence, which have become de facto standards. This document has been revised regularly to address both new technology and new law. This document was created from the efforts of a working group that included DoD representatives. It reflects the policies of both civilian and DoD investigative agencies. Future plans include a similar set of guidelines for computer investigations. In addition, CCIPS has provided training for Assistant United States Attorneys in this complex legal area and established a Computer and Telecommunications Coordinator (CTC) in each of the 93 United States Attorneys’ offices. In this complex and fluid legal environment, CCIPS assists and advises both federal law enforcement agents and their DoD counterparts.

V. Operations

This report previously identified three roles that a computer can play in a criminal enterprise. In its first role, the computer can be the target of an attack. In this role, it may contain information such as times and locations of the attack and may also contain programs left by the intruder to facilitate reentry. A second role for the computer is as the instrumentality used to conduct the attack. In this role, it may contain hacker software and scripts, log files, telephone numbers associated with the attack, and other evidence of criminal activity. In its third role, the computer may be a repository of evidence of a crime or criminal enterprise. In this role, it may contain text, databases, spreadsheets, images, and other data connected to a crime. In some instances, the same computer may play multiple roles.
Computer intrusion investigations have typically focused on the computer's first two roles, and traditional criminal investigations, especially white collar crime investigations, on the last. There can be no doubt that computer intrusion and its effects on nationwide critical infrastructures pose a grave and growing threat and deserve intense investigative attention. However, in sheer numbers, the role played by computers as huge complex filing cabinets dwarfs intrusion investigations. In 1997, the FBI reported that it conducted forensic computer examinations in more than 2,500 traditional criminal cases compared with a reported 408 computer intrusion investigations. In this report emphasis is placed on concerns within the last category—the computer as a repository of evidence. In this role, the forensic examiner will recover data stored in the computer in a manner that will provide information not only to the investigator for use in generating investigative leads, but also to the prosecutor for use at trial.
With this general background, the computer forensic process can be described as existing in three phases—acquisition, examination, and utilization. Each will require a different skill set, as well as unique software tools to effectively address problems.

IATAC • Information Assurance Technology Analysis Center

[Figure: Acquisition, Examination, Utilization]

The first step in the computer forensic process is acquiring the evidence. In a basic model, such as an investigation of child pornography, this may be as simple as unplugging the suspect’s microcomputer and transporting it to a laboratory for examination. More typical, however, is a scenario that involves a complex financial fraud where evidence of the fraud is located on a local area network (LAN) or wide area network (WAN) and distributed throughout an entire business. In both these cases, it is likely that evidence will be seized as the result of executing a search warrant. This seizure will likely occur near the conclusion of the investigation, which will add pressure for a timely report of forensic examination results as the prosecutor begins trial preparation.

Developing the probable cause necessary for this search warrant is clearly the responsibility of the investigator and the prosecuting attorney. However, the computer forensic scientist can offer valuable assistance. The U.S. Constitution requires that the search warrant be specific. The items (or information) to be seized must be carefully and precisely described. The physical location of these items must also be identified. Describing where information is physically located on a LAN or WAN may be problematic at best, but consultation with a computer forensic scientist may provide the best description possible. Likewise, a technical review of the search warrant and supporting affidavit may identify flaws such as failing to include both networked and stand-alone computers, backup media, operations manuals, and similar items. If the search warrant fails to identify an item, it probably cannot be legally searched.

The next decision is whether the investigator should take just the information or the equipment as well. The computer forensic scientist and the investigator must understand the rationale behind the process of seizing latent information versus seizing overt information. In a traditional search warrant executed on a business or residence, law enforcement can usually recognize those items of evidence that have been identified in the warrant and single them out for seizure. The search is conducted until the evidence is found (or determined not to be present), the evidence is seized by law enforcement, and the subject is given a receipt.

Contrast this with the activity in a typical computer search and seizure, where data and equipment are taken under the assumption that the data includes the evidence described in the warrant. Both the investigator and the forensic examiner must realize that when they remove the computer to a laboratory they are merely continuing the search at another location, where extensive technical assets are available to facilitate data recovery under controlled conditions. Although this may seem a subtle difference, it has broad implications on issues such as how long the seized items may be kept and who may have access to the information contained in the seized material. Every attempt should be made to limit the amount of material seized on site, based on the descriptions contained in the warrant.

In some instances, such as health care fraud investigations, the equipment is considered part of the health care delivery system and cannot be seized. In other instances, such as large enterprise-wide networks, it is not practical to seize the equipment. The forensic laboratory in either case must be prepared to recover the needed data using its own resources.

Another concern is the sheer volume of data contained in most computer systems. If the information rather than the equipment is to be seized, the ability to quickly copy systems becomes critical. If the computer forensic scientist is faced with transferring 14 gigabytes of data from a suspect’s computer and has a software tool that transfers 1 gigabyte per hour, it will take 14 hours to copy that one computer.

The computer forensic scientist is responsible for developing a technical search plan. Part of this plan includes identifying needed resources. The plan must include the identity of sufficient personnel who have both the expertise and equipment to execute the warrant in a professional and competent manner within a reasonable time period. Intelligence such as size of storage media, operating systems in use, network topology, and other technical specifications of the system is crucial to developing an effective and efficient search plan.

Assuming that information rather than equipment will be taken, this acquisition phase of computer forensics will require software tools that can—

• Identify data on the basis of specific criteria
• Produce image copies of data
• Assure data integrity
• Operate quickly and efficiently.

The acquisition phase of the process is critical to the success of any investigation. It is likely that there will be only one opportunity to seize this information. The chance of recovery from mistakes made at this point is remote.
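To make the acquisition requirements above concrete, here is an added Python example (not code from the report or from any tool it describes) that images a source in fixed-size chunks, hashes the data as it is read, re-hashes the finished image to verify it, and shows that a single changed byte in the image is detected afterwards. The sample source is constructed in a temporary directory; the file names, the 1 MiB chunk size and the choice of SHA-256 are assumptions made for the example. Write-blocking is a hardware or operating-system function and is outside what a copying script can provide.

```python
"""Chunked imaging with integrity verification (added example, not from the report)."""
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB per read; an assumption for this example


def sha256_file(path, chunk_size=CHUNK):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path, img_path, chunk_size=CHUNK):
    """Copy src_path to img_path chunk by chunk.

    The first digest is computed over the bytes as they are read from the
    source; the finished image is then re-read from disk and hashed again.
    The two digests must agree or the image is not usable as evidence. The
    source is opened read-only, but a hardware write-blocker is what actually
    protects the original media.
    """
    read_hash = hashlib.sha256()
    total = 0
    started = time.monotonic()
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            read_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    image_hash = sha256_file(img_path, chunk_size)
    return {
        "bytes": total,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": read_hash.hexdigest() == image_hash,
        "seconds": time.monotonic() - started,
    }


def hours_to_image(total_bytes, bytes_per_hour):
    """The report's planning arithmetic: 14 GB at 1 GB per hour takes 14 hours."""
    return total_bytes / bytes_per_hour


def run_demo():
    """Image a constructed 3 MiB sample 'drive', verify it, then corrupt one
    byte of the image and confirm the recorded hash no longer matches."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_disk.raw")  # constructed sample
        img = os.path.join(workdir, "evidence_001.dd")   # assumed image name
        with open(src, "wb") as f:
            for value in range(3):
                f.write(bytes([value]) * (1024 * 1024))
        result = image_source(src, img)
        # Simulate damage after acquisition: flip a single byte of the image.
        with open(img, "r+b") as f:
            f.seek(1234)
            f.write(b"\xff")
        still_matches = sha256_file(img) == result["source_sha256"]
        return {
            "verified": result["verified"],
            "bytes": result["bytes"],
            "tamper_detected": not still_matches,
        }


if __name__ == "__main__":
    print(run_demo())
```

The digest recorded at acquisition time is what the examiner later cites in bench notes and testimony; every subsequent verification of the image is compared against that value, not against a re-read of the original media.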
There is an additional consideration at this critical acquisition stage that cannot be controlled by law enforcement. The first person to realize that an intrusion has taken place or a crime has been committed will probably be the system administrator. The initial steps taken by the system administrator at that point may determine how effectively law enforcement will be able to investigate and what limitations prosecutors may face regarding evidence as they take the case to trial.

The initial responsibility of the system administrator will be to “secure the crime scene.” Section 6 describes the importance of this effort and lists specific steps that will assist in the subsequent investigation. In general, these steps are logical and common sense ones, but they are often ignored in the initial confusion of discovering an intruder or a crime. A clearly defined policy statement that identifies personnel and their roles following discovery of an intrusion or crime will bring order to an often chaotic situation.

One of the most important steps the system administrator can take is to assure that there is a banner in place that warns everyone that they are subject to monitoring and have no expectation of privacy from this monitoring. Although this is generally understood in systems belonging to the government, the warning must still be prominently displayed to allow law enforcement to conduct an effective investigation. There should also be policy in place well in advance to address how the agency will coordinate with law enforcement upon discovery of an intrusion or crime. This policy should include threshold levels for reporting incidents to law enforcement and should identify an incident management team.

The system administrator’s ability to manage the initial hours following the discovery of an intrusion or crime will likely affect what evidence has been preserved, what log files and audit trails have been maintained or turned on, etc. These actions will provide the investigator with crucial information that would otherwise be lost. They will also preserve evidence for trial [2].

[Figure: Acquisition, Examination, Utilization]

Forensic science dramatically affects investigations and provides compelling testimony. To enhance objectivity and minimize the perception of bias toward law enforcement, forensic science has traditionally kept itself at arm's length from the actual investigation. It uses only those specific details from the investigation that are necessary for the examination, such as possible sources of contamination at the crime scene or fingerprints of non-subjects who have touched the evidence. Forensic science depends on the ability of the forensic scientists to produce a report based on the objective results of a scientific examination in which circumstances of the case play little or no part in the process. For example, a DNA examination in a rape case can be conducted without knowing the names of the victim or the subject, or the specific circumstances of the crime.

However, in order to be effective, computer forensic science must be driven by information uncovered during the investigation. With the average storage capacity in a personally owned microcomputer approaching 3 gigabytes [3], and systems readily available with 12 gigabyte storage capacity, it will soon be impractical to completely and exhaustively examine every file stored on a seized computer system. In addition, because computers serve such wide and varied uses within organizations, there may be legal prohibitions against searching every file. Attorneys’ and doctors’ computers may contain evidence of fraud, but they also probably contain client and patient information that is privileged. Data centrally stored on a computer server may contain incriminating e-mail prepared by the subject, as well as e-mail of innocent third parties who are clearly entitled to privacy.

As difficult as it would be to examine every file, it would be equally difficult for law enforcement to read and digest this amount of information—12 gigabytes of printed text data would create a stack of paper 24 stories tall. For this reason, computer forensic science is most effective when probative facts and details of the investigation are provided to the computer forensic examiner. From this information, the examiner can create a list of key words to be used to cull specific, probative, case-related information from this extremely large sample. Even though the examiner may have the right to search every file, time and legal constraints may not allow it. The examination will likely be limited to well-identified probative information.
Forensic science strives to produce results that are both valid and reliable. DNA analysis, for example, attempts to develop specific identifying information relative to an individual. To support their conclusions, forensic scientists have gathered extensive statistical data on both the techniques used and the DNA genetic profiles of the populations they will use to reach their conclusions. Computer forensic science, by contrast, produces information rather than reaching conclusions. The purpose of the examination is to find information related to the case. To support the results of a computer forensic examination, robust procedures need to be in place to ensure that the information is in fact on the computer storage media and was not altered by the examination process. Unlike the DNA examination model, computer forensic science makes no interpretive statement as to the truth or significance of that information.

To recover this probative information, computer forensic scientists must have software tools that can effectively and efficiently—

• Image data
• Create comprehensive file listings
• Identify and recover text located anywhere on the storage media (i.e., deleted files and files hidden in unallocated and slack space)
• View text and image files
• Assure that recovery methods do not unnecessarily contaminate the data or produce artifacts
• Identify compressed data and decompress it
• Identify encrypted files
• Assure data integrity.

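As an added illustration of the key-word culling described earlier in this section and of the examination requirements listed just above (example code, not from the report or from any tool it names), the Python below runs a keyword search, printable-string extraction, file-signature detection and an entropy scan over a small constructed raw image, and produces a hashed file listing. The image layout, 512-byte block size, file names and keyword list are all assumptions made for the example: an allocated memo, a deleted-file remnant left in unallocated space, an allocated gzip file, and a pseudo-random region standing in for encrypted data. Each keyword hit is classified against the file table so the examiner can see which hits come from unallocated space rather than from a live file.

```python
"""Examination helpers over a constructed raw image (added example, not from the report)."""
import gzip
import hashlib
import math
import re
from collections import Counter

BLOCK = 512  # sector size assumed for the sample image

# File-type signatures; a real examination uses a much larger table.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def build_sample_image():
    """Return (image_bytes, file_table) for a constructed layout:
    block 0 header, blocks 1-2 memo.txt, blocks 3-4 unallocated but still
    holding a deleted-file remnant, blocks 5-6 report.gz, blocks 7-10
    unallocated pseudo-random bytes (stands in for an encrypted blob)."""
    memo = b"Memo: move the funds to account 4471 as Mr. Grey instructed.\n"
    remnant = b"ledger (deleted): wire 25000 to offshore account for Grey\n"
    report_gz = gzip.compress(b"Quarterly report: nothing unusual.\n", mtime=0)
    noise = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(64))

    def blocks(data, n):  # pad data to exactly n blocks
        return data.ljust(n * BLOCK, b"\x00")

    image = (blocks(b"SAMPLEFS", 1) + blocks(memo, 2) + blocks(remnant, 2)
             + blocks(report_gz, 2) + blocks(noise, 4))
    table = {"memo.txt": (1 * BLOCK, len(memo)),
             "report.gz": (5 * BLOCK, len(report_gz))}
    return image, table


def list_files(image, table):
    """Comprehensive listing of allocated files with a content hash for each."""
    return [(name, off, size, hashlib.sha256(image[off:off + size]).hexdigest())
            for name, (off, size) in sorted(table.items())]


def classify_offset(offset, table):
    """Say whether an offset lies inside an allocated file or in unallocated space."""
    for name, (off, size) in table.items():
        if off <= offset < off + size:
            return "allocated:" + name
    return "unallocated"


def extract_strings(image, min_len=6):
    """Printable-ASCII runs anywhere on the media, deleted data included."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, image)]


def keyword_hits(image, keywords):
    """Case-insensitive offsets of each keyword across the whole image."""
    return {kw: [m.start() for m in
                 re.finditer(re.escape(kw.encode("ascii")), image, re.IGNORECASE)]
            for kw in keywords}


def find_magic(image):
    """Offsets of known compressed/container signatures."""
    found = []
    for sig, kind in MAGIC.items():
        start = 0
        while (pos := image.find(sig, start)) != -1:
            found.append((pos, kind))
            start = pos + 1
    return sorted(found)


def shannon_entropy(data):
    """Bits per byte; values near 8.0 indicate compressed or encrypted content."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(image, threshold=7.2):
    """Block offsets whose entropy suggests encrypted (or compressed) data."""
    return [off for off in range(0, len(image), BLOCK)
            if shannon_entropy(image[off:off + BLOCK]) > threshold]


if __name__ == "__main__":
    img, table = build_sample_image()
    for kw, offsets in keyword_hits(img, ["grey", "offshore"]).items():
        for off in offsets:
            print(f"{kw!r} at offset {off} ({classify_offset(off, table)})")
    print("signatures:", find_magic(img))
    print("high-entropy blocks:", high_entropy_blocks(img))
```

Every function here reads the image and never writes to it, which is the behaviour the list above asks for under "do not unnecessarily contaminate the data"; the hashes in the file listing are what a later examiner compares against to show that the examination itself altered nothing.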
The availability of software utilities necessary to conduct examinations and recover data, however, is not the only requirement for a successful forensic laboratory. Documented protocols and procedures for each software tool and procedure must be written and available. Training programs for examiners must be established, and all examiners must participate in them. Proficiency examinations must be administered periodically, and the laboratory itself must periodically review its administrative procedures for handling, storing, and tracking evidence.

The examination phase of the computer forensic process is the most controllable. Courts will expect that every effort has been taken to ensure that the results are warranted, based on the evidence examined. Computer forensic science must be able to demonstrate to the court that all legal and “good laboratory practice” requirements have been met. The results must be valid and reliable and the product of detailed, documented, peer-reviewed, state-of-the-art procedures and protocols that are accepted by the relevant scientific community [4]. These results will be presented and defended in a courtroom in adversarial and sometimes confrontational proceedings. The protocols that define the policies and procedures for examinations and the tools used for examination must be sufficiently robust to withstand challenges to both the results and methodology.

[Figure: Acquisition, Examination, Utilization]

Finally, the results of the forensic examination must be used. These results, in the form of a report or similar document, are typically returned to the contributor of the original evidence along with the evidence. In many cases it will be practical to include a copy of relevant text and image files on some convenient media for the investigator and prosecutor (and possibly defense attorneys and their experts) to review. From this review, and based on their detailed knowledge of the case, investigators may be able to set out additional investigative leads, and the prosecutor will determine how (or if) this information will be used in trial.

The process so far has been a series of events from acquisition through examination. Each event has been documented. As part of general laboratory procedures, clear definitions have been established as to the form in which this documentation must be maintained. Opposing counsel may request all documents related to a case through the legal process of discovery. This request may extend beyond documents specific to the case and include examination protocols, training records, and possibly proficiency examination scores. In federal court, attorneys may request that the personnel files of forensic examiners be reviewed for information that may bear on their ability to conduct a competent and impartial examination. Discovery issues are well understood in the legal community. It is unlikely that any laboratory will prevail in an argument to deny providing this documentation. Therefore, careful consideration must be given to the choice of software utilities so as not to compromise either classified techniques or the case.

If called to testify, the computer forensic examiner must be prepared to explain and defend both the scientific and administrative procedures in place in the laboratory, including—

• Chain-of-custody
• Security of the evidence while in the laboratory
• Scientific protocols and procedures in place in the laboratory
• Rationale for choice of specific software tools.

Chain-of-custody logs identify everyone who handled the evidence as it progressed through the laboratory. They should include not only examiners but also technicians and administrative personnel who transport items from one place to another within the laboratory. Failure to maintain these records may render the evidence inadmissible.

All evidence must be protected from the possibility of contamination and of inadvertent disclosure to others in the laboratory. It is likely that the examiner will be required to testify as to what security precautions are routinely taken in the laboratory and if this particular case was handled differently.

The examiner must be able to state that protocols are in place and that the examination was conducted according to those protocols. The examiner must also be able to logically and clearly describe the examination process and the results it produced. This description will likely include an explanation of items in the examiner's bench notes and final report.

Finally, the examiner is responsible for convincing the jury that every step in the examination process was logical, necessary, and produced valid results. The examiner is presenting the results of a scientific and complex examination to an audience that is unlikely to be technically literate. The ability to explain these technical matters effectively in layman's terms may be as important as the technical conduct of the examination.

Each of these topics represents issues that will determine what weight the jury places on the testimony of the expert. The depth and breadth of the possible testimony is limited only by the creativity of the attorney’s cross examination and the patience of the judge.

VI. Computer Crime Scene - Recommended Procedures

The most recent statistics, compiled in 1997 in a joint Computer Security Institute/FBI Computer Crime Survey, document the fact that more than 60 percent of networked systems (in both the public and private sectors) have no policy regarding intrusions and response to criminal activity. More than 50 percent have no identified team to respond to intrusions, and more than 50 percent have no policy for preserving evidence. This section lists some of the logical steps to take when you discover an intruder in your system or that you are the victim of a crime.

As important as these steps are, however, they should be preceded by a written document identifying your agency policy for responding to these incidents. The importance of this policy document cannot be overstated. Decisions, especially those regarding response and notification, should be made well in advance, and all employees should understand both the policy and their individual roles during an incident.

In almost all cases, general confusion initially surrounds any crime scene. This is true in crimes of violence and in crimes of commerce. Your discovery of an intruder in your system or that you are the victim of a crime will likely generate similar confusion within your organization. This is not the atmosphere in which to be making crucial decisions. It is the time to respond in a logical and measured manner and to take steps to preserve the scene and notify law enforcement. Your agency’s policy should include the following:

• Your threshold for notifying law enforcement (or your internal investigators) of an incident
• Identity of an incident management team and technical specialists who will respond to the event
• Roles and responsibilities of those managers and specialists during the incident
• Recovery plans.

The following steps should be taken as soon as possible after you discover an incident. By following them, you will take control of the crime scene and begin the process of information gathering, which will be crucial to both the investigator and the prosecutor.

1. Contact law enforcement
2. Turn on audit trails
3. Begin keystroke monitoring
4. Assemble the incident management team
5. Designate an evidence custodian
6. Make backups and print log files
7. Begin recording costs necessary to recover from the incident
8. Document your activity
9. Theorize.

1 Contact Law Enforcement

Your intrusion policy document should identify the appropriate law enforcement agency to contact. It should also identify those specific circumstances that will be handled internally and those that warrant referral to an outside agency. Valuable investigative information and evidence could be lost if there is a significant delay between discovery and reporting.

2 Turn on Audit Trails

This simple step will enable logins and related activity to be recorded. Audit trails should be turned on and maintained as a normal course of business. However, if this has not been the case, they should be turned on at this point. The investigator will need to know if the audit trails were turned on after discovery of the incident because the audit trail may alter the evidence.

3 Begin Keystroke Monitoring

Keystroke monitoring can provide a valuable record of activity on the system. However, it can also be a violation of privacy rights unless users are advised that it may be part of your security operations. The system administrator must ensure that the banner clearly allows you to legally perform this monitoring. Research the authority for this monitoring thoroughly and make it part of your policy document. There is genuine disagreement in the computing and legal communities as to what the appropriate response should be. If you are unsure of the legality of this operation, seek advice. As with audit trails, keystroke monitoring may alter or add artifacts to the evidence. If it is turned on after the incident is discovered, advise the investigator.

4 Assemble the Incident Management Team

Your plans should identify everyone on the incident management team and define their roles and responsibilities. A typical team consists of—

• Manager—Leads the team and has ultimate responsibility for documenting efforts
• System Administrator—Subject matter expert for system issues and questions
• Auditor—Determines economic impact of the crime or intrusion.

5 Designate an Evidence Custodian

During this event, you will likely collect a lot of information. Much of it will be turned over to law enforcement. Some of it will assist in your recovery efforts and in determining the impact of the crime. One person should be in charge of all evidence recovered at this stage. This person will be responsible for the information’s security and for documenting its origin (e.g., who recovered it, when and where it was recovered). This person will maintain the “chain-of-custody” and will receive the evidence you have gathered, as well as the documentation associated with your initial efforts after discovering the incident. This same person will be a point of contact for law enforcement officials as they begin their investigation.

6 Make Backups and Print Log Files

This is the beginning of your evidence collection efforts within your compromised system. The best evidence will be an image of the system. If this is impractical, make a logical copy. Do not copy the backup or the log files onto the compromised system. The investigator will also need the most recent routine backup.

7 Begin Recording Costs Necessary to Recover from the Incident

In criminal prosecutions, the value of your time and effort, as well as direct costs for restoring the system, may be admissible during the penalty phase of a trial. Loss means more than just loss of equipment and software. You should place appropriate value on information that may have been stolen, lost, or damaged; productive time lost on the system; costs of alternate systems necessary for day-to-day operations while the investigation is proceeding; etc.

8 Document Your Activity

Keep track of everything you do. This will not only assist the investigator, but may be crucial for the prosecutor during trial. The general rule is, “if you didn’t record it, it didn’t happen.”

9 Theorize

The system administrator and the team assembled to manage this event know more about the system than anyone else. Try to reconstruct the crime, being as open and candid as possible. Investigators will need your technical expertise and your ideas about issues, such as:

• Your theory on how the intruder got in
• Attacks on the system in the past (both successful and unsuccessful)
• Unusual patterns of activity on the system
• General system vulnerabilities.

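Steps 5, 6 and 8 above, together with the chain-of-custody discussion in Section V, can be carried out with a small collection script. The Python below is an added example, not code from the report: it copies log files from the compromised host to a destination that the caller must place on separate media, hashes each file before and after the copy, writes a JSON manifest recording who collected what, when and from where, keeps an append-only custody log of every hand-over, and re-verifies the copies on demand. The sample log lines, host and person names, paths and the incident identifier are constructed for the example.

```python
"""Log collection with a custody manifest (added example, not from the report)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect_logs(sources, dest_dir, collector, incident_id):
    """Copy each source file into dest_dir and write MANIFEST.json there.

    dest_dir must be on separate media (the report's rule: never copy backups
    or logs onto the compromised system); this function cannot check that for
    you. Each file is hashed before the copy and again after it.
    """
    os.makedirs(dest_dir, exist_ok=True)
    items = []
    for src in sources:
        dst = os.path.join(dest_dir, os.path.basename(src))
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 keeps the source timestamps
        after = sha256_file(dst)
        if before != after:
            raise RuntimeError(f"copy of {src} does not match its source")
        st = os.stat(src)
        items.append({
            "source": os.path.abspath(src),
            "copy": os.path.abspath(dst),
            "size": st.st_size,
            "source_mtime": datetime.fromtimestamp(
                st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
            "sha256": after,
            "collected_by": collector,
            "collected_at": now(),
        })
    manifest = {
        "incident_id": incident_id,
        "custodian": collector,
        "items": items,
        "custody_log": [{"at": now(), "action": "collected",
                         "from": None, "to": collector}],
    }
    path = os.path.join(dest_dir, "MANIFEST.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return path


def verify_manifest(manifest_path):
    """Re-hash every copy; return the names whose hash no longer matches."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    return [os.path.basename(item["copy"]) for item in manifest["items"]
            if sha256_file(item["copy"]) != item["sha256"]]


def transfer_custody(manifest_path, from_person, to_person, purpose):
    """Append a hand-over entry so everyone who held the evidence is recorded."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    manifest["custody_log"].append(
        {"at": now(), "action": purpose, "from": from_person, "to": to_person})
    manifest["custodian"] = to_person
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return len(manifest["custody_log"])


def run_demo():
    """Collect two constructed log files, verify them, hand them over, then
    show that a later edit of one copy is caught by verification."""
    with tempfile.TemporaryDirectory() as workdir:
        host = os.path.join(workdir, "compromised_host", "var", "log")
        os.makedirs(host)
        auth = os.path.join(host, "auth.log")
        web = os.path.join(host, "access.log")
        with open(auth, "w") as f:  # constructed sample lines
            f.write("Jan 12 03:14:07 host1 sshd[211]: Accepted password for svc "
                    "from 198.51.100.7 port 51022\n")
        with open(web, "w") as f:
            f.write('198.51.100.7 - - [12/Jan/1998:03:15:02 +0000] '
                    '"GET /admin HTTP/1.0" 200 512\n')
        dest = os.path.join(workdir, "external_media", "INC-0001")
        manifest = collect_logs([auth, web], dest, "J. Doe (custodian)", "INC-0001")
        clean = verify_manifest(manifest)
        entries = transfer_custody(manifest, "J. Doe (custodian)",
                                   "Det. R. Roe", "released to law enforcement")
        with open(os.path.join(dest, "auth.log"), "a") as f:
            f.write("edited after collection\n")
        return {"clean_before": clean, "after_edit": verify_manifest(manifest),
                "custody_entries": entries}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the written record the report asks for in step 8: each item carries who collected it and when, and the custody log grows by one entry at every hand-over, so the investigator receiving the media can re-run the verification and read the full handling history from the same file.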
VII. Computer Forensic Tools

The forensic examination of computer related evidence, primarily computer media, is performed using a wide variety of techniques and tools. Although ASCLD and similar groups have established standards for laboratory certification and examiner proficiency, they have not identified standards at the level of specific forensic disciplines. ASCLD has not endorsed any particular suite of software for computer forensic examinations. In fact, there are few established industry standards in either the private or public sector that specify a common set of tools that should be utilized. The result is that many different organizations employ many different tools and techniques to assist in the computer forensics process.

The majority of tools employed in Department of Defense and associated armed forces laboratories, federal law enforcement laboratories, and commercial computer forensics labs are software applications and utilities. These products come from a variety of sources. Many of them are commercial-off-the-shelf (COTS) products, while others are government-off-the-shelf (GOTS) or home-grown. The latter set of tools includes those developed in-house to satisfy a specific or unique requirement for an individual case.

Many COTS software products in use in computer forensics laboratories were not developed specifically for the computer forensics market. In fact, the majority of the most popular software tools used by many computer forensics laboratories were developed for other applications, including system administration (primarily system back-up and restore), data recovery, and diagnostic applications. Although these tools may not have been developed for computer forensic applications, they do offer several advantages:

• Technical support and maintenance is more likely to be provided because these products are often manufactured by large, reputable software companies.
• Documentation, both technical and user, is often more complete and professional because of the typically larger distribution of these products than GOTS or home-grown applications.
• Higher standards of quality assurance (QA) and in-house testing during a product’s development can be expected, primarily because of the typically larger distribution of these products.

The commercially available products may also have the following disadvantages:

• Access to source code, design documentation, or other information that may be useful to validate or accredit a product may be proprietary or otherwise unavailable.
• The manufacturer may be less receptive than the developer of a GOTS or in-house application to change-requests or product modifications that would better suit the needs of a forensics application.
• Licensing and distribution rights may place more restrictions on a COTS product than on a GOTS or in-house application.

Commercially available hardware or hardware-assist products that automate parts of the computer forensics examination process are also available. Several of the hardware-based products that have applicability to the computer forensics process provide a disk-duplication function. Such products usually perform disk duplication much faster than comparable software-only products. However, these products are generally proprietary, less versatile, and better suited for laboratory-only environments, as opposed to mobile or fly-away kit applications.

Computer forensic software products described in this report are divided by their function into one or more of the following primary categories:

• Evidence preservation and collection tools. The primary function of these tools is to prevent the accidental or deliberate modification of computer-related evidence (primarily, computer media) and to perform a logical or physical copy of data that is stored on evidentiary computer media.
• Analysis tools. This broad set of tools provides data recovery and discovery functions.
• Case management tools. These applications assist the computer forensics process by adding automation and improved efficiency.

The following discussion describes both commercial and government-developed products in each of these categories. The following table summarizes the major categories of tools and the specific tools of each type.

Computer Forensics: Tools & Methodology • Critical Review & Technology Assessment Report
End Notes
1. An excellent review of the history of forensic science can be found in: DeForest, Peter R.; Gaensslen, R. E.; Lee, Henry. Forensic Science: An Introduction to Criminalistics. McGraw-Hill, New York, NY (1983).
2. Two excellent sources for information regarding computer crime investigations and the steps the system administrator can take to assure that data are not lost:
a. Icove, David; Seger, Karl; VonStorch, William. Computer Crime: A Crimefighter's Handbook. O'Reilly and Associates, Sebastopol, CA (1995).
b. Rosenblatt, Kenneth S. High Technology Crime. KSK Publications, San Jose, CA (1995).

IATAC • Information Assurance Technology Analysis Center

VII. Computer Forensic Tools

Evidence Preservation and
Collection Tools
The primary purpose of this set of tools is to preserve the integrity of
data that resides on evidentiary computer media and to provide an unob-
trusive mechanism for making copies of some or all of the original data.
Within the law enforcement community, as well as in other comput-
er forensics laboratories, original computer evidence is handled and/or
examined as little as possible in order to avoid accidental or uninten-
tional modification of the data that resides on the media. Such modifi-
cation may make it difficult or impossible to assure the integrity of the
information that may be subsequently derived from the stored data, and
it may limit the admissibility of such evidence if it is required during a
court case or prosecution of a computer-related crime.
To facilitate a thorough examination of computer-related evidence while preserving the integrity of the original media, many forensic laboratories create one or more duplicate copies of the original evidence. The copy or duplicate may then be examined without concern that accidental or unintentional modification will compromise the original evidence. During the copy process itself, however, the original computer evidence could be unintentionally modified. Thus, additional steps, including mechanisms that prevent media from being accidentally or intentionally written or modified, are often required to maintain the integrity of the computer media during the copying function.
Two different sets of software applications are available to assist forensic examiners during the process of preserving and copying computer evidence:

• Write-protection tools
• Disk imaging software

Some of the tools described are suited to different operational scenarios. For example, some tools are better suited to an examiner's fly-away kit that can be taken to the site where the computer evidence resides. Other tools operate in the equivalent of a laboratory environment, where it is assumed that the user of the software (i.e., the computer forensic examiner) has complete access (physical access, unrestricted access, etc.) to the computer media being copied.

Write-Protection Software Tools
To preserve the integrity of evidentiary computer media during any part of a forensic examination, it is necessary to minimize the potential for accidental or intentional modification of the data contained on the media. The most effective way to reduce or eliminate data modification is to prevent or disable all attempts to perform write operations requested by the host operating system or device controller. For some types of hard drives, disabling write attempts can be accomplished via a hardware jumper setting. However, in most cases, the only available method to disable write attempts is via a software utility. Such a utility blocks only the write requests that pass through the layer it intercepts (for example, the BIOS disk services or an operating system driver); software that reaches the drive by another path is not blocked, so the description of each tool below notes when its protection is actually in effect.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425

Description:
Expert Witness implements two different software techniques that provide varying degrees of write-protection for evidentiary computer media. In the first technique, the Expert Witness application itself attempts to gain exclusive access to the media through operating-system-specific mechanisms. If exclusive access can be gained, all other software applications are prevented from accessing and modifying the locked media. This technique applies only to the Windows 95 version of Expert Witness, and it is integrated into the application; thus the protection against accidental modification is provided only while the Expert Witness application is executing.
The second technique is implemented as a special-purpose DOS-bootable floppy diskette that can be generated by the Expert Witness application. The diskette is used as the start-up disk for evidentiary computers where it would be best not to boot from the local hard drive, since a normal boot may unintentionally modify that drive. The system files copied to the bootable floppy are modified so as not to query the host system's resident disks. However, subsequent accidental or intentional write operations to the host's local disks are not blocked.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
ACES implements a unique approach to ensuring that evidentiary media attached to an examination workstation are not modified. The solution is a separate software component (separate from the forensic analysis utilities) that is installed as part of the operating system and is loaded when the operating system starts.
This approach is advantageous to the computer forensics application for two reasons. First, write-protection of disk drives attached to the examination workstation occurs during the operating system start-up process, before any other application can execute; thus the potential for accidental or intentional modification of evidentiary drives is greatly reduced. Second, because the write-protection software is separated from the rest of the ACES system, it can protect against modification while other forensic tools or other software applications are executed.

Disk Imaging Software
Disk imaging is a process that attempts to duplicate every bit of data
from one physical computer media to another, similar media. In some
cases, the source and destination computer media must be identical. In
other cases, it is sufficient that the destination media be at least as large
(both in terms of disk geometry and capacity) as the source media.
This type of copy operation is called a physical or direct disk copy as
opposed to a logical copy operation. The latter refers to a copy operation
that generally copies files and file names, but does not copy data that
may reside on a computer media but is not part of any file. This type of
data is referred to as slack or unallocated data and is described in the
Analysis Tools section of this report.
Both types of copy operations are useful for the forensic analysis of computer media, and both offer distinct advantages. The following factors determine whether the forensic examiner will make a physical copy of computer media, a logical copy, or both.

• Duration. How much time does the examiner have to perform the copy? Typically, a direct, physical copy of computer media takes longer than a logical copy, because a physical disk image copies the entire disk regardless of how much of it actually contains data. For a contemporary hard disk drive, the size of which may be several gigabytes, a typical disk image copy may take several hours to perform. A logical copy, by contrast, is much more selective: the examiner may be able to specify a small, targeted set of data files to copy from the evidentiary media for subsequent examination. In addition, unallocated or slack space, which may be the majority of a disk's capacity, is ignored, thereby increasing the speed with which the examiner can extract or copy the data of interest.

• Type/circumstances of the investigation. What type of information is being sought, and how computer-literate is the target of the investigation? The type of case being investigated may be a determining factor in deciding whether a logical or physical copy operation is appropriate. In some cases, specific types of files may contain the information being sought, but if these files are not intact their information value is greatly reduced. Such is the case for graphics files or certain types of compressed or scrambled files that have been deleted: some or all of their content may still reside on the media in unallocated portions, but unless the entire file is available, its contents may not be viewable or recognizable. In other cases, where the presence of a single word or bit of information may be valuable, the data stored both within files and in the slack or unallocated portions of the media should be collected. In the former example a logical copy operation is appropriate, whereas in the latter example a physical disk image copy is necessary.

Figure 1: Creating an Image Copy. [Evidentiary Computer, running Image Copy Software, writing to an External Storage Drive (Jaz, Zip, etc.)]

The remaining discussion in this section focuses on disk imaging software applications rather than products that are used for making logical copies.
Two additional characteristics of some disk imaging software products are worth noting:

• Integrity checking. In addition to performing a bit-by-bit copy operation, some disk imaging software products perform varying degrees of integrity checking to verify that all data has been copied without error or alteration. Particularly with respect to computer forensics, assurance that a disk image copy is identical to the original media is important. Several mechanisms may be implemented to verify that the data stored on the copy is identical to that on the original media. The most common techniques are a message digest (a cryptographic hashing function, sometimes loosely called a digital signature, although a true digital signature additionally binds the digest to a signer's key) and a checksum algorithm such as a CRC. Contemporary hashing functions generate a fixed-length number or hash (typically 64–168 binary bits) from an arbitrary length message (i.e., file or stream of data). Good hashing algorithms have the following properties that make them well-suited to integrity verification: a small change in the input file/stream will produce a significant change in the hashed result, and producing the same hashed result from two different input files/streams is computationally infeasible using today's technology. A checksum such as a CRC, by contrast, reliably detects accidental errors (a bad sector, a failed media write) but can be matched by a deliberately altered image, so it shows that a copy was made correctly rather than that it was not tampered with. Thus, many forensic laboratories rely on the high level of assurance provided by hashing technology.

• Store image as a file. While traditional disk imaging software duplicates one physical computer media onto another, some products implement a mechanism whereby the image copy of the original media can itself be stored as a file. In scenarios where the type, size, or geometry of an evidentiary disk drive is not known ahead of time, or physical access to the drive is impractical or undesirable (such as during the execution of a search), this approach offers obvious advantages. Most software products that offer this feature operate as follows: an external storage device such as a Jaz, Zip, or other removable media drive is attached to the evidentiary computer via an external interface (parallel, SCSI, etc.), and the stream of data copied from the original drive is written to one or more files on the attached external media (see figure 1 on page 37). Some of these products are capable of splitting the resultant file into two or more fragments that can be stored on multiple media; thus very large disk drives can be copied onto multiple destination removable media. Of course, these products also support a mechanism to restore a file that contains an image copy of a disk drive onto compatible media.
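The disk-to-file imaging, media spanning and integrity checking described above, as an added Python example that is not part of the report and is not any vendor's code. It assumes a 512-byte sector, uses SHA-256 as the message digest and CRC-32 as the per-fragment checksum (both my choices; the report names neither), and stands an in-memory byte string in for the evidentiary drive and byte buffers in for the removable cartridges:

```python
"""Added example (not from the report and not any vendor's code): a
disk-to-file imager of the kind the text describes.  It copies a source
sector by sector into image fragments sized to fit a removable medium,
computes a message digest over the whole stream for later comparison with
the original, and keeps a CRC per fragment so a single bad cartridge can be
identified.  The "source device" is an in-memory byte string standing in for
a drive, and the fragments are byte buffers standing in for Jaz or Zip
cartridges; SHA-256 is my choice of digest, the report names none."""
import hashlib
import random
import zlib
from dataclasses import dataclass

SECTOR = 512   # assumed sector size


@dataclass
class Fragment:
    index: int       # position in the set, so cartridges can be reordered
    data: bytes      # whole sectors only
    crc32: int       # detects an accidental media/read error in this piece


@dataclass
class ImageSet:
    fragments: list
    sectors: int
    sha256: str      # digest of the entire source stream


def image_to_fragments(source: bytes, medium_capacity: int) -> ImageSet:
    """Bit-for-bit copy of `source`, split at sector boundaries so every
    fragment fits on a medium of `medium_capacity` bytes (disk-to-file with
    spanning).  Nothing is interpreted: partitions, slack and unallocated
    space all come along."""
    if len(source) % SECTOR:
        raise ValueError("source is not a whole number of sectors")
    per_fragment = (medium_capacity // SECTOR) * SECTOR
    if per_fragment == 0:
        raise ValueError("medium cannot hold even one sector")
    digest = hashlib.sha256()
    fragments = []
    for offset in range(0, len(source), per_fragment):
        chunk = source[offset:offset + per_fragment]
        digest.update(chunk)
        fragments.append(Fragment(len(fragments), chunk, zlib.crc32(chunk)))
    return ImageSet(fragments, len(source) // SECTOR, digest.hexdigest())


def verify_fragments(image: ImageSet) -> bool:
    """The 'Verify' mode: check the fragments without restoring them to a
    physical disk.  A CRC mismatch points at the damaged piece; the digest
    confirms the reassembled stream is what was acquired."""
    digest = hashlib.sha256()
    for i, frag in enumerate(image.fragments):
        if frag.index != i or zlib.crc32(frag.data) != frag.crc32:
            return False
        digest.update(frag.data)
    return digest.hexdigest() == image.sha256


def restore(image: ImageSet) -> bytes:
    """Reassemble the stream for writing to a compatible destination disk."""
    if not verify_fragments(image):
        raise ValueError("image failed integrity check; refusing to restore")
    return b"".join(frag.data for frag in image.fragments)


def matches_original(image: ImageSet, original: bytes) -> bool:
    """Hash the original media independently and compare.  This is the
    assurance a CRC alone cannot give: a deliberately altered copy can be
    patched to keep its CRC, but not to keep its SHA-256."""
    return hashlib.sha256(original).hexdigest() == image.sha256


def sample_disk(sectors: int = 64, seed: int = 1) -> bytes:
    """Constructed sample 'drive' of pseudo-random sectors (not real data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR))


def corrupt_fragment(image: ImageSet, index: int) -> None:
    """Simulate a bad write on one cartridge: flip the high bit of its last byte."""
    frag = image.fragments[index]
    body = bytearray(frag.data)
    body[-1] ^= 0x80
    frag.data = bytes(body)


if __name__ == "__main__":
    disk = sample_disk()
    image = image_to_fragments(disk, medium_capacity=5000)   # 9 sectors per medium
    print(f"{image.sectors} sectors -> {len(image.fragments)} fragments, "
          f"sha256={image.sha256[:16]}...")
    print("verify:", verify_fragments(image),
          "matches original:", matches_original(image, disk))
    corrupt_fragment(image, 3)
    print("verify after one bad cartridge:", verify_fragments(image))
```

Run stand-alone, it images a constructed 64-sector drive onto 5000-byte media, producing eight fragments, then shows that a single flipped bit in one fragment fails verification while the digest of the untouched original still matches. The `matches_original` step is the one a laboratory performs against the original media under write protection; the CRC in each fragment only localizes an accidental error.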

Product Name: SafeBack 2.0
Manufacturer/Vendor: Sydex, Inc.
Product Information: Included in Appendix
Cost: Not Available

Description:
SafeBack implements many functions that are of benefit to the computer forensics process. The software supports three distinct modes of operation. The first mode, Backup, copies the contents of a hard drive bit-for-bit to a file on a secondary device (removable media or another hard drive); this mode is referred to as disk-to-file. The second mode, Verify, checks the integrity of a backed-up image file without actually restoring the file to physical media. Copy is the third mode; it skips the intermediate image file and instead creates a clone of the source drive on a second physical drive during the copy operation. This mode is referred to as disk-to-disk.
As with many other disk imaging software products, SafeBack's primary function is to perform a physical-level copy. That is, it does not interpret file system structures that may be present on a physical disk; the entire physical disk is copied, sector by sector, irrespective of the file systems and operating systems stored on it.
Alternatively, SafeBack does support what Sydex refers to as a partition backup. This type of backup interprets file system structures and, in SafeBack's case, supports only those partition types recognizable by MS-DOS (namely, the FAT file system).
The product supports both IDE and SCSI disk drives as sources. In addition, most removable media formats are supported (including Jaz, Zip, CD-ROM, 4 mm tape, and 8 mm tape) as destinations for the resultant image file.
Another beneficial feature of this product is integrity checking during the image file creation process. SafeBack uses a cyclic redundancy check (CRC) to implement the integrity checking.

Product Name: Norton Ghost
Manufacturer/Vendor: Symantec
Product Information: Included in Appendix
Cost: $16.80 (software only, plus a per-seat license fee)

Description:
Ghost implements a physical disk copy function that creates an image file on secondary local media or removable media, including Jaz, Zip, CD-ROM, and SCSI tape. The image file itself may be stored in compressed format to reduce the capacity required to store images of large disk drives. Like SafeBack, Ghost implements integrity checking during the image file creation process with a CRC. In addition, the image file that is created can span multiple media if it is too large to fit on one. Another useful feature of this product is its ability to selectively restore files or directories from an image file.
Ghost provides additional features that are not directly relevant to computer forensics, including the ability to resize disk partitions during an image restoration process and a capability called multicasting, which allows an image of a disk to be downloaded and installed on multiple computers simultaneously over an IP-based network.
Licensing of the Ghost software is based on the premise that the software will be used to replicate one or more master disk images onto many corporate computers. A per-seat license charge applies to each computer that is the recipient of a restored image copy.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
ACES implements two versions of an image copy utility: one is Windows NT-based and is integrated into the suite of ACES forensic utilities, and the other is a DOS-based version of the same utility that can be used as part of a fly-away kit and during on-site data collections.
The two versions of the ACES Image Copy utility are nearly identical in their capabilities. Both implement disk-to-file physical media copies, and both provide a restoration function to restore an image file to compatible media. ACES also supports spanning multiple removable media in cases where an image file is larger than can be stored on a single medium.
The ACES Image Copy utilities implement several integrity checking mechanisms that verify the integrity of the image copy while it is produced. The user can choose between various integrity-checking algorithms or can disable integrity checking entirely (to achieve maximum performance).

Product Name: DriveCopy
Manufacturer/Vendor: PowerQuest Corporation
Product Information: Included in Appendix
Cost: $29.95

Description:
This inexpensive disk imaging software product performs a basic physical copy of one disk to another (i.e., disk-to-disk). It also can interpret file system structures used by several popular operating systems, which enables DriveCopy to resize partitions during the copy operation. This is a very useful capability for some applications (e.g., upgrading a computer's primary disk drive to a new, larger drive). However, changing the structure of a disk drive, even on a copy, may significantly reduce its evidentiary value.

Product Name: Drive Image Professional 2.0
Manufacturer/Vendor: PowerQuest Corporation
Product Information: Included in Appendix
Cost: $695

Description:
Drive Image implements more features than PowerQuest's other drive imaging offering, DriveCopy. Its primary advantage over DriveCopy is that it provides a disk-to-file capability. That is, Drive Image can create and store an image of a disk drive as a file that can subsequently be restored to a suitable physical disk drive. In addition, the contents of the file can be both compressed and encrypted.
A feature called SmartSector enables Drive Image to perform a selective image copy that copies only those portions of a physical disk that are allocated to active files. Thus, no slack or unallocated portions of the original media will be copied into the disk image file. This feature is supported for most popular file systems, including FAT12, FAT16, FAT32, NTFS, and HPFS. Although this capability will often result in a faster image copy and a defragmented resultant disk image, the fact that it changes the original structure of the data as stored on the disk may significantly reduce its evidentiary value. The SmartSector capability can be disabled, which results in a complete disk image (including all slack and unallocated data) during the image copy process.
Drive Image provides two integrity checking mechanisms to reduce the potential for data errors during both the image creation and restoration processes. During the copy operation, the software can check for file system errors (i.e., bad sectors or clusters that are identified by supported file systems). During the restore operation, Drive Image can check the destination physical drive for bad sectors before writing data to the disk. Note that neither mechanism, as described here, compares the content of the image against the source; an examiner who needs that assurance must compute a digest of the source media and of the image independently.

Product Name: ImageCast IC3
Manufacturer/Vendor: Micro House International Inc.
Product Information: Included in Appendix
Cost: $150 for 10-host license

Description:
Many of the features of this product have evolved to satisfy not the computer forensics market, but the disk cloning and deployment market, where multiple identical computers must be upgraded with new software or new operating systems. Nevertheless, ImageCast does offer many useful tools and features that support the forensics process.
Both disk-to-disk and disk-to-file image copying methods are supported. ImageCast integrates EZ-Copy, another Micro House disk imaging product, to perform basic disk-to-disk image copies. Note that both the source and destination disks in this scenario must be IDE or EIDE.
An image file viewer utility that has a look-and-feel similar to Microsoft Windows Explorer is included with the product. Using this tool, a user can view the contents (i.e., directories and files) of any FAT partition stored within a disk image file. A user may also selectively restore files or directories from a FAT partition within an image file.
ImageCast also includes a conversion tool that converts disk image files created with Ghost into a compatible format.
Licensing of ImageCast software, like many other products in this category, is based on the premise that the software will be used to replicate one or more master disk images onto many corporate computers. A per-seat license charge applies to each computer that is the recipient of a restored image copy.

Product Name: EZ-Copy
Manufacturer/Vendor: MicroHouse, Inc.
Product Information: Included in Appendix
Cost: $14.95

Description:
EZ-Copy's copying capabilities are limited to disk-to-disk, as opposed to disk-to-file. In addition, it supports IDE and EIDE disk drives, but does not support SCSI disk drives. However, EZ-Copy does provide several useful features, including support for copying either partitions or entire media, and resizing of partitions during the copy process.

Analysis Tools
This set of forensic analysis tools consists of a large number of products from both the commercial and government sectors. In general, the primary function of forensic analysis tools and products is to assist the forensic examiner in analyzing the vast amounts of data that may comprise a case. Both the types of information that are sought and the formats of the data stored on computer media can vary widely. Thus, no single forensic analysis tool or product is sufficient to address all requirements of computer forensic analysis.
The tools and products described in this section are divided into categories based on the primary functions that these tools perform:

• Recovery of deleted files
• Recovery of unallocated/slack data
• Recovery of protected/encrypted data
• String and pattern matching
• File and file-type identification
• File listing or cataloging
• Integrated forensic systems
• Miscellaneous functions.

Recovery of Deleted Files
A common technique employed by computer forensic examiners in
analyzing evidentiary computer media is to attempt to recover and
examine information that may be contained within files that have been
deleted. Many popular commercial operating systems do not destroy
data contained within a file when that file is deleted. Instead, the major-
ity of operating systems simply mark the portions of the media that were
occupied by the deleted file as available or unallocated so that they may
be reused as new files are created. Thus, the information contained with-
in these deleted files may persist on the media (See Figure 2), and
through specialized forensic tools, the information may be recovered.
Note that another primary application for this technique is system administration (i.e., situations in which a user has accidentally deleted one or more files from the local computer's hard drive or a network file server). As a result, many of the products in this category have been implemented by commercial software vendors for that specific application.

Figure 2: Deleted Files on a Computer Disk

Directory entries:

  Deleted?   File Name   File Attributes
  N          File 1      Size, Date, ...
  Y          File 2      Size, Date, ...
  N          File 3      Size, Date, ...
  N          File 4      Size, Date, ...
  Y          File 5      Size, Date, ...

Evidentiary computer media with residual deleted files: the contents of File 1 through File 5 all remain on the media; File 2 and File 5 are flagged as deleted in the directory, but their data has not yet been overwritten.
Product Name: Undelete for Windows NT
Manufacturer/Vendor: Executive Software
Product Information: Included in Appendix
Cost: $46.95 for NT Workstation and $248.95 for NT Server

Description:
This product is specifically implemented for Windows NT. It comes in two versions and supports two different operating modes. The two versions, Workstation and Server, are intended to be hosted on Windows NT Workstation and Windows NT Server hosts, respectively.
In the first mode of operation, Undelete for Windows NT, when installed, replaces NT's Recycle Bin with its own Recovery Bin. The latter is similar to the Recycle Bin, except that it captures and retains files deleted by any method (command line, NT Explorer, by an application, etc.). Files contained within the Recovery Bin can be fully restored. Once purged from the Recovery Bin, files may be partially or fully restored by Undelete for Windows NT, depending on how much disk activity has transpired since. Although this mode of operation is beneficial to system administrators and users, it is not particularly valuable as a computer forensics tool because it requires that the tool be installed before the evidentiary files are deleted.
The second mode of operation, called Emergency Undelete, requires no software to be installed on the evidentiary media. This mode executes from a CD-ROM and searches NTFS or FAT partitions on a hard drive for deleted files that can be recovered. This mode is well suited to the computer forensics application because it does not disturb the scanned disk drive.

Product Name: Unerase (part of Norton Utilities)
Manufacturer/Vendor: Symantec, Inc.
Product Information: Included in Appendix
Cost: $72

Description:
Unerase is one of the utilities that comprise a suite of disk management and data recovery tools called Norton Utilities. This suite of tools is available for a variety of operating system platforms, including DOS, Windows, Windows 95/98, Windows NT, and Macintosh.
The Unerase utility has two modes of operation, not both of which are supported by every version of Norton Utilities. The first mode requires that Norton Utilities be loaded onto the computer on which deleted files are to be recovered. Clearly, this mode has little value to the computer forensics examiner because it would require that the utility be loaded before the evidentiary media is seized or examined.
The second mode of operation uses a version of Unerase that is executed from a DOS-bootable floppy diskette. The computer that contains the evidentiary media is booted using the prepared floppy disk. In this mode, the evidentiary media requires no advance preparation.
In either mode, the user has an option to restore selected deleted files to a location other than their original location. Thus, the evidentiary media may be left undisturbed and unmodified.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425

Description:
An unerase function is integrated into the Expert Witness suite of forensic tools. Deleted files are displayed to the user in a file list report with a unique indicator next to the file's name showing that the file is deleted. The user has two recovery options: the file can be recovered in place, or the file can be restored to an alternate location. For a forensics application, the latter method ensures that the original evidence is not modified.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
One of the ACES forensic utilities, Recover Deleted Files (RDF), implements the capability to search both NTFS and FAT file systems for deleted files. RDF performs an initial scan of a user-specified disk and displays to the user a list of deleted files, along with their estimated recovery potential. Thus, the user can opt to recover only those files whose probability of recovering all data is high. Recovered files are restored to an alternate location, and the original media is unmodified.

Recovery of Unallocated/Slack Data
Unallocated space is that portion of computer media that is not occupied by file data, file system data, or other information maintained by the operating system; file slack, the unused tail of the last allocation unit assigned to a file, is closely related and is usually recovered by the same tools. For example, when new, factory-fresh media is used for the first time, nearly the entire media is comprised of unallocated allocation units (sometimes referred to as sectors or clusters, depending on the operating system context). As files are stored, deleted, and modified on the media, the number, location, and content of unallocated allocation units change. In particular, the information contained within some of the allocation units that have been used and then freed (i.e., as happens when a file is deleted or resized) will persist while the allocation unit is designated as unallocated (see figure 3).
For computer forensic examiners, these unallocated allocation units sometimes contain residual information from deleted files or temporary files and may have significant evidentiary value; hence the need for a software utility that can recover them.
The utilities in this category are quite specialized. Not only do they perform a very specific function, but they also must be designed and implemented to analyze a very specific structure and organization of information (called a file system) as it is stored on computer media. To illustrate, consider that each of the following operating systems organizes and maintains data on physical, random-access media in its own file system, and these vary greatly in their organization and structure:

• Microsoft DOS—uses a FAT file system
• Microsoft Windows 98—uses the FAT32 file system (a variant of FAT)
• Microsoft Windows NT—uses the NTFS file system
• Linux—natively uses the ext2 file system (a UNIX-style file system)
• Macintosh—uses the HFS file system.

The software products described in this section typically address only one of these file systems. In some cases, the vendor may offer a series of related products that can examine unallocated space on several different file systems.

Figure 3: Unallocated Data on a Computer Disk

Allocation table (Y = allocated, N = unallocated), one entry per cluster:

       0 1 2 3 4 5 6 7 8 9
   0   Y Y Y Y Y Y Y Y Y Y
  10   Y Y Y N N N N N N N
  20   N N N N N N N N N N
  30   Y Y Y Y Y Y Y Y Y Y
  40   Y Y Y Y Y Y Y Y Y Y
  50   N N N N N N N N N N

Computer disk, by cluster number: File 1 occupies the allocated clusters beginning at cluster 0; clusters 13 through 29 are unallocated; File 3 and File 4 occupy the allocated clusters in the 30s and 40s; clusters 50 through 59 are unallocated. Key: Allocated / Unallocated.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425

Description:
Unallocated sectors or clusters of physical media are collected into logical files by Expert Witness and displayed to the user in a file list that contains all files associated with that media (including deleted files). The file(s) that contain the data stored within the unallocated clusters can be viewed in either hexadecimal or ASCII format. In addition, the files can be included in a string search and they can be printed.

Description:
ACES implements a utility for recovery of unallocated disk clusters on either FAT or NTFS file systems, which are used by MS-DOS and Windows NT, respectively. So as not to modify the original evidentiary media, the Free Space Extraction (FSE) utility copies the data contained in unallocated sectors to files that are stored to an alternate location.
In particular, the FSE utility recovers three types of slack space. The first type comprises all sectors/clusters managed by a file system that are not allocated to an active file or other file system structure. The second type, usually referred to as slack space, is the portion of the last cluster or allocation unit allocated to each file that is not occupied by the file’s contents. Third, data on a media that is not part of any logical partition or volume is also recovered.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
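The three kinds of free space FSE recovers, and the rule that recovered data is written elsewhere rather than back to the evidentiary media, can be shown on a toy volume. The following is an added example written for this review, not code from ACES, GetFree or Expert Witness; the cluster size, the allocation table, the directory entries and the file contents are all constructed:

```python
"""Free-space extraction from a constructed FAT-like volume image.

Added example; it is not code from the report or from any product it
describes. A tiny disk image is built in memory: a pre-volume area,
then eight 16-byte clusters governed by an allocation table and a
directory. The extractor recovers the three kinds of free space the
text lists (unallocated clusters, file slack in each file's last
cluster, data outside any volume) and writes each unit to a separate
output location, leaving the image untouched. All sizes are constructed.
"""
import os
import tempfile

CLUSTER_SIZE = 16      # bytes per cluster (real volumes: 512 B to 64 KiB)
VOLUME_START = 20      # bytes before the volume (partition-table area)
CLUSTER_COUNT = 8

def cluster_slice(n):
    start = VOLUME_START + n * CLUSTER_SIZE
    return slice(start, start + CLUSTER_SIZE)

def build_image():
    """Return (image, allocation table, directory) for the constructed volume."""
    img = bytearray(VOLUME_START + CLUSTER_COUNT * CLUSTER_SIZE)
    img[0:VOLUME_START] = b"PARTITION-TABLE-AREA"          # outside any volume
    # REPORT.TXT: 25 bytes in clusters 0-1; bytes 9..15 of cluster 1 are slack
    img[cluster_slice(0)] = b"Quarterly report"
    img[cluster_slice(1)] = b"-Q3 draft" + b"oldpass"
    # Clusters 2-3 held a file that was deleted; the table now marks them free
    img[cluster_slice(2)] = b"DELETED: wire tx"
    img[cluster_slice(3)] = b"to acct 0099!!!!"
    # NOTES.TXT: 10 bytes in cluster 4; bytes 10..15 are slack
    img[cluster_slice(4)] = b"todo: call" + b"\x07ghost"
    # Clusters 5-7 were never written and stay zero
    allocation = {0, 1, 4}                                  # clusters marked in use
    directory = {"REPORT.TXT": (25, [0, 1]), "NOTES.TXT": (10, [4])}
    return bytes(img), allocation, directory

def extract_free_space(image, allocation, directory):
    """Recover free space without modifying `image` (a read-only bytes object)."""
    # 1. Clusters the allocation table assigns to no file or file-system structure
    unallocated = {n: image[cluster_slice(n)]
                   for n in range(CLUSTER_COUNT) if n not in allocation}
    # 2. File slack: the tail of each file's last cluster beyond its logical size
    slack = {}
    for name, (size, chain) in directory.items():
        used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
        tail = image[cluster_slice(chain[-1])][used_in_last:]
        if tail:
            slack[name] = tail
    # 3. Bytes that belong to no logical partition or volume
    outside = image[:VOLUME_START]
    return unallocated, slack, outside

def write_recovered(outdir, unallocated, slack, outside):
    """Store each recovered unit as its own file in an alternate location."""
    units = [("unalloc_cluster_%04d.bin" % n, data) for n, data in unallocated.items()]
    units += [("slack_%s.bin" % name, data) for name, data in slack.items()]
    units.append(("outside_volume.bin", outside))
    for fname, data in units:
        with open(os.path.join(outdir, fname), "wb") as f:
            f.write(data)
    return [fname for fname, _ in units]

def demo():
    image, allocation, directory = build_image()
    unallocated, slack, outside = extract_free_space(image, allocation, directory)
    with tempfile.TemporaryDirectory() as outdir:
        return write_recovered(outdir, unallocated, slack, outside)
```

The directory entry's logical size is what separates slack from content: without it, a file's last cluster would have to be treated as wholly allocated and the residue at its tail would be missed. On a real FAT volume the cluster chain lives in the FAT itself and the logical size in the directory entry; the two dictionaries above stand in for both.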

Description:
GetFree is one of the tools that comprise NTI’s Law Enforcement Computer Evidence Suite. It is a DOS-based utility that extracts unallocated space on all forms of the FAT file system (i.e., 12-bit, 16-bit, and 32-bit). As with the other tools in this category, GetFree collects unallocated sectors into files that are stored to an alternate location so as not to modify the original disk. In addition, the application supports spanning of multiple media if the output files created by GetFree are directed to a removable media with insufficient capacity.

Product Name: GetFree
Manufacturer/Vendor: New Technologies, Inc. (NTI)
Product Information: Included in Appendix
Cost: Not Available



Recovery of Protected/Encrypted Data
An increasing number of products that provide confidentiality for users’ files and data have become available in the last few years. The most common mechanism that is implemented in these products is encryption. A variety of algorithms and techniques are available. The relative strengths (i.e., their ability to withstand cryptanalysis) of these products also vary. For forensic examiners, of course, the challenge is threefold: to recognize that a file or data has been protected by encryption, to discover which application has been used to protect the data, and to recover the original, plain-text information.
Two other techniques for protecting user files and data are becoming
prevalent as well:

• Password protection
• Data hiding (steganography).

Password protection often also involves some type of encryption or scrambling of the protected data using an algorithm or method that is based on the password. In other words, the encryption key required to unscramble or decrypt the protected data is derived from the password or pass phrase. In such schemes, the forensic examiner’s job is not cryptanalysis, but password cracking. This section describes specific password cracking tools.
Data hiding, or steganography, is a relatively new technology that has many applications. Specifically, it is a technology that allows the embedding of data into other digital information such as a file, still image, audio clip, or a video clip without detection. Primary legitimate applications for steganography (in addition to data hiding) include digital watermarking, copyrighting, and authentication. The size or ratio of concealed data to host data varies widely depending on the specific technique. The degree to which the concealed data is invisible (i.e., undetectable) also varies widely.
Because steganography is a fairly new technology and perhaps because the market is limited, no commercial products for detecting the presence of steganography or extracting the concealed data are widely available. However, commercial products that both embed and extract data into host files are available and are described.

Description:
This product actually is comprised of several different modules that may be integrated together. Each module is designed to identify password-protected files of a specific type (Microsoft Word, WordPerfect, Lotus 123, etc.) and crack the associated password.
The application has a Windows-based user interface that resembles Windows Explorer. From this interface, the user selects files and/or folders containing the password-protected files to be cracked.
The time it takes to recover a password varies based on the native application that was used to create the file and password, and the strength of the password itself. The product does implement intelligent password guessing algorithms, and it will also resort to a brute-force attack if necessary.

Product Name: Password Recovery Toolkit
Manufacturer/Vendor: Access Data
Product Information: Included in Appendix
Cost: $745—$1,245 (depending on modules included)

Description:
Steganos is a software application that provides privacy for sensitive files by encrypting and/or hiding them. The latter is accomplished by implementing steganographic techniques to embed sensitive digital information inside a suitable host data type. Steganos will hide data within a variety of host file types, including specific types of graphics files (BMP, MIB), audio files (WAV), and text files (including HTML files).
Once data is hidden within a suitable host file, it is very difficult to detect that the original host file has been modified. In addition to preserving the date and time stamp of the host file, the information that is contained in the host file will appear unaltered. In other words, changes in graphics file images will not be detectable to a viewer and changes made to an audio file will not be distinguishable to a listener. However, changes made to a text file may be recognizable if the host file can be compared with its original format.

Product Name: Steganos
Manufacturer/Vendor: DEMCOM
Product Information: Included in Appendix
Cost: $39.95



String and Pattern Matching
A common element of computer forensic examinations is identify-
ing the frequency and occurrence of specific words or patterns. For
example, it may be relevant to a forensic examination to recognize the
presence of the words “Oklahoma City” and “bombing” occurring with-
in the same text file.
Pattern matching or string searching is quite amenable to automa-
tion, and a number of commercial and government software applica-
tions are available to perform these functions. In addition to searching
for strings or words, many of these applications have some or all of the
following additional features:

• Generate a word index. Much like the index in a book, a database of every word or delimited string contained within a single file, collection of files, or an entire media is generated. The database may be alphabetized and may contain other relevant information, including the number of occurrences of each string, as well as the location of each occurrence within the file or media.

• Analyze multiple files or entire media. Most applications that are described support the examination of multiple files for the occurrence of specified strings or words. Some applications also implement a mechanism to examine the entire media for the occurrence of strings or words. Thus, occurrences that may be contained within deleted files or unallocated sectors or clusters on the media will be identified.

• Search for multiple strings. Most applications that are described support searching for more than one string or word within a specified file or set of files. Some applications will also accept as input a list of words that are contained within a file, allowing the user to re-use a set of search words without having to re-enter them.

• Searches using Boolean expressions. A few pattern matching software applications implement advanced features that allow more targeted or intelligent searches. Support for Boolean operators, particularly “AND”, enables string searching tools to filter files or data based on a narrow and specific set of criteria. The volume of results generated by such a search is potentially greatly reduced; thus, the amount of information that the examiner ultimately has to analyze will be reduced.

• Fuzzy logic searches. This is another advanced pattern matching capability that is offered by a few tools in this category. Specifically, fuzzy logic supports string searching based not only on a specific word or string, but also on derivatives of a word and/or synonymous or related words. For example, when searching for files containing the word “bomb,” files that contain “explosive,” “bombed,” or “dynamite” may also be considered as matches. Words that have slightly different spellings or are misspelled may also be considered as matches.

Description:
DtSearch is a combination of a powerful search engine and a text indexing tool. It can be used to create an index of words contained within a single file or a set of files. The index contains a list of words and the number of occurrences of each.
The search engine is integrated with a file viewing capability that includes text annotation. Thus, each file that contains one or more occurrences of the search word(s) can be viewed and each occurrence highlighted.
DtSearch supports many advanced text search features, including stemming (adding grammatical variations to a word), synonym searching (including synonymous words in a search), fuzzy searching (includes words that are misspelled or mistyped in a search), and natural language searching (a phrase or sentence is used as the criteria for finding relevant documents or files).

Product Name: DtSearch
Manufacturer/Vendor: DT Software, Inc.
Product Information: Included in Appendix
Cost: $199

Description:
ACES implements a basic text string search (TSS) utility as part of its integrated suite of forensic utilities. TSS supports many features that result in targeted searches and significant data reduction. In particular, the TSS utility differentiates strings and words. For example, if “men” is chosen as a search word, occurrences of “amen”, “amenable”, or “mentor” will not be considered matches.
The TSS utility supports Boolean expressions and the “AND” operator. In addition, multiple search strings or words can be specified either interactively by a user or stored in a text file that is interpreted by the utility. Multiple files or an entire media or partition can also be searched.
The report that is generated by TSS lists not only the occurrences of each search string within each file, but it also includes the number of occurrences and the offset of each within each file.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
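The whole-word distinction, the AND operator, a word list held in a text file, and the per-file count and offset report described above can be combined in a few dozen lines. The following is an added example, not the TSS utility or any vendor's code; the data units, including one that stands in for a recovered unallocated cluster, and the term file are constructed:

```python
"""Text string search with whole-word matching, Boolean AND and offsets.

Added example; it is not the ACES TSS utility or any other product's
code. It searches a set of data units (files or raw unallocated space)
for terms read from a word-list file, distinguishes words from strings
so that "men" does not match "amen" or "mentor", supports an AND
requirement across a unit, and reports count and byte offsets per hit.
The sample units and the term file are constructed.
"""
import re

def term_pattern(term, whole_word=True):
    """Compile a term for case-insensitive byte search.

    With whole_word, \\b anchors on ASCII word boundaries, so the term
    must stand alone rather than appear inside a longer word.
    """
    esc = re.escape(term.encode("ascii"))
    if whole_word:
        return re.compile(rb"\b" + esc + rb"\b", re.IGNORECASE)
    return re.compile(esc, re.IGNORECASE)

def search_unit(data, terms, whole_word=True):
    """Return {term: [byte offsets]} for the terms that occur in one unit."""
    hits = {}
    for term in terms:
        offsets = [m.start() for m in term_pattern(term, whole_word).finditer(data)]
        if offsets:
            hits[term] = offsets
    return hits

def search_all(units, terms, whole_word=True, require_all=False):
    """units: {unit name: bytes}.

    With require_all (Boolean AND) a unit is reported only when every
    term occurs in it; otherwise any single hit is enough to report it.
    """
    report = {}
    for name, data in units.items():
        hits = search_unit(data, terms, whole_word)
        if not hits or (require_all and len(hits) != len(terms)):
            continue
        report[name] = {t: {"count": len(o), "offsets": o} for t, o in hits.items()}
    return report

def load_term_list(text):
    """One term per line; blank lines and lines starting with # are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

# Constructed data units: two active files and one recovered unallocated cluster
UNITS = {
    "memo.txt": b"The men met in Oklahoma City. Amen. The mentor left.",
    "diary.txt": b"Nothing about the bombing of anything here, men.",
    "unalloc_0007.bin": b"\x00\x00Oklahoma City bombing memorial\x00\x00amenable",
}

# Constructed term file, as a user might store it for re-use
TERM_FILE = "# search terms (constructed)\nOklahoma City\nbombing\n"

def demo():
    """AND search for the page's own example terms across all units."""
    terms = load_term_list(TERM_FILE)
    return search_all(UNITS, terms, require_all=True)
```

Searching raw bytes rather than decoded text is deliberate: an unallocated cluster has no encoding and may contain NUL bytes, and a byte-level regular expression handles both. The same `\b` rule that keeps "men" out of "amenable" would also keep it out of a word that runs straight into a non-ASCII character, which is a limitation to keep in mind when evidence is not plain ASCII.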



File and File-Type Identification
Identifying files by their type or individual identity can often greatly
reduce the volume of data that a forensics examiner will have to analyze.
Based on the type of investigation being performed, identifying all graph-
ic images stored in files or all executable application files may be a neces-
sary part of the examiner’s analysis. This type of filtering is amenable to
automation and has the potential to not only reduce the volume of data
that a forensics examiner must analyze, but also to greatly increase the
efficiency and accuracy with which file type identification is performed.
File type identification is based on a file signature—a unique sequence
of ASCII values stored at a fixed or deterministic offset within a file (see
figure 4). The sequence may be as short as two characters or as long as
twelve characters (or longer). The longer the sequence, the greater the
uniqueness of the signature and the less likely a file will be mislabeled.
Individual file identification is also based on a signature. In this case, the signature must be calculated over an entire file or data unit. The value added by automation of the file identification process to the forensic examiner is primarily the increase in efficiency. Using conventional operating system services (i.e., utilities such as COMP or DIFF) or manually comparing files is not only a slow process, but also typically requires that a reference copy of each file be available for comparison. Storage requirements for maintaining a reference database of files (including each file’s contents, not just a signature) make a large database impractical and expensive.
One approach is to identify a file uniquely using a representation that is both efficient in storage requirements and reliable in terms of its uniqueness. Both requirements are satisfied by hashing algorithms or message digest algorithms (see figure 5). The strength of the various hashing algorithms varies, but many of the newest algorithms (MD5 and SHA) claim to generate a hash of a file or data unit that is computationally impractical to duplicate with a second file or data unit. Thus, the uniqueness requirement is adequate for most computer forensics applications. The MD5 and SHA algorithms generate a hash that is 128-160 bits in length, which is only 16-20 bytes. Therefore, a database of unique signatures would require as little as 16 bytes for each record (plus information about each file, including its name) associated with a unique file.

Figure 4: File Type Signatures

[Figure: two pairs of hex dumps. "Graphics Files (Bitmap)": BALL.BMP and SKY.BMP both begin with the same two-byte signature (shown as 42 40) while the bytes that follow differ. "Sound/Audio Files (WAV files)": BELL.WAV and CHIMES.WAV both begin with the same four-byte signature 52 49 46 46 while the bytes that follow differ.]

Figure 5: Individual File Signatures

[Figure: File_1, File_2 and File_3 are each passed through a hashing algorithm, which produces a distinct signature for each file (shown as 8A 5E 01 8A CA 3A, 42 41 00 8B D3 0F and D7 0F AF D7 66 29).]

Figure 6: Known File Filter (KFF) from ACES

[Figure: evidentiary computer media (contents unknown) is processed by the Known File Filter utility, which consults a database of unique file signatures built from a repository for software applications/products. The output is a catalog of “known” files (identified) and a catalog of “unknown” files (not in database).]
Description:
The Known File Filter (KFF) utility, part of the suite of forensic utilities integrated into ACES, provides unique file identification. The KFF utility works in conjunction with a database of known files. Each database entry consists of a file name, information about the file (date, size, attributes, etc.), and a unique file signature, which is a 128-bit hash calculated using the MD4 hashing algorithm. Using this database, the utility compares signatures in the database with signatures calculated from evidentiary files. If a match is found, the evidentiary file is positively identified (see Figure 6).
The KFF utility has several forensics applications, including the identification of COTS files in copyright violation cases and as a powerful data reduction tool to eliminate known files from further examination.
ACES also implements a KFF database management tool that is used to populate and maintain the KFF database.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
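The filter described above is a lookup of computed signatures against a reference database. The following added example (not ACES code) builds such a database from a constructed repository of product files and applies it to constructed evidentiary files. It uses MD5 rather than the MD4 the text names, because MD4 is absent from many Python builds; the algorithm name is a parameter.

```python
"""Known File Filter over constructed data.

Added example; not ACES code. A reference database of signatures is
built from a "repository" of known product files, and a set of
evidentiary files is then split into known (identified) and unknown
(not in database). MD5 stands in for the MD4 the report mentions,
because hashlib does not expose MD4 in every Python build. File names
and contents below are constructed stand-ins.
"""
import hashlib

ALGO = "md5"

def signature(content, algo=ALGO):
    """Hash of a whole file or data unit, as a hex string."""
    return hashlib.new(algo, content).hexdigest()

def build_known_db(repository, algo=ALGO):
    """repository: {file name: bytes}. Returns {signature: record}."""
    db = {}
    for name, content in repository.items():
        db[signature(content, algo)] = {"name": name, "size": len(content)}
    return db

def known_file_filter(evidence, db, algo=ALGO):
    """evidence: {path on the evidentiary media: bytes}.

    Returns (known, unknown). `known` maps each identified path to the
    matching database record, regardless of the name it carries on the
    media; `unknown` maps each remaining path to its signature so it can
    be carried forward into the rest of the examination.
    """
    known, unknown = {}, {}
    for path, content in evidence.items():
        sig = signature(content, algo)
        if sig in db:
            known[path] = db[sig]
        else:
            unknown[path] = sig
    return known, unknown

# Constructed repository of known COTS files (contents are stand-ins)
REPOSITORY = {
    "CALC.EXE": b"MZ\x90\x00" + b"calculator program image" * 4,
    "NOTEPAD.EXE": b"MZ\x90\x00" + b"notepad program image" * 4,
    "README.TXT": b"Product readme v1.0\r\n",
}

# Constructed evidentiary media: a renamed copy, an altered copy, a user file
EVIDENCE = {
    "WINDOWS/CALC.EXE": REPOSITORY["CALC.EXE"],
    "TOOLS/CP.BIN": REPOSITORY["NOTEPAD.EXE"],          # same bytes, different name
    "DOCS/README.TXT": b"Product readme v1.0!\r\n",      # one byte added: no match
    "USERS/JD/LETTER.DOC": b"Dear Sir, ...",
}

def demo():
    db = build_known_db(REPOSITORY)
    return known_file_filter(EVIDENCE, db)
```

Two properties of the lookup matter in practice and both show in the sample data: a known file is still identified after it has been renamed, and a file that differs from the reference by a single byte is not, so the "unknown" set is exactly what still needs examination.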

Description:
The Data Format Recognition (DFR) utility, part of the suite of forensic utilities integrated into ACES, provides unique file type identification. The DFR utility works in conjunction with a database of known file types (Microsoft Word document, Excel spreadsheet, WAV sound file, etc.). Each database entry consists of a file type description and information describing a unique header that identifies that file type. The header information includes the length, offset, and data that comprise the unique signature. Using this database, the utility compares header information from the database with headers read from evidentiary files. If a match is found, the evidentiary file is identified as being of the associated file type.
ACES also implements a DFR database management tool that is used to populate and maintain the database of known file types.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
Included in the set of forensic tools that are integrated into Expert Witness is a file type identification function. The function is integrated into the file listing capability, and the report generated by the file listing function contains file type information (i.e., text file, executable, font file, etc.) for any files whose type is recognized.
The file type is determined by a file’s extension and, optionally, a file signature. The latter is based on a known sequence of ASCII characters that uniquely identify a file by its type. Records containing file signatures, extensions, and other information are maintained by Expert Witness in a file type database.
In addition, Expert Witness provides an administrative tool to manage its file type database. File type records can be added, modified, or deleted. For each record, the following information can be input: file type extension, description, group, viewer (for displaying files of this type), and an optional file type signature. The signature can include wildcards or “don’t care” characters that may appear interspersed within the signature.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
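The header database that DFR and Expert Witness consult (offset, length, signature bytes, and optional don't-care positions) can be expressed directly. The following added example is not the code of either product; the hex notation mirrors figure 4, the signature bytes are the real header values of the formats listed, and the extension check at the end is a convention assumed here, since the text says only that extension and signature are both consulted:

```python
"""File-type identification from header signatures with don't-care bytes.

Added example; not code from ACES DFR or Expert Witness. Each database
record holds a description, the expected extension, the offset at which
the signature starts and the signature in the hex notation of figure 4,
where "??" marks a don't-care byte. The signature values are the real
header bytes of the formats listed; the database, the sample data and
the extension-mismatch rule are constructed here.
"""

def parse_signature(spec):
    """'52 49 46 46 ?? ?? ?? ?? 57 41 56 45' -> [0x52, ..., None, ..., 0x45]."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]

# (description, extension, offset, signature)
SIGNATURE_DB = [
    ("Windows bitmap image", "bmp", 0, "42 4D"),                          # "BM"
    ("RIFF WAVE audio", "wav", 0, "52 49 46 46 ?? ?? ?? ?? 57 41 56 45"),  # RIFF, size, WAVE
    ("DOS/Windows executable", "exe", 0, "4D 5A"),                        # "MZ"
    ("PNG image", "png", 0, "89 50 4E 47 0D 0A 1A 0A"),
    ("PDF document", "pdf", 0, "25 50 44 46"),                            # "%PDF"
    ("tar archive (ustar)", "tar", 257, "75 73 74 61 72"),                # "ustar" at 257
]
COMPILED = [(d, e, off, parse_signature(s)) for d, e, off, s in SIGNATURE_DB]

def matches_at(data, offset, sig):
    """True when every fixed byte of sig equals data at offset; None matches anything."""
    if len(data) < offset + len(sig):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(sig))

def identify(data):
    """Return (description, extension) for every matching record, longest signature first."""
    hits = [(d, e, sum(1 for b in s if b is not None))
            for d, e, off, s in COMPILED if matches_at(data, off, s)]
    hits.sort(key=lambda h: -h[2])
    return [(d, e) for d, e, _ in hits]

def extension_mismatch(name, data):
    """Flag a file whose header identifies a type but whose extension says otherwise.

    Assumed convention: the report says extension and (optionally) signature are
    both used; it does not say how a disagreement between them is reported.
    """
    found = identify(data)
    if not found:
        return False
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext not in {e for _, e in found}
```

The WAV record is the reason don't-care bytes are needed at all: the four bytes after "RIFF" hold the chunk size and differ from file to file, while "WAVE" at offset 8 is what distinguishes a WAV from other RIFF containers. The tar record shows an offset that is not zero, which is why the database stores offset and length rather than assuming every signature begins the file.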



File Listing or Cataloging
A simple but important computer forensic function is to generate a
catalog of all files and directories stored on a computer media. Each
entry in the catalog typically contains a file’s name, size, creation or
modification date, and attributes. Some products in this category
include more information about each file, including the type of file, the
directory in which it is stored, or a file signature.
Cataloging information about every file on a computer media is important to the computer forensic examination process for several reasons. First, it provides a concise report of the contents of an evidentiary media that can be viewed, analyzed, printed, sorted, etc. Second, by recording the state of the evidence when it was received, the report that is generated by these utilities provides an excellent integrity checking mechanism, particularly if a file signature is also calculated and recorded.

Description:
A DOS-based program that generates a catalog of every file on one or more specified logical volumes/partitions. For each file entry in the catalog, FILELIST includes the following information: drive letter, directory, file name, file size, modification date and time, creation date and time, last accessed date, file attributes, and an optional file signature based on RSA Data Security’s MD5 hash algorithm.
The output produced by FILELIST is a compressed file. The file can span multiple floppy or removable disks if its size necessitates. A companion product (FILECNVT) is available from New Technologies, Inc. that converts the compressed file output of FILELIST into a Dbase III file format, which can then be viewed and manipulated by spreadsheet and database software that can import the DBF file format. A second product, SHOWFL, displays the converted DBF in a tabular format.

Product Name: FILELIST
Manufacturer/Vendor: New Technologies, Inc.
Product Information: Included in Appendix
Cost: Not Available

Description:
The File Listing (FL) utility, part of the suite of forensic utilities integrated into ACES, generates a report containing a listing of every active file associated with a user-selected media or directory. The listing is actually generated in two formats: one is a formatted report that may be viewed or printed, and the other is a tab-delimited report that is suitable for import into many popular spreadsheet and database applications.
Each entry in the file listing report contains the following information: file name and path (long name, if applicable), last modified date and time, logical size, and attributes. Additionally, an optional signature of the file, which is calculated using the MD4 hashing algorithm, may also be included.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
Generating a catalog of files on a disk is only one function of Expert Witness, which is an integration of several computer forensic functions. The report that is generated is tabular and columns are configurable and sortable. In addition, the file listing function and report are well-integrated with other forensic analysis functions. For example, by double-clicking on an entry in the file catalog, the contents of the corresponding file are displayed.
Each entry in the file listing report contains the following information: name (short name and long name); indicator for file, folder, or volume; indicator for whether the file is active or deleted; last accessed date; last modified date and time; creation date and time; logical size; physical size; starting cluster within volume; attributes; file type (if recognized); and the full path.
The file type is based on a file signature (i.e., a known header or string of characters within the file) and/or a file extension.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
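The catalog fields the three listings above share, the tab-delimited output, and the use of a recorded signature as an integrity check can be exercised on a constructed directory tree. The following is an added example, not FILELIST, the ACES FL utility or Expert Witness; the attributes column uses POSIX mode bits as a stand-in for DOS file attributes, and the tree is built in a temporary directory:

```python
"""File catalog with hash signatures and an integrity re-check.

Added example; not code from FILELIST, the ACES FL utility or Expert
Witness. It walks a directory tree and records, for each regular file,
the fields the report lists (path, logical size, modification time,
attributes, MD5 signature), renders the catalog as tab-delimited text,
and later compares a fresh catalog against the baseline. The
"attributes" column holds POSIX mode bits as a stand-in for DOS file
attributes; the sample tree is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
import time

FIELDS = ("path", "size", "modified", "attributes", "md5")

def hash_file(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large evidentiary files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def catalog(root):
    """One record per regular file under root, sorted by relative path."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue        # links and special files would be listed separately
            st = os.stat(full)
            rows.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                "attributes": oct(st.st_mode & 0o777),
                "md5": hash_file(full),
            })
    return sorted(rows, key=lambda r: r["path"])

def to_tab_delimited(rows):
    """Header line plus one line per record, importable by spreadsheet software."""
    lines = ["\t".join(FIELDS)]
    lines += ["\t".join(str(r[f]) for f in FIELDS) for r in rows]
    return "\n".join(lines) + "\n"

def verify(baseline, current):
    """Compare two catalogs by path: (changed, missing, added) relative paths."""
    base = {r["path"]: r for r in baseline}
    cur = {r["path"]: r for r in current}
    changed = sorted(p for p in base if p in cur and base[p]["md5"] != cur[p]["md5"])
    missing = sorted(p for p in base if p not in cur)
    added = sorted(p for p in cur if p not in base)
    return changed, missing, added

def demo():
    """Catalog a constructed tree, then alter it and show what the re-check reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        files = {"docs/memo.txt": b"meeting notes",
                 "budget.xls": b"\xd0\xcf\x11\xe0 fake",   # OLE2 header bytes, constructed body
                 "readme.txt": b"hi"}
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        baseline = catalog(root)
        tsv = to_tab_delimited(baseline)
        # Simulate an integrity failure: one file altered, one removed, one introduced
        with open(os.path.join(root, "docs/memo.txt"), "wb") as f:
            f.write(b"meeting notes (edited)")
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "new.bin"), "wb") as f:
            f.write(b"\x00")
        return baseline, tsv, verify(baseline, catalog(root))
```

The re-check compares signatures rather than sizes or timestamps because a file can be edited without changing its length, and timestamps can be reset; only the hash reliably reports that the content differs from the state recorded when the evidence was received.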



Integrated Forensic Systems
A few commercially available computer forensic products claim to
provide a complete forensics examination system or complete suite of
forensic tools. Such products vary both in their completeness and in how
well they have integrated their various forensic tools. In particular, the
majority of these tools (with the exception of the GOTS ACES system)
address only the forensic examination portion of the entire forensics
process, which also includes case management, evidence tracking, and
report generation.

Description:
Expert Witness integrates several computer forensic tools into a single Windows or Macintosh application. Integrated into the application are an image copy capability, file listing capability, file type identification function, a hexadecimal/ASCII file viewer, and a text string search capability. In addition, the product also identifies files that have been deleted from the target media, as well as unallocated blocks (sectors or clusters) on the logical partition or physical disk.
The integration of all of these tools into a single application significantly increases the usability and versatility of Expert Witness. For example, a user can click on an entry in the file listing report to view the file contents in hexadecimal or ASCII. Similarly, individual “hits” resulting from a string search can be presented in a file listing report format or viewed using the integrated viewer capability.
Another important feature of Expert Witness is its integrated image copying and analysis capabilities. The software includes a built-in image copying capability, as well as a mechanism for building a DOS-based image copy tool that can be used to copy computer media during a search. In addition, the image files created by these tools can be examined directly (i.e., without first having to restore them to a compatible hard drive or other media type). All of Expert Witness’ tools, including text string searching, identification of deleted files and unallocated blocks, and file listing and identification can be applied to an image file.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425

Description:
ACES is a custom computer forensics system developed for the Computer Analysis Response Team (CART) within the FBI laboratory. The system provides both case management and forensic analysis functions. ACES is not available commercially but will be made available to federal, state, and local law enforcement agencies.
ACES implements many of the basic computer forensic functions that comprise a typical forensics examination, including: text string search, file listing and identification by type, unique file identification, identification of deleted files and unallocated blocks, image copying and file copying with integrity verification, and file viewing (native format or hexadecimal/ASCII display).
Another significant feature of ACES is a capability to examine image files directly, without having to first restore them to compatible media. This capability is implemented for both Windows NT and MS-DOS, and it allows both ACES forensic tools, as well as third-party software products, to view and analyze ACES image files.
Several steps comprising a case management process are also implemented by ACES. These steps include evidence recording and tracking, case assignment and tracking, and examination results and report generation.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Miscellaneous Functions
Other commercially available computer forensic software tools
implement a variety of specialized functions, including the following:

• Disk diagnostics—Applications in this category implement a variety of functions. The most common diagnostic functions relevant to computer forensics include viewing disk sectors or clusters, and displaying partition or media information.

• File viewers—These applications display files in their native format without requiring the original applications that created them. Thus, graphics files, word processing files, spreadsheets, or other types of files that may be encountered on evidentiary media can be viewed, printed, and in some cases changed without having the native software application that created them loaded on the examining computer.

• Uncompressing files—To examine data contained within compressed files, the computer forensic examiner must recognize that a file contains compressed data, recognize which tool has compressed it, and apply the appropriate tool or algorithm to uncompress and restore the original information. This process is automated by tools in this category.

Description:
Disk Editor, or DiskEdit, is a DOS-based utility that is used for a wide range of applications. It is considered by many to be a core component of a computer forensics toolset. DiskEdit is used to view the contents of a floppy disk, hard disk, or any other physical media that is accessible by MS-DOS. The contents of a disk can be viewed from a logical perspective when the file system is one that DOS recognizes. That is, the contents can be viewed as directories and files. In most cases, the disk can also be viewed from a physical perspective as absolute sectors or clusters. The information can be presented to the user either in a hexadecimal format or ASCII character representation.
DiskEdit also supports string searching within a portion of a disk or across an entire disk. Another feature, which is of more benefit to a system administrator who needs to repair data errors than to a forensics examiner, is the ability to write individual bytes (or large blocks) of data to a disk.

Product Name: Disk Editor (part of Norton Utilities)
Manufacturer/Vendor: Symantec
Product Information: Included in Appendix
Cost: $72

Description:
QuickView Plus, a product that evolved from an earlier product called Outside In, is a file viewer application that runs on most Windows-based operating systems. It supports more than 200 file types, including those created by Windows applications, Macintosh applications, and DOS applications, as well as Internet file formats.
Files viewed using this product are presented in their native format, including colors, fonts, styles, and page layouts, without requiring the native application (i.e., the software product that was used to generate the file) to be loaded or even installed on the computer. Files that can be viewed by QuickView Plus can also be printed in their original format.

Product Name: QuickView Plus
Manufacturer/Vendor: INSO Corporation
Product Information: Included in Appendix
Cost: $59
Description:
Included in the suite of forensic utilities that are integrated into ACES is a tool for recognizing and expanding compressed files. The Uncompress Files (UF) utility recognizes several different types of file compression resulting from the application of a variety of shareware and freeware software compression utilities. If a file is determined to be compressed by one of these known methods, the appropriate decompression routine is invoked.
Of benefit to the computer forensics application is that the UF utility stores the resultant uncompressed files to an alternate location so as not to modify the contents of the media that contained the original compressed file (presumably, an evidentiary computer media).

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
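The following Python example is added here and is not ACES or UF code; it illustrates the evidence-handling principle just described: recognize compression by file signature rather than by name, write the expanded output to an alternate location, and confirm by hash that the original was not modified. The formats handled (gzip and bzip2) and the sample evidence files are assumptions chosen because the Python standard library can expand them.

```python
import bz2
import gzip
import hashlib
import tempfile
from pathlib import Path

# File signatures of the compression formats this example can expand,
# mapped to the standard-library opener that decompresses them (assumption).
SIGNATURES = {b"\x1f\x8b": gzip.open, b"BZh": bz2.open}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def detect_compression(path: Path):
    """Recognize compression by signature, not by extension; None if unknown."""
    with path.open("rb") as f:
        head = f.read(4)
    return next((o for m, o in SIGNATURES.items() if head.startswith(m)), None)


def expand_to_alternate(src: Path, out_dir: Path):
    """Expand `src` into `out_dir`, never next to the evidence itself.
    The source is opened read-only and hashed before and after, so any
    accidental modification is detected. Returns the written path, or
    None if `src` is not recognized as compressed."""
    opener = detect_compression(src)
    if opener is None:
        return None
    before = sha256(src)
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / (src.stem if src.suffix else src.name + ".out")
    with opener(src, "rb") as f:
        target.write_bytes(f.read())
    if sha256(src) != before:
        raise RuntimeError(f"{src} changed while being expanded")
    return target


def demo() -> dict:
    """Constructed sample evidence: one gzip file and one plain text file."""
    work = Path(tempfile.mkdtemp())
    evidence, out = work / "evidence", work / "uncompressed"
    evidence.mkdir()
    blob = gzip.compress(b"hello from the archive")
    (evidence / "note.gz").write_bytes(blob)
    (evidence / "plain.txt").write_bytes(b"not compressed")
    expanded = expand_to_alternate(evidence / "note.gz", out)
    return {"content": expanded.read_bytes(), "in_alternate": expanded.parent == out,
            "plain": expand_to_alternate(evidence / "plain.txt", out),
            "untouched": sha256(evidence / "note.gz") == hashlib.sha256(blob).hexdigest()}
```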

Case Management Tools
This category contains only a few products. Ironically, in many computer forensics laboratories, particularly those associated with law enforcement, adherence to protocols and procedures is as important as maintaining the integrity of the evidence that is being examined.

Description:
ACES is a custom computer forensics system developed for the Computer Analysis Response Team (CART) within the FBI laboratory. The system provides both case management and forensic analysis functions. ACES is not available commercially but will be made available to federal, state, and local law enforcement agencies.
All of the major steps that comprise the case management process are also implemented by ACES. These steps include evidence recording and tracking, case assignment and tracking, and examination results and report generation.
ACES provides mechanisms for labeling and recording evidentiary media, as well as for creating both logical and physical copies of media for examination. Either copy method utilizes a verification step to verify data integrity.
Case assignments and tracking are automated by ACES using a variety of mechanisms, including electronic notification (i.e., E-Mail) and workflow-oriented and collaborative computing application software.
ACES also automates the generation of many of the reports containing results from the execution of its integrated forensic tools and utilities. The reports and other information derived from evidentiary media are maintained and organized by ACES into cases. In addition, ACES supports the processing of multiple cases simultaneously.

Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned

Description:
Expert Witness is an application designed specifically for the computer forensics market. It provides an integrated suite of forensic analysis tools and limited case management capabilities.
Expert Witness organizes data collected and analyzed into individual cases, each of which may consist of any number of computer media and/or disk images. Examinations may be performed on an individual file or disk, or all disks may be examined at the same time. For instance, one can perform a text string search against all disks associated with a specific case.
In addition, Expert Witness can generate several reports, including a summary of a case, the contents of a case (i.e., a list of all disks and image files), and a list of every file, organized by its associated disk, that is a part of the case.

Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425

Appendix
Department of Defense: Points of Contact

AFOSI/Defense Computer Forensic Laboratory
911 Elkridge Landing Road
Airport Square, Bldg 11
Linthicum, MD 21090
Ms. Karen Matthews
Phone: (410) 981-0100

U.S. Army Criminal Investigations Laboratory (USACIL)
U.S. Army Criminal Investigations Command (USACIDC)
4553 North 2nd St.
Ft. Gillem, GA 30050-5122
Mr. Ned Tambourini
Phone: (404) 362-7490

U.S. Army Intelligence and Security Command
902nd Military Intelligence Group
Fort George G. Meade, MD 20755
Mr. Larry Chmiel
Phone: (301) 677-4146

Naval Criminal Investigative Service (NCIS)
Computer Crimes Investigations Group (CCIG)
Building 111, Washington Navy Yard
901 M Street SE
Washington, DC 20388-5282
Mr. Matt Parsons
Phone: (202) 433-9293

Federal Bureau of Investigation
935 Pennsylvania Ave. NW
Washington, DC 20535
Ms. Mary Horvath
Phone: (202) 324-9307
Note: Since the publishing of this report, there have been changes and deletions of products and URLs, which are reflected in this PDF file.

GOTS Product Information

Automated Computer Examination System (ACES)
Federal Bureau of Investigation (FBI)
Computer Analysis and Response Team Laboratory Division
935 Pennsylvania Ave., NW
Washington, DC 20535
Phone: (202) 324-9314

COTS Product Information

Disk Editor/Norton Utilities, Symantec
10201 Torre Avenue
Cupertino, CA 95014-2132
Phone: (408) 253-9600
Fax: (408) 253-3968
URL: http://www.symantec.com/nu/nu_nt/features.html

DriveCopy, PowerQuest Corporation
1359 N. Research Way (Building K)
Orem, UT 84097
Phone: (801) 437-8900
Fax: (801) 226-8941
URL: http://www.powerquest.com/drivecopy/index.html

Drive Image Professional, PowerQuest Corporation
1359 N. Research Way (Building K)
Orem, UT 84097
Phone: (801) 437-8900
Fax: (801) 226-8941
URL: http://www.powerquest.com/driveimagepro/index.html

DtSearch, DT Software Inc.
2101 Crystal Plaza Arcade, Suite 231
Arlington, VA 22202
Phone: (703) 413-3670
Fax: (703) 413-3473
URL: http://www.dtsearch.com/
Expert Witness, ASR Data Acquisition and Analysis, LLC
11422 Morning Glory Trail
Austin, TX 78750-1399
Phone: (512) 918-9227
Fax: (512) 335-5622
URL: http://www.asrdata.com/ewwin.html

EZ Copy, StorageSoft (formerly Micro House Solutions)
92 Argonaut, Suite 255
Aliso Viejo, CA 92656
Phone: (949) 588-5829
Fax: (949) 588-5871
URL: http://solutions.microhouse.com/products/ezcopy/ezcopy_info.htm

FILELIST, New Technologies Inc.
2075 Northeast Division Street
Gresham, OR 97030
Phone: (503) 666-6599
URL: http://www.secure-data.com/suite6.html

GetFree, New Technologies Inc.
2075 Northeast Division Street
Gresham, OR 97030
Phone: (503) 666-6599
URL: http://www.secure-data.com/suite6.html

ImageCast IC3, StorageSoft (formerly Micro House Solutions)
92 Argonaut, Suite 255
Aliso Viejo, CA 92656
Phone: (949) 588-5829
Fax: (949) 588-5871
URL: http://www.imagecast.com/enter.htm
Norton Ghost, Symantec
10201 Torre Avenue
Cupertino, CA 95014-2132
Phone: (408) 253-9600
Fax: (408) 253-3968
URL: http://www.symantec.com/sabu/ghost/indexB.html

Password Recovery Toolkit, AccessData Corporation
2500 N. University (Suite 200)
Provo, UT 84604-3864
Phone: (801) 377-5410
Fax: (801) 377-5426
URL: http://www.accessdata.com/

QuickView Plus, INSO Corporation
Jasc Software, Inc.
7905 Fuller Road
Eden Prairie, MN 55344
Phone: (612) 930-9800
URL: http://www.jasc.com

SafeBack, Sydex, Inc.
P. O. Box 5700
Eugene, OR 97405
Phone: (541) 683-6033
Fax: (541) 683-1622
URL: http://www.sydex.com/forensic.html

Steganos, DEMCOM
Hansmann/Wildgrube/Yoran GBR
Sophienstr. 28
60487 Frankfurt, Germany
Phone: +49-69-707 43 92
Fax: +49-69-707 607 99
URL: http://www.demcom.com/english/steganos/features.htm

Undelete for Windows NT, Executive Software
Executive Software International
701 N. Brand Blvd., Suite 600
Glendale, CA 91203-1242
Phone: (818) 547-2050, (800) 829-6468
Fax: (818) 545-9241
URL: http://www.undelete.com/info

Unerase/Norton Utilities, Symantec
10201 Torre Avenue
Cupertino, CA 95014-2132
Phone: (408) 253-9600
Fax: (408) 253-3968
URL: http://www.symantec.com/nu/nu_nt/features.html
List of Related URLs

American Academy of Forensic Sciences
http://www.aafs.org/

American Society of Crime Laboratory Directors
http://www.ascld.org/

Computer Crimes and Intellectual Property Section (CCIPS)
http://www.usdoj.gov/criminal/cybercrime/searching.html

High Technology Criminal Investigation Association (HTCIA)
http://htcia.org/index.html

International Association of Forensic Sciences
http://www.criminalistics.com/IAFS-1999/default.htm
Customer Evaluation
Your feedback is important! Please rate the above products in the following categories using the rating scheme indicated. FAX the evaluation form to IATAC at: 703.289.5467.

1. PRODUCT RELEVANCE
Use a rating scale of 1 (routine support) to 10 (critical support).
How relevant is the product to your organization's strategic mission and technical objectives?
1 2 3 4 5 6 7 8 9 10

2. PRODUCT TECHNICAL VALUE
Use a rating scale of 1 (limited technical value) to 10 (significant technical value).
How significant is the contribution of the product to the organization's technical knowledge base?
1 2 3 4 5 6 7 8 9 10

3. PRODUCT ACCURACY
Use a rating scale of 1 (low) to 10 (high).
How accurate is the information contained in the product?
1 2 3 4 5 6 7 8 9 10

4. PRODUCT "VALUE ADDED"
Use a rating scale of 1 (low) to 10 (high).
How did the information in the product add value to the organization?
1 2 3 4 5 6 7 8 9 10

5. OVERALL PRODUCT SATISFACTION
Use a rating scale of 1 (low) to 10 (high).
What is your overall satisfaction with this product?
1 2 3 4 5 6 7 8 9 10

Name:
Organization:
Address:
Telephone:
E-Mail: