Authors:
Michael Noblett
Adam Feldman

1997 Computer Crime Scene Procedures. International Journal of Forensic Computing (1):3-4.
1996 Role of the Microcomputer as a Criminal Instrument. United States Attorneys’ Bulletin 44(3):12-15.
1995 Report of the Federal Bureau of Investigation on the Development of Forensic Tools and Examinations for Data Recovery from Computer Evidence. In Proceedings of the 11th INTERPOL Forensic Science Symposium,
1993 Computer: High Tech Instrument of Crime. FBI Law Enforcement Bulletin 62(6):7-9.
1992 Computer Analysis and Response Team (CART): The Microcomputer as Evidence. Crime Laboratory Digest 19(1):10-15.
Computer Forensics: Tools & Methodology • Critical Review & Technology Assessment Report
Mr. Adam Feldman has fourteen years of professional experience in computer engineering, information security, computer forensics, and program management. Specifically, Mr. Feldman has extensive experience in architecting and implementing automated information systems that address a variety of InfoSec and communications requirements. Previously, Mr. Feldman helped architect and implement the ACES system within the FBI Laboratory.

Mr. Feldman has managed numerous InfoSec related projects including the Automated Computer Examination System (ACES) (1995-1998) and software engineering for a systems integration project to develop a series of LAN and WAN-based real-time network traffic monitoring systems.

In addition, Mr. Feldman has managed many software engineering projects to develop a set of security utilities for Microsoft Windows NT, Windows 3.1, MS-DOS, OS/2, and Sun Solaris to address several issues, such as object reuse and other inherent information security vulnerabilities and general purpose encryption applications using DES CBC and RSA algorithms.

Mr. Feldman has a B.S. in Computer Engineering from Case Western Reserve University (1985).
About IATAC

The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information in support of Defensive Information Operations. IATAC’s mission is to provide a DoD central point of access for information on Information Assurance (IA) emerging technologies. These technologies include system vulnerabilities, research and development, models, and analysis to support the effective defense against Information Warfare attacks. IATAC focuses on all defensive activities related to the use of information, information-based processes and information systems. One of thirteen DoD-sponsored Information Analysis Centers (IACs), IATAC is managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA).

IATAC basic services provide the infrastructure to support Defensive Information Operations. Basic services include the collection, analysis, and dissemination of IA scientific and technical information; support for user inquiries; database operations; current awareness activities (e.g., IATAC newsletter); and the development of critical review and technology assessment and state-of-the-art reports.

Critical review and technology assessments (CR/TAs) are reports that evaluate and synthesize the latest information resulting from research and development activities, or they may be comparative assessments of technologies and/or methodologies based on specific technical characteristics. Topic areas for CR/TA reports are solicited from the IA Community to ensure applicability to emerging warfighter requirements.

Inquiries about IATAC capabilities, products and services may be addressed to:

Robert P. Thompson
Director, Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042
Phone: (703) 289-5454
Fax: (703) 289-5467
E-mail: iatac@dtic.mil
URL: http://www.iatac.dtic.mil
Table of Contents

xiii  List of Figures
xv    Tool & Manufacturer
1     I. Introduction
4     II. Forensic Science
5     III. Legal Issues
8     IV. Computer Forensic Science
11    V. Operations
19    VI. The Computer Crime Scene—Recommended Procedures
22    VII. Computer Forensic Tools
31      Evidence Preservation and Collection Tools
          Write-Protection Software Tools
          Disk Imaging Software
53      Analysis Tools
          Recovery of Deleted Files
          Recovery of Unallocated/Slack Data
          Recovery of Protected/Encrypted Data
          String Pattern Matching
          File & File-Type Identification
          File Listing or Cataloging
          Integrated Forensic Systems
99      Misc. Tools
107     Case Management Tools
113   Bibliography
115   Appendix
115     DoD Points of Contact
116     Product Information (GOTS & COTS)
119     List of Related URLs
List of Figures
Figure 1: Creating an Image Copy 37
Figure 2: Deleted Files on a Computer Disk 54
Figure 3: Unallocated Data on a Computer Disk 63
Figure 4: File Type Signatures 81
Figure 5: Individual File Signatures 81
Figure 6: Known File Filter (KFF) from ACES 82
Tool and Manufacturer (page of first occurrence only)

35   Automated Computer Examination System (ACES) (Federal Bureau of Investigation)
101  Disk Editor (Symantec)
45   DriveCopy (PowerQuest Corporation)
47   Drive Image Professional 2.0 (PowerQuest Corporation)
77   DtSearch (DT Software, Inc.)
33   Expert Witness (ASR Data Acquisition & Analysis)
51   EZ-Copy (Micro House International, Inc.)
89   FILELIST (New Technologies, Inc.)
69   GetFree (New Technologies, Inc. (NTI))
49   ImageCast IC3 (Micro House International, Inc.)
41   Norton Ghost (Symantec)
71   Password Recovery Toolkit (Access Data)
103  QuickView Plus (INSO Corporation)
39   SafeBack 2.0 (Sydex, Inc.)
73   Steganos (DEMCOM)
55   Undelete for Windows NT (Executive Software)
57   Unerase (Symantec, Inc.)
I. Introduction

Forensic science is the application of science to legal issues. It encompasses every scientific discipline and numerous specialities within those disciplines. Traditionally, forensic science consisted of fingerprint comparison, toxicology, serology, trace evidence, questioned document examination, and firearms/toolmarks. This list has been expanded in recent years to include DNA analysis, explosive device analysis, hazardous materials analysis, and audio/video media analysis. These disciplines were added as technical capabilities were developed, as was the case with DNA analysis, or as law enforcement needs were identified, as was the case with explosive device and hazardous materials analysis.

Law enforcement has now identified an additional and pressing need: analysis of computer evidence. The forensic science community has responded to that need with computer forensic science or, more simply, computer forensics. The primary focus of this report is the evaluation of software tools available for this type of analysis. However, these tools will be used to examine evidence in a legal and procedurally driven environment. Understanding the technology and understanding the rules are equally important. The goal of any forensic examination is to provide valid and reliable information to both the investigator and the court.

Forensic science by its nature is more reactive than proactive. It concerns the examination and evaluation of evidence which, by definition, does not appear until a crime has been committed. The introduction of the computer as a target of crime, an instrument of crime, or a repository of evidence of crime does not change the basic relationship of investigation followed by collection of evidence followed by forensic examination of that evidence.

This relationship, however, does not mean that specific forensic expertise cannot help solve investigative problems. For example, forensic scientists routinely participate in crime scene search operations and train law enforcement in collecting and preserving evidence. In these examples, forensic science is used to identify and safeguard fragile evidence. Although the crime scene is still commanded by the investigators, they are assisted by a professional scientist with specific knowledge of evidence.

In its broadest reach, forensic science addresses not only the analysis of evidence but all aspects of acquiring, handling, storing, and examining materials seized as the result of a criminal investigation. Forensic
Objectives

This report provides a comparative assessment of technologies used in the forensic examination of computers. The purpose of these examinations is to recover data from computers seized as evidence and present it to law enforcement for investigative use and to prosecutors for use at trial. It is intended to give an overview of the legal background under which computer forensic science operates as well as the policies and procedures that must be in place to satisfy the science, the courts, and the law enforcement community. It is also intended to provide a comprehensive review of commercial-off-the-shelf and government-off-the-shelf software tools written especially for computer forensic science.
Background

Federal, state, and local government agencies of all sizes and jurisdictional responsibilities are increasingly finding critical investigative information and evidence stored on computers. These computers range in size from microcomputers to mainframes and in complexity from simple stand-alone desktop computers to complex networked systems with data distributed worldwide. In any criminal, civil, or administrative investigation of a subject who has access to a computer, there is an increasing probability that information crucial to the investigation will be stored in some form of magnetic or optical media. A new branch of forensic science is emerging to deal with the technical and procedural issues associated with this type of evidence—computer forensic science. Computer forensic science is the discipline of acquiring, preserving, retrieving, and presenting data from computer evidence.

As law enforcement entities within Department of Defense (DoD), other federal agencies, and state and local agencies assess their ability to recover information from these complex and often interconnected criminal enterprise systems, gaps quickly appear. Often, resources that are able to quickly address the hard technological problems do not have an understanding of the legal framework associated with evidence in what will likely become a criminal matter. Just as often, law enforcement, which does understand evidence and investigative procedure, is limited by both a severe lack of funding and technical capability.
Computer forensics must serve two masters. First, it must be technically robust to address questions of complete recovery of probative information without altering the original material. Second, it must meet the legal requirement of conducting these examinations in a manner that is entirely consistent with the rules of evidence. In criminal matters, there may be specific limits on information that may be recovered (i.e., privileged communications and E-mail) and who may be party to the information (i.e., grand jury material). As computer evidence becomes more common in court, issues such as these become more significant. An informal and ad hoc approach to computer forensics will not likely meet the mandates of the judicial system.
Organization

This report contains five main sections in addition to the Introduction. Section 2 provides background on the development of modern forensic science and its history. Section 3 presents legal issues that determine the boundaries within which forensic science operates. Section 4 describes a unique subset of forensic science: computer forensic science. Section 5 describes computer forensic science operations, including the acquisition and examination of computer evidence, and utilization of the results of this examination process. Section 6 describes suggested actions to take after discovering that a “computer crime” has occurred. Section 7 describes specific software tools. The report concludes with an appendix that lists points of contact for computer forensics within Department of Defense and the Federal Bureau of Investigation, product information, and related URL’s.
Methodology

Much of the information presented in this report was based on the authors’ experience. Research materials consisted of books, journal articles, conference proceedings, and manufacturers’ literature, which is primarily available through their web sites. Formal contacts were made with Department of Defense computer forensic laboratories and the Federal Bureau of Investigation laboratory and their comments and advice have been included.
established legal standards designed to eliminate the results of “junk science” being admitted as evidence.1

Forensic science continues to expand in both scope and ability. It has often built upon the development of techniques and instrumentation used in analytical and clinical laboratories in the commercial and academic world. In other instances, such as fingerprint visualization, questioned document examination, and firearms examination, which have no private sector counterpart, forensic science has developed its own capabilities. Today, there are more than 300 forensic laboratories in the public sector serving more than 16,000 federal, state, and local police jurisdictions. The largest of these, the FBI Laboratory with more than 1,000 employees, conducts more than 2 million examinations each year. Professional organizations, such as the American Academy of Forensic Sciences http://www.aafs.org/ and the International Association of Forensic Sciences http://www.criminalistics.com/IAFS-1999/default.htm, provide scientific forums for discussion and peer-reviewed scientific journals to advance the state-of-the-art.

Note: Since the publishing of this report, there have been changes and deletions of products and URL’s, which are reflected in this pdf file.
While forensic laboratories often resemble their analytical and clinical models, they apply their science differently. Forensic science is much more narrowly focused and operates cooperatively with and within limits set by law. These limits provide forensic science with unique and well-defined goals, which are generally determined by the facts of the investigation and the circumstances of acquiring the evidence. If forensic science and its practitioners exceed these limits, the court has ample means to punish by either not admitting the evidence or by holding individual examiners liable.

This simple test, referred to as the Frye Rule, remained the standard for forensic science for the next 50 years.
In 1960, the Supreme Court began a comprehensive study of the rules of practice and procedure in the Federal courts. In announcing this study, Chief Justice Earl Warren said, “Experience has shown that in order to promote simplicity in procedure, just determination of litigation and the elimination of unjustifiable expense and delay, it is essential that the operation and effect of the Federal rules of practice and procedure should be the subject of continuous study…” [1]. Among other issues studied was the role of forensic science and the testimony of its experts.

The study resulted in the 1975 publication of the Federal Rules of Criminal Procedure. In this publication, the Frye Rule was replaced by a much simpler requirement that the scientist’s results be admitted if the testimony would assist the judge and jury to understand the evidence. Even though this rule was published, the courts largely ignored the new rule and continued to rely on the long-established Frye Rule.

The determination of whether this new rule for forensic science would become controlling was not made until 1990 when Daubert vs. Merrell Dow Pharmaceuticals was tried in federal district court. In this case, the parents of two children born with serious birth defects alleged that those birth defects had been caused by the mother’s taking Bendectin, a prescription anti-nausea drug marketed by Merrell Dow Pharmaceuticals. Merrell Dow’s well-qualified experts on the risk of exposure to various chemical substances had reviewed and published many studies of Bendectin which concluded that the maternal use of Bendectin during the first trimester of pregnancy had not been shown to be a risk factor for human birth defects.

A review by the plaintiff’s equally well-qualified experts offered a different interpretation of the same epidemiological data. The plaintiff’s experts, however, were not permitted to testify in the trial because Merrell Dow had previously published its studies and conclusions in a peer-
disk. Just as the workforce is converting from manufacturing goods to processing information, crime is, to a large extent, also converting from a physical dimension where evidence and investigations are described in tangible terms to a cyber dimension where evidence exists only electronically and investigations are conducted on-line.

In addition to facilitating traditional crimes, computers and information technology have provided the technical basis for new crimes. Money can be stolen while in electronic transit. The Internet can allow criminals to enter a business and steal its secrets or corrupt its data with complete anonymity. If a more dramatic effect is sought, the same criminal can effectively cripple that business by flooding its servers and denying access to legitimate customers.

Law enforcement recognized its technological shortfalls in this new environment but had very limited ability to remedy them. Among the problems faced were meager equipment budgets, a work force trained for and steeped in the traditions of street rather than high technology investigations, and salaries that could not compete with the private sector for talented computer scientists. To remedy the situation, state and local law enforcement initially looked to their better funded and more technically staffed federal counterparts. In many cases they found that the federal sector was struggling with the same issues. Law enforcement also coordinated to establish a pool of expertise to address common issues. Organizations such as the High Technology Criminal Investigation Association (HTCIA) http://htcia.org/index.html began to address law enforcement’s needs and identify resources that could help meet those needs.

As early as 1984, the FBI Laboratory and others saw these emerging trends and began programs to examine computer evidence. They realized that a controlled and programmatic response would be necessary to address both the growing demands of investigators and prosecutors and the increase in the volume and complexity of the computer evidence. The FBI established a Computer Analysis and Response Team (CART) and charged it with the responsibility of forensic examination of computer evidence. Although CART is unique to the FBI, its function and general organization have been duplicated in many other law enforcement agencies in the United States and foreign countries. In 1998, CART examined computer evidence in more than 2,500 FBI investigations.

In a survey conducted in 1995 by the United States Secret Service, law enforcement agencies were asked to describe how they were organized to
V. Operations

This report previously identified three roles that a computer can play in a criminal enterprise. In its first role, the computer can be the target of an attack. In this role, it may contain information such as times and locations of the attack and may also contain programs left by the intruder to facilitate reentry. A second role for the computer is as the instrumentality used to conduct the attack. In this role, it may contain hacker software and scripts, log files, and telephone numbers associated with the attack, and other evidence of criminal activity. In its third role, the computer may be a repository of evidence of a crime or criminal enterprise. In this role, it may contain text, databases, spreadsheets, images, and other data connected to a crime. In some instances, the same computer may play multiple roles.

Computer intrusion investigations have typically focused on the computer's first two roles and traditional criminal investigations, especially white collar crime investigations, the last. There can be no doubt that computer intrusion and its effects on nationwide critical infrastructures pose a grave and growing threat and deserve intense investigative attention. However, in sheer numbers, the role played by computers as huge complex filing cabinets dwarfs intrusion investigations. In 1997, the FBI reported that it conducted forensic computer examinations in more than 2,500 traditional criminal cases compared with a reported 408 computer intrusion investigations. In this report emphasis is placed on concerns within the last category—the computer as a repository of evidence. In this role, the forensic examiner will recover data stored in the computer in a manner that will provide information to not only the investigator for use in generating investigative leads, but also the prosecutor for use at trial.

With this general background, the computer forensic process can be described as existing in three phases—acquisition, examination, and
Contrast this with the activity in a typical computer search and seizure where data and equipment are taken under the assumption that the data includes the evidence described in the warrant. Both the investigator and the forensic examiner must realize that when they remove the computer to a laboratory they are merely continuing the search at another location where extensive technical assets are available to facilitate data recovery under controlled conditions. Although this may seem a subtle difference, it has broad implications on issues such as how long the seized items may be kept and who may have access to the information contained in the seized material. Every attempt should be made to limit the amount of material seized on site based on the descriptions contained in the warrant.

In some instances, such as health care fraud investigations, the equipment is considered part of the health care delivery system and cannot be seized. In other instances, such as large enterprise wide networks, it is not practical to seize the equipment. The forensic laboratory in either case must be prepared to recover the needed data using its own resources.

Another concern is the sheer volume of data contained in most computer systems. If the information rather than the equipment is to be seized, the ability to quickly copy systems becomes critical. If the computer forensic scientist is faced with transferring 14 gigabytes of data from a suspect’s computer and has a software tool that transfers 1 gigabyte per hour, it will take 14 hours to copy that one computer.

The computer forensic scientist is responsible for developing a technical search plan. Part of this plan includes identifying needed resources. The plan must include the identity of sufficient personnel who have both the expertise and equipment to execute the warrant in a professional and competent manner within a reasonable time period. Intelligence such as size of storage media, operating systems in use, network topology, and other technical specifications of the system are crucial to develop an effective and efficient search plan.
Assuming that information rather than equipment will be taken, this acquisition phase of computer forensics will require software tools that can—

• Image data
• Create comprehensive file listings
• Identify and recover text located anywhere on the storage media (i.e., deleted files and files hidden in unallocated and slack space)
• View text and image files
• Assure that recovery methods do not unnecessarily contaminate the data or produce artifacts
• Identify compressed data and decompress it
• Identify encrypted files
• Assure data integrity.

(Diagram: Acquisition, Examination, Utilization)

Forensic science dramatically affects investigations and provides compelling testimony. To enhance objectivity and minimize the perception of bias toward law enforcement, forensic science has traditionally kept itself at arm’s length from the actual investigation. It uses only those specific details from the investigation that are necessary for the examination, such as possible sources of contamination at the crime scene or fingerprints of non-subjects who have touched the evidence. Forensic science depends on the ability of the forensic scientists to produce a report based on the objective results of a scientific examination in which circumstances of the case play little or no part in the process. For example, a DNA examination in a rape case can be conducted without knowing the names of the victim or the subject, or the specific circumstances of the crime.

However, in order to be effective, computer forensic science must be driven by information uncovered during the investigation. With the average storage capacity in a personally owned microcomputer approaching 3 gigabytes [3], and systems readily available with 12 gigabyte storage capacity, it will soon be impractical to completely and exhaustively examine every file stored on a seized computer system. In addition, because computers serve such wide and varied uses within organizations, there may be legal prohibitions against searching every file. Attorneys’ and doctors’ computers may contain evidence of fraud, but they also probably contain client and patient information that is privileged. Data centrally stored on a computer server may contain incriminating e-mail prepared by the subject, as well as e-mail of innocent third parties who are clearly entitled to privacy.

As difficult as it would be to examine every file, it would be equally difficult for law enforcement to read and digest this amount of information—12 gigabytes of printed text data would create a stack of paper 24 stories tall. For this reason, computer forensic science is most effective when probative facts and details of the investigation are provided to the computer forensic examiner. From this information, the examiner can create a list of key words to be used to cull specific, probative, case-related information from this extremely large sample. Even though the examiner may have the right to search every file, time and legal constraints
that the results are warranted, based on the evidence examined. Computer forensic science must be able to demonstrate to the court that all legal and “good laboratory practice” requirements have been met. The results must be valid and reliable and the product of detailed, documented, peer-reviewed, state-of-the-art procedures and protocols that are accepted by the relevant scientific community [4]. These results will be presented and defended in a courtroom in adversarial and sometimes confrontational proceedings. The protocols that define the policies and procedures for examinations and the tools used for examination must be sufficiently robust to withstand challenges to both the results and methodology.

• Chain-of-custody
• Security of the evidence while in the laboratory
• Scientific protocols and procedures in place in the laboratory
• Rationale for choice of specific software tools.
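As an added illustration of the chain-of-custody and integrity points listed above, and of the acquisition capabilities named in Section V (image data, recover text located anywhere on the media including slack and unallocated space, assure data integrity), the following Python script is example code written for this review; it is not code from the report or from any tool the report evaluates. It assumes a source that can be opened read-only (a raw device or image file), uses SHA-256 as the hash (the report names no algorithm), and runs on a constructed 3 MiB sample drive with planted key words.

```python
"""Acquisition with hash verification, later re-verification and a raw keyword scan.
Added example, not from the report; SHA-256 and every name here are assumptions."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads, so large media never sit in memory at once


def hash_stream(path, algorithm="sha256"):
    """Hash a file or device sequentially; opened read-only so it is never altered."""
    h, size = hashlib.new(algorithm), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def acquire_image(source, image, examiner, algorithm="sha256"):
    """Copy source bit-for-bit into image, hashing the source as it is read, then
    re-read the finished image independently and compare digests and byte counts.
    Returns a chain-of-custody record of exactly what was done."""
    h, copied = hashlib.new(algorithm), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    source_digest = h.hexdigest()
    image_digest, image_size = hash_stream(image, algorithm)
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image, "algorithm": algorithm,
        "bytes": copied,
        "source_hash": source_digest, "image_hash": image_digest,
        "verified": source_digest == image_digest and copied == image_size,
    }


def verify_image(record):
    """Re-verification at any later point in the chain of custody: any change to
    the image, or a truncated copy, makes this return False."""
    digest, size = hash_stream(record["image"], record["algorithm"])
    return digest == record["image_hash"] and size == record["bytes"]


def search_image(image, keywords, overlap=256):
    """Find each keyword anywhere in the raw image, not only in live files, so
    deleted, slack and unallocated regions are covered. Chunks overlap so a hit
    straddling a chunk boundary is found exactly once. Returns {keyword: [offsets]}."""
    hits = {k: [] for k in keywords}
    overlap = max(overlap, max(len(k) for k in keywords))
    pos, tail = 0, b""
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            buf = tail + chunk
            base = pos - len(tail)  # absolute offset of buf[0]
            for k in keywords:
                i = buf.find(k)
                while i != -1:
                    if base + i + len(k) > pos:  # else already reported last round
                        hits[k].append(base + i)
                    i = buf.find(k, i + 1)
            pos += len(chunk)
            tail = buf[-overlap:]
    return hits


def demo():
    """Whole workflow on a constructed 3 MiB 'suspect drive' in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_drive.raw")
        image = os.path.join(d, "suspect_drive.img")
        data = bytearray(b"SAMPLE EVIDENCE " * (3 * 65536))  # constructed filler
        kw = b"wire transfer"
        data[100:100 + len(kw)] = kw                  # hit inside the first chunk
        data[CHUNK - 5:CHUNK - 5 + len(kw)] = kw      # hit straddling a chunk boundary
        with open(source, "wb") as f:
            f.write(data)
        record = acquire_image(source, image, examiner="Examiner (constructed)")
        verified, hits = verify_image(record), search_image(image, [kw])
        with open(image, "r+b") as f:  # simulate an alteration after acquisition
            f.seek(4096)
            f.write(b"X")
        return {"record": record, "verified": verified,
                "verified_after_tamper": verify_image(record), "hits": hits}


if __name__ == "__main__":
    r = demo()
    print(r["record"]["image_hash"], r["verified"], r["verified_after_tamper"], r["hits"])
```

The record returned by acquire_image is what an examiner would keep with the evidence; a re-run of verify_image at trial time that returns False is the signal that the image can no longer be relied upon.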
VI. The Computer Crime Scene - Recommended Procedures

The most recent statistics, compiled in 1997, in a joint Computer Security Institute/FBI Computer Crime Survey document the fact that more than 60 percent of networked systems (in both the public and private sectors) have no policy regarding intrusions and response to criminal activity. More than 50 percent have no identified team to respond to intrusions and more than 50 percent have no policy for preserving evidence. This section lists some of the logical steps to take when you discover an intruder in your system or that you are the victim of a crime.

As important as these steps are, however, they should be preceded by a written document identifying your agency policy for responding to these incidents. The importance of this policy document cannot be overstated. Decisions, especially those regarding response and notification, should be made well in advance, and all employees should understand both the policy and their individual roles during an incident.

In almost all cases, general confusion initially surrounds any crime scene. This is true in crimes of violence and in crimes of commerce. Your discovery of an intruder in your system or that you are the victim of a crime will likely generate similar confusion within your organization. This is not the atmosphere in which to be making crucial decisions. It is the time to respond in a logical and measured manner and to take steps to preserve the scene and notify law enforcement. Your agency’s policy should include the following:

• Your threshold for notifying law enforcement (or your internal investigators) of an incident
• Identity of an incident management team and technical specialists who will respond to the event
• Roles and responsibilities of those managers and specialists during the incident
• Recovery plans.

The following steps should be taken as soon as possible after you discover an incident. By following them, you will take control of the crime
alter or add artifacts to the evidence. If it is turned on after the incident is discovered, advise the investigator.

9 Theorize

The system administrator and the team assembled to manage this event know more about the system than anyone else. Try to reconstruct the crime, being as open and candid as possible. Investigators will need your technical expertise and your ideas about issues, such as:
and commercial computer forensics labs are software applications and utilities. These products come from a variety of sources. Many of them are commercial-off-the-shelf (COTS) products, while others are government-off-the-shelf (GOTS) or home-grown. The latter set of tools includes those developed in-house to satisfy a specific or unique requirement for an individual case.
Many COTS software products in use in computer forensics laboratories were not developed specifically for the computer forensics market. In fact, the majority of the most popular software tools used by many computer forensics laboratories were developed for other applications, including system administration (primarily system back-up and restore), data recovery, and diagnostic applications. Although these tools may not have been developed for computer forensic applications, they do offer several advantages:
End Notes
1. An excellent review of the history of forensic science can be found in: Forensic Science: An Introduction to Criminalistics by Peter R. DeForest, R. E. Gaensslen and Henry Lee, McGraw-Hill, New York, NY (1983).
2. Two excellent sources for information regarding computer crime investigations and the steps the system administrator can take to assure that data are not lost:
a. Icove, David; Seger, Karl; VonStorch, William. Computer Crime: A Crimefighter’s Handbook, O’Reilly and Associates, Sebastopol, CA (1995).
b. Rosenblatt, Kenneth S. High Technology Crime, KSK Publications, San Jose, CA (1995).
Evidence Preservation and Collection Tools
The primary purpose of this set of tools is to preserve the integrity of data that resides on evidentiary computer media and to provide an unobtrusive mechanism for making copies of some or all of the original data.
Within the law enforcement community, as well as in other computer forensics laboratories, original computer evidence is handled and/or examined as little as possible in order to avoid accidental or unintentional modification of the data that resides on the media. Such modification may make it difficult or impossible to assure the integrity of the information that may be subsequently derived from the stored data, and it may limit the admissibility of such evidence if it is required during a court case or prosecution of a computer-related crime.
To facilitate a thorough examination of computer-related evidence while preserving the integrity of the original media, many forensic laboratories create one or more duplicate copies of the original evidence. The copy or duplicate may be subsequently examined without concern that accidental or unintentional modification will compromise the original evidence. During the copy process, however, the original computer evidence could be unintentionally modified. Thus, additional steps, including mechanisms that prevent media from being accidentally or intentionally written or modified, are often required to maintain the integrity of the computer media during the copying function.
Two different sets of software applications are available to assist forensic examiners during the process of preserving and copying computer evidence:
• Write-protection tools
• Disk imaging software
Some of the tools that are described are suited for different operational scenarios. For example, some tools are better suited as part of an examiner’s fly-away kit that can be taken to the site where the computer evidence resides. Other tools operate in the equivalent of a laboratory environment, where it is assumed that the user of the software (i.e., the computer forensic examiner) has complete access (physical access, unrestricted access, etc.) to the computer media being copied.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Description:
Expert Witness implements two different software techniques that provide varying degrees of write-protection for evidentiary computer media. In the first technique, the Expert Witness application itself attempts to gain exclusive access to the media through operating-system-specific mechanisms. If exclusive access can be gained, then all other software applications will be prevented from accessing and modifying the locked media. This technique applies only to the Windows 95 version of Expert Witness, and it is integrated into the application. Thus, the protection against accidental modification is provided only while the Expert Witness application is executing.
The second technique is implemented for a special-purpose DOS-bootable floppy diskette that can be generated by the Expert Witness application. The diskette is used as the start-up disk for evidentiary computers where it would be best not to boot from the local hard drive, which may unintentionally modify the hard drive. The system files that are copied to the bootable floppy are modified so as to not query the host system’s resident disks. However, subsequent accidental or intentional write-operations to the host’s local disks will not be blocked.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
ACES implements a unique approach to ensuring that evidentiary media attached to an examination workstation are not modified. The solution is a separate software component (separate from the forensic analysis utilities) that is installed as part of the operating system and is loaded when the operating system starts.
This approach is advantageous to the computer forensics application for two reasons. First, write-protection of disk drives attached to the examination workstation occurs during the operating system start-up process, which is before any other applications can execute. Thus, the potential for accidental or intentional modification of evidentiary drives is greatly reduced. Second, because the write-protection software is separated from the rest of the ACES system, it can protect against modification while other forensic tools or other software applications are executed.
• Duration. How much time does the examiner have to perform the copy? Typically, a direct, physical copy of a computer media takes longer than a logical copy. Consider that a physical disk image copy copies an entire disk regardless of what portion of the disk may actually contain data. For a contemporary hard disk drive, the size of which may be several gigabytes, a typical disk image copy may take several hours to perform. Alternatively, a logical copy is much more selective in that the examiner may be able to specify a small, targeted set of data files to copy from the evidentiary media for subsequent examination. In addition, unallocated or slack space, which may be the majority of a disk’s capacity, is ignored, thereby increasing the speed with which the examiner can extract or copy the data of interest.
[Figure 1: Creating an Image Copy (Evidentiary Computer)]
have been deleted—some or all of their content may still reside on the media in unallocated portions, but unless the entire file is available, its contents may not be viewable or recognizable. In other cases, where the presence of a single word or bit of information may be valuable, the data that is stored both within files and in the slack or unallocated portions of the media should be collected. In the former example, a logical copy operation is appropriate, whereas in the latter example a physical disk image copy is necessary.
Product Name: SafeBack 2.0
Manufacturer/Vendor: Sydex, Inc.
Product Information: Included in Appendix
Cost: Not Available
Description:
SafeBack implements many functions that are of benefit to the computer forensics process. The software supports three distinct modes of operation. The first mode, Backup, copies the contents of a hard drive bit-for-bit to a file on a secondary device (removable media or other hard drive). This mode is referred to as disk-to-file. The second operating mode is called Verify, which checks the integrity of a backed-up image file without actually restoring the file to a physical media. Copy is the third operating mode, which skips the intermediate image file creation. Instead, it creates a clone of the copied drive onto a second physical drive during the copy operation. This mode is referred to as disk-to-disk.
As with many other disk imaging software products, SafeBack’s primary function is to perform a physical-level copy. That is, it does not interpret file system structures that may be represented on a physical disk. Instead, the entire physical disk is copied, sector by sector, irrespective of the file systems and operating systems that may be stored on it.
Alternatively, SafeBack does support what Sydex refers to as a partition backup. This type of backup interprets file system structures, and, in the case of Sydex, supports only those partition types recognizable by MS-DOS (namely, the FAT file system).
The product supports both IDE and SCSI disk drives for copying. In addition, most removable media formats are supported (including Jaz, Zip, CD-ROM, 4 mm tape, and 8 mm tape) for the resultant image file.
Another beneficial feature of this product is integrity checking during the image file creation process. SafeBack uses a cyclic redundancy check (CRC) to implement the integrity checking.
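As an added illustration of the Backup, Verify and Copy modes described above (example code written for this review, not SafeBack’s own code or image format), the following Python builds a disk-to-file image with a CRC per sector, verifies it without restoring, and clones disk-to-disk. The disk contents and the image container layout are constructed here and are assumptions of the example.

```python
"""Disk-to-file imaging with per-sector CRC integrity checks, in the spirit of
the Backup / Verify / Copy modes described for SafeBack. Added example: the
container layout (MAGIC header + sector count, then sector+CRC32 records) is
hypothetical, and the "disks" are constructed byte buffers so it runs offline."""
import io
import struct
import zlib

SECTOR = 512
MAGIC = b"IMG1"  # hypothetical image-file marker, not SafeBack's format


def backup(disk: bytes, image: io.BytesIO) -> int:
    """Disk-to-file: copy every sector bit-for-bit, appending a CRC32 per sector.
    Nothing is interpreted; slack and unallocated sectors are copied like any other.
    Returns the number of sectors written."""
    if len(disk) % SECTOR:
        raise ValueError("physical copy expects whole sectors")
    n = len(disk) // SECTOR
    image.write(MAGIC + struct.pack("<I", n))
    for i in range(n):
        sector = disk[i * SECTOR:(i + 1) * SECTOR]
        image.write(sector)
        image.write(struct.pack("<I", zlib.crc32(sector)))
    return n


def verify(image: io.BytesIO) -> list:
    """Verify mode: check every sector's CRC without restoring to physical media.
    Returns the sector numbers whose CRC does not match (empty list = intact)."""
    image.seek(0)
    hdr = image.read(8)
    if hdr[:4] != MAGIC:
        raise ValueError("not an image file")
    (n,) = struct.unpack("<I", hdr[4:])
    bad = []
    for i in range(n):
        sector = image.read(SECTOR)
        (crc,) = struct.unpack("<I", image.read(4))
        if len(sector) != SECTOR or zlib.crc32(sector) != crc:
            bad.append(i)
    return bad


def restore(image: io.BytesIO) -> bytes:
    """Rebuild the disk contents, but only from an image whose CRCs all verify."""
    bad = verify(image)
    if bad:
        raise ValueError(f"sectors {bad} failed CRC; refusing to restore")
    image.seek(4)
    (n,) = struct.unpack("<I", image.read(4))
    return b"".join(image.read(SECTOR + 4)[:SECTOR] for _ in range(n))


def copy(disk: bytes) -> bytes:
    """Copy mode (disk-to-disk): clone with no intermediate image file, checking
    each sector against the source CRC right after it is written."""
    clone = bytearray(len(disk))
    for i in range(0, len(disk), SECTOR):
        clone[i:i + SECTOR] = disk[i:i + SECTOR]
        if zlib.crc32(clone[i:i + SECTOR]) != zlib.crc32(disk[i:i + SECTOR]):
            raise IOError(f"write verification failed at sector {i // SECTOR}")
    return bytes(clone)


def demo():
    # Constructed evidence disk: 4 sectors; sector 0 holds a "file", sectors 2-3
    # hold leftover data standing in for unallocated space (copied regardless).
    disk = (b"EVIDENCE.TXT contents".ljust(SECTOR, b"\0")
            + b"\0" * SECTOR
            + b"old deleted data".ljust(SECTOR, b"\xff")
            + bytes(range(256)) * 2)
    img = io.BytesIO()
    n = backup(disk, img)
    ok = verify(img) == [] and restore(img) == disk
    # Simulate a transport error: flip one bit inside sector 2 of the stored image.
    buf = bytearray(img.getvalue())
    buf[8 + 2 * (SECTOR + 4) + 5] ^= 0x01
    corrupted = verify(io.BytesIO(bytes(buf)))
    return n, ok, corrupted  # (4, True, [2])
```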
Product Name: Norton Ghost
Manufacturer/Vendor: Symantec
Product Information: Included in Appendix
Cost: $16.80 (software only, plus a per-seat license fee)
Description:
Ghost implements a physical disk copy function that creates an image file on a secondary local media or removable media, including Jaz, Zip, CD-ROM, and SCSI tape. The image file itself may be stored in compressed format to reduce the capacity required to store images of large disk drives. Like SafeBack, Ghost implements integrity checking during the image file creation process with a CRC. In addition, the image file that is created can span multiple media if it is too large to fit on one. Another useful feature of this product is its ability to selectively restore files or directories from an image file.
Ghost provides additional features that are not directly relevant to computer forensics, including the ability to resize disk partitions during an image restoration process and a capability called multicasting, which allows an image of a disk to be downloaded and installed on multiple computers simultaneously using an IP-based network.
Licensing of the Ghost software is based on the premise that the software will be used to replicate one or more master disk images onto many corporate computers. A per-seat license charge applies to each computer that is the recipient of a restored image copy.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
ACES implements two versions of an image copy utility: one is Windows NT-based and is integrated into the suite of ACES forensic utilities, and the other is a DOS-based version of the same utility that can be used as part of a fly-away kit and during on-site data collections.
The two versions of the ACES Image Copy utility are nearly identical in their capabilities. Both implement disk-to-file physical media copies, and both provide a restoration function to restore an image file to a compatible media. ACES also supports spanning multiple removable media in cases where an image file is larger than can be stored on a single medium.
The ACES Image Copy utilities implement several integrity checking mechanisms that verify the integrity of the image copy while it is produced. The user can choose between various integrity-checking algorithms or can disable integrity checking entirely (to achieve maximum performance).
Product Name: DriveCopy
Manufacturer/Vendor: PowerQuest Corporation
Product Information: Included in Appendix
Cost: $29.95
Description:
This inexpensive disk imaging software product performs a basic physical copy of one disk media to another (i.e., disk-to-disk). It also can interpret file system structures used by several popular operating systems, which enables DriveCopy to resize partitions during the copy operation. This is a very useful capability for some applications (i.e., upgrading a computer’s primary disk drive with a new larger drive). However, changing the structure of a disk drive, even on a copy, may significantly reduce its evidentiary value.
Product Name: Drive Image Professional 2.0
Manufacturer/Vendor: PowerQuest Corporation
Product Information: Included in Appendix
Cost: $695
Description:
Drive Image implements more features than PowerQuest’s other drive imaging offering, DriveCopy. Its primary advantage over DriveCopy is that it provides a disk-to-file capability. That is, Drive Image can create and store an image of a disk drive to a file that can be subsequently restored to a suitable physical disk drive. In addition, the contents of the file can be both compressed and encrypted.
A feature called SmartSector enables Drive Image to perform a selective image copy that copies only those portions of a physical disk that are allocated to active files. Thus, no slack or unallocated portions of the original media will be copied into the disk image file. This feature is supported for most popular file systems, including FAT12, FAT16, FAT32, NTFS, and HPFS. Although this capability will often result in a faster image copy and a defragmented resultant disk image, the fact that it changes the original structure of the data as it is stored on a disk may significantly reduce its evidentiary value. The SmartSector capability can be disabled, which will result in the generation of a complete disk image (including all slack and unallocated data) during the image copy process.
Drive Image provides two integrity checking mechanisms to reduce the potential for data errors during both the image creation and restoration processes. During the copy operation, the software can check for file system errors (i.e., bad sectors or clusters that are identified by supported file systems). During the restore operation, Drive Image can check the destination physical drive for bad sectors before writing data to the disk.
Product Name: ImageCast IC3
Manufacturer/Vendor: Micro House International Inc.
Product Information: Included in Appendix
Cost: $150 for 10-host license
Description:
Many of the features of this product have evolved to satisfy not the computer forensics market, but the disk cloning and deployment market where multiple identical computers must be upgraded with new software or new operating systems. Nevertheless, ImageCast does offer many useful tools and features that support the forensics process.
Both disk-to-disk and disk-to-file image copying methods are supported. ImageCast integrates EZ-Copy, another Micro House disk imaging product, to perform basic disk-to-disk image copies. Note that both the source and destination disks in this scenario must be IDE or EIDE.
An image file viewer utility that has a look-and-feel similar to Microsoft Windows Explorer is included with the product. Using this tool, a user can view the contents (i.e., directories and files) contained within any FAT partition stored within a disk image file. Also, a user may selectively restore files or directories from a FAT partition within an image file.
ImageCast also includes a conversion tool that will convert disk image files that were created with Ghost into a compatible format.
Licensing of ImageCast software, like many other products in this category, is based on the premise that the software will be used to replicate one or more master disk images onto many corporate computers. A per-seat license charge applies to each computer that is the recipient of a restored image copy.
Product Name: EZ-Copy
Manufacturer/Vendor: MicroHouse, Inc.
Product Information: Included in Appendix
Cost: $14.95
Description:
EZ-Copy’s copying capabilities are limited to disk-to-disk, as opposed to disk-to-file. In addition, it supports IDE and EIDE disk drives, but does not support SCSI disk drives. However, EZ-Copy does provide several useful features, including support for copying either partitions or entire media, and resizing of partitions during the copy process.
Analysis Tools
This set of forensic analysis tools consists of a large number of products from both the commercial and government sectors. In general, the primary function of forensic analysis tools and products is to assist the forensic examiner in analyzing vast amounts of data that may comprise a case. Both the types of information that are sought and the formats of the data stored on computer media can vary widely. Thus, no single forensic analysis tool or product is sufficient to address all requirements of computer forensic analysis.
The tools and products described in this section are divided into categories, which are based on the primary functions that these tools perform:
Product Name: Undelete for Windows NT
Manufacturer/Vendor: Executive Software
Product Information: Included in Appendix
Cost: $46.95 for NT Workstation and $248.95 for NT Server
Description:
This product is specifically implemented for Windows NT. It comes in two versions and supports two different operating modes. The two versions, Workstation and Server, are intended to be hosted on Windows NT Workstation and Windows NT Server hosts, respectively.
In the first mode of operation, Undelete for Windows, when installed, replaces NT’s Recycle Bin with its own Recovery Bin. The latter is similar to the Recycle Bin, except that it captures and retains files deleted by any method (command line, NT explorer, by an application, etc.). Files contained within the Recovery Bin can be fully restored. Once purged from the Recovery Bin, files may be partially or fully restored by Undelete for Windows NT depending on how much disk activity has transpired. Although this mode of operation is beneficial to system administrators and users, it is not particularly valuable as a computer forensics tool because it requires that the tool be installed before evidentiary files are deleted.
The second mode of operation, called Emergency Undelete, requires no software to be installed on the evidentiary media. This mode executes from a CD-ROM, and it searches NTFS or FAT partitions on a hard drive for deleted files that can be recovered. This mode is ideally suited for the computer forensics application because it does not disturb the scanned disk drive.
Product Name: Unerase (part of Norton Utilities)
Manufacturer/Vendor: Symantec, Inc.
Product Information: Included in Appendix
Cost: $72
Description:
Unerase is one of the utilities that comprise a suite of disk management and data recovery tools called Norton Utilities. This suite of tools is available for a variety of operating system platforms, including DOS, Windows, Windows 95/98, Windows NT, and Macintosh.
The Unerase utility has two modes of operation; not every version of Norton Utilities supports both. The first mode of operation requires that Norton Utilities be loaded onto the computer on which deleted files are to be recovered. Clearly, this mode has little value to the computer forensics examiner because it would require that the utility be loaded before the evidentiary media is seized or examined.
The second mode of operation uses a version of Unerase that is executed from a DOS-bootable floppy diskette. The computer that contains the evidentiary media is booted using the prepared floppy disk. In this mode, the evidentiary media requires no advance preparation.
In either mode, the user has an option to restore selected deleted files to a location other than their original location. Thus, the evidentiary media may be undisturbed and unmodified.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Description:
An unerase function is integrated into the Expert Witness suite of forensic tools. Deleted files are displayed to the user in a file list report and have a unique indicator next to the file’s name that indicates the file is deleted. The user has two recovery options: the file can be recovered in-place, or the file can be restored to an alternate location. For a forensics application, the latter method ensures that the original evidence is not modified.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
One of the ACES forensic utilities, Recover Deleted Files (RDF), implements the capability to search both NTFS and FAT file systems for deleted files. RDF performs an initial scan of a user-specified disk and displays to the user a list of deleted files, along with their estimated recovery potential. Thus, the user can opt to recover only those files whose probability of recovering all data is high. Recovered files are restored to an alternate location, and the original media is unmodified.
Figure 3: Unallocated Data on a Computer Disk
Allocation Table (one row per ten clusters; Y = allocated, N = unallocated):
     0 1 2 3 4 5 6 7 8 9
 0   Y Y Y Y Y Y Y Y Y Y
10   Y Y Y N N N N N N N
20   N N N N N N N N N N
30   Y Y Y Y Y Y Y Y Y Y
40   Y Y Y Y Y Y Y Y Y Y
50   N N N N N N N N N N
Cluster map: File 1 begins at cluster 0; File 3 and File 4 occupy the allocated run beginning at cluster 30. Key: Allocated / Unallocated.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Description:
Unallocated sectors or clusters of physical media are collected into logical files by Expert Witness and displayed to the user in a file list that contains all files associated with that media (including deleted files).
The file(s) that contain the data that was stored within the unallocated clusters can be viewed in either hexadecimal or ASCII format. In addition, the files can be included in a string search and they can be printed.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
ACES implements a utility for recovery of unallocated disk clusters on either FAT or NTFS file systems, which are used by MS-DOS and Windows NT, respectively. So as not to modify the original evidentiary media, the Free Space Extraction (FSE) utility copies the data contained in unallocated sectors to files that are stored to an alternate location.
In particular, the FSE utility recovers three types of slack space. The first type comprises all sectors/clusters managed by a file system that are not allocated to an active file or other file system structure. The second type, usually referred to as slack space, is the portion of the last cluster or allocation unit allocated to each file that is not occupied by the file’s contents. Third, data on a media that is not part of any logical partition or volume is also recovered.
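An added example (not ACES or FBI code) of free space extraction over a constructed disk image whose allocation table is laid out like Figure 3: the three free-space types the FSE description lists are copied to separate buffers without touching the original. The cluster size, partition offset, allocation table and file contents are all assumptions made for the example.

```python
"""Free Space Extraction over a constructed disk image. Recovers the three
kinds of free space the FSE description names: (1) unallocated clusters,
(2) file slack in each file's last cluster, (3) data outside any partition.
Added example; the layout below is hypothetical and deliberately tiny."""
from dataclasses import dataclass

CLUSTER = 16        # bytes per cluster (constructed; real FAT clusters are far larger)
PART_START = 32     # the partition begins here; bytes before it belong to no volume
N_CLUSTERS = 20


@dataclass
class FileEntry:
    name: str
    clusters: list  # cluster chain, as the allocation table would record it
    size: int       # logical file size in bytes


def write_file(disk: bytearray, entry: FileEntry, data: bytes) -> None:
    """Write data into the entry's cluster chain. Bytes past len(data) in the
    last cluster are left untouched: that residue is exactly what becomes slack."""
    assert len(data) == entry.size <= len(entry.clusters) * CLUSTER
    for i, c in enumerate(entry.clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        start = PART_START + c * CLUSTER
        disk[start:start + len(chunk)] = chunk


def allocation_map(entries, n_clusters: int = N_CLUSTERS):
    """Y/N flag per cluster, the same information as Figure 3's allocation table."""
    allocated = {c for e in entries for c in e.clusters}
    return ["Y" if c in allocated else "N" for c in range(n_clusters)]


def extract_free_space(disk: bytearray, entries, n_clusters: int = N_CLUSTERS):
    """Copy the three free-space types out of the image into separate buffers.
    The evidentiary buffer `disk` is only ever read, never written."""
    amap = allocation_map(entries, n_clusters)
    out = {"unallocated": bytearray(), "slack": bytearray(),
           "outside_partition": bytes(disk[:PART_START])}
    # Type 1: clusters the file system manages but has not allocated.
    for c, flag in enumerate(amap):
        if flag == "N":
            start = PART_START + c * CLUSTER
            out["unallocated"] += disk[start:start + CLUSTER]
    # Type 2: the tail of each file's last cluster beyond the file's logical size.
    for e in entries:
        used_in_last = e.size - (len(e.clusters) - 1) * CLUSTER
        if 0 < used_in_last < CLUSTER:           # size on a cluster boundary: no slack
            last = PART_START + e.clusters[-1] * CLUSTER
            out["slack"] += disk[last + used_in_last:last + CLUSTER]
    return {k: bytes(v) for k, v in out.items()}


def demo():
    # Constructed media: fill everything with lower-case "old" residue first, then
    # allocate three upper-case files over it, as a reused disk would look.
    residue = (b"old-draft-letter-text " * 40)[:PART_START + N_CLUSTERS * CLUSTER]
    disk = bytearray(residue)
    entries = [
        FileEntry("FILE1.TXT", [0, 1, 2], 40),   # 3 clusters, 8 bytes of slack
        FileEntry("FILE3.TXT", [10, 11], 32),    # exactly fills 2 clusters, no slack
        FileEntry("FILE4.TXT", [12], 5),         # 11 bytes of slack
    ]
    write_file(disk, entries[0], b"A" * 40)
    write_file(disk, entries[1], b"B" * 32)
    write_file(disk, entries[2], b"CCCCC")
    free = extract_free_space(disk, entries)
    return "".join(allocation_map(entries)), free
```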
Product Name: GetFree
Manufacturer/Vendor: New Technologies, Inc. (NTI)
Product Information: Included in Appendix
Cost: Not Available
Description:
GetFree is one of the tools that comprise NTI’s Law Enforcement Computer Evidence Suite. It is a DOS-based utility that extracts unallocated space on all forms of the FAT file system (i.e., 12-bit, 16-bit, and 32-bit). As with the other tools in this category, GetFree collects unallocated sectors into files that are stored to an alternate location so as not to modify the original disk. In addition, the application supports spanning of multiple media if the output files created by GetFree are directed to a removable media with insufficient capacity.
• Password protection
• Data hiding (steganography).
Product Name: Password Recovery Toolkit
Manufacturer/Vendor: Access Data
Product Information: Included in Appendix
Cost: $745—$1,245 (depending on modules included)
Description:
This product actually is comprised of several different modules that may be integrated together. Each module is designed to identify password-protected files of a specific type (Microsoft Word, WordPerfect, Lotus 123, etc.) and crack the associated password.
The application has a Windows-based user interface that resembles Windows Explorer. From this interface, the user selects files and/or folders containing the password-protected files to be cracked.
The time it takes to recover a password varies based on the native application that was used to create the file and password, and the strength of the password itself. The product does implement intelligent password guessing algorithms, and it will also resort to a brute-force attack if necessary.
Product Name: Steganos
Manufacturer/Vendor: DEMCOM
Product Information: Included in Appendix
Cost: $39.95
Description:
Steganos is a software application that provides privacy for sensitive files by encrypting and/or hiding them. The latter is accomplished by implementing steganographic techniques to embed sensitive digital information inside a suitable host data type. Steganos will hide data within a variety of host file types, including specific types of graphics files (BMP, MIB), audio files (WAV), and text files (including HTML files).
Once data is hidden within a suitable host file, it is very difficult to detect that the original host file has been modified. In addition to preserving the date and time stamp of the host file, the information that is contained in the host file will appear unaltered. In other words, changes in graphics file images will not be detectable to a viewer and changes made to an audio file will not be distinguishable to a listener. However, changes made to a text file may be recognizable if the host file can be compared with its original format.
• Search for multiple strings. Most applications that are described support searching for more than one string or word within a specified file or set of files. Some applications will also accept as input a list of words that are contained within a file, allowing the user to re-use a set of search words without having to re-enter them.
Product Name: DtSearch
Manufacturer/Vendor: DT Software, Inc.
Product Information: Included in Appendix
Cost: $199
Description:
DtSearch is a combination of a powerful search engine and a text indexing tool. It can be used to create an index of words contained within a single file or a set of files. The index contains a list of words and the number of occurrences of each.
The search engine is integrated with a file viewing capability that includes text annotation. Thus, each file that contains one or more occurrences of the search word(s) can be viewed and each occurrence highlighted.
DtSearch supports many advanced text search features, including stemming (adding grammatical variations to a word), synonym searching (including synonymous words in a search), fuzzy searching (includes words that are misspelled or mistyped in a search), and natural language searching (a phrase or sentence is used as the criteria for finding relevant documents or files).
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
ACES implements a basic text string search (TSS) utility as part of its integrated suite of forensic utilities. TSS supports many features that result in targeted searches and significant data reduction. In particular, the TSS utility differentiates strings and words. For example, if “men” is chosen as a search word, occurrences of “amen”, “amenable”, or “mentor” will not be considered matches.
The TSS utility supports Boolean expressions and the “AND” operator. In addition, multiple search strings or words can be specified either interactively by a user or stored in a text file that is interpreted by the utility. Multiple files or an entire media or partition can also be searched.
The report that is generated by TSS lists not only the occurrences of each search string within each file, but it also includes the number of occurrences and the offset of each within each file.
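An added example, not ACES code, of the whole-word search, word-list input, AND operator and per-file count/offset report described for TSS, run over constructed sample files; the file contents and word list are assumptions of the example.

```python
"""Text string search in the style of the TSS description: whole-word matching
(so "men" does not match "amen", "amenable" or "mentor"), several search words,
an AND operator across words, and a per-file report of count and byte offsets.
Added example; FILES below are constructed in memory."""
import re
from collections import OrderedDict


def compile_term(term: str, whole_word: bool = True):
    """Word search wraps the term in \\b boundaries; string search matches
    substrings. Patterns are bytes so reported offsets are byte offsets."""
    pat = re.escape(term.encode())
    if whole_word:
        pat = rb"\b" + pat + rb"\b"
    return re.compile(pat, re.IGNORECASE)


def search_file(data: bytes, terms, whole_word: bool = True):
    """Return {term: [byte offsets]} for each term that occurs in data."""
    hits = {}
    for t in terms:
        offs = [m.start() for m in compile_term(t, whole_word).finditer(data)]
        if offs:
            hits[t] = offs
    return hits


def search_files(files, terms, whole_word: bool = True, require_all: bool = False):
    """files: {name: bytes}. With require_all (the AND operator) a file is
    reported only when every term occurs in it. The report carries the count
    and the offsets of each term per file, as the TSS report does."""
    report = OrderedDict()
    for name, data in files.items():
        hits = search_file(data, terms, whole_word)
        if not hits or (require_all and len(hits) != len(terms)):
            continue
        report[name] = {t: {"count": len(o), "offsets": o} for t, o in hits.items()}
    return report


def load_terms(text: str):
    """Parse a stored word list: one term per line; blank and '#' lines skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


FILES = {  # constructed sample "evidence" files
    "memo.txt": b"The men met at noon. Amen. A mentor was present.",
    "notes.txt": b"amenable staff; no men here",
    "log.txt": b"no matches in this file",
}

if __name__ == "__main__":
    for name, rep in search_files(FILES, load_terms("# list\nmen\nnoon\n")).items():
        for term, r in rep.items():
            print(f"{name}: {term!r} x{r['count']} at {r['offsets']}")
```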
Figure 4: File Type Signatures
[Figure: hex dumps of four files. BALL.BMP and SKY.BMP both begin 42 40 ...; BELL.WAV and CHIMES.WAV both begin 52 49 46 46 ...; the bytes that follow differ from file to file.]
[Figure: File_2 and File_3 are passed through a Hashing Algorithm; the resulting signatures are compared against a Database of Unique File Signatures, and files with no match go to a Catalog of “Unknown” Files (Not in Database).]
Description:
The Known File Filter (KFF) utility, part of the suite of forensic utilities integrated into ACES, provides unique file identification. The KFF utility works in conjunction with a database of known files. Each database entry consists of a file name, information about the file (date, size, attributes, etc.), and a unique file signature, which is a 128-bit hash calculated using the MD4 hashing algorithm. Using this database, the utility compares signatures in the database with signatures calculated from evidentiary files. If a match is found, the evidentiary file is positively identified (See Figure 6).
The KFF utility has several forensics applications, including the identification of COTS files in copyright violation cases and as a powerful data reduction tool to eliminate known files from further examination.
ACES also implements a KFF database management tool that is used to populate and maintain the KFF database.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
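The hash-and-compare step described above, as an added example that is not ACES code: a pure-Python MD4 (RFC 1320) produces each file's 128-bit signature, and a constructed known-file database is consulted by signature rather than by name, so a renamed copy is still identified while a file altered by one byte is not. All file names and contents are constructed.

```python
import struct
from typing import Dict, List, Tuple

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> str:
    """MD4 (RFC 1320) as 32 hex digits. Written in pure Python because
    hashlib's md4 depends on OpenSSL's legacy provider and is often absent."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()


# Constructed stand-ins for known COTS files; the database keeps only each
# file's name, size and MD4 signature, never its contents.
KNOWN_FILES = {
    "CALC.EXE": b"MZ constructed stand-in for a known application binary",
    "README.TXT": b"Constructed vendor readme text shipped with the product.",
}
KFF_DATABASE: Dict[str, Tuple[str, int]] = {
    md4(body): (name, len(body)) for name, body in KNOWN_FILES.items()
}


def kff_filter(evidence: List[Tuple[str, bytes]]):
    """Split evidentiary files into (known, unknown) by MD4 signature lookup.
    Known files can be eliminated from further examination."""
    known, unknown = [], []
    for name, body in evidence:
        sig = md4(body)
        if sig in KFF_DATABASE:
            known.append((name, KFF_DATABASE[sig][0], sig))
        else:
            unknown.append((name, sig))
    return known, unknown


# Constructed evidentiary files: a renamed copy of CALC.EXE, a readme with a
# single byte changed, and a user document that is not in the database.
EVIDENCE = [
    ("NOTES.DAT", KNOWN_FILES["CALC.EXE"]),
    ("README.TXT", KNOWN_FILES["README.TXT"].replace(b"vendor", b"Vendor")),
    ("LETTER.DOC", b"Constructed user document that still needs examination."),
]

if __name__ == "__main__":
    print(kff_filter(EVIDENCE))
```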
Description:
The Data Format Recognition (DFR) utility, part of the suite of forensic utilities integrated into ACES, provides unique file type identification. The DFR utility works in conjunction with a database of known file types (Microsoft Word document, Excel spreadsheet, WAV sound file, etc.). Each database entry consists of a file type description and information describing a unique header that identifies that file type. The header information includes the length, offset, and data that comprise the unique signature. Using this database, the utility compares header information from the database with headers read from evidentiary files. If a match is found, the evidentiary file is identified as being of the associated file type.
ACES also implements a DFR database management tool that is used to populate and maintain the database of known file types.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
Included in the set of forensic tools that are integrated into Expert Witness is a file type identification function. The function is integrated into the file listing capability, and the report generated by the file listing function contains file type information (i.e., text file, executable, font file, etc.) for any files whose type is recognized.
The file type is determined by a file’s extension and, optionally, a file signature. The latter is based on a known sequence of ASCII characters that uniquely identify a file by its type. Records containing file signatures, extensions, and other information are maintained by Expert Witness in a file type database.
In addition, Expert Witness provides an administrative tool to manage its file type database. File type records can be added, modified, or deleted. For each record, the following information can be input: file type extension, description, group, viewer (for displaying files of this type), and an optional file type signature. The signature can include wildcards or “don’t care” characters that may appear interspersed within the signature.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
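An added example covering both the DFR header database described earlier (offset, length and data of each signature) and the Expert Witness approach above, where a signature with interspersed “don’t care” bytes is tried first and the extension is the fallback; it is not code from either product. The textual signature form with ?? wildcards and the sample file names and contents are constructed for the example; the magic numbers are the published ones for each format.

```python
from typing import List, Optional, Tuple

Signature = List[Optional[int]]  # None marks a "don't care" byte


def parse_signature(text: str) -> Signature:
    """Parse a constructed textual signature such as
    "52 49 46 46 ?? ?? ?? ?? 57 41 56 45"; "??" matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed database in the DFR shape: description, header offset, signature
# (its length is the signature length) and the extensions that map to it.
FILE_TYPE_DB: List[Tuple[str, int, Signature, Tuple[str, ...]]] = [
    ("Windows bitmap", 0, parse_signature("42 4D"), ("bmp",)),
    ("WAV sound file", 0, parse_signature("52 49 46 46 ?? ?? ?? ?? 57 41 56 45"), ("wav",)),
    ("MS-DOS executable", 0, parse_signature("4D 5A"), ("exe", "dll")),
    ("ISO 9660 CD image", 0x8001, parse_signature("43 44 30 30 31"), ("iso",)),
    ("Plain text", 0, [], ("txt",)),  # extension only, no signature
]


def header_matches(data: bytes, offset: int, sig: Signature) -> bool:
    """Compare the bytes read at offset with the signature; wildcards always match."""
    if len(data) < offset + len(sig):
        return False
    return all(s is None or data[offset + i] == s for i, s in enumerate(sig))


def identify(name: str, data: bytes) -> Tuple[str, str]:
    """Return (type description, method). Content signatures win over the
    extension, so a renamed file is still typed by what it contains."""
    for desc, offset, sig, _ in FILE_TYPE_DB:
        if sig and header_matches(data, offset, sig):
            return desc, "signature"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for desc, _, _, exts in FILE_TYPE_DB:
        if ext in exts:
            return desc, "extension"
    return "unknown", "none"


# Constructed evidentiary files.
SAMPLES = {
    "SKY.BMP": b"BM" + b"\x36\x00\x00\x00" + b"\x00" * 16,
    "BELL.WAV": b"RIFF" + b"\x24\x08\x00\x00" + b"WAVEfmt " + b"\x00" * 8,
    "PHOTO.TXT": b"BM" + b"\x00" * 20,  # bitmap given a misleading extension
    "NOTES.TXT": b"plain words only\n",
    "DISK.ISO": b"\x00" * 0x8000 + b"\x01CD001\x01\x00",  # descriptor at sector 16
    "BLOB.DAT": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, *identify(fname, body), sep="\t")
```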
Description:
A DOS-based program that generates a catalog of every file on one or more specified logical volumes/partitions. For each file entry in the catalog, FILELIST includes the following information: drive letter, directory, file name, file size, modification date and time, creation date and time, last accessed date, file attributes, and an optional file signature based on RSA Data Security’s MD5 hash algorithm.
The output produced by FILELIST is a compressed file. The file can span multiple floppy or removable disks if its size necessitates. A companion product (FILECNVT) is available from New Technologies, Inc. that converts the compressed file output of FILELIST into a dBase III file format, which can then be viewed and manipulated by spreadsheet and database software that can import the DBF file format. A second product, SHOWFL, displays the converted DBF in a tabular format.
Product Name: FILELIST
Manufacturer/Vendor: New Technologies, Inc.
Product Information: Included in Appendix
Cost: Not Available
Description:
The File Listing (FL) utility, part of the suite of forensic utilities integrated into ACES, generates a report containing a listing of every active file associated with a user-selected media or directory. The listing is actually generated in two formats: one is a formatted report that may be viewed or printed, and the other is a tab-delimited report that is suitable for import into many popular spreadsheet and database applications.
Each entry in the file listing report contains the following information: file name and path (long name, if applicable), last modified date and time, logical size, and attributes. Additionally, an optional signature of the file, which is calculated using the MD4 hashing algorithm, may also be included.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
Generating a catalog of files on a disk is only one function of Expert Witness, which is an integration of several computer forensic functions. The report that is generated is tabular and columns are configurable and sortable. In addition, the file listing function and report are well-integrated with other forensic analysis functions. For example, by double-clicking on an entry in the file catalog, the contents of the corresponding file are displayed.
Each entry in the file listing report contains the following information: name (short name and long name); indicator for file, folder, or volume; indicator for whether the file is active or deleted; last accessed date; last modified date and time; creation date and time; logical size; physical size; starting cluster within volume; attributes; file type (if recognized); and the full path.
The file type is based on a file signature (i.e., a known header or string of characters within the file) and/or a file extension.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Description:
Expert Witness integrates several computer forensic tools into a single Windows or Macintosh application. Integrated into the application are an image copy capability, file listing capability, file type identification function, a hexadecimal/ASCII file viewer, and a text string search capability. In addition, the product also identifies files that have been deleted from the target media, as well as unallocated blocks (sectors or clusters) on the logical partition or physical disk.
The integration of all of these tools into a single application significantly increases the usability and versatility of Expert Witness. For example, a user can click on an entry in the file listing report to view the file contents in hexadecimal or ASCII. Similarly, individual “hits” resulting from a string search can be presented in a file listing report format or viewed using the integrated viewer capability.
Another important feature of Expert Witness is its integrated image copying and analysis capabilities. The software includes a built-in image copying capability, as well as a mechanism for building a DOS-based image copy tool that can be used to copy computer media during a search. In addition, the image files created by these tools can be examined directly (i.e., without first having to restore them to a compatible hard drive or other media type). All of Expert Witness’ tools, including text string searching, identification of deleted files and unallocated blocks, and file listing and identification can be applied to an image file.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Description:
ACES is a custom computer forensics system developed for the Computer Analysis Response Team (CART) within the FBI laboratory. The system provides both case management and forensic analysis functions. ACES is not available commercially but will be made available to federal, state, and local law enforcement agencies.
ACES implements many of the basic computer forensic functions that comprise a typical forensics examination, including: text string search, file listing and identification by type, unique file identification, identification of deleted files and unallocated blocks, image copying and file copying with integrity verification, and file viewing (native format or hexadecimal/ASCII display).
Another significant feature of ACES is a capability to examine image files directly, without having to first restore them to compatible media. This capability is implemented for both Windows NT and MS-DOS, and it allows both ACES forensic tools, as well as third-party software products, to view and analyze ACES image files.
Several steps comprising a case management process are also implemented by ACES. These steps include evidence recording and tracking, case assignment and tracking, and examination results and report generation.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Miscellaneous Functions
Other commercially available computer forensic software tools implement a variety of specialized functions, including the following:
Description:
Disk Editor, or DiskEdit, is a DOS-based utility that is used for a wide range of applications. It is considered by many to be a core component of a computer forensics toolset. DiskEdit is used to view the contents of a floppy disk, hard disk, or any other physical media that is accessible by MS-DOS. The contents of a disk can be viewed from a logical perspective when the file system is one that DOS recognizes. That is, the contents can be viewed as directories and files. In most cases, the disk can also be viewed from a physical perspective as absolute sectors or clusters. The information can be presented to the user either in a hexadecimal format or ASCII character representation.
DiskEdit also supports string searching within a portion of a disk or across an entire disk. Another feature, which is of more benefit to a system administrator who needs to repair data errors than to a forensics examiner, is the ability to write individual bytes (or large blocks) of data to a disk.
Product Name: Disk Editor (part of Norton Utilities)
Manufacturer/Vendor: Symantec
Product Information: Included in Appendix
Cost: $72
Description:
QuickView Plus, a product that evolved from an earlier product called Outside In, is a file viewer application that runs on most Windows-based operating systems. It supports more than 200 file types, including those created by Windows applications, Macintosh applications, and DOS applications, as well as Internet file formats.
Files viewed using this product are presented in their native format, including colors, fonts, styles, and page layouts, without requiring the native application (i.e., the software product that was used to generate the file) to be loaded or even installed on the computer. Files that can be viewed by QuickView Plus can also be printed in their original format.
Product Name: QuickView Plus
Manufacturer/Vendor: INSO Corporation
Product Information: Included in Appendix
Cost: $59
Description:
Included in the suite of forensic utilities that are integrated into ACES is a tool for recognizing and expanding compressed files. The Uncompress Files (UF) utility recognizes several different types of file compression resulting from the application of a variety of shareware and freeware software compression utilities. If a file is determined to be compressed by one of these known methods, the appropriate decompression routine is invoked.
Of benefit to the computer forensics application is that the UF utility stores the resultant uncompressed files to an alternate location so as not to modify the contents of the media that contained the original compressed file (presumably, an evidentiary computer media).
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Case Management Tools
This category contains only a few products. Ironically, in many computer forensics laboratories, particularly those associated with law enforcement, adherence to protocols and procedures is as important as maintaining the integrity of the evidence that is being examined.
Description:
ACES is a custom computer forensics system developed for the Computer Analysis Response Team (CART) within the FBI laboratory. The system provides both case management and forensic analysis functions. ACES is not available commercially but will be made available to federal, state, and local law enforcement agencies.
All of the major steps that comprise the case management process are also implemented by ACES. These steps include evidence recording and tracking, case assignment and tracking, and examination results and report generation.
ACES provides mechanisms for labeling and recording evidentiary media, as well as for creating both logical and physical copies of media for examination. Either copy method utilizes a verification step to verify data integrity.
Case assignments and tracking are automated by ACES using a variety of mechanisms, including electronic notification (i.e., E-Mail) and workflow-oriented and collaborative computing application software.
ACES also automates the generation of many of the reports containing results from the execution of its integrated forensic tools and utilities. The reports and other information derived from evidentiary media are maintained and organized by ACES into cases. In addition, ACES supports the processing of multiple cases simultaneously.
Product Name: Automated Computer Examination System (ACES)
Manufacturer/Vendor: Federal Bureau of Investigation—Laboratory Division
Product Information: Included in Appendix
Cost: Government-Owned
Description:
Expert Witness is an application designed specifically for the computer forensics market. It provides an integrated suite of forensic analysis tools and limited case management capabilities.
Expert Witness organizes data collected and analyzed into individual cases, each of which may consist of any number of computer media and/or disk images. Examinations may be performed on an individual file or disk, or all disks may be examined at the same time. For instance, one can perform a text string search against all disks associated with a specific case.
In addition, Expert Witness can generate several reports, including a summary of a case, the contents of a case (i.e., a list of all disks and image files), and a list of every file, organized by its associated disk, that is a part of the case.
Product Name: Expert Witness
Manufacturer/Vendor: ASR Data Acquisition & Analysis
Product Information: Included in Appendix
Cost: $425
Appendix
Department of Defense: Points of Contact
AFOSI/Defense Computer Forensic Laboratory
911 Elkridge Landing Road
Airport Square, Bldg 11
Linthicum, MD 21090
Ms. Karen Matthews
Phone: (410) 981-0100
Expert Witness, ASR Data Acquisition and Analysis, LLC
11422 Morning Glory Trail
Austin, TX 78750-1399
Phone: (512) 918-9227
Fax: (512) 335-5622
URL: http://www.asrdata.com/ewwin.html
Undelete for Windows NT, Executive Software
Executive Software International
701 N. Brand Blvd., Suite 600
Glendale, CA 91203-1242
Phone: (818) 547-2050, (800) 829-6468
Fax: (818) 545-9241
URL: http://www.undelete.com/info