Computer Forensics Fundamentals

Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes. Electronic or computer evidence used to mean the regular print-out from a computer, and a great deal of computer exhibits in court are just that. However, for many years, law enforcement officers have been seizing data media and computers themselves, as they have become smaller and more ubiquitous. In the very recent past, investigators generated their own printouts, sometimes using the original application program, sometimes specialist analytic and examination tools. More recently, investigators have found ways of collecting evidence from remote computers to which they do not have immediate physical access, provided such computers are accessible via a phone line or network connection. It is even possible to track activities across a computer network, including the Internet.

These procedures form part of what is called computer forensics, though some people also use the term to include the use of computers to analyze complex data (for example, connections between individuals by examination of telephone logs or bank account transactions). Another use of the term is when computers are employed in the court itself, in the form of computer graphics, to illustrate a complex situation such as a fraud or as a replacement for large volumes of paper-based exhibits and statements.

So, what actually is computer forensics? Computer forensics is about evidence from computers that is sufficiently reliable to stand up in court and be convincing. You might employ a computer forensics specialist to acquire evidence from computers on your behalf. On the other hand, you may want one to criticize the work of others. The field is a rapidly growing one, with a solid core but with many controversies at its edges.


Computer Forensics, Second Edition

INTRODUCTION TO COMPUTER FORENSICS


Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

Far more information is retained on a computer than most people realize. It's also more difficult to completely remove information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if the information was intentionally deleted.

Computer forensics, although employing some of the same skills and software as data recovery, is a much more complex undertaking. In data recovery the goal is to retrieve the lost data. In computer forensics, the goal is to retrieve the data and interpret as much information about it as possible.

The continuing technological revolution in communications and information exchange has created an entirely new form of crime: cyber crime or computer crime. Computer crime has forced the computer and law enforcement professions to develop new areas of expertise and avenues of collecting and analyzing evidence. This is what has developed into the science of computer forensics. The process of acquiring, examining, and applying digital evidence is crucial to the success of prosecuting a cyber criminal. With the continuous evolution of technology, it is difficult for law enforcement and computer professionals to stay one step ahead of technologically savvy criminals.
To effectively combat cyber crime, greater emphasis must be placed in the computer forensic field of study, including but not limited to financial support, international guidelines and laws, and training of the professionals involved in the process, as well as the following subject matter:

- Computer crime
- The computer forensic objective
- The computer forensic priority
- The accuracy versus speed conflict
- The need for computer forensics
- The double tier approach
- Requirements for the double tier approach
- The computer forensics specialist

Computer Crime
According to industry analysts, there are currently 657 million people online worldwide. That figure is expected to rise to 794 million by 2009. This represents a lot of data interchange. Unfortunately, many small businesses, and even large organizations, do not know how to properly protect their sensitive data, thus leaving the door open to criminals. Computers can be involved in a wide variety of crimes including white-collar crimes, violent crimes such as murder and terrorism, counterintelligence, economic espionage, counterfeiting, and drug dealing. A 2003 FBI survey reported that the average bank robbery netted $6,900, whereas the average computer crime netted $900,000 [1]. The Internet has made targets much more accessible, and the risks involved for the criminal are much lower than with traditional crimes. A person can sit in the comfort of his home or a remote site and hack into a bank and transfer millions of dollars to a fictitious account, in essence robbing the bank, without the threat of being gunned down while escaping. One hears of such technological crimes almost daily, thus creating a perception of lawlessness in the cyber world.

The same FBI survey revealed that both public and private agencies face serious threats from external as well as internal sources. Out of the 849 organizations that responded to the survey, 30% claimed theft of proprietary information, 23% reported sabotage of data or their networks, 35% experienced system penetration from an outside source, and 12% claimed financial fraud. More alarming is the ease of access to sensitive data employees have within the organization. Fifty-nine percent of the organizations involved in the survey reported employees having unauthorized access to corporate information.

Recently a survey was conducted to determine where the FBI was focusing their computer forensic efforts. An alarming 74% of their workload is centered on white-collar crime. This type of crime includes health care fraud, government fraud including erroneous IRS and Social Security benefit payments, and financial institution fraud. These are high-dollar crimes made easy by technology. The other 26% of the workload is split equally among violent crime (child pornography, interstate theft), organized crime (drug dealing, criminal enterprise), and counterterrorism and national security. As shown by this survey, computer crime is widespread and has infiltrated areas unimaginable just a few years ago. The FBI caseload has gone from near zero in 1985 to nearly 10,000 cases in 2003. It is no doubt considerably higher today. They have gone from two part-time scientists to 899 personnel in regional field offices throughout the country. Technology has brought this field of study to the forefront.

Roles of a Computer in a Crime

A computer can play one of three roles in a computer crime. A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. In some cases, the computer can have multiple roles. It can be the "smoking gun" serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. For example, a hacker may use the computer as the tool to break into another computer and steal files, then store them on the computer.

When investigating a case, it is important to know what roles the computer played in the crime and then tailor the investigative process to that particular role. Applying information about how the computer was used in the crime also helps when searching the system for evidence. If the computer was used to hack into a network password file, the investigator will know to look for password cracking software and password files. If the computer was the target of the crime, such as an intrusion, audit logs and unfamiliar programs should be checked. Knowing how the computer was used will help narrow down the evidence collection process. With the size of hard drives these days, it can take a very long time to check and analyze every piece of data a computer contains. Often law enforcement officials need the information quickly, and having a general idea of what to look for will speed the evidence collection process.

The Computer Forensics Objective

The objective of computer forensics is quite straightforward. It is to recover, analyze, and present computer-based material in such a way that it is useable as evidence in a court of law. The key phrase here is useable as evidence in a court of law. It is essential that none of the equipment or procedures used during the examination of the computer obviate this.

The Computer Forensics Priority

Computer forensics is concerned primarily with forensic procedures, rules of evidence, and legal processes. It is only secondarily concerned with computers. Therefore, in contrast to all other areas of computing, where speed is the main concern, in computer forensics the absolute priority is accuracy. One talks of completing work as efficiently as possible, that is, as fast as possible without sacrificing accuracy.


Accuracy Versus Speed

In this seemingly frenetic world where the precious resource of time is usually at a premium, pressure is heaped upon you to work as fast as possible. Working under such pressure to achieve deadlines may induce people to take shortcuts in order to save time. In computer forensics, as in any branch of forensic science, the emphasis must be on evidential integrity and security. In observing this priority, every forensic practitioner must adhere to stringent guidelines. Such guidelines do not encompass the taking of shortcuts, and the forensic practitioner accepts that the precious resource of time must be expended in order to maintain the highest standards of work.

The Computer Forensics Specialist

A computer forensics specialist is the person responsible for doing computer forensics. The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called unallocated space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as slack space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data but once again may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, or encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.
8. Provide expert consultation and/or testimony, as required [2].
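Step 6 above, and the later claims that deleted files and earlier versions of documents often survive on disk, rest on one mechanical fact: deleting a file removes its allocation entry, not its bytes, and a new file that reuses part of the same clusters overwrites only what it needs. The script below is an added illustration, not code from the book. It builds a toy disk image in memory (8 clusters of 64 bytes, an allocation map, and a constructed "deleted memo" that was partly overwritten by a shorter new file; all of this data is invented for the example) and then shows what a user-level view of the files misses: the slack space at the tail of the new file's last cluster and the unallocated clusters both still carry the old memo's text. The printable-string carve is the simplest possible recovery technique and stands in for the specialist's real tools.

```python
"""Added example (not from the book): remnants in slack and unallocated space.

Toy image: NCLUSTERS clusters of CLUSTER bytes. The allocation map is a dict
{file name: (list of clusters, logical byte length)}. Everything in a file's
last cluster past its logical end is slack; clusters in no file are
unallocated. All file contents are constructed for this example.
"""
import re

CLUSTER = 64      # bytes per cluster in the toy image
NCLUSTERS = 8     # total clusters in the toy image


def write_clusters(img, first_cluster, data):
    """Write data starting at the first byte of a cluster (no bounds growth)."""
    start = first_cluster * CLUSTER
    img[start:start + len(data)] = data


def build_image():
    """Construct the image and allocation map. History modelled:
      1. OLDMEMO (182 bytes) was written to clusters 1-3.
      2. It was deleted: dropped from the map, clusters left untouched.
      3. NEW.TXT (20 bytes) was written over the start of cluster 1 only.
      4. NOTES.TXT (100 bytes) was written to never-used clusters 5-6.
    """
    img = bytearray(CLUSTER * NCLUSTERS)
    old = (b"OLD MEMO - DRAFT: exported the full customer list to a personal "
           b"USB drive on 14 March, then removed the export log entry. "
           b"Remember to delete this note before handing the laptop back.")
    if len(old) > 3 * CLUSTER:
        raise ValueError("constructed memo must fit in three clusters")
    write_clusters(img, 1, old.ljust(3 * CLUSTER, b" "))   # step 1
    new = b"quarterly report v2\n"
    write_clusters(img, 1, new)                             # step 3
    notes = (b"Meeting notes 2 April: review laptop return procedure. " * 2)[:100]
    write_clusters(img, 5, notes)                           # step 4
    alloc = {"NEW.TXT": ([1], len(new)), "NOTES.TXT": ([5, 6], len(notes))}
    return img, alloc


def live_contents(img, alloc):
    """What the user sees: each file's clusters, cut at its logical length."""
    out = {}
    for name, (clusters, length) in alloc.items():
        raw = b"".join(bytes(img[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        out[name] = raw[:length]
    return out


def slack_regions(img, alloc):
    """Slack: the tail of each file's last cluster beyond its logical end."""
    out = {}
    for name, (clusters, length) in alloc.items():
        used_in_last = length - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        start = last * CLUSTER + used_in_last
        out[name] = bytes(img[start:(last + 1) * CLUSTER])
    return out


def unallocated_runs(img, alloc):
    """Runs of consecutive clusters owned by no live file, as (first, bytes).
    Consecutive clusters are joined so a remnant spanning a boundary survives."""
    owned = {c for clusters, _ in alloc.values() for c in clusters}
    runs, cur = [], []
    for c in range(NCLUSTERS):
        if c in owned:
            if cur:
                runs.append(cur)
                cur = []
        else:
            cur.append(c)
    if cur:
        runs.append(cur)
    return [(r[0], bytes(img[r[0] * CLUSTER:(r[-1] + 1) * CLUSTER])) for r in runs]


PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def carve_strings(data):
    """Printable-ASCII runs of 8+ bytes: the simplest 'strings'-style carve."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def examine(img, alloc):
    """Report text remnants found outside the live file view."""
    report = {"slack": {}, "unallocated": {}}
    for name, tail in slack_regions(img, alloc).items():
        report["slack"][name] = carve_strings(tail)
    for first, data in unallocated_runs(img, alloc):
        found = carve_strings(data)
        if found:
            report["unallocated"][first] = found
    return report


if __name__ == "__main__":
    image, allocation = build_image()
    for area, hits in examine(image, allocation).items():
        print(area, hits)
```

Running it shows NEW.TXT's own content is just "quarterly report v2", yet its slack holds the middle of the deleted memo and the unallocated run starting at cluster 2 holds the rest; NOTES.TXT, written to fresh clusters, has clean slack. That contrast is why an examiner images the whole device rather than copying the files the operating system lists.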


Who Can Use Computer Forensic Evidence?

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists.

- Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
- Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
- Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets, and other internal/confidential information.
- Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment. The use of computer forensics in law enforcement is discussed in detail in the next section and throughout the book.
- Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination [2].

USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT


If there is a computer on the premises of a crime scene, the chances are very good that there is valuable evidence on that computer. If the computer and its contents are examined (even if very briefly) by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted.

Choosing a Computer Forensics Specialist for a Criminal Case

When you require the services of a computer forensics specialist, don't be afraid to shop around. There are an increasing number of people who claim to be experts in the field. Look very carefully at the level of experience of the individuals involved. There is far more to proper computer forensic analysis than the ability to retrieve data, especially when a criminal case is involved. Think about computer forensics just as you would any other forensic science and look for a corresponding level of expertise.

The bottom line is that you will be retaining the services of an individual who will likely be called to testify in court to explain what he or she did to the computer and its data. The court will want to know that individual's own level of training and experience, not the experience of his or her employer. Make sure you find someone who not only has the expertise and experience, but also the ability to stand up to the scrutiny and pressure of cross-examination.

COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES/EMPLOYMENT PROCEEDINGS


Computer forensics analysis is becoming increasingly useful to businesses. Computers can contain evidence in many types of human resources proceedings, including sexual harassment suits, allegations of discrimination, and wrongful termination claims. Evidence can be found in electronic mail systems, on network servers, and on individual employees' computers. However, due to the ease with which computer data can be manipulated, if the search and analysis is not performed by a trained computer forensics specialist, it could likely be thrown out of court.

Employer Safeguard Program


As computers become more prevalent in businesses, employers must safeguard critical business information. An unfortunate concern today is the possibility that data could be damaged, destroyed, or misappropriated by a discontented individual. Before an individual is informed of their termination, a computer forensic specialist should come on-site and create an exact duplicate of the data on the individual's computer. In this way, should the employee choose to do anything to that data before leaving, the employer is protected. Damaged or deleted data can be replaced, and evidence can be recovered to show what occurred. This method can also be used to bolster an employer's case by showing the removal of proprietary information or to protect the employer from false charges made by the employee.

Whether you are looking for evidence in a criminal prosecution or civil suit or determining exactly what an employee has been up to, you should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy the evidence. For example, did you know

- What Web sites have been visited
- What files have been downloaded
- When files were last accessed
- Of attempts to conceal or destroy evidence
- Of attempts to fabricate evidence
- That the electronic copy of a document can contain text that was removed from the final printed version
- That some fax machines can contain exact duplicates of the last several hundred pages received
- That faxes sent or received via computer may remain on the computer indefinitely
- That email is rapidly becoming the communications medium of choice for businesses
- That people tend to write things in email that they would never consider writing in a memorandum or letter
- That email has been used successfully in criminal cases as well as in civil litigation
- That email is often backed up on tapes that are generally kept for months or years
- That many people keep their financial records, including investments, on computers [3]

COMPUTER FORENSICS SERVICES


No matter how careful they are, when people attempt to steal electronic information (everything from customer databases to blueprints), they leave behind traces of their activities. Likewise, when people try to destroy incriminating evidence contained on a computer (from harassing memos to stolen technology), they leave behind vital clues. In both cases, those traces can prove to be the smoking gun that successfully wins a court case. Thus, computer data evidence is quickly becoming a reliable and essential form of evidence that should not be overlooked.

A computer forensics professional does more than turn on a computer, make a directory listing, and search through files. Your forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:

- Data seizure
- Data duplication and preservation
- Data recovery
- Document searches
- Media conversion
- Expert witness services
- Computer evidence service options
- Other miscellaneous services


Data Seizure

Federal rules of civil procedure let a party or their representative inspect and copy designated documents or data compilations that may contain evidence. Your computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence [3]. Your experts should also be able to assist officials during the equipment seizure process. See Chapter 6, "Evidence Collection and Data Seizure," for more detailed information.

Data Duplication and Preservation

When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Your computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data. Because duplication is fast, the responding party can quickly resume its normal business functions, and, because your experts work on the duplicated data, the integrity of the original data is maintained. See Chapter 7, "Duplication and Preservation of Digital Evidence," for more detailed information.

Data Recovery

Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies. For example, when a user deletes an email, traces of that message may still exist on the storage device. Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence. See Chapter 5, "Data Recovery," for more detailed information.

Document Searches

Your computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

Media Conversion

Some clients need to obtain and investigate computer data stored on old and unreadable devices. Your computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.


Expert Witness Services

Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation (see sidebar, "Provide Expert Consultation and Expert Witness Services").

PROVIDE EXPERT CONSULTATION AND EXPERT WITNESS SERVICES

Computers

Expert Testimony
- Has testified multiple times as an expert witness in computers and computer forensics in circuit court
- Regularly testifies as an expert witness in computers and computer forensics in federal court for U.S. attorney's offices

Computer Expertise
- Belongs to the Computer Crime Investigators Association
- Trained in the forensic examination of computers (PC & Mac), having conducted examinations in countless cases including child exploitation, homicide, militia, software piracy, and fraud
- Has testified in state and federal courts as an expert in computers, computer forensics, the Internet, and America Online; often as an expert witness for U.S. attorney's offices
- Is thoroughly familiar with both computer hardware and software, having written software and repaired and assembled computers
- Teaches computer crime investigation, including computer search and seizure, for the Institute of Police Technology and Management
- Regularly consults with law enforcement officers in the search and seizure of computers
- Has provided forensic training to numerous law enforcement officers and corporate security officers
- Regularly consulted by other forensic examiners for advice in difficult cases

Training Given as Expert in Computer Crimes
- Law Enforcement and Corrections Technology Symposium and Exhibition
- Bureau of Justice Statistics/Justice Research Statistics Association


Electronic Surveillance
- Theft by employees or others
  - Time
  - Property
  - Proprietary information and trade secrets
- Embezzlement
- Inappropriate employee actions
- Burglary

Your computer forensics expert's experience should include installing cameras in every imaginable location (indoors and outdoors, warehouses, offices, homes, stores, schools, gambling, or vehicles) for every conceivable crime (theft, burglaries, homicides, narcotics, prostitution, extortion, or embezzlement) under every conceivable circumstance (controlled settings, hostage crisis, court-ordered or covert intrusion). If you need to know what your employees are doing on your time and on your premises, your computer forensics experts should be able to covertly install video monitoring equipment so that you can protect your interests. This even includes situations where employees may be misusing company computers. By using video surveillance to document employees who are stealing time, property, or secrets from you, you should protect yourself if you plan to take appropriate action against the employees.

Child Exploitation
- Child sexual exploitation
- Child pornography
  - Manufacture
  - Use
  - Sale
  - Trading
  - Collection
- Child erotica
- Use of computers in child exploitation
- Search and seizure
- Victim acquisition
- Behavior of preferential and situational offenders
- Investigation
  - Proactive
  - Reactive [4]


Computer Evidence Service Options

Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:

- Standard service
- On-site service
- Emergency service
- Priority service
- Weekend service

Standard Service

Your computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found. They must be able to provide clean rooms and ensure that all warranties on your equipment will still be valid following their services.

On-Site Service

Your computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question. Their services should then be performed on the duplicate, minimizing the disruption to business and the computer system. Your experts should also be able to help federal marshals seize computer data and be very familiar with the Federal Guidelines for Searching and Seizing Computers.

Emergency Service

After receiving the computer storage media, your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.

Priority Service

Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.

Weekend Service

Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue working on your case until your evidence objectives are met. Weekend service depends on the availability of computer forensics experts.

Other Miscellaneous Services

Computer forensics experts should also be able to provide extended services. These services include

- Analysis of computers and data in criminal investigations
- On-site seizure of computer data in criminal investigations
- Analysis of computers and data in civil litigation
- On-site seizure of computer data in civil litigation
- Analysis of company computers to determine employee activity
- Assistance in preparing electronic discovery requests
- Reporting in a comprehensive and readily understandable manner
- Court-recognized computer expert witness testimony
- Computer forensics on both PC and Mac platforms
- Fast turnaround time

Recover Data You Thought Was Lost Forever

Computer systems may crash. Files may be accidentally deleted. Disks may accidentally be reformatted. Computer viruses may corrupt files. Files may be accidentally overwritten. Disgruntled employees may try to destroy your files. All of these can lead to the loss of your critical data. You may think it's lost forever, but computer forensics experts should be able to employ the latest tools and techniques to recover your data.

In many instances, the data cannot be found using the limited software tools available to most users. The advanced tools that computer forensics experts utilize allow them to find your files and restore them for your use. In those instances where the files have been irreparably damaged, the computer forensics experts' expertise allows them to recover even the smallest remaining fragments.

Advise You on How to Keep Your Data and Information Safe from Theft or Accidental Loss

Business today relies on computers. Your sensitive client records or trade secrets are vulnerable to intentional attacks from, for example, computer hackers, disgruntled employees, viruses, and corporate espionage. Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification.

Computer forensics experts should advise you on how to safeguard your data by such methods as encryption and back-up. The experts can also thoroughly clean sensitive data from any computer system you plan on eliminating.

Your files, records, and conversations are just as vital to protect as your data. Computer forensics experts should survey your business and provide guidance for improving the security of your information. This includes possible information leaks such as cordless telephones, cellular telephones, trash, employees, and answering machines.

Examine a Computer to Find Out What Its User Has Been Doing

Whether you're looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to, your computer forensics experts should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy evidence.

As previously mentioned, your computer forensics experts should provide complete forensic services. These include electronic discovery consultation, on-site seizure of evidence, thorough processing of evidence, interpretation of the results, reporting the results in an understandable manner, and court-recognized expert testimony. Your computer forensics experts should also be able to regularly provide training to other forensic examiners, from both the government and private sectors. When other forensic examiners run into problems, they should turn to your experts for solutions.

Sweep Your Office for Listening Devices

In today's high-tech society, bugging devices, ranging from micro-miniature transmitters to micro-miniature recorders, are readily available. Automatic telephone recording devices are as close as your nearest Radio Shack store. Your computer forensics experts should have the equipment and expertise to conduct thorough electronic countermeasures (ECM) sweeps of your premises.

High-Tech Investigations

Your computer forensics experts should have high level government investigative experience and the knowledge and experience to conduct investigations involving technology, whether the technology is the focus of the investigation or is required to conduct the investigation. The experts should be uniquely qualified to conduct investigations involving cellular telephone cloning, cellular subscription fraud, software piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue.


So, what are your employees actually doing? Are they endlessly surfing the Web? Are they downloading pornography and opening your company to a sexual harassment lawsuit? Are they emailing trade secrets to your competitors? Are they running their own business from your facilities while they are on your clock? Your computer forensics experts should be uniquely qualified to answer these questions and many more. Don't trust these sensitive inquiries to companies that don't have the required expertise. Trust no one!

For a detailed discussion of the preceding computer forensics services, see Chapter 4, "Vendor and Computer Forensics Services."

Now, let's examine how evidence might be sought in a wide range of computer crime or misuse, including theft of trade secrets, theft or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods of discovering data that resides in a computer system or for recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or litigation.

BENEFITS OF PROFESSIONAL FORENSICS METHODOLOGY


The impartial computer forensics expertwho helpsduring discoverywill qpically haveexperience a wide rangeof computer hardwareand software.It is always on beneficialwhenyour case involveshardwareand softwarewith which this expertis directlyfamiliar,but fundamental computerdesign and software implemeniation is oftenquitesimilarfrom onesystem another. to Experience oneapplication in or operatingsystemareais often easilytransferable a new system. to Unlike paperevidence, computerevidence often existin many forms, with can versions accessible a computer earlier still on disk.Knowingthe possibility oftheir existence, alternate even formatsofthe same datacanbediscovered. discovery The process be served can well by a knowledgeable expertidentifying more possibilities that can be requested possiblyrelevantevidence. addition,during on-site as In premises inspections, cases for wherecomputerdisksare not actuallyseized or forensicallycopied,the forensicsexpert can more quickly identift placesto look, signsto look for, and additional information sources relevantevidence. for These maytakethe form of earlierversions datafiles(memos, of spreadsheets) still that existon the computer'sdisk or on backupmediaor differendy formatted versions (word processing, of data,eithercreated treated otler application or by programs spreadsheet, email,timeline,scheduling, graphic). or Protectionof evidence critical. A knowledgeable is computer forensics professionalshouldensure a subject that computersystem carefully is handledto ensure that I No possible evidence damaged, is destroyed, otherwise or compromised the by procedures used investigate computer to the

18

Computer Forensics, Second Edition

- No possible computer virus is introduced to a subject computer during the analysis process
- Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
- A continuing chain of custody is established and maintained
- Business operations are affected for a limited amount of time, if at all
- Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged [2].

Steps Taken by Computer Forensics Specialists


The computer forensics specialist needs to complete an Evidence Identification and Retrieval Checklist (as shown in Table F1.1 in Appendix F) [2]. He or she should take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject's computer system.

WHO CAN USE COMPUTER FORENSIC EVIDENCE?


Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists. These are as follows:
- Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found, including homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
- Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
- Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, and theft or misappropriation of trade secrets, and other internal and confidential information.
- Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
- Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.


However, there are concerns and problems with computer forensic evidence. Let's examine some of those problems.

Problems with Computer Forensic Evidence


Computer evidence is like any other evidence. It must be
- Authentic
- Accurate
- Complete
- Convincing to juries
- In conformity with common law and legislative rules (i.e., admissible) [5]

There are also special problems:
- Computer data changes moment by moment.
- Computer data is invisible to the human eye; it can only be viewed indirectly after appropriate procedures.
- The process of collecting computer data may change it in significant ways. The processes of opening a file or printing it out are not always neutral.
- Computer and telecommunications technologies are always changing, so that forensic processes can seldom be fixed for very long [5].

The Forensic Technician

Contrary to what is often thought, in many cases it is possible to produce reliable computer-derived evidence without recourse to specialist tools. The general principles are:
- The scene of crime has to be frozen; that is, the evidence has to be collected as early as possible and without any contamination.
- There must be continuity of evidence, sometimes known as chain of custody; that is, it must be possible to account for all that has happened to the exhibit between its original collection and its appearance in court, preferably unaltered.
- All procedures used in examination should be auditable; that is, a suitably qualified independent expert appointed by the other side in a case should be able to track all the investigations carried out by the prosecution's experts [5].
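The three principles above (freezing the scene, continuity of evidence, and auditable procedures), together with the earlier warning that the act of collecting computer data may itself change it, can be put into practice with a small amount of bookkeeping. The following Python script is an added example, not code from the book or from any organization it mentions: it records a cryptographic digest of an acquired image at collection time, re-checks a working copy against that record, and keeps a hash-chained custody log so that a later reviewer can tell if an entry was edited or removed. The image contents, examiner name, and evidence-bag identifier are constructed sample values, and the use of SHA-256 is my own choice.

```python
"""Evidence integrity record and hash-chained chain-of-custody log.

Added example for this chapter; the sample image and all names are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for an acquired disk image (a few "sectors" of a memo).
SAMPLE_IMAGE = b"MEMO: Q3 invoices approved for payment. " * 64 + b"\x00" * 512


def sha256_hex(data: bytes) -> str:
    """Digest of the image; any change to a single byte produces a different value."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(image: bytes, examiner: str, source: str) -> dict:
    """Freeze the scene: record what was collected, by whom, when, and its digest.

    This record is what the examiner later produces to show that the copy
    examined is the copy that was collected.
    """
    return {
        "source": source,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "sha256": sha256_hex(image),
    }


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash a working copy and compare it with the acquisition record."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def _entry_digest(body: dict) -> str:
    # Canonical JSON so that the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody log: each entry commits to the previous entry's digest,
    so inserting, deleting, or editing an entry breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self, acquisition: dict):
        self.entries: list = []
        self.append("acquired", acquisition["examiner"], acquisition)

    def append(self, action: str, handler: str, detail: Optional[dict] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "action": action,
            "handler": handler,
            "at": datetime.now(timezone.utc).isoformat(),
            "detail": detail or {},
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=_entry_digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; True only if the whole history is intact and in order."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False
            if _entry_digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    record = acquire_image(SAMPLE_IMAGE, "examiner-1", "laptop HDD (constructed)")
    log = CustodyLog(record)
    log.append("sealed", "examiner-1", {"bag": "E-0001"})
    log.append("transferred", "courier", {"to": "lab"})
    print("image intact:", verify_image(SAMPLE_IMAGE, record))
    print("custody log intact:", log.verify_chain())
```

The acquisition record and the log are what an independent expert for the other side would ask for: with them, the digest can be recomputed on the exhibit at any later date, and every hand-over between collection and court is accounted for in an order that cannot be quietly rewritten.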

Good results can be obtained by using the standard disk repair, network testing, and other utilities; however, complete records need to be kept. Even so, for some purposes these may not be enough, for example, where it is hoped to recover previously deleted material or where a logic bomb or virus is suspected. In these circumstances, specialist tools are needed. Special training is also required. The tools themselves don't address all of the problems of producing evidence that will stand up in court. Thus, the key features of the forensic technician are
- Careful methodology of approach, including record keeping
- A sound knowledge of computing, particularly in any specialist areas claimed
- A sound knowledge of the law of evidence
- A sound knowledge of legal procedures
- Access to and skill in the use of appropriate utilities [5]

Legal Tests

The rules vary from legislation to legislation, but one can give a broad outline of what happens in those countries with a common law tradition: the U.K., U.S., and the so-called old Commonwealth. The law makes distinctions between real evidence, testimonial evidence, and hearsay. Real evidence is that which comes from an inanimate object that can be examined by the court. Testimonial evidence is that which a live witness has seen and upon which he or she can be cross-examined. The hearsay rule operates to exclude assertions made other than those made by the witness who is testifying as evidence of the truth of what is being asserted. The pure hearsay rule is extremely restrictive and has been extensively modified by various statutory provisions. Thus, there are rules about the proving of documents and business books. Bankers' books have separate legislation. Some of the rules apply explicitly to computers, but many do not, although they can be (and have been) interpreted to cover many situations in which computers are involved. For example, in the U.K. there have been situations where legal rules presumably designed to help the court may in fact hinder it. In practice, these issues may be circumvented. For instance, in a criminal case, evidence may be obtained by inadmissible methods. This evidence, however, then points investigators to admissible sources of evidence for the same sets of circumstances. An example of this could occur during a fraud investigation. In other words, computer search methods are often used to identify allegedly fraudulent transactions, but the evidential items eventually presented in court are paper-based invoices, contract notes, dockets, or other documents. In this manner, the prosecution can demonstrate to the jury the deception or breach of the Companies Act or other specific fraudulent act.

Again, in civil litigation the parties may decide to jointly accept computer-based evidence (or not to challenge it) and instead concentrate on the more substantive elements in the dispute. A defendant may prefer to have a substantive defense rather than a technical one based on inadmissibility. Or, again, the legal team may not feel sufficiently competent to embark on a technical challenge.


In the U.S., many practical problems exist around the actual seizure of computers containing evidence. Law enforcement officers must comply with the Fourth Amendment to the U.S. Constitution.

Subject Matter of Computer Forensics


The subject matter of computer forensics can, thus, not be solely concerned with procedures and methods of handling computers, the hardware from which they are made up, and the files they contain. The ultimate aim of forensic investigation is its use in legal proceedings. At the same time, an obsession with common law and judicial rules is likely to inhibit many investigations. It might be a mistake for inquiries not to be commenced simply because of fear of possible inadmissibility. Furthermore, as we have already seen, a number of computer-investigatory methods may turn out not to be directly admissible but may nevertheless be useful in locating noncomputer evidence that is admissible. One may have to take a somewhat pragmatic view of the precise bounds of the subject matter, but it should still be possible to define its core activities. It might help to explore the way in which forensic science in general has developed and then see what expectations one might reasonably have of computer forensics. Although forensic science was already well established, and indeed forms a central feature of many of Conan Doyle's Sherlock Holmes stories published from 1892 onwards, up until the 1970s, each forensic scientist tended to develop his or her own methods and present them ad hoc to juries. Obviously, reliance was placed on descriptions of methods used by others, but for courts, the tests of whether to believe the forensic evidence were the manner of presentation: the supposed eminence of the forensic scientist and the skill of the opposition lawyer (or rival expert who might be called). During the 1970s, a more formal checklist-based approach was introduced. This was partly to bring about standardization as between different laboratories and partly in response to the criticism (in the U.K.) that arose over such controversial cases as the Birmingham Six. In the U.K. Home Office Forensic Service, these checklists were devised by senior staff.
Obviously, such checklists are revised in the light of experience: the publication of new specialist research or adverse experience during a trial. An increasingly used feature of modern practice is quality control, which involves work being checked by an otherwise uninvolved coworker before being offered to external scrutiny. In any event, the broad tests for evidence include

Authenticity: Does the material come from where it purports?
Reliability: Can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?
Completeness: Is the story that the material purports to tell complete? Are there other stories that the material also tells that might have a bearing on the legal dispute or hearing?
Freedom from interference and contamination: Are these levels acceptable as a result of forensic investigation and other post-event handling [5]?

Any approach to computer forensics would, thus, need to include the elements of
- Well-defined procedures to address the various tasks
- An anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness, and possible contamination as a result of the forensic investigation
- The possibility for repeat tests to be carried out, if necessary, by experts hired by the other side
- Checklists to support each methodology
- An anticipation of any problems in formal legal tests of admissibility
- The acceptance that any methods now described would almost certainly be subject to later modification [5]

Divergences from Conventional Forensic Investigation


There will be divergences from the expectations of more traditional areas of forensic investigation. The main reason is the rate of change of computer technology. The devisor of a test for the presence of a prohibited drug, an explosive, fabric fibers, bodily tissues, and the like, can expect that over a period of time, the test may be improved or shown to be defective, but the need for the test and most of its essential details will probably not change. However, in computers, newness and obsolescence is the norm. For example, a key feature of computer forensics is the examination of data media: new forms and methods of data storage occur at intervals of less than 4 years. The floppy disk of 13 years ago was in 5.25 inch format and held 360 k. The current equivalent is 3.5 inches and holds 1.44 MB, and much higher densities are expected soon. A typical hard-disk size on a PC of the same date was 20-30 MB, was in 5.25 inch form, and used modified frequency modulation (MFM) controller technology. Today most PCs have hard disks in excess of 1750 MB in 2.5 inch or even 1.5 inch form using integrated development environment (IDE) or run length limited (RLL) technology. On minis and mainframes, data may be held on redundant array of independent (or inexpensive) disks (RAID), where individual files may be split and spread over eight or more separate disk surfaces. Similar changes have taken place in tape technology and the use of erasable programmable read-only memory (EPROMs).

[Page 23 of the original chapter is largely illegible in this scan. The recoverable fragments read, in order: similar changes have taken place in the size and type of computers one might expect to find; the large central mainframe is now a rarity; modems and network routers are fairly common devices, and scanners are being used more and more; these provide opportunities for criminals and forensic investigators; the growth of email, both within large organizations and outside them; client/server architecture, in which several machines interact and the evidence of a transaction may be held on other machines; there is much greater use of formal methods in the design and testing of software, of libraries of program components, and of object-oriented methods of program development, which have also changed [5].]

As a result, computer forensic methods may not have the time in which to establish themselves, or the longevity, that more traditional chemistry- and physics-based forensics enjoy. Nevertheless, the usual way in which specific forensic methods become accepted is via publication in a specialist academic journal. For example, a forensic scientist seeking to justify a methodology in court can do so by stating that it is based on a specific published method that had not up to the point of the hearing been criticized. The rule of best practice refers to the use of the best practice, available and known at the time of the giving of evidence.

CASE HISTORIES
One of the fundamental principles of computer investigation is the need to follow established and tested procedures meticulously and methodically throughout the investigation. At no point of the investigation is this more critical than at the stage of initial evidence capture. Reproducibility of evidence is the key. Without the firm base of solid procedures, which have been strictly applied, any subsequent antirepudiation attempts in court will be suspect, and the case as a whole will likely be weakened.

There have been several recent high-profile cases where apparently solid cases have been weakened or thrown out on the basis of inappropriate consideration given to the integrity and reproducibility of the computer evidence. This may happen for several reasons. Lack of training is a prime culprit. If the individuals involved have not been trained to the required standards, or have received no training at all, then tainted or damaged computer evidence is the sad but inevitable result.

Another frequent cause is lack of experience. Not only lack of site experience, but also inappropriate experience of the type of systems that might be encountered. One of the most difficult on-site skills is knowing when to call for help. It is essential that a sympathetic working environment is created such that peer pressure or fear of loss of status and respect does not override the need to call for help. Easier said than done, perhaps, but no less essential for that reason.

Finally, sloppiness, time pressure, pressure applied on-site, fatigue, and carelessness have all been contributory factors in transforming solid computer evidence into a dubious collection of files. These totally avoidable issues are related to individual mental discipline, management control and policy, and selecting appropriate staff to carry out the work. There are issues with which one cannot sympathize. This is bad work, plain and simple.


Ultimately, any time the collection of computer evidence is called into question, it is damaging to everyone who is a computer forensic practitioner; it is in everyone's best interest to ensure that the highest standards are maintained. To use a rather worn phrase from an old American police series (Hill Street Blues): "Let's be careful out there!"

Taken for a Ride

A sad, but all too frequent story from prospective clients: I've just spent $15,000 on a Web site and got taken for a ride. I cannot find the con man now and all I have is an alias and a pay-as-you-go mobile number. Can you help me please?

What Can You Do?

It is strongly recommended that people dealing with entities on the Internet need to make sure they know who they are dealing with before they enter into any transaction or agreement. If you cannot obtain a real-world address (preferably within the jurisdiction in which you live), then think twice about going any further. Always question the use of mobile phone numbers; they should set alarm bells ringing! This task is made easier in the U.K., as all mobile numbers [6] start with 077xx, 078xx, or 079xx, and pagers with 076xx. From April 28, 2001, on, all old mobile, pager (those that do not begin 07), special rate, and premium rate numbers stopped working. If you do want to proceed with the transaction, then use a credit card rather than a debit card or other type of money transfer; then at least you will have some protection and only be liable for $50 rather than having your entire bank account cleaned out.

In terms of tracing a suspect like the one in the preceding, your computer forensic experts should be able to trace emails around the world; and, by acting quickly and in conjunction with legal firms, they should be able to track individuals down to their homes. An application for a civil search order can then quickly allow entry, and the experts will be able to secure all electronic evidence efficiently. Internet cafés are sometimes more of a problem, but it is remarkable how many users go to the trouble of trying to disguise their tracks only to end up sitting in exactly the same seat every time they visit the same café. So, yes, your computer forensic experts can help, but by taking the proper precautions, you would not need to call them in the first place.

Abuse of Power and Position

This message is by no means new; in fact, it could be said that it has been repeated so many times in so many forums that it is amazing that management still falls foul of the following circumstances. In recent months, investigators at Vogon International Limited [7] have been asked to examine computer data for evidence of fraud. On one occasion, the client was a charity, and on the second, a multinational company.

In both cases, fraud totaling hundreds of thousands of dollars was uncovered. The modus operandi of the suspects was very similar in both cases. Bogus companies were set up and invoices were submitted for payment. The fraudsters were in a position to authorize the payment of the invoices and had the power to prevent unwelcome scrutiny of the accounts. In addition, one of the fraudsters was paying another member of the staff to turn a blind eye to what was happening. On further investigation, this member of the staff was obviously living beyond his means. The message is simple: whether you are a multinational company or a small business, the possibility of fraud is ever present. While not wishing to fuel paranoia, traditional checks and balances must be in place to ensure that those trusted members of the staff who have power cannot abuse their positions.

Secure Erasure
Now, let's touch on this "old chestnut" again, because it appears to be the source of considerable confusion and misinformation. Vogon's customer base seems to be polarized into two main camps [7]: those who desperately want to retain their data and fail, often spectacularly, to do so, and those who wish to irrevocably destroy their data, and frequently fail in a similarly dramatic manner. The latter may be criminals who wish to cover their tracks from the police or legitimate business organizations who wish to protect themselves from confidential information falling into the wrong hands. Fundamentally, the issues are the same. The legitimate destruction of data is ultimately a matter of management responsibility, which requires a considered risk analysis to be carried out. To the question, Can data be securely erased?, the answer is, self-evidently, yes. If you were to ask, Is it straightforward or certain?, it depends, would be the answer. Many systems are in use for securely erasing data from a wide range of media. Some are effective, some completely ineffective, and some partially effective. It is the latter situation that causes concern and, frequently, not an inconsiderable amount of embarrassment. Those systems that absolutely destroy data do so in a manner that is total, unequivocal, and final; there can exist no doubt as to their effectiveness. Systems that are sold as being completely effective but that are fundamentally flawed are obviously flawed. With only cursory analysis, this is evident, so these are (or should be) swiftly disregarded. Vogon is regularly asked to verify the destruction of data by many of their large clients [7]. What they find is that frequently only a fraction of a sample sent is correctly or accurately deleted. RAID systems are a prime candidate for chaos. Certain revisions of drive firmware can present special challenges; in some cases, even the software used defeats the eraser. The list of such software is long and growing.


Vogon is often asked for advice on this issue [7]. The answer is always the same. If the destruction of data has more value than the drive, physically destroy the drive: crushing is good; melting in a furnace is better. If the drive has more value than the data, what are you worrying about?
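The "partially effective" case described above, where a verification finds that only a fraction of a sample has actually been destroyed, is exactly what a post-erasure audit is meant to catch. The following Python script is an added example, not code from the book or from Vogon: it walks a drive image sector by sector, classifies each sector as constant-filled, random-filled, or still holding structured data, and separately searches for content markers that should not survive a wipe. The image is constructed to imitate a tool that gave up two thirds of the way through the drive; the 512-byte sector size, the CSV marker, and the entropy threshold are my assumptions, while the JPEG magic bytes are real.

```python
"""Auditing whether an erasure actually destroyed the data on a drive image.

Added example for this chapter; the image is constructed to imitate a partially
effective wipe, and the signatures and sector size are assumptions.
"""
import math
import random
from collections import Counter

SECTOR = 512

# Content markers that should not survive a successful wipe. The CSV header is a
# constructed marker for this example; the JPEG magic bytes are real.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image header",
    b"ACCOUNT,AMOUNT": "CSV header (constructed)",
}


def build_sample_image() -> bytes:
    """64-sector image: a 'partially effective' tool zero-filled sectors 0-39 and
    random-filled sectors 40-41, then stopped; sectors 42-63 still hold the data."""
    rng = random.Random(1)                      # seeded so the audit is reproducible
    zeroed = b"\x00" * SECTOR * 40
    randomized = rng.randbytes(SECTOR * 2)
    row = b"ACCOUNT,AMOUNT,PAYEE\n8871-22,15000.00,Bogus Supplies Ltd\n"
    residual = bytearray((row * 400)[:SECTOR * 22])
    residual[8 * SECTOR:8 * SECTOR + 4] = b"\xff\xd8\xff\xe0"   # JPEG in sector 50
    return zeroed + randomized + bytes(residual)


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: constant fill is 0, text is about 4, random is above 7."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_sector(sector: bytes) -> str:
    """constant: overwritten with one byte value; random: overwritten with noise;
    residual: structured content, i.e. the wipe did not reach it.

    Caveat: encrypted or compressed leftovers also look random, which is why
    the signature search is run as a second, independent check."""
    if len(set(sector)) == 1:
        return "constant"
    if shannon_entropy(sector) >= 7.0:
        return "random"
    return "residual"


def find_signatures(image: bytes) -> list:
    """(sector number, marker name) for every known content marker still present."""
    hits = set()
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.add((pos // SECTOR, name))
            start = pos + 1
    return sorted(hits)


def audit_image(image: bytes) -> dict:
    """Summarize how much of the image was really destroyed."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    counts = Counter(classify_sector(s) for s in sectors)
    signatures = find_signatures(image)
    return {
        "sectors": len(sectors),
        "counts": dict(counts),
        "residual_fraction": counts["residual"] / len(sectors),
        "signatures": signatures,
        "wipe_verified": counts["residual"] == 0 and not signatures,
    }


if __name__ == "__main__":
    report = audit_image(build_sample_image())
    print(f"{report['counts']} residual={report['residual_fraction']:.1%}")
    print("wipe verified:", report["wipe_verified"])
    for sector, name in report["signatures"]:
        print(f"  sector {sector}: {name}")
```

Run against the constructed image, the audit reports 40 constant, 2 random, and 22 residual sectors, names the sector that still carries a JPEG header, and refuses to mark the wipe as verified. Against a fully zero-filled image it passes. The two checks deliberately disagree in what they trust: the classifier cannot tell a random overwrite from an encrypted leftover, and the signature search only knows the markers it was given, so a wipe is accepted only when both are silent.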

CASE STUDIES
Over the years, Vogon's data-recovery laboratories have seen pretty much everything that can happen to a computer, no matter how incredible, whether it is a geologist who, in testing for minerals, inadvertently blew up his own laptop, or the factory worker who covered the computer running the production line in syrup. The list is now so long that the incredible has become almost mundane. Fortuitously, two in the latest long line of incredible recoveries occurred recently, so it seemed appropriate to include them as case studies.

Case Study One: The Case of the Flying Laptop

Picture the scene: the police rushing into premises on the ninth floor of a building. Almost immediately thereafter, a laptop accelerates rapidly groundward out of the window of the aforementioned premises. As long ago as 1687, Sir Isaac Newton predicted with uncanny accuracy the inevitable conclusion to this action: namely the laptop (or to be strictly accurate, a large number of pieces of a former laptop) coming to rest with a singular lack of grace on the ground. Luckily, no one was injured by the impact. The resultant bag of smashed laptop components arrived at Vogon's laboratory for a forensically sound data recovery [7]. The laptop computer had impacted [...] forcing the hard disk drive assembly [...]. The highly delicate spatial relationship [...] spindle had become disturbed, and imparted an oscillation in two dimensions during drive operation. The drive electronics were destroyed in the impact. After an evening's work by a highly skilled hardware engineer, it was determined that a full fix was possible, and a perfect image was taken. Vogon had no knowledge of whether the chap was guilty, but they bet he was in shock when the evidence was presented [7].

Case Study Two: The Case of the Burned Tapes

This case does not involve true forensic investigation, but it does highlight the fact that it is important never to give up on a job, no matter how seemingly hopeless it appears.


Sets of digital audio tape (DAT) tapes were sent to Vogon from a loss adjuster [7]. The DAT tapes were caught in a fire, which had engulfed a company's head office and wiped out the primary trading infrastructure. The company's IT systems had been at the center of the blaze, and this had unfortunately raised the magnetic media on the surface of the server's hard drives past its Curie point. The DAT tapes had, rather inadvisably as it turned out, not been stored off-site. They were, however, stored a little way from the center of the blaze. Despite this, the DAT tapes arrived in a rather sorry condition. The plastic casing had melted to, around, and onto the tapes, and the whole mechanism was fused into a homologous glob. It is fair to say the tapes were sent to Vogon with the full expectation that they would be declared unrecoverable and used as the basis from which to make a loss settlement [7]. This recovery involved hours of work from both hardware and tape recovery engineers. The tapes were carefully cut away from the molten mass and treated for fire damage. The next stage was to rehouse the tapes and pass them forward to the tape recovery team. Following a number of complex stages, the recovery team was able to extract a stream of data from the tapes that accounted for some 95% of the original data stored on the company's tape backups. The result was a company up and running in a matter of days rather than weeks, or, more likely, never. It also resulted in a significant reduction in the claims settlement by the loss adjuster and business continuity for the unfortunate company.

SUMMARY
Computers have appeared in the course of litigation for over 28 years. In 1977, there were 291 U.S. federal cases and 246 state cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database. In the U.K., there were only 20. However, as early as 1958, the computer's existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act. The following description is designed to summarize the issues rather than attempt to give a complete guide. As far as one can tell, noncontentious cases tend not to be reported, and the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties. Judges sought to allow computer-based evidence on the basis that it was no different from forms of evidence with which they were already familiar: documents, business books, weighing machines, calculating machines, films, and audiotapes. This is not to say that such cases were completely without difficulty; however, no new principles were required. Quite soon, though, it became apparent that many new situations were arising and that analogies to more traditional evidential material were beginning to break down. Some of these were tackled in legislation, as with the English 1968 act and the U.S. Federal Rules of Evidence in 1976, but many were addressed in a series of court cases.

Not all of the key cases deal directly with computers, but they do have a bearing on them as they relate to matters that are characteristic of computer-originated evidence. For example, computer-originated evidence or information that is not immediately readable by a human being is usually gathered by a mechanical counting or weighing instrument. The calculation could also be performed by a mechanical or electronic device. The focus of most of this legislation and judicial activity was determining the admissibility of the evidence. The common law and legislative rules are those that have arisen as a result of judicial decisions and specific law. They extend beyond mere guidance. They are rules that a court must follow; the thought behind these rules may have been to impose standards and uniformity in helping a court test authenticity, reliability, and completeness. Nevertheless, they have acquired a status of their own and in some cases prevent a court from making ad hoc common sense decisions about the quality of evidence. The usual effect is that once a judge has declared evidence inadmissible (that is, failing to conform to the rules), the evidence is never put to a jury, for a variety of reasons that will become apparent shortly. It is not wholly possible for someone interested in the practical aspects of computer forensics (that is, the issues of demonstrating authenticity, reliability, completeness, or lack thereof) to separate out the legal tests. Now let's look at some of the more common questions that computer forensics may be able to answer. The following conclusions are not exhaustive, nor is the order significant.

Conclusions
Documents: To prove authenticity; alternatively, to demonstrate a forgery. This is the direct analogy to proving the authenticity of a print-based document.
Reports: Computer generated from human input. This is the situation where a series of original events or transactions are input by human beings, but where, after regular computer processing, a large number of reports, both via print-out and on-screen, can be generated. Examples would include the order, sales, and inventory applications used by many commercial organizations and retail banking.
Real evidence: Machine-readable measurements and the like (weighing, counting, or otherwise recording events) and the reading of the contents of magnetic stripes and bar codes and smart cards.
Reports generated from machine-readable measurements: Items that have been counted, weighed, and so on, and the results then processed and collated.


Electronic transactions: To prove that a transaction took place or to demonstrate a presumption was incorrect. Typical examples include money transfers, ATM transactions, securities settlement, and EDIs.
Conclusions reached by search programs: These are programs that have searched documents, reports, and so on, for names and patterns. Typical users of such programs are auditors and investigators.
Event reconstruction: To show a sequence of events or transactions passing through a complex computer system. This is related to the proving of electronic transactions, but with more proactive means of investigation: event reconstruction, to show how a computer installation or process dependent on a computer may have failed. Typical examples include computer contract disputes (when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations, and failed trade situations in securities dealing systems.
Liability in a situation: This is where CAD designs have relied on autocompletion or filling-in by a program (in other respects, a CAD design is a straightforward computer-held document). Liability in a situation is also where a computer program has made a decision (or recommendation) based on the application of rules and formulae, where the legal issue is the quality and reliability of the application program, and the rules with which it has been fed.
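Two of the conclusions listed above, those reached by search programs and by event reconstruction, come together when the same transaction has left traces in more than one system. The following Python script is an added example, not code from the book: it parses two constructed logs with different layouts, normalizes one of them from local time to UTC so the events can be ordered truthfully, merges them into a single timeline, and then runs a pattern search over that timeline in the way an auditor would look for a payee or invoice number. The systems, the UTC+1 offset of the application server, the user name, and the invoice and account numbers are all assumptions made for the example.

```python
"""Event reconstruction and pattern search across two systems' logs.

Added example for this chapter. Both logs are constructed; the systems, time
zones, user names, and invoice numbers are assumptions made for the example.
"""
import re
from datetime import datetime, timedelta, timezone

# The payment application logs in local time (assumed UTC+1) with no zone marker.
APP_LOG = """\
2024-03-04 09:02:11 user=jsmith action=LOGIN result=OK
2024-03-04 09:05:40 user=jsmith action=APPROVE invoice=INV-4471 payee=ACCT-8871-22 amount=15000.00
2024-03-04 09:06:02 user=jsmith action=APPROVE invoice=INV-4472 payee=ACCT-8871-22 amount=14950.00
2024-03-04 09:09:13 user=jsmith action=LOGOUT result=OK
"""
APP_TZ = timezone(timedelta(hours=1))

# The Web front end logs in UTC, in a different layout.
WEB_LOG = """\
10.0.0.7 - - [04/Mar/2024:08:01:58 +0000] "POST /login HTTP/1.1" 302 jsmith
10.0.0.7 - - [04/Mar/2024:08:05:39 +0000] "POST /invoice/INV-4471/approve HTTP/1.1" 200 jsmith
10.0.0.7 - - [04/Mar/2024:08:06:01 +0000] "POST /invoice/INV-4472/approve HTTP/1.1" 200 jsmith
"""

WEB_RE = re.compile(
    r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "([^"]*)" (\d{3}) (\S+)')


def parse_app_log(text: str) -> list:
    """Local timestamps are normalized to UTC; the original string is kept too,
    because the examiner must be able to show the conversion that was applied."""
    events = []
    for line in text.splitlines():
        stamp, rest = line[:19], line[20:]
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=APP_TZ)
        events.append({"ts": local.astimezone(timezone.utc), "source": "app",
                       "raw_time": stamp, "text": rest})
    return events


def parse_web_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = WEB_RE.search(line)
        if not m:
            continue            # lines that do not match are skipped, not guessed at
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"ts": ts, "source": "web", "raw_time": m.group(1),
                       "text": f"{m.group(2)} status={m.group(3)} user={m.group(4)}"})
    return events


def build_timeline(*event_lists) -> list:
    """Merge events from all systems into one sequence ordered by normalized time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def search(timeline: list, pattern: str) -> list:
    """The 'search program' of the text: every event whose text matches the pattern."""
    rx = re.compile(pattern)
    return [e for e in timeline if rx.search(e["text"])]


def format_event(e: dict) -> str:
    return f"{e['ts'].strftime('%Y-%m-%d %H:%M:%S')}Z {e['source']:>3} {e['text']}"


if __name__ == "__main__":
    timeline = build_timeline(parse_app_log(APP_LOG), parse_web_log(WEB_LOG))
    for e in search(timeline, r"INV-\d+"):
        print(format_event(e))
```

Without the time-zone normalization the application's 09:05:40 approval would sort an hour after the Web request that triggered it, and the reconstructed sequence would be wrong in exactly the way an opposing expert would look for; keeping the raw timestamp alongside the normalized one lets the conversion be audited.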
The following occasions could arise in any of a number of forms of litigation:
- Civil matters
- Breach of contract
- Asset recovery
- Tort, including negligence
- Breach of confidence
- Defamation
- Breach of securities industry legislation and regulation or companies acts
- Employee disputes
- Copyright and other intellectual property disputes
- Consumer protection law obligations (and other examples of no-fault liability)
- Data protection legislation
- Criminal matters such as
  - Theft acts, including deception
  - Criminal damage
  - Demanding money with menaces
  - Companies law, securities industry and banking offenses
  - Criminal offenses concerned with copyright and intellectual property


  - Drug offenses
  - Trading standards offenses
  - Official secrets
  - Computer Misuse Act offenses
  - Pornography offenses

As mentioned earlier, the most likely situations are that computer-based evidence contributes to an investigation or to litigation and is not the whole of it.

An Agenda for Action
When completing the Principle Forensic Activities Checklist (as shown in Table F1.2 of Appendix F), the computer forensics specialist should adhere to the provisional list of actions for some of the principle forensic methods. The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these methods have been mentioned in passing already. Finally, let's move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and an optional team case project. The answers and solutions by chapter can be found in Appendix E.

CHAPTER REVIEW QUESTIONS AND EXERCISES

True/False


1. True or False? Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
2. True or False? Civil litigations cannot make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
3. True or False? Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
4. True or False? Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets, and other internal and confidential information.
5. True or False? Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of computer equipment.
