- In 1981, IBM introduced the personal computer (PC). One year later,
there were 5.5 million PCS in the United States. Ten years later this number
had increased to 65 million. According to the International Data Corp,
1997 shipments of computers should increase to 80.2 million units. Computers
have gone from one computer for every four people to more than one computer
shipped each year for every three people. Computers have become a fact
of life in the United States. They are found in our homes, businesses,
schools, and churches. Everywhere you look, you will find computers.
- As more and more people use computers, more and more information of
all kinds is being stored on them. This includes information that could
be of interest to a client or have bearing on a civil or criminal case,
such as evidence of financial fraud, embezzlement, wrongful termination,
sexual harassment, theft, arson, workers compensation fraud, age discrimination,
child pornography, theft of trade secrets, or infidelity, just to name
a few. In order to use this information, investigators must be able to
locate and recover it.
- Computers have been compared to filing cabinets, and this is true in
a general sense. The computers. A filing cabinet@ is usually the computers
hard drive, but it could be floppy disks, removable storage media such
as ZIP drives or JAZ drives, or network drives. In some cases, it could
be a hard drive on someone elses computer. Both the computer and the filing
cabinet store information or files in A folders.@ Both the computer and
the filing cabinet allow the user to add and remove information as he or
she chooses, and both have a finite amount of space to store this information.
This is where the similarity ends. Computers offer features that filing
cabinets do not:
- 1. Computers use a hierarchical structure of folders
or subdirectories to store files.
- 2. A hard drive can also be divided into separate
drives or partitions making it, in effect, two or more Afiling cabinets.@
- 3. If a file is removed from a filing cabinet, it
is really gone, but DOS or Windows 95 delete commands do not actually eliminate
any of the data in a file that is deleted. Rather, that portion of memory
on the hard drive is marked available, and the space can be written over
- 4. A filing cabinet stores only information that someone
actually puts there, but computer programs routinely store information
in the computer=s
without the owner=s
knowledge or consent. For instance, word processing programs routinely
store backup files of the document that is currently being worked on. System
programs routinely use portions of files currently in use to fill in blank
or dead spots at the end of saved files. This means that portions of a
document that is prepared or viewed on a computer could be stored in several
locations on the computer=s
hard drive without the operator=s
- There are several different ways to hide or protect files
in the computer
- =s Afiling
- 1. The easiest way to hide a file is to disguise it.
The operator can give the file a Acover@
name. For example: You could rename a WordPerfect document called Agirlfriend.wpd@
The change of girlfriend would be obvious. No matter what the extension
was on a file named Agirlfriend,@
it would still merit investigation. Changing the extension to dll (a library
file) would not keep WordPerfect from opening the file, but it could hide
the file from view or keep the uninformed investigator from trying to open
- 2. The operator can mark a file as hidden. This will
not keep the document from being opened, but it could keep an investigator
from finding it.
- 3. Files can be placed in hidden folders, hidden partitions,
or areas of the hard drive that are not normally used to store data and
are hidden from most DOS or Windows 95 programs. Again, this will not keep
a document from being opened, but it could keep the document from being
- 4. Files can be protected with passwords or encryption.
Such protection will not hide a file, but it will prevent users who do
not possess the password or encryption key from accessing the file.
- Data can also be damaged, destroyed, or altered without
knowledge or consent. Simply turning on a computer, with some operating
systems, can change important information.
A skilled user can rig a computer
with bombs, booby traps, hot keys, or TSRs. These potentially destructive
programs can destroy or change important data when an unauthorized user
attempts to access the computer. A much more common cause of data loss
is computer viruses. No matter what the cause or how it occurs, data loss
can seriously damage a case. It can:
- 1. Cause valuable evidence or information to be lost.
- 2. Cause the court to throw out or not admit valuable
- 3. Cause the investigator and his or her firm to be
found liable for monetary damages.
- Data can be placed in many different places on a computer,
both intentionally and unintentionally. Data can be hidden or protected
in a variety of ways. Data can also be damaged, destroyed, or altered without
knowledge or consent. So, how do we safely find and recover all of the
relevant data stored in the computer=s
The answer is a professional forensic computer examination. A professional
forensic computer examination will:
- 1. Protect original data. Whenever possible, two mirror
image copies will be made of the original storage medium. Steps are taken
during the mirror-image process to prevent any data from being written
to the original medium. All forensic examinations will be made using one
of these mirror images. The other image will be retained as an original
copy. This allows the original medium to be returned to the owner while
a pristine copy is retained for court.
- 2. Locate all relevant data, including data in deleted
files, hidden files, disguised files, and protected files.
- 3. Recover all relevant data. As much data as physically
possible will be recovered. Only data that have been overwritten by other
files cannot be recovered.
- 4. Access protected files. Where possible and legal,
password-protected or encrypted files will be accessed.
- 5. Provide professional documentation detailing who,
what, where, why, and how information was safely located and recovered.
- 6. Provide expert testimony when required.
- A company that provides forensic computer examinations
or computer investigative services will differ from data recovery companies
in two main ways:
- 1. Data recovery companies are better equipped to
handle data loss caused by equipment failure.
- 2. A company that provides forensic computer examinations
will safely locate and recover relevant information in a manner that is
admissible in court.
- Companies that provide forensic computer examinations
are growing in number, and most of them can be found on the Internet by
searching for either forensic computer examinations or computer investigative
services. A good company will have investigators that are both trained
and experienced in the type of computer platform you have. The majority
of forensic investigators in the United States today are law enforcement
employees. Most law enforcement training is provided by the International
Association of Computer Investigative Specialists (IACIS) or by the Federal
Law Enforcement Training Center at Glyncoe, Georgia. Both courses are similar
in nature. The IACIS program provides a take-home certification process
that fewer than 10 percent of the graduates complete. There are also several
non-law-enforcement related companies providing forensic computer services.
- Daniel Hooper is the owner of Westpark Investigations,
a private investigative firm that specializes in computer investigative
services. He has 20 years of law enforcement experience and is the Utah
Department of Public Safety=s
forensic computer specialist. He completed the IACIS training course in
1995 and the IACIS Acertification
in April of 1996. Daniel is a member of the International Association of
Computer Investigative Specialists, the American Association of Certified
Fraud Examiners, the National Association of Investigative Specialists,
and the Private Investigators Associations of Utah. He can be reached at:
(801) 856-9900, E-mail email@example.com
or Web page http://www.burgoyne.com/pages/westpark/index.htm