Forensic Computer Examination
By Daniel Hooper

In 1981, IBM introduced the personal computer (PC). One year later, there were 5.5 million PCs in the United States. Ten years later this number had increased to 65 million. According to the International Data Corp., 1997 shipments of computers should increase to 80.2 million units. Computers have gone from one computer for every four people to more than one computer shipped each year for every three people. Computers have become a fact of life in the United States. They are found in our homes, businesses, schools, and churches. Everywhere you look, you will find computers.
As more and more people use computers, more and more information of all kinds is being stored on them. This includes information that could be of interest to a client or have bearing on a civil or criminal case, such as evidence of financial fraud, embezzlement, wrongful termination, sexual harassment, theft, arson, workers' compensation fraud, age discrimination, child pornography, theft of trade secrets, or infidelity, just to name a few. In order to use this information, investigators must be able to locate and recover it.
Computers have been compared to filing cabinets, and this is true in a general sense. The computer's "filing cabinet" is usually the computer's hard drive, but it could be floppy disks, removable storage media such as ZIP drives or JAZ drives, or network drives. In some cases, it could be a hard drive on someone else's computer. Both the computer and the filing cabinet store information or files in "folders." Both the computer and the filing cabinet allow the user to add and remove information as he or she chooses, and both have a finite amount of space to store this information. This is where the similarity ends. Computers offer features that filing cabinets do not:

1. Computers use a hierarchical structure of folders or subdirectories to store files.
2. A hard drive can also be divided into separate drives or partitions, making it, in effect, two or more "filing cabinets."
3. If a file is removed from a filing cabinet, it is really gone, but DOS or Windows 95 delete commands do not actually eliminate any of the data in a file that is deleted. Rather, that portion of the hard drive is marked available, and the space can be written over if needed.
4. A filing cabinet stores only information that someone actually puts there, but computer programs routinely store information in the computer's "filing cabinet" without the owner's knowledge or consent. For instance, word processing programs routinely store backup files of the document that is currently being worked on. System programs routinely use portions of files currently in use to fill in blank or dead spots at the end of saved files. This means that portions of a document that is prepared or viewed on a computer could be stored in several locations on the computer's hard drive without the operator's knowledge.

There are several different ways to hide or protect files in the computer's "filing cabinet":
1. The easiest way to hide a file is to disguise it. The operator can give the file a "cover" name. For example, you could rename a WordPerfect document called "girlfriend.wpd" to "frd.dll". Changing only the extension would be obvious: no matter what the extension was on a file named "girlfriend," it would still merit investigation. Changing the extension to dll (a library file) would not keep WordPerfect from opening the file, but it could hide the file from view or keep the uninformed investigator from trying to open it.
2. The operator can mark a file as hidden. This will not keep the document from being opened, but it could keep an investigator from finding it.
3. Files can be placed in hidden folders, hidden partitions, or areas of the hard drive that are not normally used to store data and are hidden from most DOS or Windows 95 programs. Again, this will not keep a document from being opened, but it could keep the document from being found.
4. Files can be protected with passwords or encryption. Such protection will not hide a file, but it will prevent users who do not possess the password or encryption key from accessing the file.
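A disguised name only fools an examiner who trusts the extension. The check below is an added example, not code from the article or from the author's firm: it builds a constructed sample directory (invented names and contents) and compares each file's leading bytes against a small table of well-known signatures (WordPerfect documents begin with bytes FF 57 50 43, DOS/Windows executables and DLLs with "MZ"). A file whose content contradicts its extension is reported, which catches exactly the "girlfriend.wpd" renamed to "frd.dll" case above.

```python
"""Flag files whose leading bytes do not match what their extension claims.

Added example, not from the original article. The sample directory, its file
names and their contents are constructed for the demonstration.
"""
import os
import tempfile
from typing import Dict, List, Optional

# Leading bytes that identify a format regardless of the file name.
SIGNATURES: Dict[bytes, str] = {
    b"\xffWPC": "WordPerfect document",
    b"MZ": "DOS/Windows executable or DLL",
    b"%PDF": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
}

# What a given extension is expected to contain.
EXPECTED_BY_EXT: Dict[str, str] = {
    ".wpd": "WordPerfect document",
    ".dll": "DOS/Windows executable or DLL",
    ".exe": "DOS/Windows executable or DLL",
    ".pdf": "PDF document",
    ".png": "PNG image",
    ".zip": "ZIP archive",
}


def identify(head: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def check_file(path: str) -> dict:
    """Compare one file's signature with the expectation for its extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    ext = os.path.splitext(path)[1].lower()
    actual = identify(head)
    expected = EXPECTED_BY_EXT.get(ext)
    # Only a positive disagreement is a finding: an unknown signature, or an
    # extension we have no expectation for, is merely "unclassified".
    mismatch = expected is not None and actual is not None and actual != expected
    return {"name": os.path.basename(path), "ext": ext,
            "expected": expected, "actual": actual, "mismatch": mismatch}


def scan_tree(root: str) -> List[dict]:
    """Check every regular file under root; os.walk lists hidden files too."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            report.append(check_file(os.path.join(dirpath, name)))
    return report


def disguised_files(root: str) -> List[str]:
    """Names of files whose content contradicts their extension."""
    return [r["name"] for r in scan_tree(root) if r["mismatch"]]


def build_sample_tree() -> str:
    """Constructed sample directory (invented files); returns its path."""
    root = tempfile.mkdtemp(prefix="sigcheck_")
    samples = {
        "letter.wpd": b"\xffWPC" + b"\x00" * 60,        # genuine WordPerfect file
        "frd.dll": b"\xffWPC" + b"\x00" * 60,           # WordPerfect document renamed to .dll
        "helper.dll": b"MZ\x90\x00" + b"\x00" * 60,     # real DLL header, nothing to flag
        "notes.txt": b"plain text has no signature\n",  # unclassified, not flagged
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for entry in scan_tree(build_sample_tree()):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f"{entry['name']:12} {flag:9} looks like: {entry['actual']}")
```

Run against the sample tree, only frd.dll is reported; helper.dll carries a real executable header and notes.txt has no signature at all, so neither is a finding. Because the scan reads content rather than the directory listing's name or attributes, a file marked hidden (item 2) is checked the same way as any other.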
Data can also be damaged, destroyed, or altered without the user's knowledge or consent. Simply turning on a computer, with some operating systems, can change important information. A skilled user can rig a computer with bombs, booby traps, hot keys, or TSRs (terminate-and-stay-resident programs). These potentially destructive programs can destroy or change important data when an unauthorized user attempts to access the computer. A much more common cause of data loss is computer viruses. No matter what the cause or how it occurs, data loss can seriously damage a case. It can:
1. Cause valuable evidence or information to be lost.
2. Cause the court to throw out or not admit valuable evidence.
3. Cause the investigator and his or her firm to be found liable for monetary damages.
 
Data can be placed in many different places on a computer, both intentionally and unintentionally. Data can be hidden or protected in a variety of ways. Data can also be damaged, destroyed, or altered without the user's knowledge or consent. So, how do we safely find and recover all of the relevant data stored in the computer's "filing cabinet"? The answer is a professional forensic computer examination. A professional forensic computer examination will:
 
1. Protect original data. Whenever possible, two mirror image copies will be made of the original storage medium. Steps are taken during the mirror-image process to prevent any data from being written to the original medium. All forensic examinations will be made using one of these mirror images. The other image will be retained as an original copy. This allows the original medium to be returned to the owner while a pristine copy is retained for court.
2. Locate all relevant data, including data in deleted files, hidden files, disguised files, and protected files.
3. Recover all relevant data. As much data as physically possible will be recovered. Only data that have been overwritten by other files cannot be recovered.
4. Access protected files. Where possible and legal, password-protected or encrypted files will be accessed.
5. Provide professional documentation detailing who, what, where, why, and how information was safely located and recovered.
6. Provide expert testimony when required.
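The two ideas that run through the list above, that a DOS or Windows 95 delete only marks space available (feature 3 earlier) and that an examination works from verified mirror images and recovers everything not yet overwritten (items 1 to 3 here), can be shown together on a toy medium. The following is an added example, not code from the article or from the author's firm. Everything in it is constructed: a 512-byte "disk" with 32-byte clusters, an allocation bitmap, a directory, and invented file names and contents. Comparing the images' hashes against the source is a standard examiner step that the article's imaging description implies rather than spells out. WordPerfect documents begin with bytes FF 57 50 43.

```python
"""Toy model of DOS-style deletion, forensic imaging and recovery.

Added example, not from the original article. The disk layout, file names and
contents are all constructed for the demonstration.
"""
import hashlib
from typing import Dict, List, Tuple

CLUSTER = 32                 # bytes per cluster (tiny, for the demonstration)
CLUSTERS = 16                # 16 clusters = 512 bytes of "disk"
WPD_MAGIC = b"\xffWPC"       # leading bytes of a WordPerfect document


class ToyDisk:
    """Raw bytes plus the bookkeeping a simple file system keeps about them."""

    def __init__(self) -> None:
        self.data = bytearray(CLUSTER * CLUSTERS)
        self.in_use = [False] * CLUSTERS
        self.directory: Dict[str, List[int]] = {}

    def write_file(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // CLUSTER)          # ceiling division
        free = [i for i, used in enumerate(self.in_use) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, cluster in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            start = cluster * CLUSTER
            # Zero-pad the last cluster so the example is deterministic; a real
            # file system leaves old bytes (slack) in that unused tail.
            self.data[start:start + CLUSTER] = chunk.ljust(CLUSTER, b"\x00")
            self.in_use[cluster] = True
        self.directory[name] = free

    def delete_file(self, name: str) -> None:
        """DOS/Windows 95 style: drop the entry, mark clusters free, leave the bytes."""
        for cluster in self.directory.pop(name):
            self.in_use[cluster] = False


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def make_forensic_images(disk: ToyDisk) -> Tuple[str, bytes, bytes]:
    """Read the medium once, take two mirror images, verify both against the source hash."""
    source = bytes(disk.data)              # read-only snapshot of the medium
    working, evidence = bytes(source), bytes(source)
    reference = sha256(source)
    if sha256(working) != reference or sha256(evidence) != reference:
        raise RuntimeError("image verification failed")
    return reference, working, evidence


def carve_wpd(image: bytes) -> List[bytes]:
    """Recover WordPerfect documents by signature, ignoring the allocation bitmap."""
    found, c = [], 0
    while c < CLUSTERS:
        start = c * CLUSTER
        if image[start:start + len(WPD_MAGIC)] != WPD_MAGIC:
            c += 1
            continue
        end = c
        # Follow contiguous non-empty clusters; an all-zero cluster ends the file
        # (a simplification: real carvers use format-specific length or trailer rules).
        while end < CLUSTERS and any(image[end * CLUSTER:(end + 1) * CLUSTER]):
            end += 1
        found.append(image[start:end * CLUSTER].rstrip(b"\x00"))
        c = end
    return found


def run_demo() -> dict:
    disk = ToyDisk()
    disk.write_file("girlfriend.wpd", WPD_MAGIC + b"Dinner Friday at the usual place, eight.")
    disk.write_file("ledger.wpd", WPD_MAGIC + b"Transfer 4,500 to account ending 7731.")
    disk.delete_file("girlfriend.wpd")
    disk.delete_file("ledger.wpd")
    # A later save reuses the first free cluster, overwriting girlfriend.wpd's header.
    disk.write_file("readme.txt", b"Nothing to see here.")

    image_hash, working, evidence = make_forensic_images(disk)
    carved = carve_wpd(working)                   # examine the working copy only
    fragment_offset = working.find(b"eight")      # keyword search still finds the tail
    return {
        "image_hash": image_hash,
        "images_match": sha256(evidence) == image_hash,
        "carved": carved,
        "fragment_offset": fragment_offset,
        "original_intact": sha256(bytes(disk.data)) == image_hash,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Both deleted documents are gone from the directory, yet ledger.wpd is carved back whole from the working image because none of its clusters were reused. girlfriend.wpd lost its first cluster, signature included, to the later save, so signature carving cannot find it, but a keyword search over the same image still turns up the surviving tail at byte 38: overwritten data is lost, everything else remains. The examiner never writes to the original medium, and its hash still matches the reference at the end.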
 
A company that provides forensic computer examinations or computer investigative services will differ from data recovery companies in two main ways:
 
1. Data recovery companies are better equipped to handle data loss caused by equipment failure.
2. A company that provides forensic computer examinations will safely locate and recover relevant information in a manner that is admissible in court.
 
Companies that provide forensic computer examinations are growing in number, and most of them can be found on the Internet by searching for either "forensic computer examinations" or "computer investigative services." A good company will have investigators who are both trained and experienced in the type of computer platform you have. The majority of forensic investigators in the United States today are law enforcement employees. Most law enforcement training is provided by the International Association of Computer Investigative Specialists (IACIS) or by the Federal Law Enforcement Training Center at Glynco, Georgia. Both courses are similar in nature. The IACIS program provides a take-home certification process that fewer than 10 percent of the graduates complete. There are also several non-law-enforcement related companies providing forensic computer services.
Daniel Hooper is the owner of Westpark Investigations, a private investigative firm that specializes in computer investigative services. He has 20 years of law enforcement experience and is the Utah Department of Public Safety's forensic computer specialist. He completed the IACIS training course in 1995 and the IACIS "certification course" in April of 1996. Daniel is a member of the International Association of Computer Investigative Specialists, the American Association of Certified Fraud Examiners, the National Association of Investigative Specialists, and the Private Investigators Associations of Utah. He can be reached at (801) 856-9900, by e-mail at westpark@burgoyne.com, or via his Web page at http://www.burgoyne.com/pages/westpark/index.htm
RETURN TO NAIS NEWSLETTER ARTICLES