Electronic Fingerprints -- Computer Evidence Comes of Age

While the use of computers by criminals has become more common, seized computers have given law enforcement new sources of evidence.

by Michael R. Anderson / October 31, 1996
Personal computers have become an inexpensive yet powerful tool that can be used in the furtherance of almost any criminal activity. Criminal acts can easily be coordinated worldwide using the Internet, and criminal communications can easily be encrypted and thus secreted from law enforcement officials. Bomb-making recipes and other tools of terror can be shared worldwide over the Internet. The fruits of a crime can be recorded and tracked with computer spreadsheets and the particulars regarding criminal associates can be easily managed using computer databases.

While this could present a bleak picture for law enforcement, the use of personal computers by the criminal element can create a wealth of unique and valuable evidence that might not otherwise be available to investigators.

Fortunately for law enforcement computer evidence specialists, personal computers were never designed to be secure. As a result, sensitive data, passwords, time and date stamps and other potentially valuable information are written to bizarre locations on computer hard disk drives and floppy diskettes as part of the normal operating process. To the corporate, government or individual computer user this can be the source of serious computer security concerns. To an experienced "cybercop," it can be a dream come true.

PROGRESS
Back in "the good old days," we knew very little about computers, and attorneys and judges knew even less. Computer evidence, however, is very fragile and can easily be altered, and the processing of such evidence for use at trial by an individual without proper training is like performing brain surgery with a pocket knife. It is important that only properly trained computer evidence specialists process computer evidence.

The first computer evidence courses were offered at the Federal Law Enforcement Training Center (FLETC) back in 1989. We've come a long way since then. Specialized software utilities to automate the search of large computer hard disk drives have been developed by folks like Steve Choy and Bill Haynes. The "electronic crime scene" can now be preserved with programs like SafeBack from Sydex Corp. Obscure data segments containing binary (nonreadable) data can now be filtered, making the contents easily printed or displayed using simple word processing software.

Most importantly, additional training courses have been spawned to deal with the demand for law enforcement and military forensic computer science training. Just recently, the University of New Haven, in West Haven, Conn., created a Forensic Technology Institute which is dedicated to such training. This is probably the first university to offer college credit and certification tied to computer evidence processing.

A Training and Research Institute was recently created at the National White Collar Crime Center to deal with law enforcement computer evidence training issues. Because of the demand, these much-needed institutions are welcomed and supplement the training courses already offered at FLETC and by SEARCH and the International Association of Computer Investigative Specialists.

COMMON MISTAKES
Obviously, a complete training course in forensic computer science is outside the scope of this article. However, following are some of the common mistakes that are made and some tips that may be helpful in the processing of computer evidence tied to DOS/Windows-based computer systems.

Mistake #1 -- Running the Computer

The first rule is to never run any programs on the computer in question without taking precautions, e.g., write-protecting the media or making a backup first. Also, you should not boot or run the computer using the operating system on the computer in question. It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or through the modification of the operating system. For example, the simple DIR command, which is used to display the directory of a disk, can easily be rigged to reformat the hard disk drive.

After the data and the destructive program have both been destroyed, who is to say whether the computer was rigged or whether you were negligent in processing the computer evidence?

Mistake #2 -- Getting Help From the Computer Owner

It is a serious mistake to allow the owner of the computer to help you operate the computer in question. It's like asking some thug to help you unload the 9mm you just found under his car seat. Don't do it. In one case a few years ago, the defendant was asked to answer questions about the computer evidence and was allowed access to the seized computer. He later bragged to his buddies that he had encrypted relevant files "right under the noses of the cops" without their knowledge. The good news is that the computer specialists had made a bit-stream backup of the computer before giving the defendant access to it. As a result, his destructive act became another nail in the coffin at his trial.

Mistake #3 -- Not Checking for Computer Viruses

You can imagine how credible your testimony might be as the expert witness for the government if you were the one who infected the computer evidence with a computer virus. It might get even worse if you carry that a step further and infect several of the computers in the police department in the process. Always use fresh diskettes and check all diskettes and hard disk drives with good quality virus-scanning software.

Mistake #4 -- Not Taking Precautions in the Transport of Computer Evidence

Computer evidence is very fragile. Heat and magnetic fields can destroy or alter it in a very short period of time. The heat of summer in a car trunk or the magnetic field created by an operating police radio in the trunk of a squad car can ruin computer evidence. If a good defense attorney can show that you were negligent in storing or transporting the computer equipment, your case may be in jeopardy and you may spend some time in civil court defending your agency against a lawsuit.

HELPFUL TIPS
Tip #1 -- Perform Bit-Stream Backups

Normally, computer evidence is preserved by making an exact copy of the original evidence before any analysis is performed. It is not enough to just make copies of computer files using a conventional backup program. Valuable evidence may exist in the form of erased files, and the data associated with these files can only be preserved through a bit-stream backup.

Specialized software that performs this task, e.g., SafeBack, is available to law enforcement agencies. For floppy diskettes, the DOS Diskcopy program will suffice.
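As an added illustration (not the article's own code, and not a model of SafeBack or Diskcopy), the following Python script shows why a bit-stream image preserves what a file-level backup misses: the source is opened read-only, every sector is copied whether or not the directory still references it, and the image is hash-verified against the original before analysis. The four-sector disk layout, file names and "ERASED DRAFT" text are constructed for this example.

```python
import hashlib, tempfile
from pathlib import Path

SECTOR = 512  # toy disk geometry, constructed for this example

def bitstream_image(src, dst, chunk=1 << 20):
    """Copy src to dst byte for byte (allocated and unallocated sectors alike) and
    return SHA-256 digests of what was read and what was written, for verification."""
    h_src, h_dst = hashlib.sha256(), hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:  # source opened read-only
        for block in iter(lambda: fin.read(chunk), b""):
            h_src.update(block)
            fout.write(block)
    with open(dst, "rb") as f:  # re-read the image so the digest reflects what is on disk
        for block in iter(lambda: f.read(chunk), b""):
            h_dst.update(block)
    return h_src.hexdigest(), h_dst.hexdigest()

def file_level_copy(src, dst):
    """Model of a conventional backup: copy only the sectors the directory (sector 0)
    still points at. An erased file has no directory entry, so its sector is skipped."""
    disk = Path(src).read_bytes()
    with open(dst, "wb") as out:
        out.write(disk[:SECTOR])
        for entry in disk[:SECTOR].rstrip(b"\0").decode().splitlines():
            sector = int(entry.split(":")[1])
            out.write(disk[sector * SECTOR:(sector + 1) * SECTOR])

def build_sample_disk(path):
    """Constructed toy disk: sector 0 is the directory, sectors 1-2 hold live files,
    sector 3 still holds the bytes of a file whose directory entry was erased."""
    sectors = [b"memo.txt:1\nledger.csv:2\n",
               b"Memo: quarterly figures attached",
               b"date,amount\n1996-10-01,4200",
               b"ERASED DRAFT: second set of books kept on the home PC"]
    Path(path).write_bytes(b"".join(s.ljust(SECTOR, b"\0") for s in sectors))

def demo():
    """Image the sample disk both ways and report what each copy preserved."""
    d = Path(tempfile.mkdtemp())
    src, img, bak = (d / n for n in ("evidence.dd", "image.dd", "backup.dd"))
    build_sample_disk(src)
    h_src, h_img = bitstream_image(src, img)
    file_level_copy(src, bak)
    image, backup = img.read_bytes(), bak.read_bytes()
    return {"hashes_match": h_src == h_img, "image_size": len(image), "backup_size": len(backup),
            "erased_in_image": b"ERASED DRAFT" in image, "erased_in_backup": b"ERASED DRAFT" in backup}
```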

Tip #2 -- Check Temporary Files

Word processing programs and database programs create temporary files as a byproduct of the normal operation of the software. Most computer users are unaware of the creation of these files because they are usually erased by the program at the end of the work session. However, the data contained within these erased files can prove to be most valuable from an evidence standpoint. This is particularly true when the source file has been encrypted or the word processing document was printed but never saved to disk. Like magic, these files can be recovered.

Tip #3 -- Check the Windows Swap File

The popularity of Microsoft Windows has brought with it some added benefits for computer investigators in their quest for new sources of computer evidence. The Windows swap file acts as a huge data buffer, and many times fragments of data or even an entire word processing document may end up in this file. As a result, careful analysis of the swap file can result in the discovery of valuable evidence when Windows is involved.

Tip #4 -- Make Document Comparisons

Many times duplicate word processing files may be found on computer hard disk drives and/or floppy diskettes. Subtle changes or differences between versions of the same document may have evidentiary value. These differences can easily be identified through the use of the redline and compare features of most modern word processing programs. This trick alone can save countless hours of time that could be wasted making manual comparisons from one document to another. Because the resulting file is modified by the word processor, be sure to work from copies.
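An added example of the comparison the tip describes, written here in Python rather than with a word processor's redline feature (it is not the article's code): a word-level compare of two versions of the same document that lists every differing span and renders it in redline style, so a changed figure or name stands out. The two memo versions are constructed for this example and stand in for the working copies the tip says to compare.

```python
import difflib

def redline(old_text, new_text):
    """Word-level comparison of two versions of a document. Returns one
    (change, old_words, new_words) tuple per differing span, so a changed
    figure or a dropped name stands out without reading both copies in full."""
    old, new = old_text.split(), new_text.split()
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [(tag, " ".join(old[i1:i2]), " ".join(new[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]

def redline_text(old_text, new_text):
    """Render the same comparison in redline style: [-deleted-] {+inserted+}."""
    old, new = old_text.split(), new_text.split()
    parts = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=old, b=new, autojunk=False).get_opcodes():
        if tag == "equal":
            parts.append(" ".join(old[i1:i2]))
            continue
        if i2 > i1:  # words present only in the older version
            parts.append("[-" + " ".join(old[i1:i2]) + "-]")
        if j2 > j1:  # words present only in the newer version
            parts.append("{+" + " ".join(new[j1:j2]) + "+}")
    return " ".join(parts)

# Constructed sample: two copies of one memo, opened from working copies, never the originals.
VERSION_A = "Invoice 1042 for consulting services, total $4,200, approved by J. Smith on 3 Oct."
VERSION_B = "Invoice 1042 for consulting services, total $2,400, approved by R. Jones on 3 Oct."
```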

The popularity of computers in society today has changed the evidence rules a bit, but this technology has provided investigators with potential sources of evidence and information that did not previously exist.

Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the fields of forensic computer science and artificial intelligence. Anderson pioneered the development of federal and international training courses that have evolved into the standards used by law enforcement agencies worldwide in the processing of computer evidence.

He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in the prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929, Gresham, OR 97030. E-mail <mrande@teleport.com>.

