October 31, 1996 By Michael R. Anderson
While this could present a bleak picture for law enforcement, the use of personal computers by the criminal element can create a wealth of unique and valuable evidence that might not otherwise be available to investigators.
Fortunately for law enforcement computer evidence specialists, personal computers were never designed to be secure. As a result, sensitive data, passwords, time and date stamps and other potentially valuable information are written to bizarre locations on computer hard disk drives and floppy diskettes as part of the normal operating process. To the corporate, government or individual computer user this can be the source of serious computer security concerns. To an experienced "cybercop," it can be a dream come true.
Back in "the good old days," we knew very little about computers and attorneys and judges knew even less. But computer evidence is very fragile and can easily be altered, and the processing of such evidence for use in trial by an individual without proper training is like performing brain surgery with a pocket knife. It is important that only properly trained computer evidence specialists process computer evidence.
The first computer evidence courses were offered at the Federal Law Enforcement Training Center (FLETC) back in 1989. We've come a long way since then. Specialized software utilities to automate the search of large computer hard disk drives have been developed by folks like Steve Choy and Bill Haynes. The "electronic crime scene" can now be preserved with programs like SafeBack from Sydex Corp. Obscure data segments containing binary (nonreadable) data can now be filtered, making the contents easily printed or displayed using simple word processing software.
Most importantly, additional training courses have been spawned to deal with the demand for law enforcement and military forensic computer science training. Just recently, the University of New Haven, in West Haven, Conn., created a Forensic Technology Institute which is dedicated to such training. This is probably the first university to offer college credit and certification tied to computer evidence processing.
A Training and Research Institute was recently created at the National White Collar Crime Center to deal with law enforcement computer evidence training issues. Because of the demand, these much-needed institutions are welcomed and supplement the training courses already offered at FLETC and by SEARCH and The International Assn. of Computer Investigative Specialists
Obviously, a complete training course in forensic computer science is outside the scope of this article. However, following are some of the common mistakes that are made and some tips that may be helpful in the processing of computer evidence tied to DOS/Windows-based computer systems.
Mistake #1 -- Running the Computer
The first rule is to never run any programs on the computer in question without taking precautions -- e.g., write protection or by making a backup. Also, you should not boot or run the computer using the operating system on the computer in question. It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or through the modification of the operating system. For example, the simple DIR instruction, which is used to display the directory of a disk, can easily be rigged to reformat the hard disk drive.
You may use or reference this story with attribution and a link to