Evidence Processing: Computer Autopsy

Part 2 of a series on seizing and handling computer evidence: the basics of computer evidence processing.

by Michael R. Anderson / September 30, 1997
Forensic computer science deals with the preservation and processing of computer evidence. Forensics is basically the application of science to the evidentiary process. In the case of computer evidence, the science is computer science and the evidence is data stored in any number of forms on a variety of computer storage media. Some have likened computer forensics to the autopsy of a computer. Precision and accuracy are essential in processing computer evidence, and they cannot be achieved without the right set of tools. To do otherwise would be like trying to do brain surgery with a pocket knife.

Law enforcement agencies are woefully underfunded. This is especially true regarding computer evidence and related technology issues. It is tough enough for law enforcement management to pay salaries and keep a fleet of vehicles running in these tight budgetary times. However, computer evidence is here to stay, and every law enforcement agency will have to deal with computer evidence issues in time. The good news is that the price of computer technology is at an all-time low. An adequate setup that meets the minimum requirements for most small law enforcement departments can be purchased for under $6,000. This includes both computer hardware and software.

Back Up

It is important to preserve computer evidence and safely transport the seized computer to a secure location so that a bit stream backup can be made of all computer media. This is required before processing the evidence, to avoid triggering destructive processes that may have been planted in the computer by the crooks. It also avoids accidentally overwriting data stored in the form of erased files, in the Windows swap file and in file slack. To process computer evidence without making a bit stream backup of the "best evidence" is playing with fire; you are going to get burned badly at some point. The catch is that you must have the proper tools before the evidence can be backed up and processed.

The price of computer hard-disk drives has dropped substantially over the past year. As a result, forensic computer specialists are encountering large volumes of potential evidence stored on huge hard-disk drives. To put this in perspective, 10 years ago a 20 megabyte hard-disk drive was considered standard. Today it is not uncommon for a desktop computer to have multiple hard-disk drives with storage capacities exceeding 2 gigabytes (GB) per drive. For those unfamiliar with these terms, a 20 megabyte hard-disk drive can store approximately 20 million characters of data; a 2GB hard-disk drive can store approximately 100 times that. To make matters worse from a computer evidence standpoint, 5GB hard-disk drives are now available and will surely find their way into police evidence lockers.

These small storage devices are not much bigger than a deck of cards, but they can hold the content of hundreds of thousands of printed pages. For these reasons, plan on spending some money on hard-disk drives and storage media.

Even after making a bit stream backup, processing should rarely be done on the seized computer. To do so could subject the seized computer to excessive wear and tear, and your worst nightmare might involve expert testimony in court about how you came to break the subject computer. To avoid living this nightmare, always plan on restoring the bit stream backup made from the seized computer to a law enforcement computer and working on that copy. A lightning fast computer is normally not required. With the exception of some specialized automated fuzzy logic forensic tools, most forensic software tools operate quite nicely on lower-end Pentium-based computers or the equivalent, e.g. a Pentium 133MHz to 150MHz. However, plenty of storage capacity is a requirement, and it is also a good idea to buy at least 64MB of Random Access Memory (RAM) to ensure that you can run and evaluate the software retrieved from the seized computer.
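As an added illustration of what the bit stream backup described above captures, and of how its integrity is checked after it is restored to the lab machine, here is a small Python model. It is not SafeBack or any other tool named in this article. The "seized drive" is a constructed four-sector byte string; the file names and contents are hypothetical; on a real acquisition the source would be the write-blocked device node of the seized drive and the hash would go into the evidence log.

```python
"""Bit-stream backup with acquisition-hash verification (added illustration).

Not SafeBack or any tool from the article. The drive below is a constructed
bytes object standing in for a raw device; in practice the source would be the
write-blocked device node of the seized drive.
"""
import hashlib
import io

SECTOR = 512

# Constructed sample content (hypothetical, not real evidence). The directory
# knows about the live file only; the erased file and the slack do not appear
# in it, which is exactly why a file-by-file copy misses them.
LIVE_FILE = b"MEMO.TXT: meeting moved to Tuesday\r\n"
SLACK_RESIDUE = b"<< old draft: wire the funds to acct 4471 >>"
ERASED_FILE = b"INVOICE.DOC (erased): paid 12,000 in cash"
DIRECTORY = [("MEMO.TXT", 0, len(LIVE_FILE))]  # (name, start sector, length)


def build_sample_drive() -> bytes:
    """Sector 0: live file plus slack; sector 1: erased file; sectors 2-3 unused."""
    sector0 = (LIVE_FILE + SLACK_RESIDUE).ljust(SECTOR, b"\x00")
    sector1 = ERASED_FILE.ljust(SECTOR, b"\x00")
    return sector0 + sector1 + bytes(SECTOR * 2)


def logical_copy(drive: bytes, directory) -> bytes:
    """What an ordinary file copy yields: only the bytes the directory points at."""
    return b"".join(drive[s * SECTOR:s * SECTOR + n] for _, s, n in directory)


def image_device(src, dst, block_size: int = 64 * 1024):
    """Copy every byte of src to dst; return (sha256 of bytes read, byte count).

    The copy never consults the file system, so allocated data, file slack and
    unallocated space are all carried across. An empty read marks the end of
    the device. Hashing while copying yields the acquisition hash.
    """
    h = hashlib.sha256()
    total = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        h.update(block)
        dst.write(block)
        total += len(block)
    dst.flush()
    return h.hexdigest(), total


def hash_stream(stream, block_size: int = 64 * 1024) -> str:
    """Hash an image (or a restored drive) in blocks, for later verification."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(stream, acquisition_hash: str) -> bool:
    """True if the stream still hashes to the value recorded at acquisition."""
    return hash_stream(stream) == acquisition_hash


def run_imaging_demo() -> dict:
    drive = build_sample_drive()
    dst = io.BytesIO()
    acq_hash, nbytes = image_device(io.BytesIO(drive), dst)
    image = dst.getvalue()

    tampered = bytearray(image)
    tampered[SECTOR + 10] ^= 0xFF  # flip one byte inside the erased file
    return {
        "bytes_imaged": nbytes,
        "image_verifies": verify_image(io.BytesIO(image), acq_hash),
        "tampered_verifies": verify_image(io.BytesIO(bytes(tampered)), acq_hash),
        "erased_in_logical_copy": ERASED_FILE in logical_copy(drive, DIRECTORY),
        "erased_in_image": ERASED_FILE in image,
        "slack_in_image": SLACK_RESIDUE in image,
    }


if __name__ == "__main__":
    for key, value in run_imaging_demo().items():
        print(f"{key}: {value}")
```

The comparison with logical_copy is the point made above: a file-by-file copy carries only what the directory points at, while the bit stream image also carries the erased file and the slack. Record the acquisition hash, and re-run the verification on the restored copy on the lab computer before any processing begins; a single changed byte, as in the tampered case, is enough to fail it.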


Flexibility is the name of the game when you create a computer system that will process computer evidence. You must prepare to deal with the seizure of a variety of computer systems and equipment configurations. As a result, it is wise to equip your processing computer with multiple floppy disk drives, a color SVGA monitor and plenty of external storage capacity to supplement the onboard hard disk drives. Opinions may vary, but I recommend the following hardware configuration as a minimum system for use in computer evidence processing:

* Pentium 133MHz or equivalent tower desktop computer

* SVGA 14-inch color monitor

* Two 5GB hard-disk drives

* One Iomega Zip disk drive

* One SyQuest SyJet (or Iomega Jaz) disk drive

* One 5.25-inch, 1.2MB floppy disk drive

* One 3.5-inch, 1.44MB floppy disk drive

* One CD-ROM (8x recommended)

* One Uninterruptible Power Supply (UPS)

* One laser printer (6 pages per minute recommended)

The recommended system should meet the computer evidence needs of most small- to medium-size law enforcement agencies. As stated, this is the minimum system configuration, and it should be supplemented with an adequate supply of floppy disks and storage cartridges, e.g. Zip disks. Further, I strongly recommend the use of a second law enforcement notebook computer for documentation purposes. When the processing computer is used to document findings, there is a potential for parts of the text in the reports to "cross pollinate" the backup copies of the evidence. The culprit is the potential for a memory dump into file slack: DOS writes files in whole sectors and pads the last sector of a file with whatever happens to be in memory, so fragments of a report being typed on the processing computer can land in the slack of files written to the evidence copy. By using a separate computer to document findings, this potential problem is eliminated. Inexpensive notebook computers can be purchased for under $1,000 and may come in handy for other tasks in the department as well.
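An added model of the slack mechanism behind that caution, written in Python and not taken from the article or from any tool it names. The toy disk writes files in whole sectors and fills the last sector from a constructed in-memory buffer, the way DOS flushed a full sector from its buffer; a physical keyword search then finds the report text in file slack on the contaminated disk and nowhere on a disk written by a machine that never held the report. The disk size, file names, report text and erased-file residue are all constructed, and the model uses one-sector clusters for simplicity.

```python
"""File slack and report "cross pollination", modelled in Python (added illustration).

Not code from the article or from any tool it names. A file is written in whole
sectors; the bytes between the end of its data and the end of its last sector
(file slack) come from whatever the write buffer held. All names and contents
below are constructed.
"""
SECTOR = 512


class ToyDosDisk:
    """Sector-addressed disk with a directory of name -> (start sector, length)."""

    def __init__(self, sectors: int):
        self.raw = bytearray(SECTOR * sectors)
        self.directory = {}
        self.next_free = 0

    @staticmethod
    def sectors_for(length: int) -> int:
        return max(1, -(-length // SECTOR))  # ceiling division, at least one sector

    def write_file(self, name: str, data: bytes, memory: bytes = b"") -> None:
        """Write `data` in whole sectors, padding the last one from `memory`.

        This is the slack-creating step: the final sector is flushed from a
        buffer holding the file's tail followed by whatever else was in
        memory, which is how report text on a processing computer can end up
        inside the slack of files written to an evidence copy.
        """
        n = self.sectors_for(len(data))
        buf = (data + memory)[: n * SECTOR].ljust(n * SECTOR, b"\x00")
        off = self.next_free * SECTOR
        self.raw[off:off + n * SECTOR] = buf
        self.directory[name] = (self.next_free, len(data))
        self.next_free += n

    def classify(self, offset: int) -> str:
        """Region a byte offset falls in: allocated data, file slack or unallocated."""
        for name, (start, length) in self.directory.items():
            begin = start * SECTOR
            if begin <= offset < begin + length:
                return f"allocated:{name}"
            if begin + length <= offset < begin + self.sectors_for(length) * SECTOR:
                return f"slack:{name}"
        return "unallocated"

    def search(self, keyword: bytes):
        """Physical keyword search: every hit in the raw image, with its region."""
        hits, pos = [], self.raw.find(keyword)
        while pos != -1:
            hits.append((pos, self.classify(pos)))
            pos = self.raw.find(keyword, pos + 1)
        return hits


def run_slack_demo() -> dict:
    # Constructed: a 100-byte evidence file restored to the working disk.
    evidence = b"LEDGER.TXT contents: " + b"x" * 79
    # Constructed: an examiner's report that happens to be sitting in memory.
    report = b"CASE 97-0412 findings: suspect used alias JMORGAN; see Exhibit C. "
    # Constructed: residue of an erased file already present on the disk.
    residue = b"fragment of an erased file"

    contaminated = ToyDosDisk(sectors=8)
    contaminated.raw[3 * SECTOR:3 * SECTOR + len(residue)] = residue
    contaminated.write_file("LEDGER.TXT", evidence, memory=report)

    clean = ToyDosDisk(sectors=8)  # the report was never in this machine's RAM
    clean.write_file("LEDGER.TXT", evidence)

    return {
        "report_in_slack": contaminated.search(b"JMORGAN"),
        "report_on_clean_disk": clean.search(b"JMORGAN"),
        "live_data": contaminated.search(b"LEDGER.TXT"),
        "erased_residue": contaminated.search(b"fragment"),
    }


if __name__ == "__main__":
    for region, hits in run_slack_demo().items():
        print(region, hits)
```

The search reports each hit with its region, which is what a text search utility needs to tell the examiner: a hit at offset 142 tagged as slack of LEDGER.TXT is not part of the file's data and, on the contaminated disk, is the examiner's own report rather than anything the suspect wrote. Keeping the report on a separate computer, as recommended above, is what makes the clean disk come up empty.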

The Forensic Computer Setup

Computer evidence processing can't begin without forensic software tools. The recommended tool kit should include the following:

* MS-DOS 6.22 (DOS 7.0 is not recommended)

* Disk management software, to take full advantage of large hard disks under DOS

* Norton Disk Edit

* A bit stream backup utility (SafeBack by Sydex is recommended)

* A virus scanning utility

* A DOS shell utility with file view

* Password recovery utilities (AccessData's utilities are recommended)

* A text search utility

* Other specialized disk utilities

Please be aware that the capacity of hard-disk drives increases continually. Normally, forensic processing is performed under DOS rather than Windows, to avoid overwriting potential evidence in the form of erased files. However, DOS will not access huge hard-disk drives without disk management software. For this purpose, OnTrack Data Recovery offers an inexpensive disk utility that can be purchased via their Internet Web site.

The purchase of computer components and forensic software is a step in the right direction for any law enforcement agency that wants to begin dealing with computer evidence issues.

Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the fields of forensic computer science and artificial intelligence. Anderson pioneered the development of federal and international training courses that have evolved into the standards used by law enforcement agencies worldwide in the processing of computer evidence.

He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in the prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929 Gresham, OR 97030. E-mail .