Evidence Processing: Computer Autopsy

Flexibility

Flexibility is the name of the game when you create a computer system that will process computer evidence. You must prepare to deal with the seizure of a variety of computer systems and equipment configurations. As a result, it is wise to equip your processing computer with multiple floppy disk drives, a color SVGA monitor and plenty of external storage capacity to supplement the onboard hard disk drives. Opinions may vary, but I recommend the following hardware configuration as a minimum system for use in computer evidence processing:

* Pentium 133MHz or equivalent

tower desktop computer

* SVGA 14-inch color monitor

* Two 5GB hard-disk drives

* One Iomega Zip disk drive

* One SyQuest SyJet (or Iomega

Jazz) disk drive

* One 5.25-inch, 1.2MB floppy disk drive

* One 3.5-inch, 1.44MB floppy disk drive

* One CD-ROM (8x recommended)

* One Uninterruptible Power Supply (UPS)

* One laser printer (6 pages per

minute recommended)

The recommended system should meet the computer-evidence needs of most small- to medium-size law enforcement agencies. As stated, this is the minimum system configuration and it should be supplemented with an adequate supply of floppy disks and storage cartridges, e.g. Zip disks. Further, I strongly recommend the use of a second law enforcement notebook computer for documentation purposes. When the processing computer is used to document findings, there is a potential for parts of the text in the reports to "cross pollinate" the backup copies of the evidence. The potential of a memory dump into file slack is the culprit. By using a separate computer to document findings, this potential problem is eliminated. Inexpensive notebook computers can be purchased for under $1,000 and may come in handy for other tasks in the department as well.

The Forensic Computer Setup

Computer evidence processing can't begin without forensic software tools. The recommended tool kit should include the following:

* MS DOS 6.22 (DOS 7.0 is not recommended) Disk Mgt. Software to take full advantage of large hard disks under DOS Norton Disk Edit

* A bit stream backup utility (SafeBack

by Sydex is recommended)

* A virus scanning utility

* A DOS shell utility with file view

capabilities

* Password recovery utilities (Access

Data's utilities are recommended)

* A text search utility

* Other specialized disk utilities

Please be aware that the capacity of hard-disk drives increase continually. Normally, forensic processing is performed under DOS rather than Windows, to avoid overwriting potential evidence in the form of erased files. However, DOS will not access huge hard-disk drives without disk management software. For this purpose, OnTrack Data Recovery offers a disk utility that is inexpensive and can be purchased via their Internet Web site at .

The purchase of computer components and forensic software is a step in the right direction for most law enforcement agencies who desire to begin dealing with computer evidence issues.

Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the fields of forensic computer science and artificial intelligence. Anderson pioneered the development of federal and international training courses that have evolved into the standards used by law enforcement agencies worldwide in the processing of computer evidence.

He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in the prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929 Gresham, OR 97030. E-mail .