Utility Aids Investigators in Swap-File Search

A new crime-fighting tool can retrieve deleted files from a suspect's computer and use them as evidence.

by / November 30, 1997

It's sad but very true. Although the Internet has proven to be a valuable tool for learning, worldwide communication, commerce and data exchange, these capabilities are also being used to perpetrate serious crimes.

With increasing regularity, law enforcement agencies are encountering computers at crime scenes. These computers are used to store the secrets of criminals as well as in the commission of crimes. But what law enforcement agencies have discovered is that a criminal's computer can be used to aid in his prosecution.

Law enforcement successes in computer-related investigations are directly tied to the availability and quality of forensic software utilities. Until recently, law enforcement computer specialists were without specialized forensic tools to deal with Internet-related computer evidence. A number of law enforcement supporters recognized this deficiency and created a forensic tool to deal with it.

IPFILTER, developed by New Technologies Inc., was created to help law enforcement computer specialists evaluate desktop and notebook computer hard-disk drives and to identify the frequency and identity of Internet Web browsing and e-mail activity. Available free of charge to law enforcement agencies, it was created primarily to help in cases involving child pornography, but it has an abundance of law enforcement potential for any case involving the Internet. A special law enforcement version of the IPFILTER program can be downloaded over the Internet from New Technologies Inc.'s Web site at .

The law enforcement version of IPFILTER is also being distributed by the National White Collar Crime Center to its law enforcement members.

It Does Windows

From a computer investigator's standpoint, the Microsoft Windows operating system is a dream come true. After all, DOS and Windows were never intended to be secure. This is particularly true concerning Internet-related evidence stored on computer hard-disk drives in the form of ambient data. E-mail addresses, the contents of e-mail messages and a history of Internet browsing activity potentially pass through the Windows swap file. In those cases where Windows swap files are created during the work session and then erased, the same information is left behind as a large erased file in unallocated space. Much of this information remains behind waiting for discovery and documentation by the computer investigator.

Computer investigators are fortunate that evidence, in the form of ambient data, remains behind in the Windows swap file. That is the good news. The bad news is that these swap files can be huge, and picking out the various URLs can be a time-consuming and tedious task. That is where the IPFILTER program comes to the rescue. It relies upon fuzzy logic concepts to automatically identify patterns of e-mail addresses and URLs. The process takes just a few minutes and creates a database file that can be reviewed or analyzed using any popular spreadsheet or database application.

A copy of the public domain program DM accompanies IPFILTER and can be used to quickly sort through the database and provide meaningful statistical information about prior Internet activity on a specific computer.

As a point of clarification, the Internet activity is identified from remnants of data stored on the computer hard-disk drive and not from an analysis of Web traffic or with electronic sniffers.
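The article does not describe how IPFILTER's "fuzzy logic" matching works, so the following is an added illustration, not the tool's own code: a small Python carver that scans a raw swap-file image for URL and e-mail patterns, counts how often each appears, and writes the findings as a CSV that a spreadsheet or database application can load. The sample bytes are constructed for the demonstration; the regular expressions, the function names and the handling of UTF-16LE strings (an assumption based on how Windows components commonly store text, which a plain ASCII search would miss) are all my own choices.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import urlsplit

# Patterns for the two artifact classes the article describes. They run over
# raw bytes so the swap file never has to be decoded as a whole.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s<>'\"\x00]*)?")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

# A run of printable ASCII characters each followed by a NUL byte is how
# UTF-16LE text looks on disk ("h\x00t\x00t\x00p\x00..."). Six pairs or more
# is long enough to be worth decoding.
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def _byte_views(data: bytes):
    """Yield the raw bytes, then each UTF-16LE run re-encoded as ASCII."""
    yield data
    for m in WIDE_RUN_RE.finditer(data):
        yield m.group().decode("utf-16-le").encode("ascii")


def carve_internet_artifacts(data: bytes) -> dict:
    """Return {'urls': Counter, 'emails': Counter} for one swap-file image."""
    urls, emails = Counter(), Counter()
    for view in _byte_views(data):
        for m in URL_RE.finditer(view):
            # Strip trailing punctuation that belongs to surrounding text.
            urls[m.group().decode("ascii").rstrip(".,;)")] += 1
        for m in EMAIL_RE.finditer(view):
            emails[m.group().decode("ascii").lower()] += 1
    return {"urls": urls, "emails": emails}


def host_frequency(urls: Counter) -> Counter:
    """Collapse distinct URLs into visit counts per host name."""
    hosts = Counter()
    for url, n in urls.items():
        hosts[urlsplit(url).hostname] += n
    return hosts


def to_csv(result: dict) -> str:
    """Render the carved artifacts as 'type,value,count' rows."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value", "count"])
    for kind in ("urls", "emails"):
        for value, n in sorted(result[kind].items()):
            writer.writerow([kind[:-1], value, n])
    return buf.getvalue()


# Constructed sample: fragments of an HTTP request, an e-mail header, a
# UTF-16LE string with its byte-order mark, and some plain text, padded with
# NULs the way unused swap pages are.
SAMPLE_SWAP = (
    b"\x00" * 16
    + b"GET http://www.example.org/index.html HTTP/1.0\r\nHost: www.example.org\r\n"
    + b"\x00" * 8
    + b"From: alice@example.org\r\nTo: Bob@Example.net\r\n"
    + b"\xff\xfe" + "http://www.example.org/login".encode("utf-16-le") + b"\x00\x00"
    + b"visit ftp://files.example.com/pub/ and mail alice@example.org soon."
)

if __name__ == "__main__":
    found = carve_internet_artifacts(SAMPLE_SWAP)
    print(to_csv(found))
    for host, n in host_frequency(found["urls"]).most_common():
        print(f"{host}: {n}")
```

Running the script on a real image means reading the swap file (or a carved unallocated-space extract) in binary mode and passing the bytes to `carve_internet_artifacts`; as the article notes, this reports only what remains on disk, not live traffic, so a count reflects how many copies survived, not how many times a site was visited.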

The Internet and related computer evidence issues are here to stay. And because of the common belief that Internet use cannot be easily monitored by law enforcement agencies, it is likely that the Internet will become even more of a haven for criminals in the future. Training and the availability of computer evidence processing utilities will be a key to success for law enforcement in the coming months and years.

Michael R. Anderson retired from a 25-year federal law enforcement career in 1996. He is internationally recognized in the field of forensic computer science and also in the field of computer artificial intelligence.
