
Regardless of which strategy an investigator uses to secure evidence at a site, the investigator still has the tasks of identifying and recovering evidence stored as electronic media. One example source for systems and assistance in this step is CyberForensic Associates, of Garden Grove, California (www.cyberforensic.com). It is important for the investigator to keep the chronological case log up to date during this phase of the investigation. At the time of this publication, most cases will involve critical evidence recovered from computer hard drive examination. It is beyond the scope of this chapter to cover the subject of forensic hard drive examination in detail; however, a computer crime investigator should be familiar with the following concepts and utilities associated with them.

1. Drive Duplication Utilities

This is software that makes a forensic copy of a hard drive. It is critical that this utility makes an exact copy of the drive at the binary level and has been tested and proven to do so. Whenever possible, the investigator does not examine the original disk because of the possibility that the drive might crash or be unintentionally altered by the investigator.

104 Forensic Computer Crime Investigation

2. Search Utilities

Search utilities allow an investigator to find occurrences of a pattern of characters on electronic media. Examples might be a credit card number or the word insurance in a homicide case. The search utility allows the investigator to find all occurrences of the search pattern on the media. This helps the investigator to zero in on information of possible relevance to the case. One of the tasks of the investigator is to create a list of search words or patterns relevant to the case to be searched for during the evidence recovery process.
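As an added illustration (not code from the book), here is a small search utility in Python that scans raw media bytes for case-insensitive keywords in both ASCII and UTF-16LE (the encoding Windows commonly uses for stored text), and for 13-19 digit runs that pass the Luhn check, which separates likely card numbers from other digit strings. The sample media and the 4111... test number are constructed.

```python
import re

# Constructed sample media: raw bytes as read from a disk image, holding filler,
# an ASCII keyword, the same keyword in UTF-16LE, and two 16-digit numbers
# (only the first passes the Luhn check).
SAMPLE_MEDIA = (
    b"\x00" * 16
    + b"policy renewal: insurance"
    + b"\xff" * 8
    + "Insurance".encode("utf-16-le")
    + b"\x00" * 4
    + b"card 4111111111111111 exp 12/29"
    + b"\x00" * 4
    + b"bogus 4111111111111112"
)

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def search_keywords(media: bytes, keywords) -> dict:
    """Offsets of every case-insensitive occurrence of each keyword, searched
    both as ASCII and as UTF-16LE; returns {keyword: [(offset, encoding), ...]}."""
    hits = {}
    for kw in keywords:
        found = []
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            found += [(m.start(), enc) for m in pat.finditer(media)]
        hits[kw] = sorted(found)
    return hits

# A run of 13-19 digits not touching other digits on either side.
CARD_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def find_card_numbers(media: bytes) -> list:
    """(offset, number) for every digit run that also passes the Luhn check,
    which discards most serial numbers, timestamps and other digit strings."""
    return [(m.start(), m.group().decode())
            for m in CARD_RE.finditer(media) if luhn_ok(m.group().decode())]
```

The UTF-16LE pass matters because an ASCII-only search misses keywords that the operating system stored with a zero byte between the letters.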

3. Graphic and File Viewer Utilities

There are a number of programs that allow an investigator to view the information on electronic media. These utilities format the binary information on the media into a picture or document so that it is recognizable. The best of these utilities will allow the investigator to view virtually any file type in its intended display format. The kinds of files of interest to the investigator vary depending on the case type. For example, in an obscenity case the files of interest are likely to be picture format files.

4. Recovering Deleted Evidence

When a suspect deletes information on a computer, it does not disappear. In most operating systems the deletion process just makes the space on the disk that the information occupied available for other information. Some operating systems use the concept of a recycle bin for deletion from which deleted files can be recovered. File recovery utilities allow the investigator to retrieve the deleted information if it has not been overwritten by other information. If the deleted information has been overwritten, it is still possible to recover the overwritten information by disassembling the hard drive and recovering the overwritten data directly from the magnetic disk media with specialized lab equipment. At the time of publication, this magnetic-force scanning recovery process is not typically available or realistic for law enforcement investigations. There are also file-overwriting utilities that, instead of using the operating system’s deletion process, directly overwrite the information on the disk with a binary pattern up to 35 successive times. If properly used by a suspect, these file-overwriting utilities can make the information unrecoverable.

5. Disk Utilities

Investigative Strategy and Utilities 105

Evidence can sometimes exist on a hard drive in areas not used by the file system. Slack space refers to an unused area of a disk after the end of one file, before the start of the next file. This area can contain information from a previously deleted file. Information may also exist on the disk in unallocated space, parts of the disk marked as bad sectors, or in other partition types. Disk utilities allow the investigator to examine these areas.
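The following Python example, added here and not taken from the book, ties sections 4 and 5 together on a constructed disk image: it extracts the file slack left behind when a short file overwrites the start of a deleted note, gathers the unallocated clusters, and carves a deleted JPEG-like file out of them by its start and end markers. The cluster size, the toy allocation table and all file contents are assumptions made for the demonstration.

```python
CLUSTER = 1024  # constructed: bytes per allocation unit in the toy image

def build_image():
    """Constructed 4-cluster image. Cluster 0 once held a deleted note; a 300-byte
    report was then written over its start, leaving the note's tail in file slack.
    Clusters 1-2 are unallocated but still hold a deleted JPEG-like file
    (FF D8 FF ... FF D9). Cluster 3 is a fully used allocated file."""
    note = (b"DELETED NOTE: shipment arrives Tuesday; " * 30)[:CLUSTER]
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 1500 + b"\xff\xd9"
    img = bytearray(note + jpeg.ljust(2 * CLUSTER, b"\x00") + b"B" * CLUSTER)
    img[0:300] = b"Quarterly report, nothing to see.".ljust(300, b".")
    table = {"report.txt": (0, 300), "blob.bin": (3, CLUSTER)}  # name -> (first cluster, size)
    return bytes(img), table

def file_slack(img: bytes, table: dict, name: str) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster."""
    first, size = table[name]
    start = first * CLUSTER + size
    end = -(-start // CLUSTER) * CLUSTER          # round up to the cluster boundary
    return img[start:end]

def unallocated(img: bytes, table: dict) -> bytes:
    """Concatenated contents of every cluster that no table entry claims."""
    used = set()
    for first, size in table.values():
        used.update(range(first, first + max(1, -(-size // CLUSTER))))
    return b"".join(img[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(len(img) // CLUSTER) if c not in used)

def carve_jpegs(data: bytes) -> list:
    """Recover JPEG-like files from raw bytes by their SOI/EOI markers. Real
    JPEGs can embed thumbnails with their own EOI, so a carver for production
    use also walks the segment structure; this one stops at the first EOI."""
    found, pos = [], 0
    while (start := data.find(b"\xff\xd8\xff", pos)) != -1:
        end = data.find(b"\xff\xd9", start + 3)
        if end == -1:
            break
        found.append(data[start:end + 2])
        pos = end + 2
    return found
```

Running carve_jpegs over the whole image rather than only the unallocated clusters would also catch fragments sitting in slack, at the cost of more false starts.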

6. Hash or Checksum Utilities

A hash or checksum utility uses every bit of a file to compute a unique result for the file. The checksum result for a file can be used to see whether any bits in the file have changed. If just one bit of the file changes, approximately half of the bits of the checksum will change. This is useful for the investigator to identify files and to demonstrate that a file has or has not changed. One commonly used checksum algorithm is named MD5. There is a database of MD5 checksums of known system files and known child pornography violations. An investigator can compute MD5 checksums for all the files on a disk being examined and then compare them to the database. The suspect system files that match do not need to be examined further, because there is a very high probability that they are just operating system files. If any of the MD5 checksums match against the known child pornography database, there is a very high probability that the investigator has found a violation.
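An added Python example (not from the book) covering sections 1 and 6: it verifies a drive duplicate by digest, shows the one-bit-flip avalanche effect the text describes, and triages a constructed evidence set against constructed known-good and known-bad MD5 sets. The file names, contents and both hash sets are stand-ins invented for the demonstration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    """MD5 digest as the 32-character hex string a checksum utility reports.
    MD5 collisions have been practical since 2004, so current hash sets also
    carry a stronger digest (SHA-1 or SHA-256) alongside the MD5 value."""
    return hashlib.md5(data).hexdigest()

def bits_changed(hex_a: str, hex_b: str) -> int:
    """How many of the 128 digest bits differ between two MD5 hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def flip_bit(data: bytes, bit: int) -> bytes:
    """Copy of data with one bit inverted (bit counted from byte 0, LSB first)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A forensic copy is accepted only if its digest equals the source digest."""
    return md5_hex(original) == md5_hex(duplicate)

def triage(files: dict, known_good: set, known_bad: set) -> dict:
    """Sort evidence files by digest: 'known_bad' to flag, 'known_good' to skip,
    'unknown' to examine by hand. Known-bad wins if a digest is somehow in both."""
    verdicts = {}
    for name, data in files.items():
        h = md5_hex(data)
        verdicts[name] = ("known_bad" if h in known_bad
                          else "known_good" if h in known_good else "unknown")
    return verdicts

# Constructed evidence set and hash databases (stand-ins for the real hash sets).
EVIDENCE = {
    "system/kernel.dll": b"pretend OS library bytes " * 100,
    "docs/letter.txt":   b"Meet me at the usual place.",
    "pics/img001.dat":   b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}
KNOWN_GOOD = {md5_hex(EVIDENCE["system/kernel.dll"])}
KNOWN_BAD = {md5_hex(EVIDENCE["pics/img001.dat"])}
```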

7. Passwords and Encrypted Media

Encryption is a process of scrambling information so that it is not recognizable without descrambling it. It can also be used for authenticating information and verifying that information is correct. Passwords and encryption are obstacles for the computer crime investigator that can be difficult to overcome if the investigator is not prepared for them. Password crackers and cryptanalysis utilities are commercially available that employ a variety of algorithms to gain access to the system or encrypted information. The success rate of these utilities varies depending on the type of encryption used and how good a password or key was chosen by the suspect.

A more reliable way to deal with passwords and encryption is to recover the password or the encryption key from the suspect by using the system. This can be accomplished in several ways. (1) A hardware or software keystroke logger can be installed on the suspect’s computer. This records all of the keystrokes made by the suspect on the computer keyboard, including passwords and encryption keys. Both hardware and software keystroke loggers are readily available to investigators. (2) A surveillance pin camera can also be installed over the suspect’s keyboard and good guesses can be made about passwords and encryption keys from the recorded movement of the suspect’s fingers on the keyboard. However, before employing these methods, the investigator needs to determine whether a federal wiretap warrant is required. It is sometimes possible to recover encryption keys from RAM.


8. Evidence Recovery from RAM Memory

One case I investigated involved organized-crime gambling violations. The intelligence phase of the investigation, through an informant, indicated that bets were being taken by telephone and entered into a computer employing a RAM drive. RAM refers to random access memory on computer chips and is different from magnetically stored information on the hard drive. RAM is usually composed of junctions that hold a binary one or zero as long as power is supplied to the memory chip. A RAM drive is a utility program that uses a portion of the computer’s chip memory as if it were a disk to store information. The suspect believed that if there was a police raid, they could turn off the power to the computer and destroy all evidence of the crime. One critical success factor of this case was to raid the location and get to the computers before the suspects could remove power from them. This was accomplished by using a utility program on a floppy disk to copy the contents of all of the RAM to a zip disk plugged into the parallel port of the suspect’s computer. The betting evidence was later recovered from the zip disk.

Most people believe that when RAM is powered down it is not possible to recover the information stored in it. However, equipment does exist that can determine what state the RAM was in when it was powered down, depending on how much time has elapsed since the power was removed, the temperature of the chip since power was removed, and how long the memory cell was in the same state before power was removed. This equipment is not readily available to law enforcement at the time of this publication. For the time being, if evidence critical to the investigation is in RAM, the investigator needs to get to the computer while it is powered on.

9. Forensic Suite Software

There are a few software packages available that attempt to combine all of the investigative utility functions into one program. These programs can duplicate drives, search media, format, view files, recover information, and even help keep the case log. One of the biggest advantages to these forensic software packages is the availability of training and support for the investigator. However, an investigator who uses one of these evidence recovery software suites still needs to be aware of alternative utilities in the event a situation occurs that the software is not designed to handle.

10. Network Drive Storage

On networked computer systems, the evidence of interest to the investigator may turn out to be stored anywhere on the network. This greatly increases the amount of intelligence the investigator needs in order to make a good guess on the location for the search warrant, because the evidence might not be in the same location as the suspect. Additionally, Internet services exist where someone can use disk storage space on a remote system as though it were a local hard drive. With this technology it is only a matter of time until some investigator executes a warrant at a site of suspected criminal activity and finds that the critical evidence is stored through the Internet on a server in another country under a cryptographically secure protocol.
