Computer Forensics: Tools of Evidence

Computer forensic tools now make it possible to more easily search for, and find, evidence on hard drives

March 01, 2003 — CSO — Much of the U.S. government's case in Criminal No. 01-455-A will be based on digital evidence found on the defendant's computer hard drives. The case, better known as United States v. Zacarias Moussaoui, is the government's high-profile terrorism trial against the alleged "20th hijacker." Among the evidence that the government has in its possession are so-called disk images from two laptop computers, one belonging to Moussaoui, the other to his roommate Mukkarum Ali. Also in evidence: images of two computers from the University of Oklahoma, where at least one of Moussaoui's roommates attended classes.

The government's use of computer evidence in this case isn't surprisingsuch evidence is increasingly being used in both criminal and civil matters. In criminal cases, computer evidence gives investigators and prosecutors a way of looking back through time and into the mind of a criminal defendant. Such evidence is invariably admitted by courts, and it can be incredibly damaging to the defenseit convicts the defendant with his own words.

But finding those words can be quite a challenge. It's not likely that a captured computer will have a file on its desktop named "PlanstoBombtheWorldTradeCenter.doc." No, incriminating information needs to be painstakingly searched for, cataloged and recorded. What's more, an investigator needs to be able to document that the "found" evidence wasn't actually planted on the suspect's computer by the police.

A challenge, yes, but one that's eminently doable, thanks to a new generation of computer forensic tools now available.

To understand how these tools work, it's important to know the basics of how information is stored on modern computers. The hard drive that is inside almost every laptop and desktop computer in use today is a tremendously sophisticated piece of engineering, with the ability to store millions of e-mail messages, documents, photographs and the like. But fundamentally, every hard disk stores information as a series of 512-byte units that are called blocks. A 10GB hard drive has 20 million of them.

When you format a hard drive with Windows, the operating system scans the entire disk to see if any of the blocks are bad. It then writes an empty directory at the beginning of the disk. This will become your computer's C directory. When you save a file on the drive, some of the blocks get dedicated to that file; a name is then put in the directory that points at these blocks. When you try to read a file, the computer's operating system follows that pointer. When you delete the file, the pointer is erased.