In Depth
Computer Forensics: Tools of Evidence
Computer forensic tools now make it far easier to search for, and find, evidence on hard drives
By Simson Garfinkel
For years, the only practical way to analyze the data on a seized computer was to use the computer itself to examine its own disks. Investigators would start in the root directory and look around; the better investigators used tools that could search files for keywords or list every file on the computer by type or modification date. Deleted files could be "undeleted" with Norton Utilities, but that was about the limit of many forensic investigations.
Modern forensic tools begin where the computer's own tools leave off. For starters, instead of working on the disk drive itself, they work on a block-for-block copy of the drive called a drive image file. You can make a drive image with special software or with special-purpose hardware; if you have access to a computer running Unix or Linux, you can make the image file with the dd command. For the Moussaoui case, the original hard drive was copied onto another hard drive using a Logicube SFK-000A handheld disk duplicator; this master copy, in turn, is used to create the image files.
When making an image copy, the investigator also records a cryptographic checksum of the drive and of its copy. Typically this is done with the MD5 algorithm; if the two MD5 codes match, the investigator can testify in court that the copy is identical to the original. (In the case of Moussaoui's Toshiba laptop, the drive image was made using SafeBack; it had an MD5 code of de12b076f9d6cc168fe3344dc1e07c58.)
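The image-and-verify workflow described above, as an added example that is not part of the original article: a constructed file stands in for the seized drive, dd makes the block-for-block image, and md5sum on source and image must agree before the image is used. It assumes GNU coreutils (dd, md5sum, head) on Linux.

```shell
# Added example (not from the article): the dd image-and-verify workflow the
# text describes, run against a constructed file standing in for a seized
# drive. Assumes GNU coreutils (dd, md5sum, head) on Linux; substituting
# sha256sum for md5sum gives a stronger hash with the identical procedure.
set -eu

make_sample_drive() {
    # Constructed stand-in for /dev/sdX: 64 KiB of repeating text, so content
    # is deterministic and an exact multiple of the block size used below.
    yes 'constructed sample sector data' | head -c 65536 > "$1"
}

image_drive() {
    # Block-for-block copy. conv=noerror,sync keeps reading past unreadable
    # sectors and zero-fills them so later data stays at its true offset.
    # bs must divide the device size (512 suits real drives); otherwise sync
    # pads the final block and the two hashes will not match.
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

md5_of() {
    # Just the hex digest, without the filename md5sum appends.
    md5sum "$1" | cut -d' ' -f1
}

verify_image() {
    # Status 0 when the source and image digests agree, 1 otherwise; this is
    # the comparison an examiner records before touching the image.
    if [ "$(md5_of "$1")" = "$(md5_of "$2")" ]; then return 0; else return 1; fi
}

tamper_image() {
    # Overwrite a single byte at offset 100 in place: any change to the copy,
    # however small, must break verification.
    printf 'X' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

run_demo() {
    work=$(mktemp -d)
    make_sample_drive "$work/drive"
    image_drive "$work/drive" "$work/drive.img"
    cp "$work/drive.img" "$work/tampered.img"
    tamper_image "$work/tampered.img"
    verify_image "$work/drive" "$work/drive.img" && echo "image: VERIFIED $(md5_of "$work/drive.img")"
    verify_image "$work/drive" "$work/tampered.img" || echo "tampered: MISMATCH $(md5_of "$work/tampered.img")"
    rm -rf "$work"
}

run_demo
```

Because dd with conv=sync pads the last block, the source and image only hash the same when bs divides the source size exactly, which is why the sample is sized to 64 KiB.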
Once you have that image file, you have many choices. You can use a utility like the Unix strings command to scan the file and display every printable string; among other things, that will show you the content of e-mail messages, Microsoft Word files and so on. With some versions of Linux and BSD-based operating systems, you can actually mount an image file as a file system, which shows you every file you would have seen had you sat down at the original computer.
But if you really want to look inside the image, use a special-purpose forensic tool. The best free tool out there is Task, written by Brian Carrier and based on a program called TCT by Dan Farmer and Wietse Venema. Task lets you step through the image, recover deleted files and create a timeline showing when each file was created, last modified and last accessed. Task is a great way for people interested in computer forensics to get their first glimpse of this world.