In Depth

Tools of Evidence

By Simson Garfinkel

March 01, 2003CSO — Much of the U.S. government's case in Criminal No. 01-455-A will be based on digital evidence found on the defendant's computer hard drives. The case, better known as United States v. Zacarias Moussaoui, is the government's high-profile terrorism trial against the alleged "20th hijacker." Among the evidence that the government has in its possession are so-called disk images from two laptop computers, one belonging to Moussaoui, the other to his roommate Mukkarum Ali. Also in evidence: images of two computers from the University of Oklahoma, where at least one of Moussaoui's roommates attended classes.

The government's use of computer evidence in this case isn't surprisingsuch evidence is increasingly being used in both criminal and civil matters. In criminal cases, computer evidence gives investigators and prosecutors a way of looking back through time and into the mind of a criminal defendant. Such evidence is invariably admitted by courts, and it can be incredibly damaging to the defenseit convicts the defendant with his own words.

But finding those words can be quite a challenge. It's not likely that a captured computer will have a file on its desktop named "PlanstoBombtheWorldTradeCenter.doc." No, incriminating information needs to be painstakingly searched for, cataloged and recorded. What's more, an investigator needs to be able to document that the "found" evidence wasn't actually planted on the suspect's computer by the police.

A challenge, yes, but one that's eminently doable, thanks to a new generation of computer forensic tools now available.

To understand how these tools work, it's important to know the basics of how information is stored on modern computers. The hard drive that is inside almost every laptop and desktop computer in use today is a tremendously sophisticated piece of engineering, with the ability to store millions of e-mail messages, documents, photographs and the like. But fundamentally, every hard disk stores information as a series of 512-byte units that are called blocks. A 10GB hard drive has 20 million of them.

When you format a hard drive with Windows, the operating system scans the entire disk to see if any of the blocks are bad. It then writes an empty directory at the beginning of the disk. This will become your computer's C directory. When you save a file on the drive, some of the blocks get dedicated to that file; a name is then put in the directory that points at these blocks. When you try to read a file, the computer's operating system follows that pointer. When you delete the file, the pointer is erased.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
IT productivity challenges: Google survey results

GoogleIn this webcast, Google reveals results from a survey of message security and compliance priorities and concerns. Download a free copy of the survey report after registering.

» Watch the Webcast

Featured Sponsors
Sponsored Links

Secure your virtual and physical environments with the same software.

Identity-Aware Networks: Bringing Efficiency to Compliance

Can Google help you save time and money in your fight against spam?

An Executive Guide to Understanding Hosted Messaging Systems

ITCi White Paper: Challenges and Opportunities of PCI

The PCI Data Security Standard

Hardware-based security. That's IT as it should be.

A Guide to Providing Proactive Protection to Consumer Online Transactions

Webcast: Best practices in application security: How do you stack up?

This whitepaper describes how you can test your Web applications with virtualization

Read The Evolution of Application Security in Online Banking White Paper

White Paper: Learn how to use Adaptec(R) Snap Server(TM) with MOBOTIX IP Network Cameras

Compliance: Moving From Mandate to Differentiator White Paper

Webcast: Best Practices for Application Security in the Financial Sector

Simple, Economical Server Virtualization For Any Size Company

Global Companies' Best Practices for Security and Compliance

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Gene Kim's Practical Steps to Mitigate Virtualization Security Risks

Eliminate network threats and downtime with Juniper Networks. View demo

Configuration Audit and Control for Virtualized Environments

Webcast: learn results from an annual Google message security survey of 575 global IT professionals

This white paper presents document security strategies and best practices

IT Service Management: Metrics That Matter

White Paper: Learn more about how you can use compliance as a means of competitive differentiation.