Computer Forensics: Tools of Evidence

Computer forensic tools now make it possible to more easily search for, and find, evidence on hard drives

Much of the U.S. government's case in Criminal No. 01-455-A will be based on digital evidence found on the defendant's computer hard drives. The case, better known as United States v. Zacarias Moussaoui, is the government's high-profile terrorism trial against the alleged "20th hijacker." Among the evidence that the government has in its possession are so-called disk images from two laptop computers, one belonging to Moussaoui, the other to his roommate Mukkarum Ali. Also in evidence: images of two computers from the University of Oklahoma, where at least one of Moussaoui's roommates attended classes.

The government's use of computer evidence in this case isn't surprising: such evidence is increasingly being used in both criminal and civil matters. In criminal cases, computer evidence gives investigators and prosecutors a way of looking back through time and into the mind of a criminal defendant. Such evidence is invariably admitted by courts, and it can be incredibly damaging to the defense: it convicts the defendant with his own words.

But finding those words can be quite a challenge. It's not likely that a captured computer will have a file on its desktop named "PlanstoBombtheWorldTradeCenter.doc." No, incriminating information needs to be painstakingly searched for, cataloged and recorded. What's more, an investigator needs to be able to document that the "found" evidence wasn't actually planted on the suspect's computer by the police.

A challenge, yes, but one that's eminently doable, thanks to a new generation of computer forensic tools now available.

To understand how these tools work, it's important to know the basics of how information is stored on modern computers. The hard drive that is inside almost every laptop and desktop computer in use today is a tremendously sophisticated piece of engineering, with the ability to store millions of e-mail messages, documents, photographs and the like. But fundamentally, every hard disk stores information as a series of 512-byte units that are called blocks. A 10GB hard drive has 20 million of them.

When you format a hard drive with Windows, the operating system scans the entire disk to see if any of the blocks are bad. It then writes an empty directory at the beginning of the disk; this becomes the root directory of your C: drive. When you save a file on the drive, some of the blocks get dedicated to that file, and a name is put in the directory that points at these blocks. When you try to read a file, the operating system follows that pointer. When you delete the file, only the pointer is erased; the blocks, and the data in them, stay where they are until they are reused.
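The storage scheme just described, as a toy model added here for illustration (this is not code from the article, and the `ToyDisk` class and `find_in_unallocated` helper are invented names): files are spread over fixed 512-byte blocks, a directory maps names to block numbers, deletion erases only the directory entry, and a later save can reuse and overwrite those blocks.

```python
"""Toy model of block storage: 512-byte blocks, a directory that maps
file names to block numbers, and a delete that only erases the pointer.
Added illustration, not code from the article; all names are invented."""

BLOCK_SIZE = 512


class ToyDisk:
    """A disk is a list of fixed-size blocks plus one directory."""

    def __init__(self, n_blocks: int) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        # directory entry: name -> (file size in bytes, list of block numbers)
        self.directory: dict[str, tuple[int, list[int]]] = {}
        self.allocated: set[int] = set()

    def _free_blocks(self, count: int) -> list[int]:
        """Lowest-numbered free blocks first, so a new file reuses deleted space."""
        free = [i for i in range(len(self.blocks)) if i not in self.allocated]
        if len(free) < count:
            raise OSError("disk full")
        return free[:count]

    def save(self, name: str, data: bytes) -> list[int]:
        """Write data into free blocks and point a directory entry at them."""
        needed = max(1, (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE)
        chosen = self._free_blocks(needed)
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = (len(data), chosen)
        self.allocated.update(chosen)
        return chosen

    def read(self, name: str) -> bytes:
        """Follow the directory pointer, as the operating system does."""
        size, blocks = self.directory[name]
        return b"".join(self.blocks[b] for b in blocks)[:size]

    def delete(self, name: str) -> None:
        """Erase the pointer only; the blocks keep their content."""
        _, blocks = self.directory.pop(name)
        self.allocated.difference_update(blocks)

    def unallocated(self) -> list[tuple[int, bytes]]:
        """What a forensic tool examines: every block no directory entry points to."""
        return [(i, b) for i, b in enumerate(self.blocks) if i not in self.allocated]


def find_in_unallocated(disk: ToyDisk, needle: bytes) -> list[int]:
    """Block numbers in unallocated space that still hold needle (deleted-file remnants)."""
    return [i for i, b in disk.unallocated() if needle in b]


if __name__ == "__main__":
    disk = ToyDisk(4)
    disk.save("memo.txt", b"meet at the cafe")     # constructed sample content
    disk.delete("memo.txt")
    print("remnant in blocks:", find_in_unallocated(disk, b"meet at the cafe"))
    disk.save("other.txt", b"x" * 600)             # reuses blocks 0 and 1
    print("after reuse:", find_in_unallocated(disk, b"meet at the cafe"))
```

The second save is the point an investigator cares about: once a deleted file's blocks are handed to a new file, the remnant is gone, which is why the seized drive is imaged and then left alone rather than booted and browsed.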

For years, the only practical way for analyzing the data on a seized computer was to use the computer itself for analyzing its own disks. Investigators would start in the root directory and look around; the better investigators would use tools that could search files for keywords or make a list of every file on the computer by file type or modification date. Deleted files could be "undeleted" with Norton Utilities, but that was about the limit of many forensic investigations.

Modern forensic tools begin where the computer's own tools leave off. For starters, instead of working on the disk drive itself, these tools work on a block-for-block copy of the drive called a drive image file. You can make a drive image with special software or with special-purpose hardware. If you have access to a computer running Unix or Linux, you can make that image file with the dd command. For the Moussaoui case, the original hard drive was copied onto another hard drive using a Logicube SFK-000A handheld disk duplicator; this master, in turn, is used to create the image files.

When making an image copy, the investigator also records the cryptographic checksum of the drive and its copy. Typically this is done using the MD5 algorithm; if both MD5 codes match, then the investigator can testify in court that the copies are identical. (In the case of Moussaoui's Toshiba laptop, the drive image was made using SafeBack; it had an MD5 code of de12b076f9d6cc168fe3344dc1e07c58.)
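The imaging and verification step in code, as an added example that is not from the article or any of the products it names: a dd-style block-for-block copy of a constructed "drive" (a temporary file), followed by hashing of both source and copy and a comparison of the two digests. The function names and the sample bytes are invented.

```python
"""dd-style block copy plus checksum verification of the result.
Added example, not the article's code; names and sample data are invented."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # dd's default block size


def image_device(src_path: str, dst_path: str) -> int:
    """Copy src to dst one block at a time; returns the number of bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            dst.write(block)
            copied += len(block)
    return copied


def hash_file(path: str, algorithm: str = "md5") -> str:
    """Hash a file in 1 MiB chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src_path: str, dst_path: str, algorithm: str = "md5") -> tuple[bool, str, str]:
    """Return (match, source_digest, image_digest); match is what goes in the notes."""
    src_digest = hash_file(src_path, algorithm)
    img_digest = hash_file(dst_path, algorithm)
    return src_digest == img_digest, src_digest, img_digest


def demo(payload: bytes = b"abc") -> dict:
    """Image a constructed 'drive' (a temp file holding payload) and verify the copy."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "drive.raw")
        dst = os.path.join(workdir, "drive.dd")
        with open(src, "wb") as f:
            f.write(payload)
        copied = image_device(src, dst)
        match, _, md5_hex = verify_image(src, dst, "md5")
        sha256_hex = hash_file(dst, "sha256")   # record a second, stronger digest too
    return {"bytes": copied, "match": match, "md5": md5_hex, "sha256": sha256_hex}


if __name__ == "__main__":
    print(demo())
```

Recording a SHA-256 alongside the MD5 is the one addition to the procedure in the text: MD5 collisions are practical today, so a digest an opposing expert cannot dispute should come from a stronger hash, while the MD5 keeps the notes comparable with older case records.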

Once you've got that image file, you have a lot of choices. You can use a function like Unix "strings" to search through the file and display every printable string. Among other things, that will show you the content of e-mail messages, Microsoft Word files and so on. With some versions of Linux and BSD-based operating systems, you can actually mount an image file as a file system. That will show you all of the files that you could see if you had sat down at the original computer.

But if you want to really look inside the image, use a special-purpose forensic tool. The best free tool out there is Task, written by Brian Carrier, based on a program called TCT, by Dan Farmer and Wietse Venema. Task lets you step through the image, recover deleted files and create a time line showing when each file was created, last modified and last accessed. Task is a great way for people interested in computer forensics to get their first glimpse of this world.

If forensics is your business, rather than your hobby, then you will almost certainly want to get one of the professional tools on the market. Two of the best are EnCase, by Guidance Software (roughly $2,495 per user), and the Forensic ToolKit (FTK), by AccessData ($595).

Although EnCase and FTK are very different programs, they have a surprising amount of overlapping functionality. Both programs run on Windows and require that you have a dongle installed on your system to deter software piracy. (Ironically, law enforcement investigators have a terrible reputation when it comes to software piracy.) Both let you do searches for particular strings and file types. Both let you view regular files, deleted files or examine the part of the hard drive that isn't mapped to any file at all. Both will log the operator's actions and allow you to prepare a professional report. Indeed, both of these programs have a ton of functionality: Reading the manual is not enough. To get the best use out of these programs, you'll need to take the training offered by the companies.

To start using these programs, create a new investigation "case" and then add evidence. FTK lets you add images, files, directories or disks that are attached to the computer. EnCase allows you to acquire from a raw file or from another computer, either over a network or by using a special cable that the company provides. EnCase adds images quickly, allowing you to go about the business of hunting for data faster. FTK is much slower at adding evidence (it can take half an hour or longer), but it painstakingly searches through the entire disk, building a database, indexing all the text that it finds, and even looking inside Zip archives to see what files were zipped up.

Once the evidence is added, you can use these tools to search the disk image for keywords, e-mail messages, images and more. You can restrict your search to files that were or were not deleted, if you wish, as well as to a particular time range.
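The two searches described above (the Unix "strings" pass over an image and the keyword search the commercial tools run), as one added example that is not from the article or any tool it names: a strings(1)-style scan that reports offsets, and a keyword search that maps each hit back to its 512-byte block number and also tries UTF-16LE, which is how Windows stores much of its text. The three-block image is constructed inline, and all function names are invented.

```python
"""strings(1)-style extraction and keyword search over a raw disk image.
Added example, not code from the article; the sample image is constructed."""
import re

BLOCK_SIZE = 512


def extract_strings(image: bytes, min_len: int = 4) -> list[tuple[int, bytes]]:
    """Like strings(1): every run of at least min_len printable ASCII bytes, with its offset."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(image)]


def find_keyword(image: bytes, keyword: str,
                 encodings: tuple[str, ...] = ("ascii", "utf-16-le")) -> list[dict]:
    """Case-insensitive keyword hits in each encoding, mapped to 512-byte block numbers.
    Windows keeps much text (registry, many document formats) in UTF-16LE, so an
    ASCII-only scan misses it; the second encoding covers that."""
    hits = []
    for enc in encodings:
        needle = re.escape(keyword.encode(enc))
        for m in re.finditer(needle, image, re.IGNORECASE):
            off = m.start()
            hits.append({"offset": off, "block": off // BLOCK_SIZE, "encoding": enc,
                         "context": image[max(0, off - 16): m.end() + 16]})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> bytes:
    """Constructed three-block image: an e-mail header, binary noise holding one
    UTF-16LE word, and a deleted-file remnant. Not real evidence."""
    blk0 = b"From: alice@example.test\r\nSubject: meeting\r\n".ljust(BLOCK_SIZE, b"\x00")
    noise = bytearray(bytes(range(32)) * 16)          # 512 non-printable bytes
    noise[64:76] = "Agenda".encode("utf-16-le")       # 12 bytes at offset 576
    blk2 = b"\x00\x00old draft: Flight plans attached\x00".ljust(BLOCK_SIZE, b"\xff")
    return blk0 + bytes(noise) + blk2


if __name__ == "__main__":
    img = build_sample_image()
    for off, s in extract_strings(img):
        print(f"{off:8d}  {s.decode()}")
    for hit in find_keyword(img, "flight") + find_keyword(img, "agenda"):
        print(hit["encoding"], "hit in block", hit["block"], "at offset", hit["offset"])
```

The block number is what makes a hit useful: with a file-system-aware tool it can be traced to the file (or the unallocated region) the block belongs to, which is how a search result turns into an exhibit.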

Not surprisingly, one of the primary uses of these tools is child pornography investigations. And although the programs can't automatically search out pornography, they have the ability to display a page showing all of the .gifs and .jpegs that were discovered in the image file, and the images of naked people tend to be obvious. You can also import a database of MD5 codes for known child pornography: If the program finds a file on the suspect drive image with a matching MD5 code, an alert will be raised.
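The image-gathering and hash-database matching described above, as an added example that is not from the article or from EnCase or FTK: GIF and JPEG files are carved out of a raw image by their header and footer signatures, then each carved file is hashed and checked against a set of known MD5 values. The image (holding a 1x1 GIF and a JPEG-like byte string) and the "known" hash set are constructed inline; the function names are invented.

```python
"""Signature carving of GIF/JPEG files from a raw image and MD5 hash-set screening.
Added example, not code from the article or any vendor; sample data is constructed."""
import hashlib

# header bytes that start each format, and the bytes that end it
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),   # SOI marker ... EOI marker
    "gif": (b"GIF8", b"\x00;"),               # 'GIF87a'/'GIF89a' ... block terminator + trailer
}
MAX_CARVE = 10 * 1024 * 1024   # bound the footer search so a missing footer cannot run away


def carve(image: bytes) -> list[dict]:
    """Return carved files as {kind, offset, data}, scanning the whole image, files or not."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:                         # no footer in range: skip this header
                pos = image.find(header, pos + 1)
                continue
            found.append({"kind": kind, "offset": pos, "data": image[pos:end + len(footer)]})
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f["offset"])


def screen(carved: list[dict], known_md5: set[str]) -> list[dict]:
    """Hash each carved file and flag the ones that appear in the known-file hash set."""
    report = []
    for f in carved:
        digest = hashlib.md5(f["data"]).hexdigest()
        report.append({"kind": f["kind"], "offset": f["offset"], "md5": digest,
                       "alert": digest in known_md5})
    return report


def build_sample_image() -> tuple[bytes, set[str]]:
    """Constructed image: a 1x1 transparent GIF and a fake JPEG-like blob in zero filler,
    plus a hash set that 'knows' the GIF. Stand-ins, not real evidence."""
    gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
           b"\x02\x02D\x01\x00;")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    image = bytes(512) + gif + bytes(300) + jpeg + bytes(512)
    known = {hashlib.md5(gif).hexdigest()}
    return image, known


if __name__ == "__main__":
    image, known = build_sample_image()
    for row in screen(carve(image), known):
        print(row["kind"], "at", row["offset"], row["md5"], "ALERT" if row["alert"] else "")
```

Two limits a practitioner should keep in mind: header/footer carving recovers only files stored contiguously, so a fragmented picture comes out damaged, and a hash set matches exact copies only, so a file that has been re-saved or resized has a different MD5 and raises no alert.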

Overall, I found FTK significantly easier to use than EnCase. FTK makes it fairly easy to navigate through the file system and quickly spy on the file contents. Whereas EnCase relies heavily on external file viewers, FTK has a wide variety of viewers built into it. You can click on a button labeled Spreadsheets, and FTK will display a list with every found spreadsheet, its file name, the application that created it, and its creation date. Click on the name, and the spreadsheet itself displays in a different file pane. There are also one-button searches for databases, graphics and e-mail messages. Click on an Outlook PST file, and FTK will decode all of its content as well, including sent e-mail, journal entries, tasks, the calendar and deleted items.

On the other hand, FTK's all-in-one design can cause problems. FTK does an excellent job rendering webpages, but that's because the program uses the built-in Windows Control for displaying HTML. This can cause problems with suspect data: At one point, Windows started hammering me with JavaScript error alerts because the JavaScript on a hard drive that I was analyzing was malformed.

Serious investigators, of course, will want both; sometimes one program will find information that the other will miss. Such is the nature of all forensic tools: although they will help with an investigation, they do not automate the process.

But with so many good tools for finding things on hard drives, you would think that people or companies throwing them out would do their best to clean them. As we'll see next month, that's rarely the case.
