
1.4.4 Computer forensics top-level procedure

If a computer to be investigated is on, the first decision to be made is whether to turn it off. Generally, one should turn it off unceremoniously, not through an orderly shutdown process, which may involve steps to overwrite files. If the computer is networked and the process of turning it off would alert an accomplice, then one has to assess the pros and cons of turning it off.

The next step should be to photograph the screen (if it was on), all connections to the computer, and the insides of the cabinet.

Because the process of booting the Windows-based computer will most likely write onto any connected hard disk, the investigator must never boot that computer. Instead, all magnetic media (hard disks, floppy disks, superfloppies, Zip and Jaz disks, and so forth) must be disconnected from the computer and copied individually onto the forensic investigator’s hard disk; this must be done after a digital digest (hash value), using either the MD5 or, preferably, the SHA-1 hashing algorithm, is applied so that the investigator’s copy can be certified to be an exact copy of the original.

Copying one hard disk onto another is fraught with danger unless special care is taken, especially if the source and the target disks (i.e., the suspect’s and the investigator’s disks) are the same size; this is so because it is easy to make the mistake of copying the investigator’s hard disk onto the suspect’s, rather than the other way around. Ideally, the investigator should have a box dedicated to performing this task without the possibility of error.

Once the suspect’s hard disk is copied onto the investigator’s disk in a manner that can be shown to result in an identical copy of a suspect’s media,6 the actual forensics analysis begins. No special forensic software suite is needed; a judicious collection of numerous freeware tools would be adequate for someone who knows what to do, why, and how. All-inclusive forensic software suites make the forensics analysis easy and efficient and also provide a track record of acceptability by many courts.

The analysis consists of the following logical sequence of steps:

1. Eliminate from analysis all files known to be of no forensics interest, such as the executable portions of popular software. To ensure that what is eliminated is truly, for example, word.exe and not some other file that has been intentionally renamed with that name, the identification of “known” files is done on the basis of whether or not the digital digest of each such file matches exactly the correct digital digest of that file known from some dependable source.

6. This used to be done with software, such as Safeback v3 (http://www.forensics-intl.com/thetools.html), whose sole function was to make such identical copies. This function is included in today’s forensic software suites like Encase from Guidance Software.

2. Using digital digests of notable files that have already been encountered in other investigations (e.g., for bomb_recipe.txt), the investigator looks for all files known to be of interest.

3. What is left now is everything else that must be analyzed. The investigator must now analyze the entire remaining hard disk, notably including all unknown files, unallocated disk space, and the slack (space between end-of-file and end-of-cluster marks) for whatever is being sought. It is here that the investigator’s competence and experience come in. The forensic software has no idea what the investigator is looking for; it is up to the investigator to define the search in an effective manner. It may be for keywords (a simple task), images (also a simple task), or patterns of computer usage (a much harder task).

4. If nothing is found, the investigator may elect to look for evidence of any steganographically hidden data, especially if the computer contains telltale indicators that steganography software has been installed or used. Most forensic investigators are quite uninformed or misinformed about steganography (see Section 11.5). In a nutshell:

a. Amateurish steganography such as what is openly available over the Internet7 can be readily detected.

b. Professionally designed steganography that is used extremely sparingly and where the ratio of hidden files to overt files is very small cannot be detected.

5. If still nothing is found, then one usually quits unless the case is one of extreme significance (e.g., a case of national significance) that warrants the ultimate forensic investigation technique intended to find files that have actually been overwritten. This involves forensics microscopy, where the magnetic surface is examined with a high-power microscope that can actually look at individual magnetic particles to infer the minute perturbations indicative of what the magnetization may have been before a “zero” or a “one” was overwritten.

6. The last step is documenting the findings and presenting them.
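The digest steps of the procedure above (certifying that the investigator's copy matches the original, then eliminating or flagging files by digest rather than by filename, as in steps 1 and 2) as an added Python example; this is not code from the book, and the file contents and reference hash sets are constructed here where a real investigation would use a dependable published known-file set.

```python
import hashlib
import os
import tempfile

def digest_file(path, algo="sha1", chunk=1 << 20):
    """Stream a file through the chosen hash ('md5' or 'sha1' per the text, 'sha256' also works)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_copy(source, copy, algo="sha1"):
    """A copy is certified only if its digest equals the digest taken of the original."""
    return digest_file(source, algo) == digest_file(copy, algo)

def classify_files(paths, known_good, known_bad, algo="sha1"):
    """Steps 1-3 of the procedure, keyed on digest only, never on the filename."""
    buckets = {"eliminated": [], "notable": [], "remaining": []}
    for p in paths:
        d = digest_file(p, algo)
        key = "eliminated" if d in known_good else "notable" if d in known_bad else "remaining"
        buckets[key].append(p)
    return buckets

def demo():
    """Constructed sample: a genuine word.exe, a decoy renamed word.exe, a notable file, an unknown file."""
    files = {
        "programs/word.exe": b"MZ genuine word processor binary",
        "downloads/word.exe": b"this is not the real word.exe",
        "docs/recipe.txt": b"content hashed in an earlier investigation",
        "docs/letter.txt": b"ordinary unknown content",
    }
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full
        paths = {rel: write(rel, data) for rel, data in files.items()}
        known_good = {hashlib.sha1(files["programs/word.exe"]).hexdigest()}  # constructed reference set
        known_bad = {hashlib.sha1(files["docs/recipe.txt"]).hexdigest()}     # constructed reference set
        buckets = classify_files(paths.values(), known_good, known_bad)
        by_name = {k: sorted(r for r in paths if paths[r] in v) for k, v in buckets.items()}
        # Image copies: an exact copy certifies; a single altered byte does not.
        src = paths["programs/word.exe"]
        ok = write("ok.img", files["programs/word.exe"])
        bad = write("bad.img", files["programs/word.exe"][:-1] + b"?")
        return by_name, verify_copy(src, ok), verify_copy(src, bad)
```

The decoy in downloads/word.exe lands in "remaining" because its digest does not match the reference digest, exactly the renaming case step 1 guards against.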

7. See Steganos, JSteg, Hide and Seek, Steg Tools, and numerous others, all of which can be found at http://www.stegoarchive.com and elsewhere.