A Whodunit Featuring: Computers?

The most commonly accepted definition of forensics is: the use of science and technology to investigate and establish facts in criminal or civil courts of law. Most of us associate forensics with the study of physical evidence, human remains and the like, to solve crimes.

However, since the advent of the Internet age, a new discipline has evolved: Computer Forensics. It, too, studies "remains" of a sort, only the evidence resides inside people's computers. Computer forensics can involve several different types of investigation, such as recovering data deleted from hard drives, cracking or bypassing encryption, recovering damaged data, and reconstructing file and Web access history.

Many types of criminal and civil proceedings rely on evidence obtained by computer forensics specialists. Criminal prosecutors use computer evidence in cases such as homicide and financial fraud. Civil litigants use it in divorce, discrimination, and harassment cases. Insurance companies use it to detect fraud. Corporations use it to investigate sexual harassment and the theft or misappropriation of trade secrets. Law enforcement relies on it both when preparing search warrants and when handling computer equipment after a seizure.

The following are some examples of how computer forensics assisted in criminal and civil investigations:

In late 2001, Wall Street Journal reporter Alan Cullison's laptop computer was badly damaged in a truck accident on the way to Kabul. In Kabul, Cullison went into a shop looking for replacement parts. The salesman directed him to someone selling a laptop, which turned out to have come from the abandoned home of someone involved with Al Qaeda. For $1,100 Cullison bought the laptop and a hard drive, and with help from Arabic speakers and computer experts he was able to get past the passwords and encryption protecting some 1,750 files. They detailed everything from internal politics to the mission of an Al Qaeda operative whose reported movements mirror those of Richard Reid, the alleged "shoe bomber" on American Airlines flight 63. The Journal handed copies of the drives to the federal government and published details of its findings in a December 31, 2001 article.

In the winter of 1999, during contract negotiations, a Northwest Airlines flight attendant hosted a message board on his personal Web site. Among the messages were anonymous posts by Northwest employees urging co-workers to take part in sick-outs, which are illegal under U.S. federal labor law. After more than 300 flights were cancelled that season, a federal judge permitted Northwest Airlines to search union office computers and employees' personal computers to obtain the identities of the anonymous posters.

An engineering firm suspected that an insider was transmitting valuable intellectual property out of its network. When a Seattle-based forensics consulting firm investigated the case in June 2000, it could not find the evidence on the local hard drive. After checking the mail logs, however, investigators found two e-mails with harmless-looking image attachments sent by an engineer. The images concealed two of the company's most precious engineering specifications by means of steganography, the hiding of information inside a more innocuous kind of communication.

After Oracle Corp. fired employee Adelyn Lee in 1992, the one-time girlfriend of Larry Ellison, Oracle's billionaire chairman, Ellison received a message purportedly from one of his vice presidents saying "I have terminated Adelyn per your request." Ellison fired back: "Are you out of your mind! ... I did not want to get involved in the decision for obvious reasons." Lee sued over her firing and settled with Oracle in 1993 for $100,000. But in 1994 prosecutors showed that she had sent the incriminating e-mail to Ellison herself, forging the vice president's name from his own account; she was ordered to repay the money and sentenced to one year in prison.

For a complete account of how computer forensics figured in the recent conviction of David Westerfield for the murder of Danielle Van Dam, see: http://www.uniontrib.com/news/metro/danielle/20020318-9999_mz1b18police.html

Old Data Can Come Back to Haunt You

You know how no matter what you do, there are certain things you just can't seem to get rid of? Well, computer files are like that. When you delete a file, the file system simply removes the directory entry that points to the file's location, so the file "disappears" from listings. The data itself stays on the hard drive indefinitely, until that space is needed and is overwritten by another file. So although you can no longer "get" to it, it is still there, lurking, waiting until the space it occupies is reused.

Because of this, deleted or altered text can be recovered by scanning the hard drive. Many applications save a file by writing a fresh copy and only then releasing the old one, rather than overwriting the original in place, so the previous version lingers on the disk for an indefinite amount of time.

These superseded versions and deleted files become part of the hard drive's "free space," the unallocated area between recognized files. A computer forensics specialist can readily use disk-scanning software to search that area for altered and deleted files.
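To make the mechanism concrete, here is an added illustration written for this article (it is not code from any of the sources listed below). It builds a toy block device in Python with a directory that maps file names to blocks, then shows that an ordinary delete only drops the directory entry, that a "save" which writes a fresh copy leaves the previous version in free space, and that the same printable-string scan a forensic tool applies to unallocated space (or to a swap or temporary file) pulls both back out. The block size, disk size and the sample memo text are all made up for the demonstration; the `wipe` method shows the overwrite that is actually needed to remove the bytes.

```python
# Added illustration (not from the original article): a toy block device
# showing why deleted and superseded files linger in unallocated space.
import re

BLOCK_SIZE = 64      # assumed toy geometry, far smaller than a real disk
NUM_BLOCKS = 32


class ToyDisk:
    """Minimal filesystem: a directory (name -> block numbers) plus a flat
    bytearray standing in for the platters. Only the directory says which
    blocks are 'in use'; the bytes themselves are never touched on delete."""

    def __init__(self):
        self.raw = bytearray(NUM_BLOCKS * BLOCK_SIZE)
        self.directory = {}                 # live entries only
        self.free = set(range(NUM_BLOCKS))  # blocks no live file claims

    def _allocate(self, count):
        if len(self.free) < count:
            raise OSError("disk full")
        blocks = sorted(self.free)[:count]  # lowest free blocks first
        self.free.difference_update(blocks)
        return blocks

    def _block(self, b):
        return bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])

    def write(self, name, data):
        """Save a file. Like many editors, this writes a fresh copy and only
        then releases the previous version's blocks, so the old bytes stay
        readable in free space until some later write lands on them."""
        count = max(1, -(-len(data) // BLOCK_SIZE))   # ceiling division
        blocks = self._allocate(count)
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.raw[start:start + BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        previous = self.directory.get(name, [])
        self.directory[name] = blocks
        self.free.update(previous)          # old version is now "free space"

    def read(self, name):
        return b"".join(self._block(b) for b in self.directory[name]).rstrip(b"\0")

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the data in place."""
        self.free.update(self.directory.pop(name))

    def wipe(self, name):
        """What it actually takes to remove a file: overwrite its blocks before
        releasing them. This does nothing for older versions already sitting in
        free space, which is why whole-free-space wiping tools exist."""
        for b in self.directory[name]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = b"\0" * BLOCK_SIZE
        self.delete(name)

    def listing(self):
        return sorted(self.directory)

    def recover_free_space(self, min_len=8):
        """What a forensic scan does: read every block no live file claims and
        pull out runs of printable text, much like the Unix 'strings' tool.
        Blocks are read in disk order, so a file that occupied adjacent blocks
        comes back as one run; a fragmented one comes back in pieces."""
        unallocated = b"".join(self._block(b) for b in sorted(self.free))
        return [m.group().decode() for m in
                re.finditer(rb"[ -~]{%d,}" % min_len, unallocated)]


if __name__ == "__main__":
    disk = ToyDisk()
    # Constructed sample memo: two drafts, then the file is deleted.
    disk.write("memo.txt", b"Draft 1: move the engineering specs out on Friday")
    disk.write("memo.txt", b"Draft 2: nothing unusual to report")
    disk.delete("memo.txt")
    print("directory:", disk.listing())           # nothing listed...
    for text in disk.recover_free_space():        # ...but both drafts are on disk
        print("recovered:", text)
```

Run the script and the directory comes back empty while both drafts are recovered from the unallocated blocks. The scan itself knows nothing about files; it only looks for readable text, which is exactly why it works just as well on a swap file or an orphaned temporary file as on the free space between deleted files.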

A major source of forensic evidence for a computer investigator is the swap file and the temporary file locations, neither of which is commonly recognized by the everyday user. The swap file is an area of the hard disk that both Windows and Unix use to hold pages of memory that are not currently needed in RAM. That means it can contain sensitive information that was never meant to be written to disk at all, such as passwords and copies of documents that were only ever open in memory. Windows and many applications also create temporary files, such as autosave copies kept so that work can be recovered after a crash. These are stored at unadvertised locations on the hard drive and, unless specifically removed, can remain there indefinitely.

Other major sources of evidence are network backups and e-mail. Even if you destroy every trace of a file on a personal computer, if the file was ever on a network there is a good chance that a copy is on a backup tape. Copies of e-mail can likewise be on tape backups, as well as on multiple servers around the world, depending on where it was sent. Deleted e-mail also typically stays on the server for a while, from a day to a week or more depending on the server's retention policy.

Finally, the registry is another source of forensic evidence. In Windows 95/98/Me, the registry is the collective name for two files, USER.DAT and SYSTEM.DAT (the Windows NT/2000/XP line splits it into several "hive" files, including a per-user NTUSER.DAT), which store convenient properties such as the icons on the desktop and the resolution of the monitor. But other information is also stored there, such as your name, recently visited Web pages, software installation and uninstallation history, serial numbers, passwords saved by applications, and traces of messages downloaded from newsgroups.

Check out the CameraWare Newsletter next month for the second installment of this article, and learn how to protect your data—and what your rights are in this age of the Internet and computer forensics.

Sources:

Tu Tran. Computer Forensics and Your Rights. Mills College, 2002.

Cullison, Alan and Andrew Higgins. “Files Found: A Computer in Kabul Yields a Chilling Array of al Qaeda Memos.” The Wall Street Journal. 31 December 2001: A1.

Caloyannides, Michael. Computer Forensics and Privacy. Boston, MA: Artech House, 2001.

Radcliffe, Deborah. "Steganography: Hidden Data." Computerworld. 10 June 2002.

Fries, Jack. “Beware of What You Say in Email!” IIAA’s Virtual University. January 2002.

Eye On CameraWare newsletter is Copyright © 2002 Touch Technologies, Inc. All rights reserved.