1.3 If you have done nothing illegal, you have nothing to fear: not true anywhere!
3. One may have done nothing wrong, but at least some of the many people with arrest authority might—wrongly—think he or she has. To prove one’s innocence may take financial resources that far exceed what a common mortal has and still not succeed; witness the number of individuals exonerated with DNA forensics, after they had been executed in the United States. The situation can reasonably be expected to be far worse in the many countries that have far fewer safeguards against the miscarriage of justice than the United States has.
4. One may have been framed by law enforcement. Sadly, as was illustrated in a recent case in Los Angeles [5] when a handcuffed person was shot to death by police, who then framed him for a crime, such gross abuses of police authority can occur even in the most advanced countries, let alone in ones where policemen are emperors in effect.
Furthermore, privacy is not a “cover for crimes,” as some law enforcers would assert, because
1. There are some activities, such as having conjugal relations with their spouse, visiting the lavatory, and so forth, that civilized people want to keep private. The presumption that one would only want to keep some activities private out of fear of incrimination is therefore patently false.
2. Given that different people hold different religious and other beliefs, it is often very dangerous for one to allow his or her locally unpopular beliefs to be known by others.
3. Civilized countries require police to have warrants before any search or seizure; the same goes for interception of telephone conversations. This does not mean that one has something to hide; it means that society has decided that the right to privacy supersedes any police desire to monitor everybody’s house, bedroom, bathroom, and office. Warrants are issued (in theory at least) by an impartial judge after police have made a compelling case for each. The idea that citizens should surrender privacy in order to prevent crime is why the U.S. Constitution has Fourth and Fifth Amendments. The framers of the U.S. Constitution recognized that government will find it easier to try to take citizens’ rights away than to concentrate on specific law enforcement problems. As all totalitarian regimes demonstrate, it is easier to treat all people as criminals than it is to catch the criminals. And, in general, violating citizens’ privacy does little or nothing to prevent crime.
5. See www.wsws.org/articles/2000/mar2000/lapd-m13.shtml, http://projects.is.asu.edu/pipermail/hpn/2000October/001706.html, and www.worldfreeinternet.net/news/nws185.htm, for example.
4. A pseudonymous Usenet posting in mid-December 2000 argued eloquently that the statement “If you are doing nothing wrong, you have nothing to worry about” implies an invalid presupposition. It is similar to the old joke “When did you stop beating your wife?” The (hopefully incorrect) presupposition there is that you were beating your wife. The incorrect presupposition with “If you are doing nothing wrong, you have nothing to worry about” is that privacy is about hiding something. Just as there is no way to answer the beating question without correctly resolving the incorrect presupposition, there is no way to answer the “nothing wrong” question without resolving the incorrect presupposition. Privacy is not about hiding something; it is about keeping things in their proper context. Why do we need to keep things in their proper context? For a host of reasons. One is that certain actions performed in the context of one’s home are legal, but when performed in the context of a public place are (usually) illegal. Taking a bath or shower, or having sex, for instance. The difference is the context. The action is the same. When one removes the context, things one does every day can suddenly become illegal.

1.4 Computer forensics
Computers have replaced a lot of paper. It is no surprise, therefore, that
instead of subpoenaing or confiscating paper records, one subpoenas and
confiscates computer records these days.
Additionally, e-mail has replaced a lot of paper correspondence, telephone calls, and even idle gossip by the water fountain. To a litigiously
minded person, e-mail is therefore a treasure trove of information because it
contains not only the information that used to be on paper in years past, but
also contains
1. Information that never made it to paper (such as gossip and telephone conversations);
2. Information about the information (such as when something was said or written, when it was modified, who else it was sent to, and when it was ostensibly deleted, all of which is referred to as “metadata”).
Ultimately, computer forensics is done because it can be done cheaply
and also because it usually pays off.
1.4.1 User rights to privacy?
User rights to privacy are highly country-specific.
In the United States, for example, employer-owned computing resources in the workplace can be examined at all times by the employer. The concept of “reasonable expectation of privacy” applies where an employee can show that he or she had a reasonable expectation of privacy. This expectation evaporates into thin air, however, when the employee has had to sign a preemployment document advising each employee that the employer’s computers can be monitored at will by the employer, or when the employee is faced with a splash screen warning at every login attempt to the effect that use of the employer’s computers or network constitutes consent to monitoring.
In the United Kingdom and most European countries, stricter guidelines
apply even to employer-owned computers and networks.
1.4.2 The forensics investigator must know up front
If evidence gathered in a forensics investigation is to be used in legal, or
even administrative, proceedings against someone, then the forensic investigator must know this up front so that the collection and handling of the
data is done in strict adherence to legally sanctioned rules about collection
and the chain of custody.
These rules amount to procedures that must be followed to ensure the
following:
1. The data claimed to be in the suspect’s computer is provably coming from the suspect’s computer and was in no way altered by the process of extracting it. If the suspect’s computer was booted (turned on), for example, then a forensics examiner can no longer claim that no alteration was made to the suspect’s computer, because the process of booting Windows from someone’s hard disk writes data to that hard disk (e.g., to the swap file, the desktop.ini file).
2. The data collected from the suspect’s hard disk (or any other media) has been handled in a manner that could not possibly have allowed that data to be contaminated or otherwise changed between the time it was collected and the times that it was analyzed and presented to a court or administrative body.
If the forensics examination is held for information gathering purposes,
then the above strict legal requirements need not be followed. Other
requirements may need to be followed, depending on the specifics of the
situation. For example, it may be essential not to alert the subject of a forensics investigation that such an investigation is being done.
1.4.3 Forensics is deceptively simple but requires vast expertise
Contrary to popular belief, there is no mystery to computer forensics. This is why a huge cottage industry of self-appointed computer forensics “experts” has come into existence during the last few years. Sadly, while there are numerous experienced and competent computer forensics experts, it is getting increasingly difficult to identify them in this sea of mediocrity.
Even though the basics of computer forensics are very easy, computer
forensics requires experience and competence. The reason for this apparent
contradiction is that whereas anybody can use a forensic software package
to browse through a target disk, experience and competence are required to
determine the following:
1. What to look for: Computer forensic software merely opens the door and does not point the investigator towards anything. Like an experienced detective, the investigator must, based on experience and knowledge, know what to look for in a nearly limitless sea of data.
2. Where to look for what is sought: Going through the few hundred billion bytes of a typical modern hard disk is pointless unless one knows where to look. Again, there is no substitute for knowledge and experience. As an example, computer forensic software will not tell the inexperienced investigator that netscape.hst, which is not readable with a text editor, contains the history of a user’s activities with the popular Web browser Netscape Navigator/Communicator. The experienced investigator has to be familiar with the peculiarities of a large number of computer software packages to know where each stores what and for how long.
3. What indicators to look for that suggest what is hidden and where: Often, what is of interest is not a word or a fragment of an image but something far more elusive, such as the following:
a. Indication that a file or a disk has been overwritten. Why was it overwritten, when, and with which software?
b. Indication that the disk being investigated contains (or contained) software whose use suggests a sophistication beyond that of the disk’s owner. Is that owner benefiting from the technical support of others? Who? Why?
c. Indications of incongruity. The disk’s owner is a shoe salesman who hates computers, yet his computer has large, digitized sound files. Why? Are they a cover for steganography?
The worst-case scenario, which plays itself out on a regular basis in
courtrooms around the world, is when an inexperienced computer forensics
person testifies in the court of a technology-challenged judge and jury, who
believe every word that this presumed expert says. Judges and juries (and,
sadly, most defense attorneys who went to law school before computers
became a staple of daily life) believe incorrectly that:
1. Just because some data was found in a suspect’s computer, the suspect put it there; this is patently false.
2. The data about every file in a computer (e.g., date/time stamp of a file, when it was moved from which folder to which folder, when it was renamed or deleted) is sacrosanct, believable, and unchangeable by another person; this, too, is patently false, as Section 1.4.6 discusses.

1.4.4 Computer forensics top-level procedure
If a computer to be investigated is on, the first decision to be made is
whether to turn it off. Generally, one should turn it off unceremoniously,
not through an orderly shutdown process, which may involve steps to overwrite files. If the computer is networked and the process of turning it off
would alert an accomplice, then one has to assess the pros and cons of turning it off.
The next step should be to photograph the screen (if it was on), all connections to the computer, and the insides of the cabinet.
Because the process of booting the Windows-based computer will most
likely write onto any connected hard disk, the investigator must never boot
that computer. Instead, all magnetic media (hard disks, floppy disks, superfloppies, Zip and Jaz disks, and so forth) must be disconnected from the
computer and copied individually onto the forensic investigator’s hard disk;
this must be done after a digital digest (hash value), using either the MD5
or, preferably, the SHA-1 hashing algorithm, is applied so that the investigator’s copy can be certified to be an exact copy of the original.
Copying one hard disk onto another is fraught with danger unless special
care is taken, especially if the source and the target disks (i.e., the suspect’s
and the investigator’s disks) are the same size; this is so because it is easy to
make the mistake of copying the investigator’s hard disk onto the suspects,
rather than the other way around. Ideally, the investigator should have a
box dedicated to performing this task without the possibility of error.
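The acquisition step just described, hashing the original before (or while) it is copied and then checking the copy against that digest, can be scripted in a few lines. The following is an added example, not code from the book or from any of the tools it names; the "suspect medium" is a constructed byte string standing in for a disk, and the single-byte change simulates what booting the machine would do to it.

```python
"""Verify that a forensic copy of a medium is bit-for-bit identical to the original.

Added example (not from the book). The media below are constructed byte strings
standing in for a suspect's disk and the investigator's copy of it.
"""
import hashlib
import io

CHUNK = 512  # read in sector-sized pieces so a multi-gigabyte image never sits in memory


def digest_media(medium):
    """Return the MD5 and SHA-1 hex digests of a medium (bytes or a binary stream)."""
    stream = io.BytesIO(medium) if isinstance(medium, (bytes, bytearray)) else medium
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquire(source):
    """Hash the source and copy it in a single pass; returns (copy_bytes, digests).

    The digests are computed from exactly the bytes that were read, so they
    certify the original as it was at acquisition time, before any analysis.
    """
    src, copy = io.BytesIO(source), io.BytesIO()
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        copy.write(block)
    return copy.getvalue(), {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_copy(acquisition_digests, medium):
    """True only if the medium hashes to the digests recorded at acquisition."""
    return digest_media(medium) == acquisition_digests


# Constructed sample medium: a fake boot sector, then a small text file padded to a sector.
SUSPECT_MEDIUM = (b"\xEB\x3C\x90MSWIN4.1".ljust(CHUNK, b"\x00")
                  + b"Meeting notes, 14 Dec 2000".ljust(CHUNK, b"\x00"))


def demo():
    """Acquire the sample medium, then show what booting it would do to verification."""
    copy, digests = acquire(SUSPECT_MEDIUM)
    intact = verify_copy(digests, copy)  # True: the copy matches the recorded digests

    # Simulate booting the suspect's machine: one byte in the "swap file" area is
    # rewritten. The original no longer matches its own acquisition digests.
    booted = bytearray(SUSPECT_MEDIUM)
    booted[600] ^= 0x01
    still_original = verify_copy(digests, bytes(booted))  # False: evidence changed
    return intact, still_original, digests


if __name__ == "__main__":
    print(demo())
```

The digests are recorded in the case notes alongside the copy; anyone can later recompute them from the copy and confirm it is unchanged. MD5 and SHA-1 are the two algorithms the text names; both are now considered broken for collision resistance, so current practice records SHA-256 as well (`hashlib.sha256` drops in the same way).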
Once the suspect’s hard disk is copied onto the investigator’s disk in a manner that can be shown to result in an identical copy of a suspect’s media [6], the actual forensics analysis begins. No special forensic software suite is needed; a judicious collection of numerous freeware tools would be adequate for someone who knows what to do, why, and how. All-inclusive forensic software suites make the forensics analysis easy and efficient and also provide a track record of acceptability by many courts.
The analysis consists of the following logical sequence of steps:
1. Eliminate from analysis all files known to be of no forensics interest, such as the executable portions of popular software. To ensure that what is eliminated is truly, for example, word.exe and not some other file that has been intentionally renamed with that name, the identification of “known” files is done on the basis of whether the digital digest of each such file matches exactly the correct digital digest of that file known from some dependable source.
6. This used to be done with software, such as Safeback v3 (http://www.forensics-intl.com/thetools.html), whose sole function was to make such identical copies. This function is included in today’s forensic software suites like Encase from Guidance Software.
2. Using digital digests of notable files that have already been encountered in other investigations (e.g., for bomb_recipe.txt), the investigator looks for all files known to be of interest.
3. What is left now is everything else that must be analyzed. The investigator must now analyze the entire remaining hard disk, notably including all unknown files, unallocated disk space, and the slack (space between end-of-file and end-of-cluster marks) for whatever is being sought. It is here that the investigator’s competence and experience come in. The forensic software has no idea what the investigator is looking for; it is up to the investigator to define the search in an effective manner. It may be for keywords (a simple task), images (also a simple task), or patterns of computer usage (a much harder task).
4. If nothing is found, the investigator may elect to look for evidence of any steganographically hidden data, especially if the computer contains telltale indicators that steganography software has been installed or used. Most forensic investigators are quite uninformed or misinformed about steganography (see Section 11.5). In a nutshell:
a. Amateurish steganography such as what is openly available over the Internet [7] can be readily detected.
b. Professionally designed steganography that is used extremely sparingly and where the ratio of hidden files to overt files is very small cannot be detected.
5. If still nothing is found, then one usually quits unless the case is one of extreme significance (e.g., a case of national significance) that warrants the ultimate forensic investigation technique intended to find files that have actually been overwritten. This involves forensics microscopy, where the magnetic surface is examined with a high-power microscope that can actually look at individual magnetic particles to infer the minute perturbations indicative of what the magnetization may have been before a “zero” or a “one” was overwritten.
6. The last step is documenting the findings and presenting them.
7. See Steganos, JSteg, Hide and Seek, Steg Tools, and numerous others, all of which can be found at http://www.stegoarchive.com and elsewhere.
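Steps 1 and 2 of the analysis above are a hash-set triage: files are sorted by the digest of their content, never by their name, so a renamed file cannot hide behind word.exe and a notable file cannot hide behind readme.txt. The following added example (not from the book, and not any vendor's code) shows that triage over a handful of constructed files; the known-good and notable sets are built here from placeholder content, where a real case would take the known-good set from a reference collection such as NIST's National Software Reference Library.

```python
"""Hash-set triage of files recovered from a forensic image (steps 1 and 2 above).

Added example (not from the book). Every file and reference hash here is constructed.
"""
import hashlib


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_hash_set(samples):
    """Map content digest -> label for a collection of reference files."""
    return {sha1_hex(content): label for label, content in samples.items()}


def triage(files, known_good, notable):
    """Sort files by content hash, never by name.

    Returns three lists of (name, reason): eliminated, flagged, remaining.
    """
    eliminated, flagged, remaining = [], [], []
    for name, content in files.items():
        digest = sha1_hex(content)
        if digest in known_good:
            eliminated.append((name, "matches known file: " + known_good[digest]))
        elif digest in notable:
            flagged.append((name, "matches notable file: " + notable[digest]))
        else:
            remaining.append((name, "unknown content; needs manual analysis"))
    return eliminated, flagged, remaining


# Constructed reference material (placeholders, not real binaries or documents).
VENDOR_WORD_EXE = b"MZ\x90\x00" + b"PLACEHOLDER FOR THE VENDOR-SHIPPED EXECUTABLE"
PREVIOUSLY_SEEN = b"PLACEHOLDER CONTENT OF A FILE SEEN IN AN EARLIER CASE"

KNOWN_GOOD = build_hash_set({"word.exe (vendor release)": VENDOR_WORD_EXE})
NOTABLE = build_hash_set({"notable_document.txt (earlier case)": PREVIOUSLY_SEEN})

# Constructed files "found" on the image. Note the two word.exe entries and the
# innocuous-looking readme.txt.
SAMPLE_FILES = {
    "Program Files/Office/word.exe": VENDOR_WORD_EXE,        # genuine: eliminated by hash
    "Documents/word.exe": b"not the real executable, just renamed",  # name lies: stays in scope
    "Documents/readme.txt": PREVIOUSLY_SEEN,                # notable content under a bland name
    "Documents/holiday.doc": b"\xD0\xCF\x11\xE0 list of holiday photos",  # unknown: analyze
}


def demo():
    return triage(SAMPLE_FILES, KNOWN_GOOD, NOTABLE)


if __name__ == "__main__":
    for bucket, entries in zip(("eliminated", "flagged", "remaining"), demo()):
        for name, reason in entries:
            print(f"{bucket:10s} {name}: {reason}")
```

The order of the two lookups matters only for reporting; what matters for the case is that a file is removed from scope solely because its content matches a trusted digest, and that "word.exe" in a user's documents folder, whose content matches nothing, remains in the pile for step 3.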
1.4.5 Forensics specifics
As already stated, one does not need all-inclusive forensic software except
for the convenience and the acceptability of their analysis in some nontechnical circles. A good complement of freeware can do the requisite individual
tasks. For example, searching an entire hard disk for keywords is easily done
with SectorSpyXP, which is available online from numerous sources. This is
depicted in Figure 1.1, where the software was asked to find the keyword
“Windows.”
One must be cautioned that often a keyword (e.g., “bomb”) does not appear intact in any single sector; part of it (e.g., “b”) may be in one sector and part of it (e.g., “omb”) may be in a distant sector. This is so because Windows writes files on whichever sectors it finds available at the time, and it may very well break a single file into numerous noncontiguous sectors.
Keyword searching for “BOULAMITE” will take one to the sector that
has the Windows registered owner’s name and affiliation.
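The caution above, that a keyword can straddle a sector boundary or even be split across distant sectors, is easy to demonstrate. The following added example (not from the book and not SectorSpyXP's code) builds a small constructed image in which the keyword “Windows” appears once across two adjacent sectors and once split between two non-adjacent sectors, then runs three searches over it: per sector (what a naive sector viewer does), over the image as one byte stream, and over a file reassembled from its cluster chain. The cluster chain is an assumption of the example, standing in for what a FAT would record.

```python
"""Keyword search on a raw image: per sector, linear, and file-aware.

Added example (not from the book). The image and the cluster chain are constructed;
"Windows" is the keyword the book's SectorSpyXP illustration uses.
"""
SECTOR = 512
KEYWORD = b"Windows"


def build_image():
    """Eight zero-filled sectors with the keyword placed in two awkward ways."""
    img = bytearray(8 * SECTOR)
    # Occurrence 1 straddles the boundary between sectors 1 and 2 ("Win" | "dows").
    start = 2 * SECTOR - 3
    img[start:start + len(KEYWORD)] = KEYWORD
    # Occurrence 2 is split across non-adjacent sectors: the file's cluster chain
    # runs sector 6 -> sector 3, so "Win" ends sector 6 and "dows" opens sector 3.
    img[7 * SECTOR - 3:7 * SECTOR] = KEYWORD[:3]
    img[3 * SECTOR:3 * SECTOR + 4] = KEYWORD[3:]
    return bytes(img)


def search_per_sector(image, keyword):
    """What a naive sector viewer does: look inside each sector in isolation."""
    hits = []
    for i in range(0, len(image), SECTOR):
        if keyword in image[i:i + SECTOR]:
            hits.append(i // SECTOR)
    return hits


def search_linear(image, keyword):
    """Search the image as one byte stream; catches straddles of adjacent sectors."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits


def search_chain(image, chain, keyword):
    """Reassemble a file from its cluster chain (sector numbers in file order), then search."""
    data = b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in chain)
    return search_linear(data, keyword)


def demo():
    image = build_image()
    return (search_per_sector(image, KEYWORD),     # []     no sector holds the whole keyword
            search_linear(image, KEYWORD),         # [1021] only the adjacent-sector straddle
            search_chain(image, [6, 3], KEYWORD))  # [509]  the split one, once reassembled


if __name__ == "__main__":
    print(demo())
```

The linear search is the cheapest improvement over a per-sector view, but it still misses the second occurrence, which only exists once the file is put back together in logical order; a search that also covers slack and unallocated space has no chain to follow there and can only report the fragments.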
All-inclusive forensic software suites like Encase from Guidance Software can also handle numerous personal digital assistants (PDAs), Redundant Array of Inexpensive Disks (RAID) disks, and Flash media (e.g., the popular Universal Serial Bus (USB) key-like plug-ins that seem to be replacing floppy disks as temporary storage media); such media are formatted like a hard disk with a file allocation table (FAT) and have their own slack and unallocated space, like a disk.
Figure 1.1 Keyword search with SectorSpy XP.
It is noteworthy that renaming a file to something less alerting (e.g., bomb.jpg to holy.txt) actually works against you. Each file type (such as .jpg files) has a unique header that is not changed when the file’s name is changed. In the case of .jpg files, that header is “\xFF\xD8\xFF\xFE”; changing the file’s name to holy.txt will only cause that file to be flagged to the forensic investigator as an intentionally misnamed file, as shown below, thereby subjecting it to even more scrutiny. In Figure 1.2, an example from Encase software, “!Bad signature” means that the file suffixes (.wpg and .xls) in these files’ names do not match the headers at the beginnings of these files.
Amusingly, the practice of misnaming files to confuse others appears to
have also been practiced by Microsoft in the case of the logos.sys and
logow.sys files; both of these files have a .sys suffix, suggesting that they are
system files whose removal will prevent the computer from booting; in fact,
they are bitmaps of splash screens (i.e., ads for Microsoft).
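The “!Bad signature” check described above compares what a file's name claims with what its first bytes say. The following added example (not from the book and not Encase's code) does the same over a few constructed files, including the book's renamed holy.txt and a bitmap carrying a .sys name. It checks the three-byte prefix FF D8 FF that every JPEG file shares (the fourth byte depends on the first marker; the book's FE is the comment-marker variant); the signature table is a small sample of well-known magic numbers, not a complete one.

```python
"""Flag files whose name extension disagrees with the content's signature.

Added example (not from the book). The signature table is a short sample and the
files checked are constructed.
"""
import os

# (signature bytes, file type). JPEG files all begin with FF D8 FF.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"BM", "bmp"),  # two bytes only; a real tool also validates the BMP header fields
]

# What the name claims. Extensions absent here (for example .txt or .sys) promise no signature.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".exe": "exe", ".dll": "exe", ".bmp": "bmp",
}


def detect_type(data):
    """Return the type named by the first matching signature, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_file(name, data):
    """Return 'match', 'bad signature' or 'no signature' for one file."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(name)[1].lower())
    actual = detect_type(data)
    if claimed is None and actual is None:
        return "no signature"  # neither the name nor the content commits to a type
    return "match" if claimed == actual else "bad signature"


# Constructed sample files.
JPEG_HEAD = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_FILES = {
    "holy.txt": JPEG_HEAD,               # the book's renamed bomb.jpg
    "photo.jpg": JPEG_HEAD,
    "logos.sys": b"BM" + b"\x00" * 40,   # a bitmap wearing a .sys name
    "notes.txt": b"Just some text.",
    "report.pdf": b"Not really a PDF",   # the name promises a signature the content lacks
}


def demo():
    return {name: check_file(name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:14s} {name}")
```

Both directions of mismatch are reported: content with a signature under an extension that promises none (holy.txt, logos.sys) and an extension that promises a signature over content that has none (report.pdf). Plain text under a plain name is simply unverifiable and is left for the keyword search.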
Searching for the link files (.lnk) in the following locations will show which shortcut was created, when, and to which file:
◗ Windows\Desktop;
◗ Windows\Recent;
◗ Windows\Start;
◗ Windows\Send.
Such files could be used to contest defense claims that a suspect had no idea what a file was or how it got there.
The investigator can also search in print spooler files, because files sent to
a printer are usually spooled in a file on the hard disk before being printed.
The spool file is not intentionally overwritten by Windows. There are two
kinds of printer spool files:
1. Shadow (.shd) files show the file’s owner, printer name, file name, and printing method [“raw” or enhanced metafile format (emf)].
2. The .spl file, which also contains the file to be printed, is created even if one prints from a floppy disk.
Figure 1.2 Easy identification of modified file suffixes.
The existence of a file in the printer spool can again contest defense claims that a suspect had no idea what a file was or how it got there, unless the printing action is claimed to have been intended to answer that question.
Deleted folders and their contents’ names can often be recovered as well,
as long as the data has not been overwritten. Encase and similar software
programs make this process easy, as shown in Figure 1.3.
Files sent to the Recycle Bin (a British-sounding term, as opposed to the
American term trash can, reportedly conjured up by Microsoft to avoid a
legal battle with Apple Computer about its “Trash” icon) can be recovered
even if they have been deleted as long as they have not been overwritten.
Even if they have been overwritten, their names can often be recovered
from the INFO file that is created whenever a file is added to the Recycle
Bin, as shown in Figure 1.4.
Figure 1.3 Recovering deleted folders with Encase.
Figure 1.4 Recovering deleted files even from the Recycle Bin.
New Technology File System (NTFS) security permissions are irrelevant
and offer no protection from a forensic investigator because the investigator
is not operating within a Windows environment in the first place.
The forensic software can also search for the metadata about files (e.g.,
date of creation) unless the file was created with DOS prior to version 7.
Depending on the software package, operating system, and language
support added, computer forensics is obviously not limited to the Latin
alphabet, but can handle foreign languages as well, as shown in Figure 1.5.
An investigator who is comfortable with a particular foreign language
can do a keyword search in that language just as well as he or she can in
English. Indeed, today’s national security organizations must have the in-house competence to handle computer forensics in numerous foreign languages, including languages written right to left.
Equally important, a competent forensics investigation should also
include search on metadata, such as when a file appears to have been created, renamed, moved, deleted, overwritten, and so forth. A computer
forensics investigation should also be able to reconstruct, to the extent possible, even deleted “compound files” [i.e., files whose data is shared among
more than one individual files, as is the case with Registry, Microsoft Outlook, and Outlook Express files (.dbx and .pst files), among others]. An
example of an Outlook e-mail file reconstructed with Encase is shown in
Figure 1.6.
Figure 1.5 Foreign-language forensics.
Figure 1.6 Forensics on Outlook and Outlook Express.

1.4.6 Digital evidence is often evidence of nothing
Courts, judges, and juries are increasingly faced with computer forensic evidence rather than physical evidence. Because judges and juries are, on the average, quite uninformed about the admissibility and believability of what is presented as evidence, “experts” are usually summoned to testify and inform the court about these issues; the problem is that most (but not all) of these computer forensics “experts” have a vested interest in their stock in trade, which can be reasonably expected to slant their views in support of the professed infallibility of computer forensics.
Unlike conventional analog data, such as the shade of gray or the subjective recollection of a witness, digital data, which takes one of two very
unambiguous values (zero or one), is misperceived by the average person as
endowed with intrinsic and unassailable truth.
In fact, quite the opposite is true. Unlike conventional analog data and
evidence, for which experts with the right equipment can often detect tampering, digital data can be manipulated at will, and depending on the
sophistication of the manipulator, the alteration can be undetectable,
regardless of a digital forensics expert’s competence and equipment.
The potential for a miscarriage of justice is vast, given that many defense
lawyers, judges, and juries are unaware of the esoteric details of computer
science. This “dirty little secret” about digital evidence is conveniently soft-pedaled by the computer forensics industry and by the prosecution, both of
which focus on those other aspects of the process of collecting, preserving,
and presenting digital data evidence that are indeed unassailable, such as
the chain-of-custody portion of handling digital evidence.
Let’s take a common example of computer evidence. A suspect’s hard disk is confiscated and subjected to forensics analysis, and a report generated for the court states that the hard disk contained this or that file, that these files’ dates were this and that, and that these files were renamed or printed on this and that date, thereby negating the suspect’s claim that he did not know of the existence of these files, and so forth.
A typical judge or jury will accept these facts at face value, but should
not for the following reasons:
1. The data found on someone’s hard disk (or other mass-storage media) could indeed have entered that hard disk through any of the