
Computer Forensics

By Michael Potaczala

CHS5937

Topics in Forensic Science

12/6/2001

Table of Contents

1. History of the discipline ... 1
2. Important achievements in the discipline ... 2
3. Historic and current leaders in the field ... 2
4. Leading texts and scientific journals dealing with the discipline ... 4
5. Names and backgrounds of research and peer organizations ... 12
6. Certification programs ... 19
7. The scope of the discipline ... 19
8. Summarize a training program (length, method of training [classroom, internship, combination]; scope; sources of training; etc.) ... 21
9. Various forms of examinations conducted ... 22
10. How findings are reported ... 23
11. Scientific principles utilized in the discipline ... 24
12. Instrumentation used in the discipline ... 30
13. Problems that have arisen in the discipline (technological flaws, unqualified "experts", high error rates, etc.) and how they have been addressed ... 31
14. Goals for advancement utilizing future technologies ... 31
15. History of court admissibility under both Frye and Daubert ... 33
16. An interview with at least one specialist in the discipline ... 36


1. History of the discipline

The roots of computer forensics start with the first time a system administrator had to figure out how and what a hacker had done to gain unauthorized access to explore the system. This was mainly a matter of discovering the incursion, stopping the incursion if it was still in progress, hunting down the hacker to chastise him or her, and fixing the problem that allowed the unauthorized access to begin with. In the beginning, the classic hackers breaking into computer systems were more interested in how things work than in actually being malicious. So, collecting evidence for a hearing was not a process a system administrator needed to worry about. Just plug the hole, and often get back to personal hacking projects.

As computers evolved out of academia to businesses and government, there were more data and resources at risk. Hacker incursions became an issue handled through legal channels. Also, as computer technology advanced, it became more affordable. This allowed computers to be put not only on each employee's desk, even in small businesses, but in people's homes. More people looking for uses for the computers led to an increase in the supply of programs. More programs meant more types of information collected as possible evidence.

Evidence derived from computers has been used in court for almost 30 years. Initially, judges accepted the evidence as no different from forms of evidence they were already seeing. As computer technology advanced, the accepted similarities to traditional evidential material became ambiguous. In 1976, the US Federal Rules of Evidence were passed to address some of the ambiguities.

A lot has evolved with computers since 1976. One item of significance is the Internet. This information superhighway has become a major passage for items that fall under legal scrutiny. Another item is the amount of data an individual computer can hold. Personal computers of the early 1980s had no internal storage, and the removable storage only held 360 kilobytes per diskette. Today, an average personal computer bought for teenage game playing and Internet cruising holds 40 billion bytes of data internally, and removable disks hold from 2 million bytes to 2 billion bytes. Large server computers used by academia, government, and business start with internal storage averaging 100 billion bytes and have the expandability to use storage devices holding trillions of bytes of data.

This explosion of technology, while providing many times the computing power of the building-size computers of the beginning, has made the field of computer forensics exponentially more complicated compared to the relatively simple tasks of evidence gathering only 5 years ago.

2. Important achievements in the discipline

Ability to intercept a Palm Pilot PDA password, either by monitoring the traffic between the PDA and a workstation with a Palm Pilot cradle or by initiating a synchronization update between the password-protected PDA and a second PDA.

Ability to analyze image files to detect whether a message is hidden in the file using steganography. Niels Provos and Peter Honeyman at the University of Michigan have developed a process using statistical analysis of a JPEG image to detect whether there is a steganographic item stored in the JPEG. Neil Johnson, a researcher at George Mason University, is working on being able to identify steganographic items in BMP and GIF image files as well as WAV and AU sound files.
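The steganalysis described above rests on a statistical property of the carrier: when message bits replace the least significant bits of the samples, the histogram flattens so that each pair of values (2k, 2k+1) ends up with nearly equal counts, whereas untouched data rarely has that symmetry. The following is an added example, not code from this paper or from Provos and Honeyman's tool: it implements the chi-square pairs-of-values test over a constructed array of 8-bit sample values (plain samples rather than JPEG DCT coefficients, an assumption made here to keep the example self-contained), simulates full-capacity LSB embedding on a copy of that data, and reports how strongly each data set looks embedded. The names `pairs_of_values_chi_square`, `embedding_probability`, `make_clean_samples` and `embed_lsb` are this example's own.

```python
"""Chi-square pairs-of-values steganalysis on constructed 8-bit samples (added example)."""
import math
import random


def pairs_of_values_chi_square(samples):
    """Return (chi2, degrees_of_freedom) of the pairs-of-values test.

    LSB replacement never moves a sample out of its pair (2k, 2k+1); it only
    redistributes counts within the pair. At full capacity with random message
    bits both members converge to the pair mean, so chi2 collapses to roughly dof.
    """
    hist = [0] * 256
    for s in samples:
        hist[s & 0xFF] += 1
    chi2, categories = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected == 0:  # an empty pair carries no information
            continue
        chi2 += (hist[2 * k] - expected) ** 2 / expected
        categories += 1
    return chi2, max(categories - 1, 1)


def chi_square_upper_tail(chi2, dof):
    """P(X >= chi2) for a chi-square variable with dof degrees of freedom.

    Uses the Wilson-Hilferty normal approximation, which is accurate for dof
    above roughly 30 and avoids an incomplete-gamma routine.
    """
    mean = 1.0 - 2.0 / (9.0 * dof)
    sd = math.sqrt(2.0 / (9.0 * dof))
    z = ((chi2 / dof) ** (1.0 / 3.0) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def embedding_probability(samples):
    """High value => pair counts are equalised, i.e. consistent with LSB embedding."""
    chi2, dof = pairs_of_values_chi_square(samples)
    return chi_square_upper_tail(chi2, dof)


def make_clean_samples(n=20000, seed=2001):
    """Constructed stand-in for untouched samples: odd values are rarer than even ones,
    mimicking the uneven neighbouring-value counts of real carriers."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.3 else 0) for _ in range(n)]


def embed_lsb(samples, bits):
    """Replace the least significant bit of the first len(bits) samples with message bits."""
    out = list(samples)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (b & 1)
    return out


def random_message_bits(n, seed=7):
    """A constructed message: random bits, as an encrypted or compressed payload would look."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


if __name__ == "__main__":
    clean = make_clean_samples()
    stego = embed_lsb(clean, random_message_bits(len(clean)))
    for name, data in (("clean", clean), ("stego", stego)):
        chi2, dof = pairs_of_values_chi_square(data)
        print(f"{name}: chi2={chi2:.1f} dof={dof} p_embed={embedding_probability(data):.4f}")
```

The clean data set yields a chi-square statistic far above its degrees of freedom and an embedding probability near zero; after LSB replacement the statistic drops to about the degrees of freedom and the probability rises. Because a message may occupy only the start of a file, examiners run this test over successive windows of the data rather than once over the whole file, and a sudden drop in the statistic marks where the embedded region ends.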

3. Historic and current leaders in the field

Tracking current leaders in computer forensics is not an easy task. The people doing the cutting-edge work are commonly employed by agencies like the NSA or CIA. So, even if they can gain authorization to publish their work, the likelihood is that it isn't published under their actual name. When these people are able to publish their wealth of knowledge, it is after they have left the employer and all contractual silence has been honored. Outside of the government secret agencies, the next place leaders in the field are found is in the ranks of professors of Computer Science and Engineering and law enforcement personnel.

These are some of the people making advancements for Computer Forensics:

• Rebecca Gurley Bace
  Currently the president of Infidel, Inc., a consulting practice specializing in intrusion detection and network security technology and strategy. Before founding Infidel, Inc., she worked for the NSA for 12 years. She led the Computer Misuse and Anomaly Detection (CMAD) Research program from 1989 through 1995, as a charter member of NSA's Office of Information Security Research and Technology. She then left the NSA in 1996 to serve as Deputy Security Officer for the Computing, Information, and Communications Division of the Los Alamos National Laboratory.

• Peter Sommer
  Currently serving as a Visiting Research Fellow at the LSE Computer Security Research Centre and an established expert on computer security, advising stock exchanges and insurance companies on systems risk. As a trained lawyer he is especially well placed to develop his current research interest in the legal admissibility of computer-related evidence, especially in the context of computer crime. In December 1998 he was appointed Special Adviser in Electronic Commerce to the House of Commons Standing Committee of Science and Technology.

• Gene Spafford
  A Professor of Computer Sciences at Purdue University, where he has been on the faculty since 1987. His current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is also director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), and was the founder and director of the (now superseded) COAST Laboratory. He is also the interim Information Systems Security Officer for Purdue University. Related to this, he is the founder and de facto director of the PCERT (Purdue Computer Emergency Response Team).

• David J. Icove
  Presently employed by the Tennessee Valley Authority Police-Public Safety Service, Risk and Emergency Management Division. He also holds a position as an Adjunct Assistant Professor at the University of Tennessee in the Laboratory for Information Technologies. His primary background is working with fire, arson, and explosion cases.

• Dr. Neil F. Johnson
  Currently employed by George Mason University as the Associate Director of the Center for Secure Information Systems. His projects include steganography, covert communications, information assurance, and Cyber Warfare.

4. Leading texts and scientific journals dealing with the discipline

The number of texts available, although sparse, has grown immensely in recent months. This is a summary of ones I have found and, if not in my possession, brief write-ups available from the publishers.

Computer Fraud & Security. Published by Elsevier Science Ltd.
(http://www.elsevier.com/locate/compfraud)

Topics covered: Current News, Security Reports, Technical aspects, Audit and financial control methodologies, data encryption, risk management, network security, contingency planning and disaster recovery, access control, security software and software protection, authentication and validation

The International Journal of Forensic Computing. Published by Computer Forensics Ltd.
(http://www.forensic-computing.com/)

Topics covered: retrieving and examining evidence on PCs, evidence on mainframe, microcomputers and distributed systems, computer forensic methodology and working practices, investigative software, methods and techniques, password cracking techniques and cryptanalysis, disk imaging techniques, current legislation and the issue of admissibility, retrieving electronic mail for evidential use, forensic techniques on the Internet and Intranet, audit trails and automated methods to detect network misuse, investigating and combating fraud, evidence on electronic personal organizers, questioned documents and associated forensic sciences, link analysis, litigation support and courtroom presentations, disclosure of computer evidence, law enforcement search procedures, computers, evidence and civil litigation

Journal of Computer Security. Published by IOS Press
(http://www.csl.sri.com/programs/security/jcs/jcshome.html).

Topics covered: presents research and development results of lasting significance in the theory, design, implementation, analysis, and application of secure computer systems and networks. It also provides a forum for ideas about the meaning and implications of security and privacy, particularly those with important consequences for the technical community. The Journal provides an opportunity to publish articles of greater depth and length than is possible in the proceedings of various existing conferences, while addressing an audience of researchers in computer security who can be assumed to have a more specialized background than the readership of other archival publications.

Computer Forensics: Computer Crime Scene Investigation. John R. Vacca. Charles River Media. Dec 2001.

Topics covered: Comprehensive overview of the subject from definitions to data recovery techniques to auditing methods and services, discusses data seizure and analysis, preservation of computer evidence, reconstruction of events and information warfare, case studies and vignettes of actual computer crimes are used, and CD includes demos of the latest computer forensics and auditing software.

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Albert J. Marcella, Robert S. Greenfield. CRC Press. Dec 2001.

Topics covered: Identifying inappropriate uses of corporate IT, examining computing environments to identify and gather electronic evidence of wrongdoing, securing corporate systems from further misuse, identifying individuals responsible for engaging in inappropriate acts taken with or without corporate computing systems, and protecting and securing electronic evidence from intentional or accidental modification or destruction.

Cyber Crime Investigator's Field Guide. Bruce Middleton. CRC Press. Nov 2001.

Topics covered: Questions to ask the client, Steps to follow when you arrive at the client's site, Procedures for collecting evidence, Details on how to use various evidence collection and analysis tools, How to recover lost passwords or documents that are password protected, Commonly asked questions with appropriate answers, Recommended reference materials, A case study to see the computer forensic tools in action, Commonly used UNIX/Linux commands, Port number references for various services and applications, Computer forensic software tools commands synopsis, Attack signatures, Cisco PIX firewall commands

Handbook of Computer Crime Investigation: Forensic Tools & Technology. Eoghan Casey. Academic Press. Nov 2001.

Topics covered: The Other Side of Civil Discovery, The EnCase Process, Incident Response Tools, NFR Security, Tool Testing and Analytical Methodology, Windows Analysis, Unix Analysis, Network Analysis, Wireless Network Analysis, Embedded Systems Analysis, Homicide and Child Pornography, Internet Gambling, Computer Intrusions.

Computer Forensics: Incident Response Essentials. Warren G. Kruse II, Jay G. Heiser. Addison-Wesley Pub Co. Sept 2001.

Topics covered: Introduction to Computer Forensics, Tracking an Offender, The Basics of Hard Drives and Storage, Encryption and Forensics, Data Hiding, Hostile Code, Your Electronic Toolkit, Investigating Windows Computers, Introduction to Unix for Forensic Examiners, Compromising a Unix Host, Investigating a Unix Host, Introduction to the Criminal Justice System, Internet Data Center Response Plan, Incident Response Triage Questionnaire, How to Become a Unix Guru, Exporting a Windows 2000 Personal Certificate, How to Crowbar Unix Hosts, Creating a Linux Boot CD, Contents of a Forensic CD.

Computer Forensics and Privacy. Michael Caloyannides. Artech House. Sept 2001.

Topics covered: Identify the specific areas where sensitive and potentially incriminating data is hiding in personal computers, and explains how to go about truly removing this data, Install operating systems and application software that will help to minimize the possibility of security compromises, Ensure computers that are connected to the Internet are protected from malicious mobile code and the new fashion of "adware/spyware", Detect whether advanced investigative tools, such as keystroke storing and relaying hardware and software, are in use in a computer

Incident Response. Kenneth R. Van Wyk, Richard Forno. O’Reilly & Associates. July 2001.

Topics covered: What Is Incident Response, Incident Response Teams, Planning the Incident Response Program, Mission and Capabilities, State of the Hack, Incident Response Operations, Tools of the Trade, Resources, Sample Incident Report

Incident Response: Investigating Computer Crime. Chris Prosise, Kevin Mandia. McGraw-Hill Professional Publishing. June 2001.

Topics covered: Monitoring computer systems for evidence of malicious activity, reacting to such activity when it's detected, coverage of Windows and Unix systems as well as non-platform-specific resources like Web services and routers, fundamentals of incident response, processes for gathering evidence of an attack, tools for making forensic work easier

Recent Advances in Intrusion Detection: Third International Workshop, RAID 2000, Toulouse, France, October 2-4, 2000: Proceedings (Lecture Notes In). Herve Debar, Ludovic Me, S. Felix Wu. Springer Verlag. Jan 2001.

Topics covered: logging, data mining, modeling process behavior and IDS evaluation

Network Intrusion Detection: An Analyst’s Handbook. Stephen Northcutt, Donald McLachlan, Judy Novak. New Riders Publishing. Sept 2000.

Topics covered: Analysis of TCP/IP traffic, with an eye toward detecting and halting malicious activity, both manually and automatically, tools for finding weaknesses and initiating attacks, and the signatures that identify these tools. There's discussion of the vulnerabilities that exist in services, such as IMAP and Domain Name System (DNS)

Forensic Computing: A Practitioner’s Guide. Tony Sammes, Brian Jenkinson, A. J. Sammes. Springer Verlag. Oct 2000.

Topics covered: Forensic Computing, Understanding Information, IT Systems Concepts, PC Hardware and Inside the Box, Disk Geometry, The Treatment of PCs, The Treatment of Electronic Organizers.

Practical Intrusion Detection Handbook. Paul E. Proctor. Prentice Hall PTR. Aug 2000.

Topics covered: A Historical Perspective, Network-Based Intrusion Detection Systems, Host-Based Intrusion Detection Systems, Detection Technology and Techniques, Intrusion Detection Myths, Behavioral Data Forensics in Intrusion Detection, Intrusion Detection Project Lifecycle, Justifying Intrusion Detection, Tool Selection and Acquisition Process, Commercial Intrusion Detection Tools, Legal Issues, Organizations, Standards, and Government Initiatives, Practical Intrusion Detection

Secret Software: Making the Most of Computer Resources for Data Protection, Information Recovery, Forensic Examination, Crime Investigation and More. Norbert Zaenglein. Paladin Pr. July 2000.

Topics covered: computer privacy, hackers and attackers, computer crime and forensics, ways to obliterate data forever, anonymity in cyberspace, online investigation, electronic hiding places, steganography, encryption

Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. Eoghan Casey. Academic Pr. March 2000.

Topics covered: The Language of Cybercrime, Modus Operandi, Motive and Technology, Applying Forensic Science to Computers, Digital Evidence on Computer Networks, Digital Evidence on the Internet, Digital Evidence at the Transport and Network Layers, Digital Evidence on the Data-Link and Physical Layers, Using Digital Evidence and Behavioral Evidence Analysis in an Investigation, Computer Crackers, Cyberstalking, Digital Evidence as Alibi, Laws, Jurisdiction, Search and Seizure

Intrusion Detection (Macmillan Technology Series). Rebecca Gurley Bace. Pearson Higher Education. Dec 1999.

Topics covered: Practical considerations for selecting and implementing intrusion detection systems, Methods for handling the results of analysis, and the options for responses to detected problems, Data sources commonly used in intrusion detection and how they influence the capabilities of all intrusion detection systems, Legal issues surrounding detection and monitoring that affect the design, development, and operation of intrusion detection systems, Understand the history of the technology, as well as how future changes may affect your systems, Guide an organization through a full acquisition lifecycle, from initial requirements definition to product deployment, Choose your systems' responses to detected problems and tie the results back into the site security management process, Assess the quality of a proposed or existing intrusion detection system design

High Technology Crime Investigator’s Handbook. Gerald L. Kovacich, William C. Boni. Butterworth-Heinemann. Sept 1999.

Topics covered: Emphasizes organizational and management issues when dealing with technology investigations, it uses technology, management concepts and marketing issues to bridge the investigative process, Provides high tech tools, Provides advanced methods and applications

Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. Edward G. Amoroso. Intrusion.Net Books. Feb 1999.

Topics covered: commercial tools, strategies for processing security audit trails, correlation techniques and algorithms, intruder trace back techniques, deception-based honey pots and traps, and incident response, disaster recovery

Disk Detective – Secrets You Must Know to Recover Information from a Computer. Norbert Zaenglein. Paladin Pr. Sept 1998.

Topics covered: what types of information can be recovered from IBM-compatible personal computers and how, includes step-by-step instructions for recovering information from reformatted disks, overwritten files, retrieving deleted files, discovering passwords, retracing visited Internet files, Locating e-mail messages

Computer Crime: A Crimefighter's Handbook. David Icove, Karl Seger & William VonStorch. O’Reilly. Aug 1995.

Topics covered: Introduction to Computer Crime, What Are the Crimes, Who Commits Computer Crimes, What Are the Laws, What Is at Risk, Physical Security, Personnel Security, Communications Security, Operations Security, Planning How to Handle a Computer Crime, Investigating a Computer Crime, Prosecuting a Computer Crime, Raiding the Computer Room, The Microcomputer as Evidence, A Sample Search Warrant.

5. Names and backgrounds of research and peer organizations

Center for Education and Research in Information Assurance and Security
(http://www.cerias.purdue.edu/)

The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Its areas of research include computer, network, and communications security as well as information assurance.

Computer Operations, Audit, and Security Technology Laboratory
(http://www.cerias.purdue.edu/coast/).

COAST Laboratory is now part of CERIAS. It was a multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functioned with close ties to researchers and engineers in major companies and government agencies.

Department of Defense Computer Forensics Laboratory (http://www.dcfl.gov/)

The Department of Defense Computer Forensics Laboratory (DCFL) provides the community with timely, unbiased evidence examination, analysis and operational support. Teamed with the Department of Defense Law Enforcement and Counterintelligence Community, our unique technical expertise and computer solutions ensure information superiority for the War fighter.

The Federal Computer Incident Response Center (www.fedcirc.gov)

In support of Presidential Decision Directive 63, FedCIRC provides a central focal point for incident reporting, handling, prevention and recognition. The purpose is to ensure the government has critical services available in order to withstand or quickly recover from attacks against its information resources.

The need for an incident handling capability that crosses agency boundaries has never been greater. Global network connectivity is a commonplace means of information exchange and is crucial for conducting everyday operations. However, the benefits can be overshadowed by the increase in network vulnerabilities. The number of Internet-related incidents that have occurred in the past year, along with the increase in and complexity of threats, requires agencies to take their incident handling capability seriously.

The report issued by the President's Commission for Critical Infrastructure Protection (PCCIP) highlights the necessity for the Federal community to deal effectively and rapidly with threats to information technology resources. The Commission has recommended the establishment of a capability that will coordinate with other Federal initiatives, when necessary, to analyze and resolve the threats to the critical information technology infrastructure and aggressively challenge criminal activities that threaten related IT resources.

FedCIRC is a collaborative partnership of computer incident response, security and law enforcement professionals working together to handle computer security incidents and to provide both proactive and reactive security services for the Federal government.

The primary purposes of the FedCIRC are to provide the means for Federal agencies to work together to handle security incidents, share related information, solve common security problems and to collaborate with the National Infrastructure Protection Center (NIPC) for the planning of future infrastructure protection strategies and dealing with criminal activities that pose a threat to the critical information infrastructure. FedCIRC accomplishes this effort by:

• Providing Federal civil agencies with technical information, tools, methods, assistance, and guidance
• Being proactive and providing liaison activities and analytical support
• Encouraging the development of quality products and services through collaborative relationships with Federal civil agencies, Department of Defense, academia and private industry
• Promoting the highest security profile for government IT resources
• Promoting incident response and handling procedural awareness within the Federal government
• Fostering cooperation among Federal agencies for the effective prevention, detection, handling and recovery from computer security incidents
• Providing the means for communication of alert and advisory information regarding potential threats and emerging incident situations
• Augmenting the incident response capabilities of Federal agencies
• Facilitating the sharing of security-related information, tools, and techniques

FedCIRC is the centralized coordinating facility that brings together common security and incident response elements from the Federal government, law enforcement, academia and private industry to jointly address threats to components of the critical infrastructure.

Economic Crime Investigation Institute: Computer Forensics Research Development Center (www.ecii.edu/cfrdc.html)

The Computer Forensics Research and Development Center (CFRDC) of Utica College opened May 7, 1999. It is the result of a study on the state-of-the-art in computer forensics that was conducted by Chet Hosmer (President of WetStone Technologies, Inc.) and Dr. Gary R. Gordon (Professor of Economic Crime Programs at Utica College) and funded by the Air Force Research Laboratory/Information Directorate. The study identified a crucial need for an organization to facilitate the research and development of a new generation of computer forensic tools and methods. The CFRDC brings together key organizations from the military, law enforcement, commercial industry, and academe, to help rapidly advance the emerging field of forensic information sciences. The center is located at Utica College and is governed by a Board of Advisors. Dr. Gordon is the Director and Chet Hosmer is the Research Advisor.

Information Directorate of the Air Force Research Laboratory (www.rl.af.mil)

The Information Directorate of the Air Force Research Laboratory is a vibrant confluence of information specialists: electrical and computer engineers, computer scientists, mathematicians, physicists and a supporting staff. We are dedicated to exploring, building, exploiting, and brokering the science and technology associated with meeting America's aerospace information technology needs for the 21st century. We are located at the Griffiss Business and Technology Park in Rome, New York. The Information Directorate was previously known as Rome Laboratory. The name was changed as part of the Air Force's consolidation of its four research laboratories into a single Air Force Research Laboratory in 1997.

The Information Directorate of the Air Force Research Laboratory develops systems, concepts and technologies to enhance the Air Force's capability to successfully meet the challenges of the information age. We develop and integrate programs to acquire data. We find better ways to store, process and fuse data to make it into information. Finally, we create means to deliver and present tailored information to allow the military decision-maker to have the total sphere of information needs for successful operations worldwide. Our research and development is an ongoing process made necessary by the rapidly changing technology available to the world community and the ever changing world geopolitical problem set presented to America and her allies.

Florida Association of Computer Crime Investigators, Inc. (http://www.facci.org/)

The Florida Association of Computer Crime Investigators (FACCI) is a not-for-profit association which was formed for the purpose of providing training, resource sharing, legal updates, and networking opportunities to aid Florida law enforcement agencies and corporations in conducting computer crime investigations.

FACCI was formed in early 1990 by individual law enforcement officers, prosecutors and corporate security representatives in response to concerns about the use of computers and other high technology by very diverse types of criminals. FACCI's founding members envisioned a multi-disciplined team approach to the ever-increasing plethora of computer and computer-supported crime. Emphasis was, and is, on defining the processes of identifying when such crimes have occurred, investigating them, and developing sufficient admissible evidence to obtain a conviction in court.

Embodied in the original concept was a membership comprised of highly trained and self-motivated individuals who could assist law enforcement with high-tech crime, negating the perpetual problem of agencies having to "go begging" for help when high-tech crimes occur. It was also envisioned that FACCI would work with our legislators concerning legal issues from the law enforcement and prosecutorial perspective. FACCI's mission also includes fostering and encouraging like organizations in other states, and networking with other organizations outside the State of Florida.

High Technology Crime Investigation Association (http://www.htcia.org/)

The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.

17
The International Association of Computer Investigative Specialists (www.cops.org)

IACIS is an international volunteer non-profit corporation composed of law enforcement

professionals dedicated to education in the field of forensic computer science. IACIS

members represent Federal, State, Local and International Law Enforcement

professionals. Regular IACIS members have been trained in the forensic science of

seizing and processing computer systems.

IACIS is dedicated to the education and certification of law enforcement professionals in the field of computer forensic science. Virtually all law enforcement agencies have encountered criminals that use computers in the commission of a crime, or that commit computer crimes. Many agencies do not have officially trained personnel to deal with computer evidence in accordance with the laws of search and seizure, and the rules of evidence. IACIS exists to create and establish procedures, train personnel, and certify forensic examiners in the recovery of evidence from computer systems.

IACIS offers professional training in the seizure and processing of computer systems. This training incorporates forensic methods for searching seized computers in accordance with the rules of evidence and laws of search and seizure. This includes evidence that has been hidden, concealed, encrypted, or protected with passwords, software time-bombs, trojan horses, TSRs or other destructive devices that could destroy either the evidence, the physical computer, or both. IACIS provides an opportunity to network with other law enforcement officers trained in computer forensics, to share and learn from others' experiences, and to develop a pool of expert assistance to draw upon. IACIS members involved in research and development have designed specialized software, evidence searching tools and programs that are only available to IACIS trained law enforcement professionals.

6. Certification programs

• Certified Computer Forensic Examiner by The International Association of Computer Investigative Specialists (www.cops.org).
• 3-day Computer Forensics Training Course by New Technologies Inc (www.forensics-intl.com).
• Computer Crimes Investigations by Institute of Police Technology and Management (www.iptm.org).
• Certified Computer Crimes Investigator, Certified Computer Forensic Technician, Certified Computer Crime Prosecutor, Certified Computer Crime Attorney, Certified Network Security Professional by High Tech Crime Network (www.htcn.org).
• Red Hat Professional Consulting Forensic Training (www.redhat.com).

7. The scope of the discipline

The scope of computer forensics covers a wide field, which continues to grow as computer technology proliferates into every aspect of modern life. The base of computer forensics is recovering data from floppy disks, hard drives, and removable drive cartridges. Recovering data can be just finding it among the active files. Often, it will also include searching the media for files that have been deleted and whose space has been listed as unallocated. When dealing with someone who is actively attempting to hide information, it also means scouring media space the operating system has registered as free or corrupted.

Within the files found on the media, the scope of what can be found continues to grow. Early in the discipline, files were mostly limited to text documents, spreadsheets, and bulky images. Now, on the file level, the forensic complications of compression, encryption, password protection, and steganography have been added to the mix. The types of data being found in files have increased also. Operating systems now have configuration files and memory swap files, and practically every program has its own set of temporary files. Printing is now done mainly via a queue-based system, so there are spool files with possible evidential value. The average web browser has a history file, a cookie file, a file of user-saved web page addresses, and a cache of images and text viewed.

On the hardware side, recent additions range from smart cards with 4 to 64 kilobytes of data space to current USB dongles with up to 64 megabytes of data space. Handheld devices like electronic organizers and personal digital assistants can hold megabytes of data. Data currently found on them includes address books, appointment calendars, documents, e-mail, handwriting, passwords, phone books, text messages, voice messages, and web browsing associated files. Some even contain Global Positioning System connections, leaving behind a trail of where the PDA has been.

Another place evidential data may be recovered is the printers now available. Some have large memory caches from which documents may be retrievable. Printers intended for large network setups occasionally also have hard-drive type media on board for storage of files queued to print. The print head, toner cartridge, or ink cartridge may also prove useful as physical evidence to show a printout came from a specific printer.

A branch of computer hardware, which grew out of the need to share data more quickly and the desire for centralized servers to store data, is the computer network. As these networks grew and interconnected, the Internet evolved. The interconnection of all these computers opened up new routes for people to attempt to access and destroy the information stored on them. This created the need for utilities to monitor network traffic and for people who understand what the utilities are showing them. Additional challenges are coming on-line as large wireless networks are being brought into service. In some cases, entire college campuses are being outfitted with a wireless network grid, and some metropolitan areas are considering and quietly testing citywide wireless networking to offer to their populations.

The intersecting part of the scope is the set of crimes in which computers are used, so that evidence is left behind. These include auction fraud, child exploitation, computer intrusion, death investigation, domestic violence, counterfeiting, email used for threats, harassment, and stalking, extortion, gambling, identity theft, narcotics, prostitution, and piracy of software, music, images, and video.

8. Summarize a training program (length, method of training [classroom, internship, combination]; scope; sources of training; etc.)

IACIS Certified Forensic Computer Examiner certification

Preparation for a written and practical exam is provided by 80 hours of classroom and hands-on instruction. After the first 40 hours of class time, a written exam is given. If this test is passed, the certification of Certified Electronic Evidence Collection Specialist is earned. After the second 40 hours of class time, a practical exam is given. Six floppy disks containing evidence and technical issues are given first. Then a hard drive is given. All seven pieces of media must be returned unaltered, and documentation of all evidence and technical issues found must be submitted. Upon success, the CFCE certification is bestowed.

The exams can be taken without attending the 80-hour workshop.

9. Various forms of examinations conducted

When examining a computer setup, there are two general categories the examination falls into: live/real-time examination or off-line duplication. Which of these types is necessary depends on the situation. When dealing with a network intrusion, or a server and network setup which cannot be made unavailable, live examination is the route taken. If total control can be taken of the computer to be examined, then off-line duplication is the path used.

In a live or real-time examination, often the goal is to trace and trap the network activities of a system compromise. This involves initially verifying whether an intrusion has actually taken place, and if so, determining how and when the intrusion happened. An additional goal, which can prove to be more difficult, is to pinpoint the location of the intruder. The primary difficulty in achieving this goal lies in the fact that the intruder could be anywhere on the planet. If the intruder is not someone who is part of the compromised network system, tracking him or her will likely require the cooperation of multiple organizations connected to the Internet, as well as navigating any legal barriers as the search for the intruder crosses state and national borders. Due to the legal and human complexities of tracking down a network intruder, they often go untraced unless the network system broken into compromises a nation's security, or the intruder was able to access or destroy items of substantial monetary value. As supporting evidence of an intrusion, the audit log files of each machine compromised, or on which a compromise was attempted, will be examined. Depending on the operating system and the settings on each system, audit log files can vary from being worthless to showing everything that was done on and to a machine.
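The audit-log review described above can be illustrated with a small script. The following Python example is added here and is not from the paper or from any tool it names; the log lines, host name and user names are constructed for the example, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges. It parses sshd-style syslog lines and reports any source address whose repeated failed logins were followed by a successful one, which is the kind of pattern an examiner would pull from a useful audit log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format written by OpenSSH's sshd.
# Host, users and the 203.0.113.x / 198.51.100.x addresses are assumptions
# for this example (both are documentation address ranges).
SAMPLE_LOG = """\
Dec  6 09:58:11 fileserver sshd[2231]: Accepted publickey for backup from 10.1.1.20 port 50122 ssh2
Dec  6 10:01:02 fileserver sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Dec  6 10:01:05 fileserver sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Dec  6 10:01:09 fileserver sshd[2242]: Failed password for root from 203.0.113.7 port 41236 ssh2
Dec  6 10:01:14 fileserver sshd[2244]: Failed password for alice from 203.0.113.7 port 41238 ssh2
Dec  6 10:01:20 fileserver sshd[2246]: Accepted password for alice from 203.0.113.7 port 41240 ssh2
Dec  6 10:02:31 fileserver sshd[2250]: Failed password for bob from 198.51.100.4 port 39001 ssh2
Dec  6 10:03:44 fileserver sshd[2252]: Accepted password for bob from 10.1.1.33 port 39010 ssh2
"""

# One regular expression covers both the "Accepted" and the "Failed" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_log(text):
    """Return one dict per recognised sshd login line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_sources(events, min_failures=3):
    """Sources with at least `min_failures` failed logins followed by a success.

    Returns {src: {"failures": n, "accepted_as": [user, ...]}} for those sources only.
    Events are processed in log order, so the success must come after the failures.
    """
    state = defaultdict(lambda: {"failures": 0, "accepted_as": []})
    for ev in events:
        s = state[ev["src"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
        elif s["failures"] >= min_failures:
            s["accepted_as"].append(ev["user"])
    return {src: s for src, s in state.items() if s["accepted_as"]}


def report(text):
    """Convenience wrapper: parse the log text and return the flagged sources."""
    return find_suspicious_sources(parse_sshd_log(text))


if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures, then accepted as {info['accepted_as']}")
```

The threshold of three failures is an arbitrary starting point; on a real log an examiner would tune it and would also look at the legitimate-looking success from 10.1.1.33, since a user's ordinary login may be the one that matters.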

The other situation when a live examination often takes place is when data of evidential value are stored on a network server which cannot be taken out of service, either due to significant monetary loss or risk to life. Servers falling into this category are those of large service companies such as banks, or the servers of a hospital. In this case, the files suspected of having evidential value are copied from the server to media the investigators can take with them.

The ideal situation is one where full control of a computer system is handed over to the investigator. The first step before scouring for possible evidence is to make a byte-for-byte copy of the media being investigated. If the computer has a 20-gigabyte hard drive, a hard drive of at least equivalent size, if not brand, is used to copy the data from the suspect computer. In some cases, software will make a copy of a hard drive by moving the data from the suspect hard drive to burnable CD-ROMs. The idea behind this is to leave the suspect system as unaltered as possible. This leaves evidential information such as time-date stamps on files, file ownership, and last access information available to the investigator.

Once the copy of the suspect media is made, an array of methods can be used to carry out the examination. The method used often depends on the examiner and the shop employing him or her. However it is done, the goal of the exam is to search the media's files, unallocated space, unused space, and media formatting for information of probative value.

10. How findings are reported

When carrying out an examination, the log kept by the examiner is a step-by-step narrative of what is done to gather information from the media, starting with when the media to be examined arrived and who it was delivered by. With the chain of custody taken care of, the log would then detail how the media is handled, how it is protected from being altered, and what process is used for making a forensic copy of the media. The log would continue by addressing what conditions the media is being examined under—machine time, operating system, software tool set, etc. Then, as each tool is used to process the media, a description of the tool used, the results of using the tool, and any printable output from the tool would be added to the log. In the end, anyone who can follow the steps of the log should be able to duplicate the results of the exam.
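As an added example (not from the paper), the following Python code carries out the two steps described above and in section 9: a byte-for-byte copy of a media image with hashes taken before and after, and an append-only examination log that records each step with a timestamp so the exam can be reproduced. The SHA-256 algorithm, the `ExamLog` class and the constructed sample media file are assumptions of the example; on real media the source would be the raw device, read through a write blocker, which the example does not model.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy and hash one megabyte at a time


def sha256_of_file(path):
    """Hash a file in chunks so images far larger than memory can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class ExamLog:
    """Append-only, timestamped step-by-step log of the kind the text describes."""

    def __init__(self):
        self.entries = []

    def note(self, step, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "step": step, **details})

    def as_text(self):
        lines = []
        for e in self.entries:
            detail = ", ".join(f"{k}={v}" for k, v in e.items() if k not in ("time", "step"))
            lines.append(f"{e['time']} {e['step']}: {detail}")
        return "\n".join(lines)


def image_media(source, destination, log):
    """Byte-for-byte copy of `source` to `destination`, verified by hashing.

    Three digests are compared: the source before the copy, the source after the
    copy (to show the acquisition did not alter it) and the copy itself.
    Returns True only if all three match.
    """
    log.note("acquisition started", source=source, destination=destination)
    before = sha256_of_file(source)
    log.note("source hashed before copy", sha256=before)
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_of_file(source)
    copy = sha256_of_file(destination)
    log.note("hashes compared", source_after=after, copy=copy)
    verified = before == after == copy
    log.note("verification", result="MATCH" if verified else "MISMATCH")
    return verified


def demo():
    """Construct a small 'suspect media' file in a temp dir and image it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_media.bin")
        dst = os.path.join(d, "evidence_image.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a multiple of CHUNK
        log = ExamLog()
        ok = image_media(src, dst, log)
        return ok, log


if __name__ == "__main__":
    verified, exam_log = demo()
    print(exam_log.as_text())
    print("verified:", verified)
```

The digests recorded in the log are what a later examiner, or the opposing side's expert, would recompute to confirm that the image examined is the one acquired.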

After the examination is complete, a report documenting the data found is written from the details of the step-by-step log. Depending on the type of case, creation of the report may be delayed until the attorney who requested the examination requests the report.

11. Scientific principles utilized in the discipline

The principles and methods used fall into two primary categories: one dealing with data on a workstation or server computer, and a second dealing with data on an active network.

Data used and held in computer systems is all stored digitally. On its basic level, all data is stored as a collection of ones and zeros. Storing these collections in specific ways lets us store documents, music, programs, and operating systems. As long as no extreme circumstances befall computer storage media, the ones and zeros are unchanged except when altered by a computer. Cases where data can be altered without a computer are exposing media to cold below 4 degrees Celsius, exposing media to heat above 37 degrees Celsius, introducing the media into a fluctuating magnetic field, or physically altering the media the data is stored on. As long as the media is undamaged, the ability to retrieve the data on it next depends on whether the format in which the data was written can be determined. The format used to write data to media will vary depending on the media and the operating system or program used to write the data.

Most media-specific data format differences are set by the manufacturers of the media, so they are fairly constant and the technical information is often easily available. Operating system media data formatting differences are set by the writers of the operating system. Often, these formats' technical information is also easily available. A difficulty is that unrelated operating systems often use significantly different formats.

On the media level, common device data formats are:

• FAT12
  o Originally a format used by DOS for devices up to 30 megabytes
  o Now primarily used by Microsoft on floppy disks
• FAT16
  o Used by later versions of DOS and Windows95a for devices up to 2 gigabytes
• FAT32
  o Used by Windows95b and Windows98 for hard drives
  o Also used by Windows 2000
• NTFS
  o Up through version 4 used by Windows NT
  o Version 5 used by Windows 2000
• EXT, EXT2, EXT3
  o Used by Linux
• ISO9660
  o Used for CD-ROMs
• HPFS
  o Used by OS/2
• SYSV
  o Used by Sun Solaris
• UDF
  o Used by DVD-ROMs
• BEFS
  o Used by the Be operating system
• NWFS
  o Used by Novell Netware
• XFS
  o Used by the Silicon Graphics operating system

However the media data format is determined, once it is known, the examiner only needs to apply the format to the data on the media, and all data stored there can be sectioned into its individual parts. These individual parts can also have specific formatting determined by the program that wrote to the media. Revealing the formatting of individual items, also known as files, is the next step to retrieving the data.
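Applying a media format, as the paragraph above describes, starts with the parameters the format itself records on the media. The Python example below is added here and is not the paper's code or any named product's; it reads the BIOS Parameter Block from a FAT boot sector, derives where the FATs, the root directory and the data region sit, and decides between FAT12, FAT16 and FAT32 by the cluster-count rule given in Microsoft's FAT specification. The three boot sectors it works on are constructed for the example, one of them with the geometry of a 1.44 MB floppy.

```python
import struct

# Field order in the BIOS Parameter Block, which starts at byte 11 of the boot sector:
# BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media,
# FATSz16, SecPerTrk, NumHeads, HiddSec, TotSec32 (all little-endian, unpadded).
_BPB = struct.Struct("<HBHBHHBHHHII")
_BPB_NAMES = ("BytsPerSec", "SecPerClus", "RsvdSecCnt", "NumFATs", "RootEntCnt",
              "TotSec16", "Media", "FATSz16", "SecPerTrk", "NumHeads", "HiddSec", "TotSec32")


def parse_bpb(boot_sector):
    """Read the common BPB fields, plus the FAT32-only FATSz32 field at byte 36."""
    bpb = dict(zip(_BPB_NAMES, _BPB.unpack_from(boot_sector, 11)))
    bpb["FATSz32"] = struct.unpack_from("<I", boot_sector, 36)[0]
    return bpb


def fat_layout(bpb):
    """Apply the format: derive region offsets and the FAT type from the cluster count.

    The type rule (FAT12 below 4085 clusters, FAT16 below 65525, otherwise FAT32)
    is the one in Microsoft's FAT specification: the number of data clusters, not
    the volume size, decides which FAT variant is on the media.
    """
    bps = bpb["BytsPerSec"]
    root_dir_sectors = (bpb["RootEntCnt"] * 32 + bps - 1) // bps   # 0 on FAT32
    fat_size = bpb["FATSz16"] or bpb["FATSz32"]
    total_sectors = bpb["TotSec16"] or bpb["TotSec32"]
    first_root_sector = bpb["RsvdSecCnt"] + bpb["NumFATs"] * fat_size
    first_data_sector = first_root_sector + root_dir_sectors
    clusters = (total_sectors - first_data_sector) // bpb["SecPerClus"]
    if clusters < 4085:
        fat_type = "FAT12"
    elif clusters < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {
        "type": fat_type,
        "clusters": clusters,
        "cluster_bytes": bpb["SecPerClus"] * bps,
        "fat_offset": bpb["RsvdSecCnt"] * bps,
        "root_dir_offset": first_root_sector * bps,
        "data_offset": first_data_sector * bps,
    }


def make_boot_sector(**f):
    """Construct a boot sector for the example; only the BPB bytes matter here."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"            # jump instruction
    sector[3:11] = b"EXAMPLE "               # OEM name
    _BPB.pack_into(sector, 11,
                   f["BytsPerSec"], f["SecPerClus"], f["RsvdSecCnt"], f["NumFATs"],
                   f["RootEntCnt"], f["TotSec16"], f.get("Media", 0xF8), f["FATSz16"],
                   f.get("SecPerTrk", 63), f.get("NumHeads", 255), f.get("HiddSec", 0),
                   f["TotSec32"])
    struct.pack_into("<I", sector, 36, f.get("FATSz32", 0))
    sector[510:512] = b"\x55\xAA"            # boot signature
    return bytes(sector)


# Constructed geometries: a 1.44 MB floppy, a FAT16 hard-disk partition, a FAT32 partition.
FLOPPY_144 = make_boot_sector(BytsPerSec=512, SecPerClus=1, RsvdSecCnt=1, NumFATs=2,
                              RootEntCnt=224, TotSec16=2880, Media=0xF0, FATSz16=9,
                              SecPerTrk=18, NumHeads=2, TotSec32=0)
FAT16_DISK = make_boot_sector(BytsPerSec=512, SecPerClus=4, RsvdSecCnt=1, NumFATs=2,
                              RootEntCnt=512, TotSec16=0, FATSz16=200, TotSec32=200000)
FAT32_DISK = make_boot_sector(BytsPerSec=512, SecPerClus=8, RsvdSecCnt=32, NumFATs=2,
                              RootEntCnt=0, TotSec16=0, FATSz16=0, FATSz32=1000,
                              TotSec32=1000000)

if __name__ == "__main__":
    for name, sector in (("floppy", FLOPPY_144), ("fat16", FAT16_DISK), ("fat32", FAT32_DISK)):
        print(name, fat_layout(parse_bpb(sector)))
```

For the floppy the computed root directory offset is sector 19 and the data region begins at sector 33, which is the layout of a standard 1.44 MB DOS diskette; the same arithmetic tells the examiner where to start reading directory entries on an image of unknown origin.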

The program writing the data will determine a file's data format. The format of a data file can vary from being plain text to being encrypted, with a password bypass being needed to access the file. The occurrence of difficulties like passwords and encryption will often depend on the sophistication of the computer user. Many common programs like MS Word, MS Excel, and Quicken have individual file formats; they also have password and encryption capabilities, but many users either don't realize this or don't see a reason to use them. While the commercial programs often have their file format details available to the public, their password hiding schemes and encryption algorithms have to be reverse engineered.

Another aspect of processing data on media is the files the operating system considers trashed or deleted. Unless the computer user takes specific steps, deleting a file does not actually remove the data from the media. What it does is just set a flag to the operating system signifying the space is now available for use. Some operating systems will not reuse deleted file space until all the unused free space is in use. Whether an operating system does this or not, there is great potential for retrieving probative information by collecting the 'trashed' files.

Additional information can be gained from available files besides the known data saved to them. When a file is written to a media device, it is often written as a block of data. These blocks can vary in size from 512 bytes to 64 kilobytes. The space after the end of a file not used when a block is written out is known as slack space. Depending on the operating system, either zeros or random sections of the computer's active memory are used to fill this space. This is known as memory slack space. Some operating systems also write out multiple blocks at once, due to design or media formatting. If the blocks to be written extend farther than the end of the file, they are just shown as used, but nothing is written to them. This space is disk slack space. Each of these can be of great value. Memory slack space can hold things like unencrypted passwords. Disk slack space can hold portions of deleted files not overwritten.
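Deleted entries and slack space, described in the two paragraphs above, can be examined directly once the media format is known. The following Python example is added here and is not from the paper; it assumes a FAT-style directory of 32-byte entries, 512-byte clusters numbered from 2, and a constructed data region in which a live file's slack still holds part of an earlier file and a deleted file's cluster has not been reused. The directory bytes and file contents are constructed for the example. The deleted-file recovery reads only the first cluster, since the cluster chain is lost once the entry is marked deleted, and the slack calculation assumes the live file is stored contiguously.

```python
import struct

CLUSTER_SIZE = 512       # assumption: one 512-byte sector per cluster, as on a floppy
DATA_OFFSET = 0          # assumption: cluster 2 starts at the beginning of the data region
ENTRY_SIZE = 32


def parse_dir_entries(directory):
    """Decode 32-byte FAT directory entries, keeping deleted ones (first byte 0xE5)."""
    entries = []
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:              # 0x00 marks the end of the used entries
            break
        if raw[11] == 0x0F:             # long-file-name entry: not handled in this example
            continue
        deleted = raw[0] == 0xE5
        # The first name character is overwritten on deletion; show it as '?'.
        name = (b"?" + raw[1:8]) if deleted else raw[0:8]
        first_cluster, size = struct.unpack_from("<HI", raw, 26)
        entries.append({
            "name": (name.rstrip() + b"." + raw[8:11].rstrip()).decode("ascii"),
            "deleted": deleted,
            "first_cluster": first_cluster,
            "size": size,
        })
    return entries


def cluster_bytes(data_region, cluster):
    start = DATA_OFFSET + (cluster - 2) * CLUSTER_SIZE
    return data_region[start:start + CLUSTER_SIZE]


def file_slack(data_region, entry):
    """Bytes between the end of the file and the end of its last cluster."""
    used_in_last = entry["size"] % CLUSTER_SIZE
    if entry["size"] == 0 or used_in_last == 0:
        return b""
    clusters_used = entry["size"] // CLUSTER_SIZE + 1
    last = entry["first_cluster"] + clusters_used - 1    # assumes contiguous allocation
    return cluster_bytes(data_region, last)[used_in_last:]


def recover_deleted(data_region, entry):
    """Best-effort content of a deleted file: its first cluster, up to the recorded size."""
    return cluster_bytes(data_region, entry["first_cluster"])[:min(entry["size"], CLUSTER_SIZE)]


def make_entry(name8, ext3, first_cluster, size, deleted=False):
    """Construct a directory entry for the example."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = 0x20                                       # archive attribute: a normal file
    struct.pack_into("<HI", raw, 26, first_cluster, size)
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)


# Constructed evidence: a live file in cluster 2 whose slack still holds a fragment of an
# earlier, larger file, and a deleted file in cluster 3 whose data was never overwritten.
LIVE_DATA = b"Meeting notes, 6 Dec 2001."
OLD_FRAGMENT = b"...transfer to account 555-0134 completed..."
DELETED_DATA = b"Draft: delete this before the audit."
DATA_REGION = ((LIVE_DATA + OLD_FRAGMENT).ljust(CLUSTER_SIZE, b"\x00")
               + DELETED_DATA.ljust(CLUSTER_SIZE, b"\x00"))
ROOT_DIR = (make_entry("NOTES", "TXT", 2, len(LIVE_DATA))
            + make_entry("DRAFT", "DOC", 3, len(DELETED_DATA), deleted=True)
            + bytes(ENTRY_SIZE))                          # empty entry ends the directory


def examine(directory=ROOT_DIR, data_region=DATA_REGION):
    """Return (name, kind, bytes) findings: live content, slack content, deleted content."""
    findings = []
    for e in parse_dir_entries(directory):
        if e["deleted"]:
            findings.append((e["name"], "deleted", recover_deleted(data_region, e)))
        else:
            live = cluster_bytes(data_region, e["first_cluster"])[:e["size"]]
            findings.append((e["name"], "live", live))
            findings.append((e["name"], "slack", file_slack(data_region, e).rstrip(b"\x00")))
    return findings


if __name__ == "__main__":
    for name, kind, content in examine():
        print(f"{name:12} {kind:8} {content!r}")
```

The slack recovered here is disk slack in the paper's terms (old data in the unused tail of a cluster); memory slack would look the same to this code but its contents would come from RAM rather than from a previous file.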

When dealing with data being collected from a network, the primary device used is known as a packet sniffer. This device can come in many forms--from a program run on a regular workstation to a dedicated piece of hardware. The principle of a packet sniffer is that it intercepts every piece of data crossing the network it is attached to and makes copies for analysis.

A packet sniffer's job is fairly routine since there are a limited number of data formats available for moving information over a computer network. While it is possible to create a nonstandard protocol for moving data on a network, the level of expertise necessary to do so makes it an uncommon issue.

The most common protocol suite encountered is called TCP/IP. The name comes from two of the primarily used protocols of a large suite of protocols. In the current version of TCP/IP, which is version 4, the common protocols are:

• TCP (Transmission Control Protocol): used to move data in pieces, known as packets, from one machine to another. TCP specifically verifies data makes it to the destination.
• IP (Internet Protocol): the addressing scheme for machines using the protocol suite.
• UDP (User Datagram Protocol): used to move data packets from one machine to another. UDP does nothing to verify the information makes it to the destination.
• ICMP (Internet Control Message Protocol): used for low-level operations. This includes routing information, the time to get a packet from source to destination, and what gateways a packet goes through from source to destination.
• IGMP (Internet Group Management Protocol): used for multicasting--the sending of packets to multiple destinations.
• SLIP (Serial Line Internet Protocol): used to connect a workstation to a server via a modem.
• PPP (Point-to-Point Protocol): used to connect a workstation to a server via a modem. Newer than SLIP--provides data compression to emulate higher connection speeds and better packet error checking.
• PPPOE (Point-to-Point Protocol Over Ethernet): similar to PPP, but the modem is used to connect the workstation directly to a DSL connection--often as part of phone or cable television Internet service.
• SMTP (Simple Mail Transport Protocol): used to move email between machines.
• SNMP (Simple Network Management Protocol): used for distributed network management. Allows for setting up and gathering usage statistics of network devices.
• ARP (Address Resolution Protocol): used to map an IP address to a network card.
• RARP (Reverse Address Resolution Protocol): used so a machine can query to find out its IP address.

Other common network protocols include:

• IPX (Internet Packet eXchange): primarily used by Novell Netware servers.
• SNA (System Network Architecture): protocol used by IBM to link mainframes together.
• DECnet: protocol developed at Digital Equipment Corporation to link machines using Digital's proprietary operating systems.
• OSI (Open System Interconnection): protocols developed by the International Standards Organization. A complex and complete set of protocols for every kind of network implementation. Was designed after TCP/IP, and has some similarities to it.
• NetBIOS: protocol developed by IBM. Used as the initial communication protocol with Token Ring networks.
• SMB (Session Message Block): developed by Microsoft and Intel in 1987 and used for communication with Microsoft Windows for Workgroups.
• NetBEUI (NetBIOS Enhanced User Interface): enhanced version of the NetBIOS protocol done by Microsoft and Novell.
• XNS (Xerox Network Systems): developed by Xerox, but did not get the manufacturer support expected, so seldom seen any more.

Many packet sniffers, especially commercial ones, can detect and decode most, if not all, standard network protocols. The sophisticated ones can collect packets going between two points on a network and display an ongoing listing of the information being passed. Some types of information which can be intercepted include:

• Files being transferred to and from the target.
• Commands being issued on the target.
• Output being returned to a machine issuing commands.
• Evidence of covert packet scanning programs running on local network machines.
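What a packet sniffer does when it decodes the TCP/IP protocols listed in the previous section can be shown with a few constructed frames. The Python example below is added here and is not from the paper or from any sniffer product; it decodes an Ethernet frame carrying IPv4, verifies the IP header checksum, and extracts the TCP, UDP or ICMP fields an examiner would look at when reconstructing who talked to whom. The three frames and the 192.0.2.0/24 addresses (a documentation range) are constructed for the example; transport-layer checksums are left at zero because computing them needs a pseudo-header and is not what the example demonstrates.

```python
import socket
import struct

# IP protocol numbers as assigned by IANA.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode an Ethernet II frame carrying IPv4 into the fields a sniffer would display."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return {"ethertype": ethertype, "note": "not IPv4; not decoded by this example"}
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": IP_PROTOCOLS.get(proto, str(proto)),
        # Summing a header that includes its own checksum gives zero when intact.
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    payload = ip[ihl:total_len]
    if proto == 6:                           # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        data_off = (off_flags >> 12) * 4
        flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
        result.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                      payload=payload[data_off:])
    elif proto == 17:                        # UDP
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", payload[:8])
        result.update(sport=sport, dport=dport, payload=payload[8:ulen])
    elif proto == 1:                         # ICMP
        icmp_type, code = struct.unpack("!BB", payload[:2])
        result.update(icmp_type=icmp_type, icmp_code=code, payload=payload[8:])
    return result


def build_ipv4_frame(proto, src, dst, l4):
    """Construct a frame for the example; the IP header checksum is computed properly."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    return eth + ip_hdr + l4


# Constructed traffic, as a sniffer attached to the segment would capture it.
DNS_QUERY = build_ipv4_frame(17, "192.0.2.10", "192.0.2.1",
                             struct.pack("!HHHH", 40123, 53, 8 + 12, 0) + b"\x00\x01" + b"\x00" * 10)
TCP_SYN = build_ipv4_frame(6, "192.0.2.10", "192.0.2.20",
                           struct.pack("!HHIIHHHH", 51000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0))
ECHO_REQUEST = build_ipv4_frame(1, "192.0.2.10", "192.0.2.1",
                                bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"ping")

if __name__ == "__main__":
    for f in (DNS_QUERY, TCP_SYN, ECHO_REQUEST):
        print(decode_frame(f))
```

The checksum check matters in practice: a capture tool that silently accepts corrupt headers can attribute traffic to the wrong host, so a decoder used for evidence should record whether each header verified.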

12. Instrumentation used in the discipline

When dealing with a network intrusion, the item of great use is the packet sniffer. To examine for evidential data off-line, a number of tools are available. Generally, which tools are used is based on the computer system and operating system of the examination computer. For examiners using a Microsoft Windows based operating system, a common tool is EnCase. Some of its capabilities are:

A graphical user interface that enables examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated data. The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process, from the initial "previewing" of a target drive, the acquisition of the evidentiary images, the search and recovery of the data and the final reporting of findings, all within the same application.

For examiners using a Linux based operating system, a tool available and similar to EnCase is ForensiX. Unfortunately, sale of this software has recently been withdrawn due to concerns of it violating the Digital Millennium Copyright Act. Without this tool, Linux is still a powerful system for the computer forensic examiner. The operating system itself provides many tools that can be used for forensic media duplication and examination.

Other tools of interest coming on the market are devices specifically designed for making fast duplications of media, and devices placed between the examining computer and the interface to the media to guarantee the suspect media cannot be altered during examination. The latter allows forensic examination when copying media of tremendous size is not possible or practical, but an off-line examination is still possible.

13. Problems that have arisen in the discipline (technological flaws, unqualified "experts", high error rates, etc.) and how they have been addressed

• Untrained personnel collecting data

System administrators are often the first people tapped to collect information on a network break-in, or to investigate possible wrongdoing by a computer user of an organization. While system administrators are knowledgeable in troubleshooting issues on the systems they manage, they often have little, if any, background in collecting information so that it retains its forensic value. Also, without the legal background, they may collect information in such a way as to make it inadmissible in court or, worse, considered an illegal act on the administrator's part.

• Crime scene first responders altering or destroying digital evidence

Many law enforcement personnel do not have the training or background to know what to do, or not to do, with computer equipment to maintain the forensic integrity of the data. The person using the computer device may have an opportunity to destroy or alter data if the first responder does not realize they must stop the person, or a program left running, from destroying evidence.

14. Goals for advancement utilizing future technologies

The items I have addressed so far have been for traditional computer setups—desktop workstations and servers with networking interconnecting them. With the miniaturization of electronic components down to near the size of a couple of atoms, the number of computer systems that can become part of an investigation is blossoming.

Laptop computers, while not new, are seeing increasing popularity as a supplement to a desktop computer, if not a replacement. They often have the same computing power as a desktop computer and can have just as much storage capacity. Due to the compact format of the computer, opening it up physically has the potential to be more destructive than with desktop models, and specialized hardware adapters are needed to access the hard drive media from a laptop with a desktop computer.

The item probably in circulation the most at present is the Personal Digital Assistant (PDA). A number of companies make these devices. In many cases, the operating system on the PDA varies from company to company, and in some cases from model to model. The types of potential evidence on these devices include address books, appointment calendars, documents, e-mail, phone books, text messages, and phone messages. Most of these devices can restrict access with a password. Since much of the digital media stored on PDAs is on a memory chip continually powered by batteries, being able to bypass password restrictions on the device and on individual files is a challenge in progress.

Another challenge currently making itself a significant speed bump in computer investigations is the amount of data modern media can hold. Only 5 years ago, the largest hard drive available was 1 gigabyte. Currently, 100-gigabyte hard drives are available to the general public. Reports indicate 400-gigabyte hard drives will be available soon. For removable media, floppy disks of 720 kilobytes or 1.4 megabytes were the bane of computer forensics a few short years ago. Today, the range of removable media goes from a floppy disk able to hold 120 megabytes to removable hard disk cartridges holding 2.2 gigabytes. As DVD-ROM burners come into the price range of the general public, removable media currently holding 4.7 gigabytes, with the potential for holding 17 gigabytes, is in the near future as collected media for investigation.

With larger media being available, methods to search it more quickly for potential evidence will be necessary. The area that provides the possibility for this is parallel processing on sets of computers. Linux provides this capability with an operating system package addition that does clustering. Packages providing this service are the Beowulf project, MOSIX, Legion, Cplant, and PARIS. These parallel processing cluster techniques will allow less expensive, and possibly surplus, computers to be used to create the equivalent of a small supercomputer. Besides allowing faster searching of media, it will also assist in guessing passwords at a highly accelerated rate.

15. History of court admissibility under both Frye and Daubert

The admissibility of computer forensics appears to be an area the U.S. federal and state courts have been touching on only lightly. Of the cases I could find related to computer information or a computer expert being part of a court proceeding, Daubert and Frye were mentioned sparingly in reference to them. The sparse appellate court opinions on computer evidence have dealt with trying to apply existing laws to the computer aspect, not with whether the science of computer forensics is admissible. Most of the other cases before the appellate courts dealing with computers involve whether the computer equipment was legally seized. If the impression given by my interviewee, Sgt. Stenger, is more than a central Florida phenomenon, then the reason computer forensics is not being challenged is that the lawyers don't understand it well enough to make an argument to challenge it against Frye or Daubert, or, probably better for the field, believe it rock solid enough that challenging it would be ineffective.

These are examples of cases with challenges to computer evidence brought while attempting to work within the current laws:

Case 93-8661. U.S. Court of Appeals, 5th Circuit. Steve Jackson Games v. U.S. Secret Service

This case deals with whether intercepting email on a server before it is read by the intended recipient constitutes an unlawful intercept under the Federal Wiretap Act. The judges Higginbotham, Jones, and Barksdale held it was not and upheld the decision of the U.S. District Court for the Western District of Texas.

Case 97-4001. U.S. Court of Appeals, 4th Circuit. USA v. Michael Bruce Sassani

This case deals with whether the FBI had established probable cause to obtain the search warrant which led to the confiscation of computer equipment and digital media containing over 16000 pornographic images, 56 of them qualifying as child pornography. His actual argument was that the profile of a child pornographer used in obtaining the search warrant did not pass the Daubert test. The judges Niemeyer, Butzner, and Michael affirmed that the FBI did not violate the 4th Amendment with the search warrant.

Case 06-00-00019-CR. Texas 6th Court of Appeals. Broderick v. State (10/26/2000).

According to online information from Ontrack.com, the appellate court affirmed the trial court's admission of a duplicate of the defendant's hard drive in place of the original. The court concluded that the state's best evidence rule did not preclude admission because the computer expert testified the copy of the hard drive exactly duplicated the contents of the original hard drive.

These are cases addressing the admissibility of computer forensic evidence and the programs used to obtain it:

Cause 00-1-0026-8. State Superior Court, Okanogan County. State of Washington v. Leavell.

This was a case where Mr. Leavell was facing charges pertaining to child pornography. The defendant's attorney attempted to have the computer evidence ruled inadmissible on two grounds. The first was that the software used, EnCase, was providing the 'expert testimony' and could not be cross-examined. The second was that EnCase did not hold up to Frye. Judge Allan ruled against the first on the grounds that the program was a tool of the examiner, not the actual examiner, quoting State v. Hayden (90 Wash.App. 100; 950 P.2d 1024). On the second, the judge ruled EnCase did meet Frye because it was a tool available commercially and widely used for recovering computer evidence. Among the software's users, the state produced as a witness a Microsoft computer forensic investigator. The judge also cited United States v. Scott-Emuakpor (2000 WL 288443), backing the position that the person who used the software and testified to the result did not need to be qualified as an expert in the field of computer forensics.

Case 99-2362-KHV. United States Federal District Court, Kansas. Mathew Dickey v. Steris Corporation (Pretrial hearing 4/14/2000).

In this civil matter, the court overruled objections from the Plaintiff to the inclusion of testimony of a computer forensics investigator using EnCase. The Plaintiff, Dickey, had brought an in limine motion seeking to exclude the testimony of an Ernst & Young computer expert for the Defendant based on results of Dickey's own computer forensic investigation using EnCase. The Defendant then attempted to have the Plaintiff's expert disqualified as an expert due to her admitting being unfamiliar with the EnCase software. The Judge overruled the Defendant's motion, but did allow for the Plaintiff's expert to be questioned in court on her unfamiliarity with the EnCase software.

Case SCR28424. California Superior Court, Sonoma County. People v. Rodreguez. (Pretrial hearing 1/11/2001)

In this case, a contested hearing took place where the court subjected EnCase to a lengthy pretrial evidentiary hearing to establish its foundation as a valid and accepted process to recover computer evidence for admission into court. The defense challenged on two grounds: first, that EnCase should be subject to a Frye hearing; second, that the EnCase Report itself should not be admitted into evidence. Upon conclusion of the hearing, the defense conceded EnCase was "appropriate and accepted" methodology under the Frye test for recovering computer evidence. The defense still attempted to have the EnCase Report not admitted into evidence, claiming the Prosecution could not properly authenticate the document. The Judge overruled the defense's objection.

16. An interview with at least one specialist in the discipline

1) Who are you?

Sgt. Kevin Stenger

2) Who is your current employer?

Orange County Sheriffs Office

3) How long have you been with your current employer?

15 years

4) How long have you been doing computer forensic investigations?

Since 1996

5) Is computer forensic investigation your only responsibility? If not, what are your other common responsibilities and which is your primary?

I am the supervisor of the Economic Crimes Squad for the Sheriff's Office. This function is my primary one. I am currently the only person assigned to the unit who has the necessary training to perform the function of computer forensics.

6) What degree(s) do you hold?

I have a bachelor's degree in Business from the University of Central Florida with a major in Accounting. I am currently in UCF's graduate certificate program for computer forensics.

7) What certification(s) do you hold?

I currently hold the following from the International Association of Computer Investigative Specialists: DPC, DOS Processing Certificate; DSC, DOS Seizure Certificate; CFCE, Certified Computer Forensic Examiner. I am completing my certification as an EnCE, EnCase Certified Examiner.

I am a member of the International Association of Computer Investigative Specialists, the Information Technology Sharing Group, and was recently made an associate member of the Scientific Working Group on Digital Evidence.

8) What computer forensic investigation training have you had?

I have had basic computer investigations training through IACIS. I have also attended advanced training through them. I have attended intermediate EnCase training from Guidance Software. I have attended forensic classes through UCF as well. I also receive training through a local association of computer investigators run by the US Attorney's Office.

I am an instructor of Computer Forensics for the Sheriff's Office, a coach and instructor for IACIS and a part-time instructor for Guidance Software.

9) What led you to become involved in computer forensic investigations?

I have always had an interest in computers. In 1986 I discovered that IACIS was holding its basic computer forensic class in Orlando, enabling me to attend.

10) What are the common tools and utilities you use to carry out a computer investigation?

Tools used to carry out an investigation and seizure are seldom more complicated than a simple computer tool kit.

Computer hardware varies from department to department. We commonly use Antec server cases with the fastest Intel processor available at the time of purchase, removable IDE drive trays, and SCSI CD and CD-RW drives to cut down on IRQ conflicts, plus up-to-date video cards, sound cards and SCSI cards.

Software also varies. My unit uses such tools as Quickview Plus, Norton Utilities, MacOpener and Data Sniffer. For imaging we use Safeback. A combination image and processing utility commonly used is EnCase from Guidance Software. Password cracking software is from AccessData.

11) What 'tools' would you want to add to your computer investigation kit if money was not an issue?

I would like to add a complete set of Linux/Unix command line tools.

12) How many computer investigations would you estimate you have done?

Over 60.

13) What is the average time to complete a small, medium, and large computer investigation and what kind of case would you consider each of those sizes?

In forensics, what you are processing the computer for (i.e. sex crimes, drug information, gambling, hacking, etc.) does not necessarily give you an idea of how long it will take you to do the case. The length of a case is usually determined by how many computers are seized, the type of operating system being used, the size of the hard drives and the number of floppies, CDs, tapes, etc. Things can also be complicated by such things as encryption. The amount of evidence on a hard drive can also slow an investigation. It is not uncommon to discover tens of thousands of illegal porn pictures on some sex crimes investigations.

14) What is the average number of computer investigations you will have in progress at once?

Usually three.

15) What technical issue has given you the most difficulty when doing a computer investigation?

The hard drive password feature on IBM Travelstar hard drives. This can only be bypassed by trained personnel in a clean room using special equipment.

16) How many computer investigations have led to you testifying in court?

None. To date all cases have pled before going to trial.

17) When testifying in court or during a deposition for a computer investigation, what common ways have lawyers used to discredit your investigation?

Computer Forensics is still new to the legal community. On my first and to date only deposition, I was excused by the attorney, who stated that he did not know what questions to ask me.

18) Has there been an unusual/unexpected way a lawyer has attempted to discredit your computer investigation?

See question 17.

19) Has a lawyer ever managed to discredit one of your computer investigations?

See question 17.

20) Of your computer investigations, is there a case that is most memorable to you?

I assisted in the investigation of a sex offender. This case was notable in that he had over 26,000 jpg pictures alone.

I also investigated a case where an ex-husband was accused of rape by his ex-wife. The husband insisted that while he did have sex with his wife it was with her consent. For proof he stated that he had taped the encounter using the video camera on his computer and provided it to the detective. The movie file was located for the time and date of the incident. This proved to be evidence which cleared the husband. During the entire first part of the encounter he was tied up by the ex-wife.

References

"Case Law". Rehman Technology Services, Inc. 12/3/2001. <http://www.surveil.com/case_law.htm>

"CFCE". The International Association of Computer Investigative Specialists. 9/21/2001. 11/22/2001. <http://www.iacis.com/cfce.htm>

"David Icove, Karl Seger & William VonStorch". O'Reilly. 11/8/2001. <http://www.oreilly.com/catalog/crime/author.html>

"David J. Icove". Laboratory for Information Technologies, University of Tennessee. 11/8/2001. <http://www.ee.utk.edu/~icove>

"Detecting Steganographic Content on the Internet". Center for Information Technology Integration, University of Michigan. 8/31/2001. <http://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf>

"Electronic Discovery and Computer Forensics Case Law (Organized by topic)". Ontrack.com. 10/26/2001. <http://www.ontrack.com/dtnews/casetopic.doc>

"EnCase Legal Journal, 2nd ed". Guidance Software. 10/2001. <http://www.encase.com/html/LegalJournal.pdf>

"Faculty Members and Researchers". Center for Secure Information Systems, George Mason University. 11/28/2001. <http://www.ise.gmu.edu/~csis/node4.html>

"Forensic Software". Guidance Software. 11/26/2001. <http://www.encase.com/html/forensic_software.html>

Garfinkel, Simson, and Gene Spafford. Practical Unix & Internet Security, 2nd edition. Cambridge: O'Reilly, 1996.

"Gene Spafford's Abbreviated Homepage". CERIAS. 10/13/2001. 11/8/2001. <http://www.cerias.purdue.edu/homes/spaf/>

"JCS Home Page". Journal of Computer Security. 11/23/2001. <http://www.csl.sri.com/programs/security/jcs/>

Kirch, Olaf, and Terry Dawson. Linux Network Administration Guide, 2nd edition. Cambridge: O'Reilly, 2000.

"Linux clustering cornucopia". LinuxWorld.com. 11/29/2001. <http://www.linuxworld.com/linuxworld/lw-2000-03/lw-03-clustering_p.html>

Lunn, Dorothy A. "Computer Forensics-An Overview". SANS Institute. February 20, 2001. 11/7/2001. <http://www.sans.org/infosecFAQ/incident/forensics.htm>

Mandia, Kevin, and Chris Prosise. Incident Response: Investigating Computer Crime. New York: Osborne/McGraw-Hill, 2001.

McCullagh, Declan. "Secret Messages Come in .Wavs". Wired News. 2/20/2001. <http://www.wired.com/news/politics/0,1283,41861,00.html>

"NetBEUI". Webopedia.com. 11/30/2001. <http://www.webopedia.com/TERM/N/Netbeui.html>

"New Riders | Author Profiles - Rebecca Gurley Bace". New Riders. 11/8/2001. <http://www.newriders.com/books/author.cfm?isbn=1578701856>

Northcutt, Stephen, and Judy Novak. Network Intrusion Detection: An Analyst's Handbook, 2nd edition. Indiana: New Riders, 2001.

"PC Magazine: DVD and CD-ROM: 21st Century Storage". PC Magazine Online. 11/29/2001. <http://www.zdnet.com/pcmag/features/cdrom/_open.htm>

"Profile Mr. Peter Sommer". The LSE Computer Security Research Centre. 11/23/2001. <http://csrc.lse.ac.uk/sommer.htm>

Rocco, Daniel J. "Privacy and Security Issues with PalmOS-based PDAs". 11/29/2001. <http://www.cc.gatech.edu/people/home/rockdj/PalmOSSecurity.pdf>

Scambray, Joel, Stuart McClure, and George Kurtz. Hacking Exposed: Network Security Secrets & Solutions, 2nd edition. New York: Osborne/McGraw-Hill, 2001.

Sommer, Peter. "Computer Forensics: an introduction". Virtual City Associates. 1997. 11/7/2001. <http://www.virtualcity.co.uk/vcaforens.htm>

State of Washington v. Leavell, Cause No. 00-1-0026-8, Telephonic suppression hearing (10/20/2000).

Stevens, W. Richard. Unix Network Programming. New Jersey: PTR Prentice Hall, 1990.

United States Department of Justice: National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders. Washington, 2001.
