Computer Forensics

Tuesday 24 January 2006

Russell May, Manager of Special and Partner Projects, Guidance Software Inc.


Some eighty people attended our first talk of the New Year. Russell May introduced himself and gave a quick summary of his background, which included twenty-eight years' experience in the West Midlands police force, culminating in a spell as head of the High-Tech Crime Unit. Russell now works for Guidance Software, which specialises in developing software to assist in retrieving digital information for forensic purposes.

Russell then outlined the basic rules that must be followed when examining computers and other digital devices. These principles are enshrined in the ACPO (Association of Chief Police Officers) Guidelines on Computer Evidence, and are followed in countries other than the UK, including the United States. They MUST be followed if the evidence is to be accepted in court.

  • Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage medium which may subsequently be relied upon in court.
  • Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  • Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. (In a court case, the defence would be entitled to require access to this.)
  • Principle 4: The onus is on the person in charge of the investigation (the case officer) to ensure that the law and these principles are adhered to.

A forensic analyst will make a bit-by-bit copy of the contents of the storage medium. The original should then be sealed and stored in a safe place while all analysis is carried out on the copy. If it is necessary to power up the machine, the analyst will either boot from a copy of the machine’s hard disc or boot the image in a virtual machine. On many operating systems the act of booting creates or modifies a large number of files on the hard disc, which would violate Principle 1 if the original disc were used.
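The acquisition procedure described above, as an added Python example (this is illustrative code, not the talk's or Guidance Software's): it copies a source sector by sector, zero-fills any sector that cannot be read (the behaviour of `dd conv=noerror,sync`, so later offsets still line up with the original), hashes the copy as it is written, re-hashes the finished image to verify it, and appends a chain-of-custody record that a third party could check against the image under Principle 3. The "drive" is a constructed in-memory buffer with one bad sector; in practice `src` would be the block device opened read-only behind a hardware write-blocker. The exhibit and examiner labels are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # copy in sector-sized reads so one bad sector costs one sector, not a whole buffer


class FlakySource:
    """Constructed stand-in for a failing drive: reading the given sector raises OSError."""

    def __init__(self, data, bad_sector):
        self.data, self.bad, self.pos = data, bad_sector, 0

    def read(self, n):
        start, self.pos = self.pos, self.pos + n
        if start // SECTOR == self.bad:
            raise OSError("I/O error")  # the head moves on, but nothing usable comes back
        return self.data[start:self.pos]


def image_device(src, dst, sector=SECTOR):
    """Copy src to dst sector by sector, hashing the bytes as they are written.

    An unreadable sector is written as zeros and its number recorded, so the
    image keeps the same geometry as the original medium.
    """
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while True:
        try:
            block = src.read(sector)
        except OSError:
            bad_sectors.append(offset // sector)
            block = b"\x00" * sector
        if not block:
            break
        dst.write(block)
        digest.update(block)
        offset += len(block)
    return digest.hexdigest(), offset, bad_sectors


def sha256_file(path, sector=SECTOR):
    """Re-read the written image from disc and hash it; this is the verification hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(sector), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, image_path, log_path, examiner, exhibit):
    """Image `src` to `image_path`, verify the copy and append an audit record to `log_path`."""
    started = datetime.now(timezone.utc).isoformat()
    with open(image_path, "wb") as dst:
        acq_hash, size, bad = image_device(src, dst)
    ver_hash = sha256_file(image_path)
    record = {
        "exhibit": exhibit,                       # placeholder exhibit reference
        "examiner": examiner,                     # placeholder examiner id
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "bytes": size,
        "bad_sectors": bad,
        "acquisition_sha256": acq_hash,
        "verification_sha256": ver_hash,
        "verified": acq_hash == ver_hash,
    }
    with open(log_path, "a") as log:              # append-only chain-of-custody log
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run the acquisition against a constructed 8-sector drive whose sector 3 is unreadable."""
    data = bytes(range(256)) * 16                 # 4096 bytes = 8 sectors of constructed content
    with tempfile.TemporaryDirectory() as tmp:
        image_path = os.path.join(tmp, "exhibit1.dd")
        rec = acquire(FlakySource(data, bad_sector=3), image_path,
                      os.path.join(tmp, "custody.log"), examiner="examiner-1", exhibit="EX/1")
        with open(image_path, "rb") as f:
            image = f.read()
    # every sector except the bad one is byte-identical to the source; sector 3 is zero-filled
    expected = data[:3 * SECTOR] + b"\x00" * SECTOR + data[4 * SECTOR:]
    return rec, image == expected


if __name__ == "__main__":
    record, intact = demo()
    print(json.dumps(record, indent=2), "\nimage matches source outside bad sector:", intact)
```

The acquisition hash and the verification hash are recorded separately on purpose: the first is what the tool saw while reading the medium, the second is what actually reached the disc, and a mismatch between them means the image cannot be relied on.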

The analyst will retrieve evidence and present it in a readable form, suitable for use in court. The machine’s case will also be examined for other evidence, such as money, keys, or drugs concealed inside it, or additional hard discs that have been disconnected so that a casual user of the machine would not know that they existed.

It is important to ensure that the suspect device cannot be written to. This is a particular problem when the examination machine runs Windows, which will mount any disc it detects and may write to it as soon as it is attached, with no simple way to mark the disc read-only, so a hardware write-blocking device is placed between the suspect disc and the examination machine. Disc images are examined for hidden or deleted files and partitions; these can be recovered and any data of value retrieved.

Photographic evidence is also collected - this would be photographs of the computer hardware, how it was laid out, and how the various components were connected to one another. This is used to a) document how a system had been set up (such as evidence of a facility for mass-producing illegal copies of CDs or DVDs) and b) to re-create the configuration of components if they have been disconnected.

One of the key messages from this talk was that forensics should not be taken in isolation - it is part of the body of evidence that has to be amassed for a prosecution to be brought.

Following this explanation, Russell explained some of the ways in which information and illicit images might be concealed and used the EnCase tool to demonstrate their retrieval.

Some key points from the demonstration were:

  1. On DOS / Windows systems, Fdisk only removes partition information - it does not physically delete files. A hard disc that has had Fdisk run on it may still contain data, as files may have only been logically rather than physically deleted. A disc editor can reveal the presence of files even though the operating system ‘thinks’ they no longer exist.
  2. Files can be searched for by header, rather than by name. A particular type of file (such as a jpg image file) will have a particular type of header that identifies the file type. This is independent of the file name. For example, an image file containing pornographic material could be disguised by renaming it with a different extension. However, the file’s header information would still reveal that it was an image file. A tool such as EnCase can identify such files.
  3. It is possible to search archives (such as Zip files) and OLE containers to reveal layered images (such as a Word document in which one ‘harmless’ image is positioned on top of a ’suspect’ image to hide it).
  4. File signature analysis is used to find ‘disguised’ files, such as a .jpg file (image) disguised as a dll.
  5. On a machine where virtual memory is in use, the swap (paging) file can be examined for fragments of documents that were edited but never saved to disc.
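Points 1 to 4 in working code, as an added Python example (not EnCase and not code from the talk): it builds a small constructed disc image whose first sector, where the partition table lived, has been zeroed as Fdisk would leave it, then locates the file headers that are still on the disc by scanning each sector boundary for known signatures; it also compares each file's header against its extension, and descends into a ZIP archive to find a JPEG that has been renamed to look like a DLL. The signature table, image layout and file names are all constructed for the example; a real tool carries a far larger signature table and also walks OLE containers.

```python
import io
import os
import zipfile

SECTOR = 512

# Header signatures (magic numbers) for a few types, each with the extensions that
# legitimately carry that type. Constructed for the example.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("zip", b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".jar"}),
    ("pe", b"MZ", {".exe", ".dll", ".sys"}),
]


def identify(data):
    """Name the file type from the header bytes alone; the file name plays no part."""
    for name, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def is_disguised(filename, data):
    """True when the extension claims a type other than the one the header shows."""
    kind = identify(data)
    if kind is None:
        return False
    allowed = next(exts for name, _, exts in SIGNATURES if name == kind)
    return os.path.splitext(filename)[1].lower() not in allowed


def walk(filename, data, path=()):
    """Yield (path, type, disguised) for a file and, recursively, for every member of a ZIP."""
    kind = identify(data)
    here = path + (filename,)
    yield (here, kind, is_disguised(filename, data))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from walk(info.filename, zf.read(info), here)


def carve(image, sector=SECTOR):
    """Scan each sector boundary of a raw image for known headers.

    Fdisk only clears the partition table; the file data stays on the platters,
    so a signature scan still finds it after the OS has forgotten the files exist.
    """
    hits = []
    for off in range(0, len(image), sector):
        kind = identify(image[off:off + 8])
        if kind:
            hits.append((off, kind))
    return hits


# --- constructed sample data --------------------------------------------------
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60   # JPEG SOI + APP0 marker, no real picture
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 60


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# A ZIP holding an innocent text file and a JPEG renamed to look like a DLL.
ARCHIVE = make_zip({"notes.txt": b"nothing to see here", "system32.dll": FAKE_JPEG})


def make_image(n_sectors, placements):
    """Raw image with sector 0 (the partition table) left zeroed, as after Fdisk."""
    img = bytearray(SECTOR * n_sectors)
    for sector, data in placements:
        img[sector * SECTOR:sector * SECTOR + len(data)] = data
    return bytes(img)


IMAGE = make_image(16, [(2, FAKE_JPEG), (5, FAKE_PNG), (8, ARCHIVE)])

if __name__ == "__main__":
    for off, kind in carve(IMAGE):
        print(f"sector {off // SECTOR}: {kind} header found")
    for path, kind, disguised in walk("attachment.zip", ARCHIVE):
        print("/".join(path), kind, "DISGUISED" if disguised else "")
```

Scanning only at sector boundaries is a deliberate choice: file data on FAT and NTFS volumes starts at cluster boundaries, so this keeps the false-positive rate down compared with searching every byte offset, at the cost of missing headers embedded inside other files.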