What must be proven before charges can be brought against a suspected offender? What are the initial steps carried out when commencing a forensic examination? Ian Kennedy continues his look at computer forensics.

(Read part 1 of this article here)

Proving a crime was committed

Under UK law a person cannot be charged with murder simply because it has been proved that they killed another person; it must also be established beyond all reasonable doubt that they intended to carry out the act.

Similarly, charging a person with, say, possessing a computer holding thousands of files containing indecent pictures of children requires that it be proved beyond all reasonable doubt that they had knowledge of the files' contents.

In legal terms this distinction is known by the Latin terms, actus reus (guilty act) and mens rea (guilty mind).

Consider the scenario whereby an offender, Fred, is searching for illegal pictures on the internet using his computer, which is running Microsoft Windows XP Professional.

Once he finds a site that interests him, he browses it for a while, saving pictures locally to a specified folder as he goes. When he is done he renames the files to have the Word document extension .DOC in an attempt to hide them from discovery.

When questioned by police on the matter, Fred claims that any pictures on his computer are there as a result of a series of pop-ups he encountered and that he had no interest in such material.

Initial steps

Before getting into what has actually happened on Fred's computer, a forensic copy must be made from the original exhibit so that any further contact with the exhibit is kept to a minimum.

Once this has been done and the copy has been verified (by hash) to be accurate, the total number of sectors on the single hard disk, as reported by our examination software, is checked against the figure published by the manufacturer.

They are found to match, so we conclude that there are no hidden sectors on the disk that could conceal evidence. Analysis of the partitions present on the disk reveals a single partition occupying the bulk of the available space. The unused areas of the disk are checked and found to contain no data.

Finally, the operating system, time zone settings, installation date and registered owner are extracted from the registry files to assist us in making informed decisions later about where we may expect to find various standard files and registry settings.
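The checks described in the three steps above (copy verification, sector count, partition layout and unallocated space) can be scripted. The following is an added example, not code from the article or from Kent Police; it works on a small constructed disk image with a single MBR partition table, and the image layout, the 512-byte sector size and the NTFS type code 0x07 are assumptions made for the illustration.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size for the constructed image


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Acquisition check: the forensic copy must hash identically to the exhibit."""
    return sha256_of(original) == sha256_of(image)


def sector_count(image: bytes) -> int:
    return len(image) // SECTOR


def matches_manufacturer(image: bytes, declared_sectors: int) -> bool:
    """Compare what the image reports against the manufacturer's declared LBA count."""
    return sector_count(image) == declared_sectors


def parse_mbr_partitions(image: bytes):
    """Return (start_lba, sector_count) for each populated entry in the MBR partition table."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length in sectors
        if ptype != 0 and count:
            parts.append((start, count))
    return parts


def unallocated_ranges(image: bytes, parts):
    """Half-open sector ranges not covered by any partition (sector 0, the MBR, is excluded)."""
    total = sector_count(image)
    ranges = []
    cursor = 1
    for start, count in sorted(parts):
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total:
        ranges.append((cursor, total))
    return ranges


def nonzero_sectors(image: bytes, ranges):
    """Sectors in the given ranges that hold anything other than zero bytes."""
    found = []
    for lo, hi in ranges:
        for s in range(lo, hi):
            if any(image[s * SECTOR:(s + 1) * SECTOR]):
                found.append(s)
    return found


def build_sample_disk(total_sectors=64, part_start=8, part_count=48, hidden_note=b""):
    """Constructed image: MBR plus one partition; optionally plant data in the gap after it."""
    image = bytearray(total_sectors * SECTOR)
    image[446 + 4] = 0x07                                  # assumed NTFS partition type
    struct.pack_into("<II", image, 446 + 8, part_start, part_count)
    image[510:512] = b"\x55\xaa"
    image[part_start * SECTOR:part_start * SECTOR + 4] = b"NTFS"  # make the partition non-empty
    if hidden_note:
        off = (part_start + part_count + 2) * SECTOR
        image[off:off + len(hidden_note)] = hidden_note
    return bytes(image)


if __name__ == "__main__":
    disk = build_sample_disk(hidden_note=b"hidden")
    parts = parse_mbr_partitions(disk)
    gaps = unallocated_ranges(disk, parts)
    print("partitions:", parts, "unallocated:", gaps)
    print("non-zero unallocated sectors:", nonzero_sectors(disk, gaps))
```

The sector-count comparison only catches space the drive itself is hiding from the operating system; the scan of unallocated ranges catches data sitting outside any partition on the sectors that are visible.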

Tracing what happened

Even the simple Fred scenario presented will leave a rich series of traces that can be harvested by a trained forensic computer analyst. The default behaviour of most internet browsers is to keep a cache, a folder containing temporary copies of the pictures downloaded to construct each web page viewed while online.

At this stage the presence of these files is not enough to charge Fred even with possession as we need to establish if he sought out the pictures or had knowledge of their presence on his computer.

Many common file types have both a known file extension and what is called a file signature or header. Files in Graphics Interchange Format (GIF), for example, begin with either GIF87a or GIF89a.

By running a process that compares the file extension for such files with the associated file signature any mismatches can be identified.

Thus Fred's attempt to hide his files by renaming them will be flagged as a mismatch. Renaming a file of one standard type to the extension of another in this way is indicative of Fred having known what the files contained.
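The extension-versus-signature comparison can be implemented as a simple directory walk. This is an added example and not the article's or any forensic tool's code; it builds a small constructed folder of sample files (labelled as constructed in the code) and reports those whose leading bytes identify a type that disagrees with the extension. The signature table is deliberately short.

```python
import os
import tempfile

# Magic bytes at offset 0 for a handful of common types (the page's GIF example plus a few more).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document (Word 97-2003)
}


def identify(header: bytes):
    """Names of every signature that matches the leading bytes; [] if the header is unknown."""
    return [name for name, sigs in SIGNATURES.items() if any(header.startswith(s) for s in sigs)]


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        header = f.read(16)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    actual = identify(header)
    if not actual:
        status = "unknown"      # no signature we know: not proof of anything either way
    elif ext in actual:
        status = "match"
    else:
        status = "mismatch"     # content says one type, extension claims another
    return {"path": path, "ext": ext, "actual": actual, "status": status}


def scan(root: str):
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.append(check_file(os.path.join(dirpath, name)))
    return results


def mismatched_names(root: str):
    """Base names of files flagged as extension/signature mismatches, sorted."""
    return sorted(os.path.basename(r["path"]) for r in scan(root) if r["status"] == "mismatch")


def make_sample_tree() -> str:
    """Constructed sample: two genuine files, two renamed pictures and one plain text file."""
    root = tempfile.mkdtemp()
    samples = {
        "mickey1.gif": b"GIF89a" + b"\x00" * 20,
        "mickey2.doc": b"GIF87a" + b"\x00" * 20,                      # GIF renamed to .doc
        "letter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 20,  # real Word file
        "notes.txt": b"just some text",
        "photo.doc": b"\xff\xd8\xff\xe0" + b"\x00" * 20,               # JPEG renamed to .doc
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for r in scan(make_sample_tree()):
        print(r["status"], r["path"], r["actual"])
```

Note what the check does and does not establish: a mismatch shows the extension was changed after the content was written, but a file whose header has been truncated or overwritten comes back "unknown" rather than "mismatch", and an unknown header is not evidence of concealment on its own.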

So, were these files genuine pop-ups that Fred encountered but then decided to keep in a secretive manner?

To answer this we turn our attention to the internet history files, which by default log almost every click Fred makes while using the internet. Fred has been using Microsoft's Internet Explorer, which creates and maintains a series of files called index.dat.

These record amongst other things the website addresses he visited, the username he was logged into his computer with and the date and time of the visit. For the purposes of this public paper, I have used a scenario where Fred has searched for and then browsed sites containing pictures of Mickey Mouse.

Any resources downloaded for a page are also recorded (such as the pictures making up a web page). As if that were not enough, when Fred double-clicks a file of a type associated with an application on the computer (such as a GIF or DOC) another entry is made in one of the log files to show that the file was opened.

From these logs it is possible to extract Fred's browsing activity such as his submissions to the Google search engine. We can also harvest the very keywords he submitted to Google to run the query.

We see that Fred has indeed been searching for illegal pictures on the internet and has paginated through several pages of search hits, as indicated by the incrementing start= value. Having found a website of interest Fred has gone on to browse the site.

Other entries in the logs indicate that in between browsing access has been made to files stored locally on the computer in the My Pictures folder.
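The analysis described across the preceding paragraphs (pulling the Google query terms and start= pagination out of the recorded URLs, listing the site that was then browsed, and picking out the file:// entries that record local file access) is shown here as an added example. It is not the article's or any vendor's code and it does not parse the binary index.dat format itself: it works on a constructed list of history records in the shape a history viewer exports (visit time, Windows user, URL), and the times, user name and URLs are all invented for the illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample records (time, user, URL) standing in for an index.dat export.
HISTORY = [
    ("2008-03-04 19:02:11", "fred", "http://www.google.co.uk/search?q=mickey+mouse+pictures&hl=en"),
    ("2008-03-04 19:02:40", "fred", "http://www.google.co.uk/search?q=mickey+mouse+pictures&hl=en&start=10"),
    ("2008-03-04 19:03:05", "fred", "http://www.google.co.uk/search?q=mickey+mouse+pictures&hl=en&start=20"),
    ("2008-03-04 19:03:30", "fred", "http://www.example.com/gallery/index.html"),
    ("2008-03-04 19:03:31", "fred", "http://www.example.com/gallery/img001.gif"),
    ("2008-03-04 19:04:02", "fred", "file:///C:/Documents%20and%20Settings/fred/My%20Documents/My%20Pictures/img001.gif"),
    ("2008-03-04 19:04:40", "fred", "http://www.example.com/gallery/img002.gif"),
    ("2008-03-04 19:05:10", "fred", "file:///C:/Documents%20and%20Settings/fred/My%20Documents/My%20Pictures/img002.gif"),
]


def google_queries(history):
    """Group Google search hits by query term as {term: [(time, start), ...]}."""
    queries = defaultdict(list)
    for when, _user, url in history:
        u = urlparse(url)
        if "google." in u.netloc and u.path == "/search":
            qs = parse_qs(u.query)
            term = qs.get("q", [""])[0]            # parse_qs already turns '+' into spaces
            start = int(qs.get("start", ["0"])[0])  # absent start= means the first page
            queries[term].append((when, start))
    return dict(queries)


def pages_viewed(queries, term, per_page=10):
    """Result pages reached for a term, derived from the incrementing start= value."""
    return [start // per_page + 1 for _, start in sorted(queries[term])]


def sites_browsed(history):
    """Count of http(s) requests per host, excluding the search engine itself."""
    hosts = Counter()
    for _when, _user, url in history:
        u = urlparse(url)
        if u.scheme in ("http", "https") and "google." not in u.netloc:
            hosts[u.netloc] += 1
    return hosts


def local_file_accesses(history):
    """file:// entries, which record local files opened through the shell, as Windows paths."""
    out = []
    for when, user, url in history:
        u = urlparse(url)
        if u.scheme == "file":
            path = unquote(u.path).lstrip("/").replace("/", "\\")
            out.append((when, user, path))
    return out


if __name__ == "__main__":
    q = google_queries(HISTORY)
    for term in q:
        print(repr(term), "pages", pages_viewed(q, term))
    print(sites_browsed(HISTORY))
    for rec in local_file_accesses(HISTORY):
        print(*rec)
```

The query terms and pagination come straight out of the URL, so no guessing is involved; the one interpretive step is treating the file:// entries as local access, which on its own does not say whether the file was saved or merely opened.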

To confirm that this access was a file save operation we turn our attention to the registry file called NTUSER.DAT. Each user account on a computer running Windows XP Professional has one of these files associated with it. This file is an Aladdin's cave of information about the associated user and their use of the computer.

In Fred's case we focus on the area of the file that records use of the common Save dialog. For reasons of efficiency many of the facilities used by a Windows application such as Internet Explorer are shared resources held in Dynamic Link Libraries (DLLs) installed with Windows. The Save dialog box is an example of one such resource, as the same basic functionality is required in many Windows applications. On Windows XP the dialog's records live under the ComDlg32 key (OpenSaveMRU and LastVisitedMRU) within the user's NTUSER.DAT.

Each time the Save dialog resource is used (i.e. to save a file with a given filename) an entry is recorded in the NTUSER.DAT file in a most recently used (MRU) list, much like the recent documents list available from the Start menu by default. Examining this file on Fred's computer reveals that he did indeed save a number of pictures locally to his hard disk.

In this way we can show manual interaction was required to save the file by interacting with the dialog box.
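The MRU list is stored as a set of lettered values plus an MRUList string that gives their order, most recent first, so reading it back is a small decoding step rather than a plain lookup. The following added example (not the article's or any tool's code) works on a constructed dictionary in the shape an offline hive viewer would export for the XP OpenSaveMRU key: one sub-key per extension, plus the "*" sub-key that collects every save. The paths and the letter order are invented for the illustration.

```python
# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
# as it appears in an XP NTUSER.DAT. Values "a", "b", ... hold full paths; "MRUList" orders them.
FRED = r"C:\Documents and Settings\fred\My Documents"
OPENSAVE_MRU = {
    "*": {
        "MRUList": "cab",
        "a": FRED + r"\letter.doc",
        "b": FRED + r"\My Pictures\img001.gif",
        "c": FRED + r"\My Pictures\img002.gif",
    },
    "gif": {
        "MRUList": "ba",
        "a": FRED + r"\My Pictures\img001.gif",
        "b": FRED + r"\My Pictures\img002.gif",
    },
    "doc": {
        "MRUList": "ad",            # "d" has no matching value: a dangling reference
        "a": FRED + r"\letter.doc",
    },
}


def ordered_entries(subkey: dict):
    """Paths in MRU order (most recent first); None where MRUList names a missing value."""
    return [subkey.get(letter) for letter in subkey.get("MRUList", "")]


def dangling_letters(subkey: dict):
    """MRUList letters with no value behind them; worth reporting rather than silently dropping."""
    return [letter for letter in subkey.get("MRUList", "") if letter not in subkey]


def saved_under(mru: dict, folder_fragment: str):
    """(extension key, rank, path) for every save whose path contains the folder fragment."""
    hits = []
    for ext, sub in mru.items():
        for rank, path in enumerate(ordered_entries(sub)):
            if path and folder_fragment.lower() in path.lower():
                hits.append((ext, rank, path))
    return hits


def most_recent_save(mru: dict):
    """The last file saved through the dialog, taken from the catch-all "*" sub-key."""
    entries = ordered_entries(mru.get("*", {}))
    return entries[0] if entries else None


if __name__ == "__main__":
    for ext, sub in OPENSAVE_MRU.items():
        print(ext, ordered_entries(sub), "dangling:", dangling_letters(sub))
    print("most recent:", most_recent_save(OPENSAVE_MRU))
    for hit in saved_under(OPENSAVE_MRU, "My Pictures"):
        print(*hit)
```

The extension sub-keys and the "*" sub-key should agree with one another; a path present in one and not the other, or a dangling letter as in the "doc" sub-key above, is something to note in the report rather than tidy away.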

In review, we have established that a number of files of an illegal nature were found in the internet cache area of the hard disk and that copies of these files were found in another folder. These copies had also been renamed to a file extension not normally associated with picture files.

Fred's internet history logs show that a number of searches were submitted to the Google search engine and that a significant amount of browsing of a site containing pictures of an illegal nature was undertaken. The registry file NTUSER.DAT revealed that these files were manually saved to the hard disk.

Reporting on findings

In combination the above activity provides evidence of both actus reus and mens rea and would form the basis for charges being brought against Fred for his activities. At this stage a technical report outlining the findings would be produced. This would need to be both technically concise and written in a manner that a lay person could follow.

It must be remembered that at the end of the day it is the Court that must clearly understand the implications of any activity discovered on a digital device if it is to make informed decisions about the guilt of a suspected offender.

Ian Kennedy MBCS CITP CEng is forensic computer analyst at Kent Police.