Shell Game

In computer forensics, knowing where to look is as important as knowing what you're looking for.

If you've ever seen the CBS show "CSI" ("Crime Scene Investigation") then you know that "forensics" means the science behind collecting and interpreting data in a criminal investigation.

Fans of the show know that catching a killer can revolve around analyzing and interpreting the most incredibly minute—even seemingly arcane, superfluous, and most of all, disgusting—details, such as the correlation between the development stages of maggot larvae (found on a corpse, of course) and time, in order to assess the time of death of a body.

Ambient Data
If the alleged criminal left evidence of the crime in a computer, perhaps in e-mail or Word documents, then finding evidence might not be so difficult. But criminal investigators often turn up computers whose owners took steps to destroy incriminating evidence. And that's when things get more difficult.

Michael R. Anderson, president of New Technologies Inc. (NTI), a Gresham, Ore. tech institute that teaches courses on computer forensics, tells of one case involving a CEO whose bank had just merged with another. There was room for just one CEO, a problem for this soon-to-be-superfluous chief executive.

"This guy saw the train coming down the track, and he went in just before they dismissed him and—in the hour before the board meeting—accessed, modified and tried to destroy about 300 files without the proper tools," says Anderson. Properly deleting something, he notes, requires not only the right tools, but knowledge about everywhere that information is stored. "Most people aren't aware of temporary files, that when you create a Microsoft Word document, there can be 14 temporary files, and so 14 slack dumps," says Anderson. After some fast computer forensics work, the erstwhile CEO got nabbed.

Much forensics work, Anderson notes, rests on one false assumption: that "deleting" a file actually erases it. Anderson has a term for what that assumption leaves behind: ambient data, or all of the data stored in non-traditional computer storage areas and formats.

Understanding ambient data is a prerequisite to forensics work. For instance, just booting up a computer and opening files can fill the swap file with new data, perpetually edging out partial copies of files that may provide valuable evidence. As I said in my last column, that's why it's so important to first collect and freeze the evidence before analyzing it.

Ambient data comes in many forms. Your operating system (OS) may copy one word processing file to multiple places to make things run faster. On the desktop, Windows often makes temporary copies of open Office documents, and each can be added to the swap file or tucked away elsewhere. (See "Where Data Resides.")

The Tools
The gold standard for computer forensics examination is The Coroner's Toolkit (TCT), a group of programs for post-intrusion analysis of a Unix system. Now, an HTML-based "Autopsy Forensics Browser" has just been released—also free—which expands the usefulness of TCT. "Up until this [time], TCT did not support Windows," notes John Tan, a security expert with @Stake Inc. in Cambridge, Mass. The Autopsy browser, created by Brian Carrier at @Stake, adds a graphical interface to TCT via HTML, allowing an investigator to browse forensics images at the file and directory, inode, and block levels, or search images by using keywords.

Graphical-based forensics tools are also hitting the market. EnCase, from Guidance Software Inc., lets the user run a computer forensics investigation from evidence acquisition to end-report generation. "We have some freeware tools that compete with [EnCase]," says Tan, noting that EnCase tends to keep pace with additional features. But EnCase is "more of an end-user thing, aimed at law enforcement. It's very graphically oriented, so it takes some complexity out of evidence collection," he says.

Purists argue about whether data collection should be done with GUI-based tools or command-line prompts. Given the dearth of forensics software two years ago, any progress is good.

PDD, another free forensics tool by "Kingpin," is a Windows-based tool used for memory imaging and forensics acquisition of Palm PDA device data. As handheld devices become corporate tools, as well as potential weak points in the physical security scheme—they allow sensitive data to easily walk out the door—being able to include Palm images (where applicable) in an overall computer forensics investigation is essential.

"We've used PDD in trial mode here [at @Stake]," says Tan. "We were able to go in and acquire all the most recently dialed phone numbers" from the Palm, he said.

Where Data Resides

File Slack
File slack is the unused space left at the end of a file's last cluster whenever a file is saved. Windows, for instance, uses clusters of predetermined length, but files rarely match these cluster sizes. So there's extra space—but it's not blank. Instead, when the computer needs to pad the cluster to make it the right size, it marks the end of the "real" information in the cluster and then dumps in data from its memory to make up the difference. With the right tools, that data can be unearthed, revealing all sorts of information, including passwords, log-on names, and fragments of messages or documents. According to New Technologies, a large hard disk can contain up to 700MB of data stored in file slack. To a forensics examiner, that's a gold mine.

Swap File
The swap file is an adjunct to RAM. Frequently used files are stored in a specific place on the hard disk for easy retrieval by the computer's RAM, which keeps only the most-used files active. Those that are used less can be "swapped out" to the swap file, a kind of virtual memory. The swap file often contains exact copies of files, which can then be easily retrieved.

Unallocated Space
Unallocated space is simply the space occupied by files that have been erased. When you erase a file in Windows, the OS doesn't actually erase the file; it just releases the space as a place to put information in the future. Until then, the data is still there, but the computer pretends that it's "deleted." Retrieving data that's still there is easy. Unallocated space exists on just about every kind of storage medium, including hard drives, floppy disks and Zip disks.

Temporary Files
Don't forget temporary files. As anyone who's ever turned on the "show hidden files" feature in Windows knows, one session with a Windows document might result in 20 temporary files—all of them an exact copy (with edits along the way) of the file originally opened. Though the user might not see those temporary files on his desktop, they've been written to the hard disk—and to RAM, swap files and left in unallocated space. So those 20-odd near-identical versions mean 20 more chances for investigators to find what they're looking for.
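To make the sidebar concrete, here is an added toy model (example code written for this column, not from NTI, @Stake, TCT or EnCase) of a volume with fixed-size clusters. It assumes a made-up 64-byte cluster, a constructed "leftover memory" pattern that pads each cluster, and two constructed files; it then shows where a keyword search finds data once one file is "deleted": in the live file, in its slack, or in unallocated space.

```python
# Toy volume with fixed-size clusters, showing where ambient data ends up.
# Constructed example; not a real filesystem format and not NTI's or @Stake's code.
CLUSTER, NCLUSTERS = 64, 8   # constructed sizes; real clusters run 512 B to 64 KB
# Constructed leftover process memory pads every cluster: the padding is not blank.
LEFTOVER = (b"password=hunter2;" * 40)[:CLUSTER * NCLUSTERS]
MEMO = b"Board meeting 9am: one CEO position remains"                # 43 bytes
DRAFT = b"TEMP: delete the 300 loan files before the board meeting"  # 56 bytes

class ToyVolume:
    def __init__(self):
        self.image = bytearray(LEFTOVER)
        self.free = list(range(NCLUSTERS))  # simple allocation list
        self.files = {}                     # name -> (cluster list, byte size)
    def write(self, name, data):
        # allocate whole clusters; bytes past len(data) in the last one are slack
        clusters = [self.free.pop(0) for _ in range(-(-len(data) // CLUSTER))]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.image[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))
    def delete(self, name):
        # like a Windows delete: drop the directory entry, leave the blocks untouched
        clusters, _ = self.files.pop(name)
        self.free.extend(clusters)
    def slack(self, name):
        clusters, size = self.files[name]
        last = clusters[-1] * CLUSTER
        used = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.image[last + used:last + CLUSTER])
    def classify(self, offset):
        # which region a byte offset falls in, as a forensic browser would label it
        c = offset // CLUSTER
        for name, (clusters, size) in self.files.items():
            if c in clusters:
                file_off = clusters.index(c) * CLUSTER + offset % CLUSTER
                return ("allocated:" if file_off < size else "slack:") + name
        return "unallocated"
    def search(self, needle):
        # keyword search over the raw image, slack and unallocated space included
        hits, pos = [], self.image.find(needle)
        while pos != -1:
            hits.append((pos, self.classify(pos)))
            pos = self.image.find(needle, pos + 1)
        return hits

VOL = ToyVolume()                                    # constructed scenario
VOL.write("memo.txt", MEMO)
VOL.write("draft.tmp", DRAFT)
VOL.delete("draft.tmp")   # the "deleted" temp file is still fully recoverable
```

`VOL.slack("memo.txt")` returns the padding that followed the memo in its cluster, and `VOL.search(b"300 loan files")` finds the deleted draft in unallocated space.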

Password Cracking
If files are available immediately, or if files have been retrieved but they're encrypted—either through an external file compression or encryption program, or the source program's built-in password control—then the passwords need to be cracked. That often isn't difficult, especially if it's a common file type often used in office environments, such as a Microsoft Word, Excel or PowerPoint document, Acrobat file, ACT! file, instant message, or any of the popular e-mail clients.

In addition, password-protected Zip archives with at least a few files inside can usually be compromised so that their contents can be "unzipped," especially if one of the zipped files is also available in unzipped format (for comparison). But if there's no well-known vulnerability that can be compromised, the passwords of many files can also be arrived at through application of brute force techniques that use dictionaries to try and find a match. I don't know about your passwords, but most of the ones I've heard would have been pretty easy to guess without any dictionary.

Not Always Free
If your company wants to pursue its forensics analysis further, open-source software must become a consideration. "When you go into court to testify, if you're using an open-source product, you have access to the source code, you know when it went in and what it did," says Tan.

The same may not be true with commercial software. If the legal opposition starts to talk about how the guts of the software work, you'll have to bring in and pay for a developer or expert from the software vendor to testify about what goes into their software, and how it works. Of course if you're not an expert in the open-source software you're using, you might have to do the same for the free product.

But when it comes to tools, remember that it's the user more than the particular tool that ensures the job gets done properly.

"We have some competitors on the tool side, who pitch that one tool does it all," says Anderson. As in many facets of life, that just doesn't hold, he says. "That would be like a doctor having one scalpel, or a landscape guy just having one lawn mower—good luck with the edging."

If you're trying to recover a file that someone deleted, then indeed one or two tools might do a thoroughly effective job of attacking the hard drive and fishing out the relevant information.

But if you're trying to do a forensics analysis—analyze an electronic crime scene—then very often many different tools will be needed, along with someone with higher-level knowledge.

Data Hiding
Just as a good computer forensics specialist knows where to look within the computer to maximize the chance of retrieving evidence, so, too, will a good computer criminal know how to minimize his tracks.

No matter the tools used, sometimes evidence of a crime just can't be recovered, says Anderson. How does he know? Because he helps teach a quarterly course called "Data Hiding."

"You can do a lot of this data hiding with no tools and it will essentially defeat the government's attempts to get it," he says. In a normal forensics course, he says, by the end of the class people walk out elated, armed with myriad bits of arcane knowledge about how they can root out forensics data from swap files and unallocated space. "But in the 'Data Hiding' class, we start with something and end up with no answer—and they're totally defeated, you just see them limp out the doors," he notes.

Call it the computer crime version of a perfect murder.