The BTK Killer, Study notes of Forensics


Typology: Study notes

2021/2022

Uploaded on 09/27/2022


The BTK Killer

Dennis Rader was arrested in February 2005 and charged with committing ten murders since 1974 in the Wichita, Kansas, area. The killer, whose nickname stands for “bind, torture, kill,” hadn’t murdered since 1991, but he resurfaced in early 2004 by sending a letter to a local newspaper taking credit for a 1986 slaying. Included with the letter were a photocopy of the victim’s driver’s license and three photos of her body. The BTK killer was back to his old habit of taunting the police. Three months later another letter surfaced. This letter detailed some of the events surrounding BTK’s first murder victims. In 1974, he strangled Joseph and Julie Otero along with two of their children. Shortly after those murders, BTK sent a letter to a local newspaper in which he gave himself the name BTK. In December 2004, a package found in a park contained the driver’s license of another BTK victim along with a doll covered with a plastic bag, its hands bound with pantyhose. The major break in the case came when BTK sent a message on a floppy disk to a local TV station. “Erased” information on the disk was recovered and restored by forensic computer specialists, and the disk was traced to the Christ Lutheran Church in Wichita. The disk was then quickly linked to Dennis Rader, the church council president. The long odyssey of the BTK killer was finally over.

Andrew W. Donofrio

Key Terms
bit, byte, central processing unit (CPU), cluster, file slack, hard disk drive (HDD), hardware, latent data, Message Digest 5 (MD5)/Secure Hash Algorithm (SHA), motherboard, operating system (OS), partition, RAM slack, random-access memory (RAM), sector, software, swap file, temporary files, unallocated space, visible data

random-access memory (RAM): The volatile memory of the computer; when power is turned off, its contents are lost. Programs and instructions are loaded into RAM while they are in use.
central processing unit (CPU): The main chip within the computer; also referred to as the brain of the computer. This microprocessor chip handles most of the operations (code and instructions) of the computer.

motherboard: The main system board of a computer (and many other electronic devices) that delivers power, data, and instructions to the computer’s components.

582 CHAPTER 17

It is important not to confuse software with the physical media that it comes on. When you buy an application such as Microsoft Office, it comes on a compact disc (CD). The CD containing this suite of applications is typically referred to as software, but this is technically wrong. The CD is external computer media that contains the software; it is a container for and a medium to load the set of instructions onto the hard disk drive (the hardware).

Hardware Components

Motherboard The main circuit board in a computer (or other electronic devices) is referred to as the motherboard. Motherboards contain sockets for chips (such as the CPU and ROM, discussed shortly) and slots for add-on cards. Examples of add-on cards are a video card to connect the computer to the monitor, a network card or modem to connect to an internal network or the Internet, and a sound card to connect to speakers. Sockets on the motherboard typically accept things such as random-access memory (RAM) or the central processing unit (CPU). The keyboard, mouse, CD-ROM drives, floppy disk drives, monitor, and other peripherals or components connect to the motherboard in one way or another.

System Bus Contained on the motherboard, the system bus is a vast complex network of wires that carries data from one hardware device to another. This network is analogous to a complex highway. Data is sent along the bus in the form of ones and zeros (or, more appropriately stated, as electrical impulses representing an “on” or “off” state); this two-state computing is also known as binary computing.
Central Processing Unit (CPU) The central processing unit (CPU), also referred to as a processor, is the brain of the computer; it is the part of the computer that actually computes. It is the main (and typically the largest) chip that plugs into a socket on the motherboard. Basically, all operations performed by the computer are run through the CPU. The CPU carries out the program steps to perform the requested task. That task can range from opening and working in a Microsoft Word document to performing advanced mathematical algorithms.

Read-Only Memory (ROM) This rather generic term describes special chips on the motherboard. ROM chips store programs called firmware, used to start the boot process (in which the computer starts up before the system is fully functioning) and configure a computer’s components. This technology is referred to as the BIOS, for basic input-output system. The operation of the BIOS is relevant to several computer forensics procedures, particularly the boot sequence. As will become clear later, it is important not to boot the actual computer under investigation from the original hard disk drive. This would cause changes to the data, thus compromising the integrity of evidence. The BIOS allows investigators to control the boot process to some degree, for example by changing the boot order so the machine starts from the examiner’s own boot media rather than from the suspect drive. In practice examiners also place a hardware write blocker between the suspect drive and the acquisition system so that no write can reach the evidence.

Random-Access Memory (RAM) Random-access memory (RAM) stores software programs and instructions while the computer is turned on; it takes the physical form of chips that plug into the motherboard. Most of the data on a computer is stored on the hard disk drive (HDD). However, if the computer had to access the HDD each time it wanted data, it would run slowly and inefficiently. Instead, the computer, aware that it may need certain data at a moment’s notice, stores the data in RAM. This takes the burden off the computer’s processor and hard disk drive (HDD).
RAM is referred to as volatile memory because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer.

hard disk drive (HDD): Typically the main storage location within the computer, consisting of magnetic platters contained in a case.

Hard Disk Drive (HDD) Generally speaking, the hard disk drive (HDD) is the primary component of storage in the personal computer (see Figure 17–2). It typically stores the operating system, programs, and data files created by the user, such as documents, spreadsheets, accounting information, or a company database. Unlike RAM, the HDD is permanent storage and retains its information even after the power is turned off. HDDs work off a controller that is typically part of the motherboard, but sometimes takes the form of an add-on (expansion) card plugged into the motherboard.

Input Devices Input devices are used to get data into the computer or to give the computer instructions. Input devices constitute part of the “user” side of the computer. Examples include the keyboard, mouse, joystick, and scanner.

Output Devices Output devices are equipment through which data is obtained from the computer. Output devices are also part of the “user” side of the computer, and provide the results of the user’s tasks. They include the monitor, printer, and speakers.

Key Points
• Computer forensics involves preserving, acquiring, extracting, and interpreting computer data.
• Software programs are applications that carry out a set of instructions.
• The central processing unit (CPU) is the brain of the computer—the main chip responsible for doing the actual computing.
• The motherboard is the main circuit board within a computer.

FIGURE 17–2 An inside view of the platter and read/write head of a hard disk drive. Courtesy Corbis RF

cluster: A group of sectors in multiples of two; typically the minimum space allocated to a file.
• Read-only memory (ROM) chips store programs that control the boot (startup) process and configure a computer’s components.
• Random-access memory (RAM) is volatile memory, which is lost when power is turned off. Programs are loaded into RAM because of its faster read speed.
• The hard disk drive (HDD) is typically the primary location of data storage within the computer.

bit: Short for binary digit; taking the form of either a one or a zero, it is the smallest unit of information on a machine.
byte: A group of eight bits.
sector: The smallest unit of data addressable by a hard disk drive, generally consisting of 512 bytes.
partition: A contiguous set of blocks that are defined and treated as an independent disk.
operating system (OS): Software that allows the user to interact with the hardware and manages the file system and applications.

Storing and Retrieving Data

As mentioned earlier, most of the data in a computer is stored on the hard disk drive (HDD). However, before beginning to understand how data is stored on the HDD, it is first important to understand the role of the operating system (OS). An OS is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components. Each OS supports certain types of file systems that store data in different ways, and some operating systems can also read the file systems native to others.

Formatting and Partitioning the HDD Generally speaking, before an OS can store data on a HDD, the HDD must first be formatted, or prepared to accept the data in its current form. Before the HDD can be formatted, a partition must be defined. A partition is nothing more than a contiguous set of blocks (physical areas on the HDD in which data can be stored) that are defined and treated as an independent disk. Thus, a hard disk drive can hold several partitions, making a single HDD appear as several disks.
Partitioning a drive can be thought of as dividing a container that begins as nothing more than four sides with empty space on the inside. Imagine that we then cut a hole in the front of the container and place inside two drawers containing the hardware to open and close the drawers. We have just created a two-drawer filing cabinet and defined each drawer as a contiguous block of storage. A partitioning program then defines the partitions that will later hold the data on the HDD. Just as the style, size, and shape of a filing cabinet drawer can vary, so too can partitions.

After a hard drive is partitioned, it is typically formatted. The formatting process initializes portions of the HDD, so that they can store data, and creates the structure of the file system. There are various types of file systems—methods for storing and organizing computer files and data so they are easier to locate and access. Each has a different way of storing, retrieving, and allocating data.

At the conclusion of these processes, we say that the drive is logically defined. The term logically is used because no real divisions are made. If you were to crack open the HDD before or after partitioning and formatting, to the naked eye the platters would look the same.

Mapping the HDD As shown in Figure 17–3, disks are logically divided into sectors, clusters, tracks, and cylinders. A sector is the smallest unit of data that a hard drive can address; sectors have traditionally been 512 bytes in size, although many newer drives use 4,096-byte sectors (a byte is eight bits; a bit is a single one or zero).[1] A cluster usually is the minimum space allocated to a file.

table clean—for example, by reformatting it—the data itself would not be gone. Both the database tracking the locations of the safe-deposit boxes and the file system table tracking the location of the data in the cluster are maps—not the actual contents.
Key Points
• The computer’s operating system (OS) is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components.
• Formatting is the process of preparing a hard disk drive to store and retrieve data in its current form.
• A sector is the smallest unit of data that a hard drive can address. A cluster usually is the minimum space allocated to a file. Clusters are groups of sectors.
• A FAT is a file allocation table. It tracks the location of files and folders on the hard disk drive.

Putting It All Together

Let’s now see how all of the parts of a computer come together to allow a user to access and manipulate data. When a person presses the power button, the power supply wakes up and delivers power to the motherboard and all of the hardware connected to the computer. At this point the flash ROM chip on the motherboard (the one that contains the BIOS) conducts a power-on self test (POST) to make sure everything is working properly. The flash ROM polls the motherboard to determine what hardware is attached, then reads its own stored boot order, thus determining from what device it should boot. Typically the boot device is the HDD, but it can also be a floppy disk, CD, or USB drive.

If the boot device is the HDD, control is passed to it: the BIOS reads the first sector of the disk (known as the master boot record), the code and table stored there determine the disk’s layout (its partition(s)), and an operating system (Windows, Mac OS, Linux, Unix) is booted. The user is then presented with a computer work environment, commonly referred to as a desktop. Now ready to work, the user double-clicks an icon on the desktop, such as a Microsoft Word shortcut, to open the program and begin to type a document.
The CPU processes this request, locates the Microsoft Word program on the HDD (using a predefined map of the drive called a file system table), and carries out the programming instructions associated with the application. The CPU also loads Microsoft Word into RAM via the system bus and sends the output to the monitor by way of the video controller, which is either located on or attached to the motherboard. As the user types, data from the keyboard is loaded into RAM. When the user is finished, he or she might print the document or simply save it to the HDD for later retrieval. If printed, the data is copied from RAM, processed by the CPU, placed in a format suitable for printing, and sent through the system bus to a printer. If the document is saved, the data is copied from RAM, processed by the CPU, passed to the HDD controller by way of the system bus, and written to a portion of the HDD. The HDD’s file system table is updated so it knows where to retrieve that data later. This is a very simplistic overview of the boot process. Forensic examiners must possess a much more in-depth understanding of the boot process.

The preceding example illustrates how three components of the computer perform most of the work: the CPU, RAM, and system bus. The example can get even more complicated as the user opens more applications and performs multiple tasks simultaneously (multitasking). Several tasks can be loaded into RAM at once, and the CPU is capable of juggling them all. This allows for the multitasking environment and the ability to switch back and forth between applications. (To further enhance this ability, the operating system can use a portion of the HDD as virtual memory, which can be very forensically valuable—but more on this later.) All of this is orchestrated by the operating system and is written in the language of the computer—ones and zeros.
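The boot sequence above hinges on the BIOS reading sector 0 of the boot disk, the master boot record, and on the partition table stored inside it. The following Python is an added example and not code from the chapter: it constructs a 512-byte MBR in memory (the partition entries, type codes and disk size are made up) and decodes it the way a forensic tool does, checking the 0x55AA signature, listing each partition with its byte offset, and reporting the sector ranges that no partition claims, since those lie outside every file system and are a natural hiding place for data.

```python
"""Decode a master boot record (MBR) partition table.

Added example, not from the textbook chapter. The MBR below is constructed in
memory; the partition entries, type codes and disk size are made up for
illustration. The same parse_mbr() works on the first 512 bytes read from a
disk image.
"""
import struct

SECTOR_SIZE = 512             # classic sector size used throughout the chapter
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"

# Only the type codes needed for the example are labelled (assumption).
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries as dicts with byte offsets.

    Refuses sectors of the wrong size or without the 0x55AA signature; that is
    the first sanity check before trusting anything the table says.
    """
    if len(sector0) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector0)}")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector0, offset)
        if ptype == 0x00:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "sector_count": count,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": count * SECTOR_SIZE,
        })
    return partitions


def unpartitioned_ranges(partitions: list, total_sectors: int) -> list:
    """Sector ranges [start, end) claimed by no partition.

    These gaps sit outside every file system, so they are a natural place to
    look for hidden or leftover data during an examination.
    """
    used = sorted((p["lba_start"], p["lba_start"] + p["sector_count"]) for p in partitions)
    gaps, cursor = [], 0
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def _entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, ptype, lba_start, count)


def constructed_mbr() -> bytes:
    """A made-up MBR: bootable NTFS at sector 2048, Linux right after it, two empty slots."""
    table = (_entry(True, 0x07, 2048, 204800)
             + _entry(False, 0x83, 206848, 409600)
             + bytes(ENTRY_SIZE) * 2)
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    parts = parse_mbr(constructed_mbr())
    for p in parts:
        print(p)
    print("unpartitioned:", unpartitioned_ranges(parts, 1_000_000))
```

Pointing `parse_mbr()` at the first 512 bytes of a real image is the whole adaptation needed; the byte offsets it returns are what a hex viewer or carving tool is then seeked to.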
Processing the Electronic Crime Scene

Processing the electronic crime scene has a lot in common with processing a traditional crime scene. The investigator must first ensure that the proper legal requirements (search warrant, consent, and so on) have been met so that the scene can be searched and the evidence seized. The investigator should then devise a plan of approach based on the facts of the case and the physical location.

Documenting the Scene The scene should be documented in as much detail as possible before disturbing any evidence, and before the investigator lays a finger on any computer components. Of course there are circumstances in which an investigator might have to act quickly and pull a plug before documenting the scene, such as when data is in the process of being deleted. Crime-scene documentation is accomplished through two actions: sketching and photographing. The electronic crime scene is no different. The scene should be sketched in a floor plan fashion (see Figure 17–4) and then overall photographs of the location taken. In a case in which several computers are connected together in a network, a technical network sketch should also be included if possible (covered in greater detail in the next chapter).

After investigators photograph the overall layout, close-up photographs should be shot. A close-up photograph of any running computer monitor should be taken. All the connections to the main system unit, such as peripheral devices (keyboard, monitor, speakers, mouse, and so on), should be photographed. If necessary, system units should be moved delicately and carefully to facilitate the connections photograph (see Figure 17–5). Close-up photographs of equipment serial numbers should be taken if practical.

At this point, investigators must decide whether to perform a live acquisition of the data, perform a system shutdown (as in the case of server equipment), pull the plug from the back of the computer,[2] or a combination thereof.
Several factors influence this decision. For example, if disk or volume encryption is in use, the data is readable only while the system is running with the key in memory; pulling the plug leaves it encrypted and unreadable without the password or key, so pulling the plug would not be prudent. Similarly, any data that exists in RAM and has not been saved to the HDD will be lost if power to the system is discontinued. Regardless of how investigators decide to proceed, the equipment most likely will be seized. Exceptions exist in the corporate environment, where servers are fundamental to business operations.

FIGURE 17–4 Rough sketch made at a crime scene, with necessary measurements included.

After the photographs and sketches are complete, but before disconnecting the peripherals from the computer, a label should be placed on the cord of each peripheral, with a corresponding label placed on the port to which it is connected. A numbering scheme should be devised to identify the system unit if several computers are at the scene (Figure 17–6). The combination of sketching, photographing, and labeling should adequately

FIGURE 17–7 Screen shot of EnCase Software. Courtesy EnCase, www.encase.com

devices (keyboard, monitor, speakers, mouse, and so on), and (3) equipment serial numbers.
• Two situations in which an investigator would not unplug a computer at an electronic crime scene are (1) if encryption is being used and pulling the plug will leave the data encrypted, rendering it unreadable without a password or key, and (2) if data exists in RAM that has not been saved to the HDD, and will thus be lost if power to the system is discontinued.
• The primary goal in obtaining data from a HDD is to do so without altering even one bit of data. To this end, a Message Digest 5 (MD5)/Secure Hash Algorithm (SHA) takes a “fingerprint” of a hard disk drive (HDD) before and after forensic imaging; identical values show that the image is a bit-for-bit copy of the original.
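The last key point, hashing the drive before and after imaging, is short enough to show end to end. The Python below is an added example and not code from the chapter: the "drive" is a constructed byte string standing in for a block device, the imaging step is a plain byte copy, and both sides are hashed in chunks so the same function scales to a multi-gigabyte image read from a file. MD5 is included because the chapter names it, but MD5 collisions are practical today, so SHA-256 is computed alongside and is the value an examiner should rely on; a single flipped bit in the copy is enough to change both digests.

```python
"""Hash-verify a forensic image against its source.

Added example, not code from the chapter. EVIDENCE is a constructed byte
string standing in for a block device; in practice fingerprint() is given an
open file such as /dev/sdb or a raw .dd image. MD5 is included because the
chapter names it, but MD5 collisions are practical today, so SHA-256 is
computed alongside and is the value to rely on.
"""
import hashlib
import io

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-gigabyte images


def fingerprint(stream, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hexdigest} over the whole stream, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source: bytes) -> bytes:
    """Stand-in for a bit-for-bit imaging tool: every byte copied, nothing added."""
    return bytes(source)


def verify_image(source: bytes, image: bytes):
    """Hash source and image independently; return (match, before, after)."""
    before = fingerprint(io.BytesIO(source))
    after = fingerprint(io.BytesIO(image))
    return before == after, before, after


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Alter a single bit so the mismatch a hash detects is as small as possible."""
    altered = bytearray(data)
    altered[byte_index] ^= 0x01
    return bytes(altered)


# Constructed evidence: four 512-byte sectors with recognisable content.
EVIDENCE = (b"DEED TO 123 MAIN ST, WICHITA\x00" * 80)[:2048]

if __name__ == "__main__":
    ok, before, after = verify_image(EVIDENCE, acquire(EVIDENCE))
    print("clean image matches:", ok, before["sha256"])
    ok, _, after = verify_image(EVIDENCE, flip_one_bit(EVIDENCE))
    print("one flipped bit matches:", ok, after["sha256"])
```

The "before" digest is what goes into the chain-of-custody record; recomputing it over the image at any later date is how the examiner shows nothing changed in between.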
Analysis of Electronic Data

Analysis of electronic data is virtually limitless and bound only to the level of skill of the examiner. The more familiar an examiner is with computers, operating systems, application software, data storage, and a host of other disciplines, the more prepared he or she will be to look for evidentiary data. Because computers are vast and complex, discussing each area, file, directory, log, or computer process that could potentially contain evidentiary data is beyond the scope of one chapter—and may be beyond the scope of an entire book. What follows are some of the more common areas of analysis. While reading this section, reflect on your own knowledge of computers and consider what other data might be of evidentiary value and where it might be found.

swap file: A file or defined space on the HDD to which data is written, or swapped, to free RAM for applications that are in use.
visible data: All data that the operating system is presently aware of, and thus is readily accessible to the user.

Visible Data The category of visible data includes all information that the operating system is presently aware of, and thus is readily accessible to the user. Here we present several common types of visible data considered in many investigations. This list is by no means exhaustive and can include any information that has value as evidence.

Data/Work Product Files One place to find evidence is in documents or files produced by the suspect. This category is extremely broad and can include data from just about any software program. Microsoft Word and WordPerfect word-processing programs typically produce text-based files such as typed documents and correspondence. These programs, and a host of other word-processing programs, have replaced the typewriter. They are common sources of evidence in criminal cases, particularly those involving white-collar crime.
Also relevant in white-collar crime and similar financial investigations are any data related to personal and business finance. Programs such as QuickBooks and Peachtree accounting packages can run the entire financial portion of a small to midsize business. Similarly, personal bank account records in the computer are often managed with personal finance software such as Microsoft Money and Quicken. Moreover, criminals sometimes use these programs as well as spreadsheet applications to track bank accounts stolen from unsuspecting victims. Forensic computer examiners should familiarize themselves with these programs, the ways in which they store data, and methods for extracting and reading the data.

Advances in printer technology have made high-quality color printing both affordable and common in many homes. While this is a huge benefit for home office workers and those interested in graphic arts, the technology has been used for criminal gain. Counterfeiting and check and document fraud are easily perpetrated by most home computer users. All that is required is a decent ink-jet printer and a scanner. Including the computer, a criminal could set up a counterfeiting operation for less than $1500. Examiners must learn the graphics and photo-editing applications used for such nefarious purposes. Being able to recognize the data produced by these applications and knowing how to display the images is key to identifying the evidence.

Swap File Data When an application is running, the program and the data being accessed are loaded into RAM. A computer’s RAM can read data much faster than the hard disk drive, which is why the programs are loaded here. RAM, however, has its limits. Some computers have 256 MB of RAM, others 512 MB, and still others as much as a gigabyte or two. Regardless of the amount, though, most operating systems (Windows, Linux, and so on) are programmed to conserve RAM when possible. This is where the swap file comes in.
The operating system attempts to keep only data and applications that are presently being used in RAM. Other applications that were started, but are currently waiting for user attention, may be swapped out of RAM and written to the swap file on the hard disk drive.[4] For example, a manager of a retail store may want to type a quarterly report based on sales. The manager starts Microsoft Word and begins his report. Needing to incorporate sales figure data from a particular spreadsheet, he opens Microsoft Excel. Depending on what is running on the computer, the original Word document may be swapped from RAM to the swap space on the HDD to free up space for Excel. As the manager goes back and forth between the programs (and maybe checks his e-mail in between) this swapping continues. Data that is swapped back and forth is sometimes left behind in the swap space. Even as this area is constantly changed, some of the data is orphaned in unallocated space, an area of the HDD discussed later in this chapter.

FIGURE 17–8 As the user switches between applications and performs multiple tasks, data is swapped back and forth between RAM and the computer’s hard drive. This area on the hard drive is referred to as swap space. (Diagram labels: RAM module (chip); swap space; swapping of data between RAM and the hard drive’s swap space or page file.)

The swap file can be a particular file or even a separate HDD partition, depending on the operating system and file system type (Windows keeps a page file, pagefile.sys, on an existing partition, while Linux commonly uses a dedicated swap partition). Data in the swap space can be read by examining the HDD through forensic software or a utility that provides a binary view, such as Norton Disk Editor or WinHex (see Figure 17–8).

Temporary Files Any user who has suffered a sudden loss of power in the middle of typing a document can attest to the value of a temporary file. Most programs automatically save a copy of the file being worked on in a temporary file.
After typing a document, working on a spreadsheet, or working on a slide presentation, the user can save the changes, thus promoting the temporary copy to an actual file. This is done as a sort of backup on the fly. If the computer experiences a sudden loss of power or other catastrophic failure, the temporary file can be recovered, limiting the amount of data lost. The loss is limited because the temporary file is not updated in real time. Rather, it is updated periodically (typically defaulted to every ten minutes in most programs), depending on the application’s settings.

Temporary files can sometimes be recovered during a forensic examination. Some of the data that may have been orphaned from a previous version may be recoverable, if not the complete file. This is true even when a document has been typed and printed, but never saved. The creation of the temporary file makes it possible for some of this “unsaved” data to be recovered during analysis.

Another type of temporary file valuable to the computer investigator is the print spool file. When a print job is sent to the printer, a spooling process delays the sending of the data so the application can continue to work while the printing takes place in the background. To facilitate this, a temporary print spool file is created; this file typically includes the data to

temporary files: Files temporarily written by an application to perform a function.
unallocated space: The area of the HDD that the operating system (file system table) sees as empty (containing no logical files) and ready for data. Simply stated, it is the unused portion of the HDD, but is not necessarily empty.

FIGURE 17–10 File slack. (Diagram labels: an HDD cluster of 1024 bytes made up of two 512-byte sectors; a 100-byte file occupies the start of the first sector; the remaining 412 bytes of that sector are RAM slack, holding zeros or data from RAM; the entire second sector, 512 bytes, is file slack holding orphaned data.)

File slack, on the other hand, can contain a lot of old, orphaned data.
To illustrate this point, let’s take the 100-byte file example a bit further. Let’s say that prior to the 100-byte file being written to the HDD and occupying one cluster (two sectors totaling 1024 bytes), a 1,000-byte file occupied this space but was deleted by the user. When a file is “deleted” the data still remains behind, so it is probably a safe bet that data from the original 1,000-byte file remains in the slack space of the new 100-byte file now occupying this cluster. This is just one example of why data exists in file slack and why it might be valuable as evidence.

In one final attempt to illustrate this point, let us again build on our safe-deposit box analogy. Suppose a person rents two safe-deposit boxes, each box representing a sector and the two combined representing a cluster. If that person places the deed to his house in the first box, the remaining space in that box would be analogous to RAM slack. The space in the second box would be the equivalent of file slack. The only difference is that unlike the empty spaces of the safe-deposit box, the slack space of the file most likely contains data that might be valuable as evidence.

The data contained in RAM and file slack is not really the concern of the operating system. As far as the OS is concerned, this space is empty and therefore ready to be used. Until that happens, however, an examination with one of the aforementioned tools will allow a look into these areas, thus revealing the orphaned data. The same is true for unallocated space.

Unallocated Space Latent evidentiary data also resides in unallocated space. What is unallocated space, how does data get in there, and what is done to access this space? If we have an 80-GB hard drive and only half of the hard drive is filled with data, then the other half, or 40 GB, is unallocated space (see Figure 17–11).
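The slack arithmetic in the file-slack discussion above is easy to get wrong at the boundaries, so here it is worked through in Python as an added example (not code from the chapter). It uses the chapter’s own numbers, 512-byte sectors and two sectors per cluster, computes RAM slack and file slack for any file size and cluster geometry, and then simulates the scenario just described: a 1,000-byte file is written, "deleted" (which changes nothing in the cluster), and a 100-byte file is allocated over the same cluster, after which the file-slack sector still holds the tail of the old file. The file contents are constructed data.

```python
"""Slack-space arithmetic and a simulated cluster reuse.

Added example, not from the chapter. Uses the chapter's figures: 512-byte
sectors, two sectors per cluster, a 100-byte file written into a cluster that
previously held a deleted 1,000-byte file. OLD_FILE and NEW_FILE are
constructed data.
"""
SECTOR = 512
SECTORS_PER_CLUSTER = 2
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 1024 bytes


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def slack_layout(file_size: int, sector: int = SECTOR,
                 sectors_per_cluster: int = SECTORS_PER_CLUSTER) -> dict:
    """How a file of file_size bytes occupies its last cluster.

    RAM slack  = unused tail of the last sector the file writes into.
    File slack = whole sectors of the last cluster the file never writes.
    """
    cluster = sector * sectors_per_cluster
    clusters = max(1, _ceil_div(file_size, cluster))
    in_last = file_size - (clusters - 1) * cluster       # data bytes in the final cluster
    sectors_written = _ceil_div(in_last, sector)
    ram_slack = sectors_written * sector - in_last
    file_slack = cluster - sectors_written * sector
    return {"clusters": clusters, "data_in_last_cluster": in_last,
            "ram_slack": ram_slack, "file_slack": file_slack,
            "total_slack": ram_slack + file_slack}


def write_into_cluster(cluster_bytes: bytes, data: bytes, ram_fill: bytes = b"\x00") -> bytes:
    """Simulate writing a file that fits in one cluster.

    The OS writes whole sectors: the data, then padding to the end of the last
    sector written (zeros on modern systems; older DOS/Windows padded with
    whatever was in RAM, hence "RAM slack"). Sectors beyond that are untouched.
    """
    if len(data) > len(cluster_bytes):
        raise ValueError("file does not fit in one cluster")
    written_end = _ceil_div(len(data), SECTOR) * SECTOR
    padding = (ram_fill * SECTOR)[: written_end - len(data)]
    return data + padding + cluster_bytes[written_end:]


def file_slack_bytes(cluster_bytes: bytes, file_size: int) -> bytes:
    """The file-slack region of a single-cluster file: what an examiner reads back."""
    return cluster_bytes[CLUSTER - slack_layout(file_size)["file_slack"]:]


OLD_FILE = (b"CONFIDENTIAL LEDGER ENTRY 2004-12 " * 40)[:1000]   # deleted 1,000-byte file
NEW_FILE = b"M" * 100                                              # new 100-byte file


def reuse_cluster_demo() -> bytes:
    """Cluster after OLD_FILE was written, 'deleted' (nothing changes on disk),
    and NEW_FILE allocated over the same cluster."""
    cluster = write_into_cluster(bytes(CLUSTER), OLD_FILE)   # 1,000 bytes + 24 bytes RAM slack
    return write_into_cluster(cluster, NEW_FILE)             # 100 bytes + 412 bytes RAM slack


if __name__ == "__main__":
    print(slack_layout(100))   # the chapter's example: 412 bytes RAM slack, 512 bytes file slack
    leftover = file_slack_bytes(reuse_cluster_demo(), len(NEW_FILE))
    print(len(leftover), "bytes of file slack, starting:", leftover[:40])
```

Passing `sectors_per_cluster=6` to `slack_layout()` gives the geometry from critical-thinking question 1 below; the same 100-byte file then leaves five whole sectors of file slack.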
Returning to our safe-deposit box analogy, if the entire bank of safe-deposit boxes contains 100 boxes, but only 50 are currently in use, then the other 50 would be the equivalent of unallocated space. The HDD’s unallocated space typically contains a lot of useful data. The constant shuffling of files on the HDD causes data to become orphaned in unallocated space as the logical portion of the file is rewritten to other places. Some examples of how data is orphaned may help.

FIGURE 17–11 Simplistic view of a hard drive platter demonstrating the concept of unallocated space. (Diagram labels: data occupying sectors that the operating system is aware of; unallocated space.)

Defragmenting Defragmenting a HDD involves moving noncontiguous data back together. Remember that the HDD has minimum space reservation requirements. Again, if a file requires only 100 bytes of space, the operating system might allocate much more than that for use. If the file grows past what has been allocated for it, another cluster is required. If, however, a different file occupies the next cluster in line, then the operating system will have to find another place for that first file on the drive. In this scenario, the file is said to be fragmented because data for the same file is contained in noncontiguous clusters. In the case of the HDD, the shuffling of files causes data to be orphaned in unallocated space.

Ultimately, fragmentation of numerous files can degrade the performance of a HDD, causing the read/write heads to have to traverse the platters to locate the data. Defragmenting the HDD takes noncontiguous data and rearranges it so it is in contiguous clusters. Building yet again on our safe-deposit box analogy, if a renter eventually needs to store more property than his original box can hold, the bank will rent him a second box. If, however, all the boxes around his are occupied and the only free one is in another section of the room, then his property is “fragmented.” The bank would have to “defrag” the safe-deposit boxes to get the property of users with more than one box into adjacent boxes.

Swap File/Swap Space Recall that a computer uses the HDD to maximize the amount of RAM by constantly swapping data in and out of RAM to a predetermined location on the HDD, thus freeing valuable RAM. The constant read and write operations of RAM cause a constant change in the swap file or swap space. Data can become orphaned in unallocated space from this constant swapping to and from the HDD.

Deleted Files The deletion of files is another way that data becomes orphaned in unallocated space. Data from deleted files can manifest itself in different ways during a forensic examination. The actions that occur when a file is deleted vary among file systems. However, generally speaking, the data is not gone. For example, consider what happens when a user or program deletes a file in a Windows operating system with a FAT file system. When a file is deleted, the first character in the file’s directory entry (its name) is replaced with the byte value 0xE5, which displays as the Greek letter sigma in the original PC character set. When the sigma replaces the first character, the file is no longer viewable through conventional methods and the operating system views the space previously occupied by the file as available. The data, however, is still there, and so is the rest of the directory entry, including the file’s size and starting cluster, until the slot is reused.

This example doesn’t account for the actions of the Windows Recycle Bin. When the Windows operating system is set up to merely place the deleted file in the Recycle Bin, the original directory entry is deleted and one is created in the Recycle folder for that particular user. The new Recycle folder entry is linked to another file, the info or info2 file, which includes some additional data, such as the location of the file prior to its deletion should the user wish to restore it to that location.
Detailed discussions of the function of the Recycle Bin are beyond the scope of this chapter, but suffice it to say that, even when the Recycle Bin is emptied, the data usu- ally remains behind until overwritten. Moreover, Windows NTFS parti- tions and Linux EXT partitions handle deleted files differently, but in both cases data typically remains. What if a new file writes data to the location of the original file? Gen- erally speaking, the data is gone. This is, of course, unless the new file only partially overwrites the original. In this instance we return to the unallo- cated space orphaned data scenario. If a file that occupied two clusters is deleted, and a new file overwrites one of the clusters, then the data in the second cluster is orphaned in unallocated space. Of course yet a third file can overwrite the second cluster entirely, but until then the data remains in unallocated space. Let us once again look to our safe-deposit box analogy. If, for example, the owner of two safe-deposit boxes stopped renting them, the bank would list them as available. If the owner didn’t clean them out, the contents would remain unchanged. If a new owner rented one of the boxes, the con- tents from the former owner would be replaced with the new owner’s pos- sessions. The second box would therefore still contain orphaned contents from its previous owner. The contents would remain in this “unallocated box” space until another renter occupies it. Key Points • The types of computer evidence can be grouped under two major sub- headings: visible and latent data. • Visible data is data that the operating system is aware of, and thus eas- ily accessible to the user. It includes any type of user-created data, such as word-processing documents, spreadsheets, accounting records, databases, and pictures. • Temporary files created by programs as a sort of backup on the fly can prove valuable as evidence. 
Data in the swap space (used to conserve the valuable RAM within the computer system) can also yield eviden- tiary data. 602 CHAPTER 17 15. Name two situations in which an investigator would not immediately unplug a computer at an electronic crime scene? 16. What is the primary goal in obtaining data from a HDD? 17. What is the purpose of a Message Digest 5 (MD5)/Secure Hash Algorithm (SHA)? Why would a forensic computer examiner run such an algorithm? 18. Why would investigators want to copy blank or unused portions of the HDD? 19. List and define the two main types of evidentiary computer data. 20. What is swap space? 21. In which of the following places would a computer forensic investigator not look for latent data? a. RAM slack b. file slack c. unallocated space d. temporary files 22. What is slack space? 23. What is fragmentation? What effect does fragmentation have on a hard disk drive (HDD)? Application and Critical Thinking 1. If a file system defines a cluster as six sectors, how many bits of information can be stored on each cluster? Explain your answer. 2. Criminalist Tom Parauda is investigating the scene of a crime involving a com- puter. After he arrives, he photographs the overall scene and takes close-up shots of all the connections to the single computer involved, as well as photos of the serial numbers of the computer and all peripheral devices. Tom then labels the cord to each peripheral device, then disconnects them from the computer. After making sure that all data in RAM has been saved to the hard disk drive, he unplugs the computer from the wall. What mistakes, if any, did Tom make? 3. You are investigating a case in which an accountant is accused of keeping fraudulent books for a firm. Upon examining his computer, you notice that the suspect uses two different accounting programs that are capable of reading the same types of files. Given this information, where would you probably begin to search for latent data on the computer and why? 
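The FAT deletion behaviour described under Deleted Files above can be reproduced on a constructed volume. The Python below is an added example, not code from the textbook: it builds 32-byte FAT directory entries in memory, parses them, treats a first name byte of 0xE5 (the byte that displays as the Greek letter sigma in the DOS code page 437 character set) as the deletion marker, reads the deleted file back through the first-cluster pointer the entry still holds, and then shows what survives in file slack and in the orphaned second cluster after a new file reuses the first one. The cluster size, cluster numbering, file names and file contents are all constructed sample values.

```python
"""Parse FAT 8.3 directory entries and recover a deleted file's data.

Added example (not the textbook's code).  A toy volume is constructed in
memory: a data area of 512-byte clusters numbered from 2, and a root
directory with one live entry and one deleted entry.  The 32-byte entry
layout follows the on-disk FAT short-name directory entry format.
"""
import struct

CLUSTER_SIZE = 512        # bytes per cluster on the toy volume (constructed)
FIRST_DATA_CLUSTER = 2    # FAT numbers data clusters from 2
DELETED_MARKER = 0xE5     # first name byte of a deleted entry; shows as sigma in code page 437
END_OF_DIR = 0x00         # first name byte 0x00: no entries follow
ATTR_LFN = 0x0F           # long-file-name entry, carries no cluster or size


def build_entry(name83: bytes, attr: int, first_cluster: int, size: int,
                deleted: bool = False) -> bytes:
    """Build one 32-byte short-name directory entry."""
    assert len(name83) == 11, "8.3 names are space-padded to 11 bytes"
    name = bytearray(name83)
    if deleted:
        name[0] = DELETED_MARKER          # this is all a FAT delete does to the entry
    # offset 11 attr, 12-19 reserved/timestamps, 20 high cluster word,
    # 22-25 write time/date, 26 low cluster word, 28 file size
    return bytes(name) + struct.pack("<B8xH4xHI", attr,
                                     first_cluster >> 16, first_cluster & 0xFFFF, size)


def parse_directory(raw: bytes) -> list:
    """Return live and deleted entries; stop at the 0x00 terminator entry."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == END_OF_DIR:
            break
        if rec[11] == ATTR_LFN:
            continue
        deleted = rec[0] == DELETED_MARKER
        # the overwritten first character cannot be recovered from the entry itself
        first = "?" if deleted else chr(rec[0])
        base = first + rec[1:8].decode("ascii").rstrip()
        ext = rec[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", rec, 20)
        lo, = struct.unpack_from("<H", rec, 26)
        size, = struct.unpack_from("<I", rec, 28)
        entries.append({"name": f"{base}.{ext}" if ext else base,
                        "deleted": deleted,
                        "first_cluster": (hi << 16) | lo,
                        "size": size})
    return entries


def cluster_bytes(disk: bytes, cluster: int) -> bytes:
    """Raw contents of one cluster of the toy data area."""
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return disk[off:off + CLUSTER_SIZE]


def recover_contiguous(disk: bytes, entry: dict) -> bytes:
    """Read back a file assuming its clusters were contiguous.

    Deleting a file also releases its FAT chain, so only the first cluster and
    the size survive in the entry; contiguity is an assumption, and a
    fragmented file's later clusters must be carved from unallocated space.
    """
    n_clusters = -(-entry["size"] // CLUSTER_SIZE)   # ceiling division
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return disk[start:start + n_clusters * CLUSTER_SIZE][:entry["size"]]


def allocate_new_file(disk: bytes, cluster: int, data: bytes) -> bytes:
    """Simulate a new file landing in a freed cluster: only len(data) bytes are
    overwritten, so the rest of the cluster (file slack) keeps the old bytes."""
    assert len(data) <= CLUSTER_SIZE
    out = bytearray(disk)
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    out[off:off + len(data)] = data
    return bytes(out)


def build_sample_volume() -> tuple:
    """Constructed data: REPORT.TXT in cluster 2, deleted INVOICE.DOC in clusters 3-4."""
    live = b"Quarterly ledger, approved."
    gone = b"Invoice 2231: payment received. " * 20      # 640 bytes, spans two clusters
    disk = bytearray(CLUSTER_SIZE * 6)
    disk[0:len(live)] = live
    disk[CLUSTER_SIZE:CLUSTER_SIZE + len(gone)] = gone
    directory = (build_entry(b"REPORT  TXT", 0x20, 2, len(live))
                 + build_entry(b"INVOICE DOC", 0x20, 3, len(gone), deleted=True)
                 + bytes(32))                              # terminator entry
    return bytes(disk), directory


if __name__ == "__main__":
    disk, directory = build_sample_volume()
    for e in parse_directory(directory):
        state = "deleted" if e["deleted"] else "live"
        print(f"{e['name']:<14}{state:<8}cluster {e['first_cluster']} size {e['size']}")
    gone_entry = [e for e in parse_directory(directory) if e["deleted"]][0]
    print(recover_contiguous(disk, gone_entry)[:40])
```

Running the script lists the live entry and the deleted one (its first character printed as `?`, since only the marker byte is left there) and then prints the start of the deleted file's content read straight from the data area. The `allocate_new_file` step reproduces the two-cluster case from the text: once a new file takes cluster 3, the contiguous read no longer returns the invoice, but its tail in cluster 4 is still present in unallocated space, and even the unused remainder of cluster 3 (file slack) still holds invoice bytes.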
Case Analysis 1
Suspicious circumstances surrounding the death of Ms. Smith in a home fire led the police to suspect her husband of murder. Evidence later recovered from Mr. Smith’s computer proved key in solving the case.
1. What did police hope to prove by examining the Microsoft Word files on Mr. Smith’s computer? Why did they believe this would implicate him in his wife’s murder?
2. How were the documents titled insurance1.doc and WRL1604.tmp important to tying Mr. Smith to his wife’s death?

Case Analysis 2
When police seized a laptop from a van parked suspiciously outside a local shopping mall, they discovered a counterfeiting ring that employed modern technology to perpetrate this age-old crime.
1. What physical evidence most strongly implicated the driver of the van in a currency counterfeiting operation? What aspect of this evidence confirmed these suspicions?
2. What files located on the suspect’s computer indicated that the suspects were producing more than counterfeit currency? What conclusion did the investigators draw from the existence of these files?

Web Resources
Computer Forensics, Cybercrime and Steganography Resources (Links to books, articles, Web sites, and other resources dealing with computer forensics)
www.forensics.nl

Digital Evidence (Links to articles on computer and Internet forensics)
www.crimeandclues.com/digital.htm

Digital Evidence Collection and Handling (Article about dealing with computer information seized at a crime scene)
www.faculty.ncwc.edu/toconnor/426/426lect06.htm

Computer Forensics World (Online community of computer forensics professionals, with links to articles and other resources on computer forensics)
www.computerforensicsworld.com

The Electronic Evidence Information Center (Links to articles and audio/video presentations on topics in computer forensics)
www.e-evidence.info/biblio.html

Do’s and Don’ts of Forensic Computer Investigations (Basic advice on conducting computer forensics)
www.eweek.com/article2/0,1759,1646899,00.asp

Recovering and Examining Computer Forensic Evidence (Article that discusses the process and techniques of computer forensics)
www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm

Endnotes
1. One million bytes is referred to as a megabyte (MB), while 1 billion bytes is termed a gigabyte (GB).
2. Pulling the plug should always be done by removing the plug from the back of the computer. If the plug is removed from the wall and a battery backup (UPS) is in place, the UPS might cause an alert to the system and keep the unit powered on.
3. In this instance, bit is both metaphorical and literal. Every bit of information is needed, so we must get it all. So too every bit, as in the smallest unit of data storage—a one or a zero—must be imaged.
4. Actually, the more appropriate term is probably paging as opposed to swapping. This is because entire programs are typically not swapped in and out of memory to the swap space; rather, pages of memory are placed there.
Case Reading 1
Computer Forensic Analysis Answers the Question “Arson or Accident?”

Brief
The home of John Smith was destroyed by a fire, which was later determined to be the result of arson. During the fire, Smith’s wife, Jane, died. Investigators learned that insurance policies taken against both the home and the life of Jane Smith were recently increased, so Smith stands to receive a very large monetary settlement. This fact, and problems with his purported

[Photo: Courtesy Peter Arnold, Inc.]

Case Reading 2
Counterfeiting and Fraud: A Forensic Computer Investigation

[Photo: Courtesy Getty Images, Inc.]

Brief
A detective submits a laptop computer for examination and explains that it was seized in connection with a case of counterfeiting and fraud. According to the detective, patrol officers happened upon a large sport-utility vehicle, occupied by one male driver, parked in the lot of a local mall. According to the officers, the driver and the circumstances appeared suspicious. After investigating further, the officers located a laptop computer, color printer, and scanner in the rear of the vehicle. All equipment was hooked up and running. Additionally, the officers located gift certificates for one of the stores within the mall, which apparently were printed inside the vehicle. Finally, two $100 bills bearing exactly the same serial number were located in the driver’s wallet. In response to questioning, the driver admitted using the system to print bogus gift certificates and counterfeit cash, which he then redeemed inside the mall. Prior to submission at the computer forensics laboratory, the equipment was processed for fingerprints at the state Bureau of Criminal Identification (BCI).

Analysis Request
Locate any evidentiary data with respect to the crimes of counterfeiting and fraud. Demonstrate any connection between the recovered printed documents and the electronic equipment seized from the vehicle.

Forensic Image Acquisition
1. The computer system was documented, its case was opened, and a single IDE hard disk drive (HDD) was located and documented. The HDD was removed from the system, and the computer system unit was booted to the BIOS setup program. The system date and time were verified.
2. The HDD was then placed in a forensic workstation, connected to the system using a hardware write-blocking device to ensure that the suspect HDD was not altered in any way.
3. A forensic image of the HDD was acquired using EnCase Version 5. The integrity of this image was verified using the MD5 algorithm inherent in the EnCase program. A date and time analysis was done on all the files, revealing no dates later than the date of the execution of the search warrant.

Analysis
1. Deleted files were recovered.
2. A file signature analysis was run.
3. All files, including dates and times, logical and physical sizes, and complete location path, were documented by the EnCase program.
4. The operating system and file system type were documented: Windows XP using an NTFS file system.
5. All graphics files were viewed, including ones previously deleted.
6. A graphics finder script was run against unallocated space. The script searched this area to locate file signatures of known graphics files.
7. All print spool files were located and examined.

Findings
1. A file titled 100front.jpg was located in the directory C:\Documents and Settings\user1\My Documents. This file is an image of the front of a $100 bill. The serial number on this image matched the serial number of the suspected counterfeit $100 bills found on the suspect.
2. A file titled 100back.jpg was located in the directory C:\Documents and Settings\user1\My Documents. This file is an image of the back of a $100 bill.
3. A file titled GapGiftCert1.jpg was located in the directory C:\Documents and Settings\user1\My Documents. This file is an image of the front of a gift certificate for The Gap, a retail store.
4. A file titled GapGiftCert2.jpg was located in the directory C:\Documents and Settings\user1\My Documents. This file is an image of the back of a gift certificate for The Gap, a retail store.
5. A file titled thumbs.db was located in the directory C:\Documents and Settings\user1\My Documents. This file, when viewed as a compound file, displayed several images, namely the images in items 1–4.
6. In the folder C:\Documents and Settings\User1\My Recent Documents, link files were found to the following:
   a. C:\Documents and Settings\user1\My Documents\100front.jpg
   b. C:\Documents and Settings\user1\My Documents\100back.jpg
   c. C:\Documents and Settings\user1\My Documents\GapGiftCert1.jpg
   d. C:\Documents and Settings\user1\My Documents\GapGiftCert2.jpg
7. The submitted scanner and printer were connected to a laboratory computer system, and the aforementioned evidentiary files were copied onto the HDD of that system. Several printouts of the images were made. Additionally, test items were scanned and printed. All exemplars produced from the laboratory computer system were submitted to the state Bureau of Criminal Identification. The original counterfeit currency and gift certificates were also submitted to BCI for comparison to the exemplars. BCI was asked to locate any distinguishing characteristics produced by the printer and scanner submitted in this case.

Conclusion
Based on the forensic examination of the computer data submitted in this case, it can be stated within a reasonable degree of scientific certainty that a user of this computer knowingly produced counterfeit currency and counterfeit gift certificates.
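Three of the steps in the case reading (verifying the image's integrity by hash, running a file signature analysis, and running a graphics finder script against unallocated space) can be illustrated in plain Python. The block below is an added example, not the EnCase workflow the laboratory used. The image bytes, the stand-in "JPEG" objects, the signature table, the carve size cap and the unallocated-space offset are all constructed for the demonstration; hashing uses the standard library's MD5 and SHA-256.

```python
"""Verify a forensic image copy by hash and carve graphics out of its
unallocated space by file signature.

Added example, not the EnCase procedure from the case reading.  The image,
the 'graphics' and the unallocated-space offset are constructed; a real
JPEG carver would also walk the marker segments rather than trust the first
end-of-image marker it meets.
"""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"    # start-of-image marker plus the next marker's first byte
JPEG_EOI = b"\xff\xd9"        # end-of-image marker
MAX_CARVE = 1024              # bytes kept for a header with no trailer (toy cap)
SECTOR = 512

# file signature analysis: header bytes expected for a claimed extension
SIGNATURES = {".jpg": JPEG_SOI, ".jpeg": JPEG_SOI,
              ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def image_hashes(image: bytes) -> dict:
    """MD5 and SHA-256 of the whole image, so a report can carry the legacy
    MD5 value alongside a current-strength SHA value."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Acquisition check: a working copy is usable only if it hashes identically."""
    return image_hashes(original) == image_hashes(copy)


def signature_mismatch(filename: str, data: bytes) -> bool:
    """True when a file's extension claims a format its header does not match
    (a renamed image, for instance); unknown extensions are not flagged."""
    dot = filename.rfind(".")
    sig = SIGNATURES.get(filename[dot:].lower()) if dot >= 0 else None
    return sig is not None and not data.startswith(sig)


def carve_jpegs(region: bytes, max_size: int = MAX_CARVE) -> list:
    """Scan a raw byte region (e.g. unallocated space) for JPEG start markers.

    A header followed by an end marker within max_size is a complete carve; a
    header with no trailer (tail overwritten) is saved up to max_size and
    flagged incomplete.  A file whose header cluster was overwritten leaves no
    signature to find and is missed, which is the limit of this technique.
    """
    found, pos = [], 0
    while True:
        start = region.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = region.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end + len(JPEG_EOI) - start > max_size:
            blob, complete = region[start:start + max_size], False
        else:
            blob, complete = region[start:end + len(JPEG_EOI)], True
        found.append({"offset": start, "size": len(blob),
                      "complete": complete, "data": blob})
        pos = start + len(blob)
    return found


def fake_jpeg(payload: bytes, complete: bool = True) -> bytes:
    """Constructed stand-in for a JPEG: SOI, a minimal APP0 header, payload, EOI."""
    body = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload
    return body + JPEG_EOI if complete else body


def build_sample_image() -> tuple:
    """Constructed image: 4 sectors of allocated data, then 8 sectors of
    unallocated space holding one intact and one truncated graphic.
    Returns (image bytes, offset where unallocated space begins)."""
    allocated = b"\x00" * SECTOR * 4
    unalloc = bytearray(SECTOR * 8)
    intact = fake_jpeg(b"A" * 300)
    truncated = fake_jpeg(b"B" * 200, complete=False)   # tail lost to a later file
    unalloc[100:100 + len(intact)] = intact
    unalloc[1024:1024 + len(truncated)] = truncated
    return allocated + bytes(unalloc), len(allocated)


if __name__ == "__main__":
    image, unalloc_off = build_sample_image()
    print("acquired:", image_hashes(image))
    print("copy verified:", verify_copy(image, bytes(image)))
    for hit in carve_jpegs(image[unalloc_off:]):
        state = "complete" if hit["complete"] else "truncated"
        print(f"JPEG at unallocated offset {hit['offset']}: {hit['size']} bytes ({state})")
    print("renamed file flagged:", signature_mismatch("photo.jpg", b"MZ\x90\x00"))
```

The carve over the constructed unallocated region finds the intact object at offset 100 and the truncated one at offset 1024, and reports the second as incomplete because no end marker follows it. Two points a practitioner should take from the block: the hash comparison is what makes the working copy usable as evidence, and MD5 alone is no longer considered collision-resistant, so carrying a SHA value beside it costs nothing; and signature carving only recovers objects whose header bytes survived, which is why the case reading pairs it with recovery of deleted files through file system metadata.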