Recovering and Examining Computer Forensic Evidence by Noblett et al. (Forensic Science Communications, October 2000)
U.S. Department of Justice
Federal Bureau of Investigation
October 2000 Volume 2 Number 4
Recovering and Examining
Computer Forensic Evidence
Michael G. Noblett
Senior Associate
Booz-Allen & Hamilton
Falls Church, Virginia
Mark M. Pollitt
Unit Chief
Computer Analysis and Response Team
Federal Bureau of Investigation
Washington, DC
Lawrence A. Presley
Training Instructor
Forensic Science Training Unit
Quantico, Virginia
Introduction
The world is becoming a smaller place in which to live and work. A
technological revolution in communications and information exchange has
taken place within business, industry, and our homes. America is
substantially more invested in information processing and management than
manufacturing goods, and this has affected our professional and personal
lives. We bank and transfer money electronically, and we are much more
likely to receive an E-mail than a letter. It is estimated that the
worldwide Internet population is 349 million (CommerceNet Research Council
2000).
In this information technology age, the needs of law enforcement are
changing as well. Some traditional crimes, especially those
concerning finance and commerce, continue to be upgraded
technologically. Paper trails have become electronic trails. Crimes
associated with the theft and manipulations of data are detected
daily. Crimes of violence also are not immune to the effects of the
information age. A serious and costly terrorist act could come from
the Internet instead of a truck bomb. The diary of a serial killer
may be recorded on a floppy disk or hard disk drive rather than on
paper in a notebook.
[Photo: FBI computer evidence examiners review the contents of a computer hard drive.]
Just as the workforce has gradually converted from manufacturing goods to
processing information, criminal activity has, to a large extent, also
converted from a physical dimension, in which evidence and investigations
are described in tangible terms, to a cyber dimension, in which evidence
exists only electronically, and investigations are conducted online.
Computer Forensic Science
Computer forensic science was created to address the specific and
articulated needs of law enforcement to make the most of this new form of
electronic evidence. Computer forensic science is the science of
acquiring, preserving, retrieving, and presenting data that has been
processed electronically and stored on computer media. As a forensic
discipline, nothing since DNA technology has had such a large potential
effect on specific types of investigations and prosecutions as computer
forensic science.
Computer forensic science is, at its core, different from most traditional
forensic disciplines. The computer material that is examined and the
techniques available to the examiner are products of a market-driven
private sector. Furthermore, in contrast to traditional forensic analyses,
there commonly is a requirement to perform computer examinations at
virtually any physical location, not only in a controlled laboratory
setting. Rather than producing interpretative conclusions, as in many
forensic disciplines, computer forensic science produces direct
information and data that may have significance in a case. This type of
direct data collection has wide-ranging implications for both the
relationship between the investigator and the forensic scientist and the
work product of the forensic computer examination.
Background
Computer forensic science is largely a response to a demand for service
from the law enforcement community. As early as 1984, the FBI Laboratory
and other law enforcement agencies began developing programs to examine
computer evidence. To properly address the growing demands of
investigators and prosecutors in a structured and programmatic manner, the
FBI established the Computer Analysis and Response Team (CART) and charged
it with the responsibility for computer analysis. Although CART is unique
in the FBI, its functions and general organization are duplicated in many
other law enforcement agencies in the United States and other countries.
An early problem addressed by law enforcement was identifying resources
within the organization that could be used to examine computer evidence.
These resources were often scattered throughout the agency. Today, there
appears to be a trend toward moving these examinations to a laboratory
environment. In 1995, a survey conducted by the U.S. Secret Service
indicated that 48 percent of the agencies had computer forensic
laboratories and that 68 percent of the computer evidence seized was
forwarded to the experts in those laboratories. As encouraging as these
statistics are for a controlled programmatic response to computer forensic
needs, the same survey reported that 70 percent of these same law
enforcement agencies were doing the work without a written procedures
manual (Noblett 1995).
Computer forensic examinations are conducted in forensic laboratories,
data processing departments, and in some cases, the detective's squad
room. The assignment of personnel to conduct these examinations is often
based on available expertise, as well as departmental policy. Regardless
of where the examinations are conducted, a valid and reliable forensic
examination is required. This requirement recognizes no political,
bureaucratic, technological, or jurisdictional boundaries.
There are ongoing efforts to develop examination standards and to provide
structure to computer forensic examinations. As early as 1991, a group of
six international law enforcement agencies met with several U.S. federal
law enforcement agencies in Charleston, South Carolina, to discuss
computer forensic science and the need for a standardized approach to
examinations. In 1993, the FBI hosted an International Law Enforcement
Conference on Computer Evidence that was attended by 70 representatives of
various U.S. federal, state, and local law enforcement agencies and
international law enforcement agencies. All agreed that standards for
computer forensic science were lacking and needed. This conference again
convened in Baltimore, Maryland, in 1995, Australia in 1996, and the
Netherlands in 1997, and ultimately resulted in the formation of the
International Organization on Computer Evidence. In addition, a Scientific
Working Group on Digital Evidence (SWGDE) was formed to address these same
issues among federal law enforcement agencies.
A New Relationship
Forensic science disciplines have affected countless criminal
investigations dramatically and have provided compelling testimony in
scores of trials. To enhance objectivity and to minimize the perception of
bias, forensic science traditionally has remained at arms length from much
of the actual investigation. It uses only those specific details from the
investigation that are necessary for the examination. These details might
include possible sources of contamination at the crime scene or
fingerprints of individuals not related to the investigation who have
touched the evidence. Forensic science relies on the ability of the
scientists to produce a report based on the objective results of a
scientific examination. The actual overall case may play a small part in
the examination process. As a case in point, a DNA examination in a rape
case can be conducted without knowledge of the victim's name, the subject,
or the specific circumstances of the crime.
Conversely, computer forensic science, to be effective, must be driven by
information uncovered during the investigation. With the average storage
capacity in a personally owned microcomputer approaching 30 gigabytes (GB;
Fischer 1997), and systems readily available that have 60-GB storage
capacity or more, it is likely to be impossible from a practical
standpoint to completely and exhaustively examine every file stored on a
seized computer system. In addition, because computers serve such wide and
varied uses within an organization or household, there may be legal
prohibitions against searching every file. Attorney or physician computers
may contain not only evidence of fraud but probably also client and
patient information that is privileged. Data centrally stored on a
computer server may contain an incriminating E-mail prepared by the
subject as well as E-mail of innocent third parties who would have a
reasonable expectation of privacy.
As difficult as it would be to scan a directory of every file on a
computer system, it would be equally difficult for law enforcement
personnel to read and assimilate the amount of information contained
within the files. For example, 12 GB of printed text data would create a
stack of paper 24 stories high. For primarily pragmatic reasons, computer
forensic science is used most effectively when only the most probative
information and details of the investigation are provided to the forensic
examiner. From this information, the examiner can create a list of key
words to cull specific, probative, and case-related information from very
large groups of files. Even though the examiner may have the legal right
to search every file, time limitations and other judicial constraints may
not permit it. The examination in most cases should be limited to only
well-identified probative information.
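The keyword culling described above is easy to get wrong on real images: text is frequently stored as UTF-16LE rather than ASCII, matching must be case-insensitive, and an image far larger than memory has to be read in chunks without losing a hit that straddles a chunk boundary. The following script is an added worked example, not part of the original article and not an FBI or CART tool. The sample image, the keywords and the offsets in it are constructed for the example.

```python
"""Added example (not from the article): keyword culling over a raw disk image.

The search is streamed so multi-gigabyte images fit in memory, it looks for each
keyword as ASCII and as UTF-16LE (how Windows and many applications store text),
it is case-insensitive, and it keeps an overlap between read chunks so a hit that
straddles a chunk boundary is still found exactly once. The sample image below is
constructed; its offsets and keywords are the example's own assumptions."""
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB per read in real use; the demo shrinks it to force boundaries


def keyword_patterns(keywords):
    """One compiled pattern per keyword per encoding: (keyword, encoding, bytes, regex)."""
    pats = []
    for kw in keywords:
        for enc in ("ascii", "utf-16le"):
            raw = kw.encode(enc)
            pats.append((kw, enc, raw, re.compile(re.escape(raw), re.IGNORECASE)))
    return pats


def search_image(path, keywords, chunk=CHUNK):
    """Return sorted (absolute_offset, keyword, encoding) for every hit in the image."""
    pats = keyword_patterns(keywords)
    overlap = max(len(raw) for _, _, raw, _ in pats) - 1  # longest hit minus one byte
    hits = []
    base, tail = 0, b""  # base: absolute offset of the next block; tail: carried-over bytes
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = tail + block
            buf_start = base - len(tail)
            for kw, enc, _, pat in pats:
                for m in pat.finditer(buf):
                    # A match lying entirely inside the carried-over tail was already
                    # reported from the previous chunk; report only matches that
                    # extend into the new block.
                    if m.end() > len(tail):
                        hits.append((buf_start + m.start(), kw, enc))
            base += len(block)
            tail = buf[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def build_sample_image(path):
    """Constructed image: mostly empty sectors, one ASCII fragment, and one UTF-16LE
    fragment placed so it crosses a 1024-byte chunk boundary (offsets 3060..3078)."""
    parts = [
        b"\x00" * 100,
        b"ACME BANK wire transfer",        # ASCII at offset 100
        b"\x00" * 2937,
        "Acme Bank".encode("utf-16le"),    # UTF-16LE at offset 3060
        b"\xff" * 10,
    ]
    with open(path, "wb") as f:
        f.write(b"".join(parts))


def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.dd")
        build_sample_image(img)
        return search_image(img, ["acme bank", "wire"], chunk=1024)


if __name__ == "__main__":
    for off, kw, enc in demo():
        print(f"offset {off:8d}  {enc:8s}  {kw!r}")
```

Running the demo reports the ASCII hits at offsets 100 and 110 and the UTF-16LE hit at 3060, which a byte-oriented grep for the ASCII string alone would never surface. Hit offsets, not file names, are what the examiner records, since the hit may sit in unallocated space or file slack rather than in any live file.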
Forensic Results
Forensic science has historically produced results that have been judged
to be both valid and reliable. For example, DNA analysis attempts to
develop specific identifying information relative to an individual. To
support their conclusions, forensic DNA scientists have gathered extensive
statistical data on the DNA profiles from which they base their
conclusions. Computer forensic science, by comparison, extracts or
produces information. The purpose of the computer examination is to find
information related to the case. To support the results of a computer
forensic examination, procedures are needed to ensure that the information
reported is exactly what existed on the computer storage media, unaltered by
the examination process. Unlike forensic DNA analysis or other forensic
disciplines, computer forensic science makes no interpretive statement as
to the accuracy, reliability, or discriminating power of the actual data
or information.
Beyond the forensic product and the case-related information needed to
efficiently perform the work, there is another significant difference
between most traditional forensic science and computer forensic science.
Traditional forensic analysis can be controlled in the laboratory setting
and can progress logically, incrementally, and in concert with widely
accepted forensic practices. In comparison, computer forensic science is
almost entirely technology and market driven, generally outside the
laboratory setting, and the examinations present unique variations in
almost every situation.
Common Goals
These dissimilarities aside, both the scientific conclusions of
traditional forensic analyses and the information of computer forensic
science are distinctive forensic examinations. They share all the legal
and good laboratory practice requirements of traditional forensic sciences
in general. They both will be presented in court in adversarial and
sometimes very probing proceedings. Both must produce valid and reliable
results from state-of-the-art procedures that are detailed, documented,
and peer-reviewed and from protocols acceptable to the relevant scientific
community (ASCLD/LAB 1994).
As laboratories begin to examine more computer-related evidence, they must
establish policies regarding computer forensic examinations and, from
these policies, develop protocols and procedures. The policies should
reflect the broad, community-wide goal of providing valid and reproducible
results, even though the submissions may come from diverse sources and
present novel examination issues. As the laboratory moves from the policy
statement to protocol development, each individual procedure must be
well-documented and sufficiently robust to withstand challenges to both
the results and methodology.
However, computer forensic science, unlike some of its traditional
forensic counterparts, cannot rely on receiving similar evidence in every
submission. For instance, DNA from any source, once cleared of
contaminants and reduced to its elemental form, is generic. From that
point, the protocols for forensic DNA analysis may be applied similarly to
all submissions. The criminal justice system has come to expect a valid
and reliable result using those DNA protocols. For the following reasons,
computer forensic science can rarely expect these same elements of
standardized repetitive testing in many of its submissions:
Operating systems, which define what a computer is and how it works,
vary among manufacturers. For example, techniques developed for a
personal computer using the Disk Operating System (DOS) environment may
not correspond to operating systems such as UNIX, which are multi-user
environments.
Applications programs are unique.
Storage methods may be unique to both the device and the media.
Typical computer examinations must recognize the fast-changing and diverse
world in which the computer forensic science examiner works.
Examining Computer Evidence
Computer evidence represented by physical items such as chips, boards,
central processing units, storage media, monitors, and printers can be
described easily and correctly as a unique form of physical evidence. The
logging, description, storage, and disposition of physical evidence are
well understood. Forensic laboratories have detailed plans describing
acceptable methods for handling physical evidence. To the extent that
computer evidence has a physical component, it does not represent any
particular challenge. However, the evidence, while stored in these
physical items, is latent and exists only in a metaphysical electronic
form. The result that is reported from the examination is the recovery of
this latent information. Although forensic laboratories are very good at
ensuring the integrity of the physical items in their control, computer
forensics also requires methods to ensure the integrity of the information
contained within those physical items. The challenge to computer forensic
science is to develop methods and techniques that provide valid and
reliable results while protecting the real evidence, the information itself,
from harm.
To complicate the matter further, computer evidence almost never exists in
isolation. It is a product of the data stored, the application used to
create and store it, and the computer system that directed these
activities. To a lesser extent, it is also a product of the software tools
used in the laboratory to extract it.
Computer forensic science issues must also be addressed in the context of
an emerging and rapidly changing environment. However, even as the
environment changes, both national and international law enforcement
agencies recognize the need for common technical approaches and are
calling for standards (Pollitt 1998). Because of this, a model (see Figure
1) must be constructed that works on a long-term basis even when
short-term changes are the rule rather than the exception. The model that
we describe is a three-level hierarchical model consisting of the
following:
An overarching concept of the principles of examination,
Policies and practices, and
Procedures and techniques.
Principles of examinations are large-scale concepts that almost always
apply to the examination. They are the consensus approaches as to what is
important among professionals and laboratories conducting these
examinations. They represent the collective technical practice and
experience of forensic computer examiners.
Organizational policy and practices are structural guidance that applies
to forensic examinations. These are designed to ensure quality and
efficiency in the workplace. In computer forensic science, these are the
good laboratory practices by which examinations are planned, performed,
monitored, recorded, and reported to ensure the quality and integrity of
the work product.
Procedures and techniques are software and hardware solutions to specific
forensic problems. The procedures and techniques are detailed instructions
for specific software packages as well as step-by-step instructions that
describe the entire examination procedure (Pollitt 1995).
As an overall example, a laboratory may require that examinations be
conducted, if possible and practical, on copies of the original evidence.
This requirement is a principle of examination. It represents a logical
approach taken by the computer forensic science community as a whole, and
it is based on the tenet of protecting the original evidence from
accidental or unintentional damage or alteration. This principle is
predicated on the fact that digital evidence can be duplicated exactly to
create a copy that is true and accurate.
Creating the copy and ensuring that it is true and accurate involves a
subset of the principle, that is, policy and practice. Each agency and
examiner must make a decision as to how to implement this principle on a
case-by-case basis. Factors in that decision include the size of the data
set, the method used to create it, and the media on which it resides. In
some cases it may be sufficient to merely compare the size and creation
dates of files listed in the copy to the original. In others, it may
require the application of more technically robust and mathematically
rigorous techniques such as a cyclic redundancy check (CRC) or
calculating a message digest (MD).
CRC and MD are computer algorithms that reduce any amount of data to a short
fixed-size value that changes if the data changes. They are calculated for
both the original and the copy and then compared for identity. The two are
not equivalent: a CRC is designed to detect accidental corruption and can be
matched deliberately by anyone who can alter the copy, whereas a
cryptographic message digest is designed so that finding different data with
the same digest is computationally infeasible, which is what a copy must
withstand if its integrity is ever challenged. The selection of tools must
be based on the character of the evidence rather than simply laboratory
policy. It is likely that examiners will need several options available to
them to perform this one function.
An examiner responsible for duplicating evidence must first decide an
appropriate level of verification, weighing time constraints against the
size and number of files. The discriminating power of these algorithms has
generally been taken to be directly proportional to the time needed to
calculate them. If there were 1 million files to be duplicated, each less
than 1 kilobyte in size, time and computational constraints would likely be
a major determining factor, and this circumstance would probably result in a
decision to use a faster, but less precise and discriminating, data
integrity algorithm. In practice the running time of any of these algorithms
is usually dominated by reading the data from the media, so an examiner
should measure, rather than assume, that the digest is the bottleneck before
accepting the weaker check.
Having decided how best to ensure the copy process will be complete and
accurate, the next step is the actual task. This is a subset of the policy
and practice, that is, procedures and techniques. These most closely
represent the standard cookbook approach to protocol development. They are
complete and contain required detailed steps that may be used to copy the
data, verify that the operation was complete, and ensure that a true and
accurate copy has been produced.
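The copy-and-verify procedure just described, together with the earlier comparison of CRC and message digest checks, is carried through below as an added worked example. It is not an FBI or CART procedure and not code from the article: the evidence file is a constructed sample, the image is written to a temporary directory, and the routine that steers a CRC32 to a chosen value is the standard reversal of the CRC32 table, included only to show why a CRC alone does not protect a copy against deliberate alteration.

```python
"""Added example (not from the article): copy a source to an image file, verify the
copy by size, CRC32 and SHA-256, then show why the CRC alone is not a sufficient
check. CRC32 is linear, so four chosen bytes can steer it to any value; a
cryptographic digest (SHA-256 here) has no such shortcut. The evidence file is a
constructed sample; the forging routine is the standard CRC32 reversal."""
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # stream in 1 MiB blocks so the source is read once and memory stays flat


def fingerprint(path):
    """Size, CRC32 and SHA-256 of a file, computed in one streaming pass."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            sha.update(block)
            size += len(block)
    return {"size": size, "crc32": crc, "sha256": sha.hexdigest()}


def image_and_verify(source_path, image_path):
    """Byte-for-byte copy of source_path to image_path. The source is opened read-only
    and hashed while it is being read; the finished image is then re-read from disk
    and compared, which is the record an examiner keeps with the image."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            crc = zlib.crc32(block, crc)
            sha.update(block)
            size += len(block)
    source = {"size": size, "crc32": crc, "sha256": sha.hexdigest()}
    image = fingerprint(image_path)
    return {"source": source, "image": image, "verified": source == image}


# CRC32 reversal: the table's top bytes are all distinct, so each step can be undone.
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
_REV = {v >> 24: i for i, v in enumerate(_TABLE)}


def forge_crc32_suffix(data, target):
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # register after `data` (undo the final XOR)
    want = target ^ 0xFFFFFFFF            # register we must reach
    idx = [0] * 4
    cur = want
    for k in range(3, -1, -1):            # walk the four table steps backwards
        idx[k] = _REV[cur >> 24]
        cur = ((cur ^ _TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    out = bytearray()
    for k in range(4):                    # replay forwards to recover the bytes
        out.append((reg & 0xFF) ^ idx[k])
        reg = _TABLE[idx[k]] ^ (reg >> 8)
    return bytes(out)


def forged_crc32(data, target):
    """CRC32 of data with a forged suffix appended; equals target by construction."""
    return zlib.crc32(data + forge_crc32_suffix(data, target))


def demo():
    """Image a constructed file, verify, then alter the image so its size and CRC32
    are unchanged; report which checks still pass."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
        original = b"CONSTRUCTED SAMPLE: diary entry dated 2000-10-04\n" * 64
        with open(src, "wb") as f:
            f.write(original)
        record = image_and_verify(src, img)
        # Change the dates, drop the last four bytes, and append four bytes chosen so
        # the CRC32 of the whole image equals the recorded value.
        altered = original.replace(b"2000-10-04", b"1999-10-04")[:-4]
        altered += forge_crc32_suffix(altered, record["source"]["crc32"])
        with open(img, "wb") as f:
            f.write(altered)
        after = fingerprint(img)
        return {
            "verified_at_imaging": record["verified"],
            "size_still_matches": after["size"] == record["source"]["size"],
            "crc32_still_matches": after["crc32"] == record["source"]["crc32"],
            "sha256_still_matches": after["sha256"] == record["source"]["sha256"],
        }


if __name__ == "__main__":
    print(demo())
```

The altered image passes the size check and the CRC32 check and fails only the SHA-256 check. That is the practical reason the verification record kept with an image should include a cryptographic digest, and why the digest should be computed at acquisition time and stored separately from the image it describes.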
Again, as Figure 1 illustrates, a principle may spawn more than one
policy, and those policies can accept many different techniques. The path
an examiner takes in each case is well-documented and technologically
sound for that particular case. It may not, however, be the same path the
examiner takes with the next case. Traditional forensic examinations, such
as the DNA examination of blood recovered from a crime scene, lend
themselves to a routine and standardized series of steps that can be
repeated in case after case. There is generally no such thing as generic
computer evidence procedures. The evidence is likely to be significantly
different every time a submission is received by the laboratory and will
likely require an examination plan tailored to that particular evidence.
Although this situation means that management checks and controls within
the laboratory must be reconsidered for each case, it is a consideration
that must be addressed and improved if this emerging forensic discipline is
to remain an effective and reliable tool in the criminal justice system.
Conclusion
Valid and reliable methods to recover data from computers seized as
evidence in criminal investigations are becoming fundamental for law
enforcement agencies worldwide. These methods must be technologically
robust to ensure that all probative information is recovered. They must
also be legally defensible to ensure that nothing in the original evidence
was altered and that no data was added to or deleted from the original.
The forensic discipline of acquiring, preserving, retrieving, and
presenting data that has been processed electronically and stored on
computer media is computer forensic science.
This article examined issues surrounding the need to develop laboratory
protocols for computer forensic science that meet critical technological
and legal goals. Computer forensic scientists need to develop ongoing
relationships with the criminal justice agencies they serve. The reasons
for these relationships include the following:
In their efforts to minimize the amount of data that must be recovered
and to make their examinations more efficient and effective, computer
forensic scientists must have specific knowledge of investigative
details. This is a clear requirement that is generally more demanding
than traditional forensic science requests, and it places more reliance
on case information.
Courts are requiring that more information rather than equipment be
seized. This requires cooperative efforts between law enforcement
officers and the computer forensic scientist to ensure that the
technical resources necessary for the execution of the search warrant
are sufficient to address both the scope and complexity of the search.
Computers may logically contain both information identified in the
warrant as well as information that may be constitutionally protected.
The computer forensic scientist is probably the most qualified person to
advise both the investigator and prosecutor as to how to identify
technical solutions to these intricate situations.
Developing computer examination protocols for forensic computer analysis
is unique for several reasons:
Unlike some traditional forensic analyses that attempt to gather as much
information as possible from an evidence sample, computer forensic
analysis attempts to recover only probative information from a large
volume of generally heterogeneous information.
Computer forensic science must take into account the reality that
computer forensic science is primarily market driven, and the science
must adapt quickly to new products and innovations with valid and
reliable examination and analysis techniques.
The work product of computer forensic science examinations also differs
from most traditional forensic work products. Traditional forensic
science attempts to develop a series of accurate and reliable facts. For
example, the DNA extracted from blood found at a crime scene can be
matched to a specific person to establish the fact that the blood was
shed by that person to the exclusion of all other individuals. Computer
forensic science generally makes no interpretive statement as to the
accuracy or reliability of the information obtained and normally renders
only the information recovered.
Computer forensic science protocols should be written in a hierarchical
manner so that overarching principles remain constant, but examination
techniques can adapt quickly to the computer system to be examined. This
approach to computer forensic protocols may differ from those developed
for many traditional forensic disciplines, but it is necessary to
accommodate a unique forensic examination.
References
American Society of Crime Laboratory Directors/Laboratory Accreditation
Board (ASCLD/LAB). ASCLD/LAB Manual. American Society of Crime Laboratory
Directors/Laboratory Accreditation Board, Garner, North Carolina, 1994,
pp. 29-30.
CommerceNet Research Council. 2000 Industry Statistics. Available at
http://www.commerce.net/research/stats/wwstats.html
Fischer, L. M. I.B.M. plans to announce leap in disk-drive capacity, New
York Times (December 30, 1997), p. C-2.
Noblett, M. G. Report of the Federal Bureau of Investigation on
development of forensic tools and examinations for data recovery from
computer evidence. In: Proceedings of the 11th INTERPOL Forensic Science
Symposium, Lyon, France. The Forensic Sciences Foundation Press, Boulder,
Colorado, 1995.
Pollitt, M. The Federal Bureau of Investigation report on computer
evidence and forensics. In: Proceedings of the 12th INTERPOL Forensic
Science Symposium, Lyon, France. The Forensic Sciences Foundation Press,
Boulder, Colorado, 1998.
Pollitt, M. Computer Evidence Examinations at the FBI. Unpublished
presentation at the 2nd International Law Enforcement Conference on
Computer Evidence, Baltimore, Maryland, April 10, 1995.