British Computer Society West Yorkshire Branch

Serving North & West Yorkshire


"Computer Forensics"

Tuesday 24 January 2006, 5:45 pm (refreshments) for a 6:30 pm start
Speaker: Russell May BSc(Hons) CITP CEng MBCS EnCE
[Guidance Software Inc]
Venue: Met Hotel, Leeds.

Computer Forensics
Russell May BSc(Hons) CITP CEng MBCS EnCE,
Manager of Special and Partner Projects (Europe, Middle East, Africa, India, Russia),
Guidance Software Inc.

Our first talk of the New Year clearly generated significant interest, as some eighty people attended.  The speaker for the evening, Russell May, introduced himself and gave a quick summary of his background, which included twenty-eight years' experience in the West Midlands police force, culminating in a spell as head of the High-Tech Crime Unit.  Russell now works for Guidance Software, a company based in Pasadena, California, which specialises in developing software to assist in retrieving digital information for forensic purposes.

Russell then outlined the basic rules that must be followed when examining computers and other digital devices. There are a number of basic principles that must be abided by.  These are enshrined in the ACPO (Association of Chief Police Officers) Guidelines on Computer Evidence, and are used in countries other than the UK, including the United States.  These guidelines MUST be followed for evidence to be accepted in court. 

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage medium which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved.  An independent third party should be able to examine those processes and achieve the same result.  (In a court case, the defence would be entitled to require access to this.)

Principle 4: The onus is on the person in charge of the investigation (the case officer) to ensure that the law and these principles are adhered to.

A forensic analyst will make a bit-by-bit copy of the contents of the storage medium.  The original should then be sealed and stored in a safe place while all analysis is carried out on the copy.
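The imaging step above, together with the audit-trail requirement of Principle 3, can be illustrated with a short script.  This is an added example written for this report; it is not code from the talk or from Guidance Software.  The evidence medium is a constructed byte buffer standing in for a block device read through a write blocker, and the examiner and exhibit names are placeholders.  The point it shows is the verification that an imager performs: the original is hashed before and after the copy is taken, the copy is hashed, and all three values must agree before the copy can stand in for the original.

```python
import hashlib
import datetime

# Constructed stand-in for an evidence medium. In a real acquisition this is the
# raw block device, read through a hardware write blocker (see text).
ORIGINAL_MEDIUM = bytes(range(256)) * 64 + b"\x00" * 512   # 16,896 bytes, 33 sectors


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_medium(medium: bytes, block_size: int = 512) -> bytes:
    """Bit-for-bit copy taken block by block, the way a forensic imager reads a disc.
    No interpretation of partitions or file systems takes place here."""
    out = bytearray()
    for offset in range(0, len(medium), block_size):
        out += medium[offset:offset + block_size]
    return bytes(out)


def acquire(medium: bytes, examiner: str, exhibit_ref: str):
    """Image the medium and produce the audit-trail record required by Principle 3.

    The record carries the hash of the original taken before and after imaging
    (Principle 1: the act of imaging must not have altered it) and the hash of
    the image; the copy is only fit to work on if all three agree."""
    before = sha256_hex(medium)
    image = image_medium(medium)
    after = sha256_hex(medium)          # re-read the original after the copy
    image_hash = sha256_hex(image)
    record = {
        "exhibit": exhibit_ref,         # placeholder exhibit reference
        "examiner": examiner,           # placeholder examiner name
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "bytes": len(medium),
        "sha256_original_before": before,
        "sha256_original_after": after,
        "sha256_image": image_hash,
        "verified": before == after == image_hash,
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """The independent re-check a third party (for example the defence) can run
    later, using only the image and the acquisition record."""
    return record["verified"] and sha256_hex(image) == record["sha256_image"]


if __name__ == "__main__":
    img, rec = acquire(ORIGINAL_MEDIUM, "EXAMINER-PLACEHOLDER", "EXHIBIT/PLACEHOLDER")
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("independent verification:", verify_image(img, rec))
```

Any later change to the image, even a single byte, makes `verify_image` return false, which is what allows a third party to confirm that the analysis was carried out on a faithful copy.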

If it is necessary to power up the machine, the analyst will either use a copy of the machine's hard drive or use a virtual machine.  On many operating systems, the act of booting the machine leads to many files being created or modified on the machine's hard disc, and this could mean violating Principle 1 if the original hard disc is used.

The analyst will retrieve evidence and present it in a readable form, suitable for use in court. 

The contents of the machine will be examined for other evidence, such as money, keys, drugs or other substances concealed in the machine, or additional hard discs that have been disconnected so that a casual user of the machine would not know that they existed or be able to access the contents.

It is important to ensure that the suspect device cannot be written to; this can be a problem with Windows machines as they will not recognise read-only hard discs, and so a hardware write-blocking device needs to be used.

Disc images are examined for hidden or deleted files and partitions.  Any hidden or deleted files or partitions can be recovered and data that may be of value can be retrieved. 

Photographic evidence is also collected - this would be photographs of the computer hardware, how it was laid out, and how the various components were connected to one another.  This is used a) to document how a system had been set up (such as evidence of a facility for mass-producing illegal copies of CDs or DVDs) and b) to re-create the configuration of components if they have been disconnected and it is then decided to power up the system as part of the investigation.

One of the key messages from this talk was that forensics should never be taken in isolation - it is part of the body of evidence that has to be amassed for a prosecution to be brought.

Following this explanation, Russell demonstrated some of the capabilities of the EnCase tool developed and marketed by Guidance Software, and showed some of the ways in which information and illicit images might be concealed.  Some of the key points from the demonstration were:

1. On DOS/Windows systems, Fdisk only removes partition information - it does not physically delete files.  A hard disc that has had Fdisk run on it may still contain much of the data, as files may have only been logically rather than physically deleted.  A disc editor can reveal the presence of files even though the operating system 'thinks' they no longer exist.

2. Files can be searched for by header, rather than by name.  A particular type of file (such as a jpeg image file) will have a particular type of header that identifies the file type.  This is independent of the file name.  For example, an image file containing pornographic material could be disguised by renaming it with a different extension.  However, the file's header information would still reveal that it was an image file rather than text or a Word document.  A tool such as EnCase can identify such files.

3. It is possible to search archives (such as Zip files) and OLE containers to reveal layered images (such as a Word document in which one 'harmless' image is positioned on top of a 'suspect' image to hide it).

4. File signature analysis is used to find 'disguised' files, such as a .jpg file (image) disguised as a dll.

5. On a machine where virtual memory is in use, the swap file can be examined for unsaved changes.
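Points 1, 2 and 4 above can be shown in a few dozen lines.  This is an added example written for this report; it is not EnCase code and not anything shown in the talk.  The magic numbers are the real leading bytes of each format, but the sample "files" and the raw disc image are constructed in the script and are not complete, viewable files.  The script does two things: it compares a file's header with its extension and flags the mismatch (the image renamed as a .dll in point 4), and it scans a raw image for JPEG header/trailer pairs without consulting any partition table or directory, which is why data survives Fdisk (point 1).

```python
# Leading bytes ("magic numbers") that identify a format regardless of its name.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Word/Excel container
PE_MAGIC = b"MZ"                                   # DOS/Windows executable, .exe or .dll
JPEG_EOI = b"\xff\xd9"                             # JPEG end-of-image trailer

# (type name, magic bytes, extensions under which that type is expected)
SIGNATURES = [
    ("jpeg", JPEG_MAGIC, {".jpg", ".jpeg"}),
    ("png", PNG_MAGIC, {".png"}),
    ("zip", ZIP_MAGIC, {".zip", ".docx"}),
    ("ole", OLE_MAGIC, {".doc", ".xls"}),
    ("pe", PE_MAGIC, {".exe", ".dll"}),
]


def identify(data: bytes) -> str:
    """Classify by header only; the file name plays no part."""
    for name, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def signature_mismatch(filename: str, data: bytes):
    """Return (type found in the header, whether the extension agrees with it).
    Unknown types are not flagged: there is no signature to contradict the name."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    actual = identify(data)
    for name, _, exts in SIGNATURES:
        if name == actual:
            return actual, ext in exts
    return actual, True


def scan_files(files: dict) -> list:
    """Names of files whose header contradicts their extension."""
    return [n for n, d in files.items() if not signature_mismatch(n, d)[1]]


def carve_jpegs(image: bytes, max_len: int = 1 << 20) -> list:
    """Find JPEG data in a raw image by header and trailer alone.
    Returns (offset, length) pairs. Nothing in the partition table or
    directory is consulted, so files whose entries are gone are still found."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_MAGIC, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_MAGIC))
        if end < 0:
            break
        length = min(end + len(JPEG_EOI) - start, max_len)
        found.append((start, length))
        pos = start + length
    return found


def build_sample_image() -> bytes:
    """Constructed raw disc image of six 512-byte sectors with no partition table:
    two JPEG fragments sit in space a file system would regard as free."""
    sector = lambda b: b.ljust(512, b"\x00")
    jpeg_a = JPEG_MAGIC + b"\xe0" + b"JFIF-sample-A" + JPEG_EOI   # 19 bytes
    jpeg_b = JPEG_MAGIC + b"\xe0" + b"JFIF-sample-B" + JPEG_EOI
    pe_stub = PE_MAGIC + b"\x90\x00" + b"constructed-dll-stub"
    return b"".join([sector(b""), sector(b""), sector(jpeg_a),
                     sector(pe_stub), sector(b""), sector(jpeg_b)])


# Constructed file set: one image renamed with a .dll extension (point 4).
SAMPLE_FILES = {
    "holiday.dll": JPEG_MAGIC + b"\xe0" + b"JFIF-sample" + JPEG_EOI,
    "report.doc": OLE_MAGIC + b"\x00" * 8,
    "notes.txt": b"plain text, no signature",
    "lib.dll": PE_MAGIC + b"\x90\x00",
}

if __name__ == "__main__":
    print("extension/header mismatches:", scan_files(SAMPLE_FILES))
    print("JPEG data carved from raw image:", carve_jpegs(build_sample_image()))
```

Running it reports `holiday.dll` as the only mismatch and finds JPEG data at offsets 1024 and 2560 of the raw image, neither of which any directory entry points to.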
