Seeking Computer Forensics Information For A Novel
Apologies for the length of this post.
I am in the process of writing a crime novel which requires
some computer forensics techniques at a late stage in the
The book isn't focused on the computer forensics specifically
(i.e. it's not CSI where the entire focus is on the forensics
and if they aren't 100% accurate the point of the show is lost),
so I only really need enough information about the processes to
make it believable without slowing down the pace too drastically
with pages of meticulous description (which I'm sure would also
not stand up to heavy scrutiny by people like yourselves).
I have browsed through a lot of the posts on these forums and read
the content from some of the links pages, but a lot of the time the
information is perhaps a little too complicated for my needs.
If someone is able to help me out by answering the below questions
then it would be greatly appreciated (you can either reply here or
if you wish send me a PM and we can organise to correspond via email
if that is your preference - if you feel uncomfortable sharing the
information such as the last question in public).
As I said to Jamie in an email to check if it was alright to post, I
am currently unpublished etc. (which is all very clichéd), but if I
do manage to get the novel completed and published then I would be
happy to acknowledge anyone who has given me a hand (or this website
if that is preferred).
The questions I need answered are below.
In the 'Abilities of Law Enforcement' post
( http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=55 )
it is continually mentioned that simply booting up a computer is a bad
idea and corrupts evidence. What are the exact implications of this? Is
it simply then that the defence could argue the evidence was tampered
with in some way, or does it actually affect the data in some way?
Given that you cannot simply start up the computer to access the files
and information, what is the preferred method to get the data and ensure
that it remains legally viable?
From the post 'Setting up a forensics lab - recommendations?' ( http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=48 )
I gather that documenting everything you do from the moment you get the
computer is a must, but it also mentions having stand-alone rooms and
stand-alone networks to do the actual analysis.
What is actually done on these machines?
Also, I read about a method to access emails that have been deleted from
Outlook ( http://www.htcia.org/pdf_files/vol3iss3.pdf ) by corrupting the
Outlook Mail Storage area (apparently the restore tool then restores some
of the old deleted emails as well?). Has anyone actually tried this and can
confirm that it would work?
It sounds to me like doing so would require booting up the computer. Is there
another more 'forensic' way to gather this information?
One last question:
Earlier I had to do some research to figure out how to break into a simple
home machine with a Windows password - which I believe is notoriously easy to
do. I tried to research how to do it and found a page written by some script
It suggested that you simply needed to enter DOS mode and delete the *.pwl files.
Then when you try to login, Windows will not find the file, assume it is the first
time you are logging in and let you select a password.
This sounds particularly insecure - even for Windows. Even if this alone will
actually work, I think there would be an uphill battle to convince readers it
I'd prefer to take the word of someone on these forums who might actually know
what they're talking about, rather than a teenage kid that logs into his sister's
laptop and calls himself a hacker.
Would this method actually work? Is there a more advanced way that sounds a little
more convincing that I could include instead?
To answer your questions:
1. Booting up a computer (or shutting one down), specifically into a Windows operating system, alters data in that the operating system updates multiple system files in the process. If the opposition can argue that several files have been changed since the examiner had the computer it makes it that much easier to argue the entire case is corrupt. Some applications can also be scheduled to run on shutdown or startup. Data wiping programs often can be set up this way and an examiner certainly does not want to trigger these.
2. There are several ways to copy (acquire) data. You certainly want to do this first as you don't want to use the original media any longer than necessary. All media fails eventually and you don't want it to happen while you are using it. The first method is to boot the subject pc into a dos environment. In DOS the system does nothing without the operator's command. The examiner can copy drives using forensic acquisition programs locally (to other drives installed in the same system), or across network or parallel cables to another computer. DOS acquisitions are slower than those done in Windows however as DOS is a 16 bit OS and Windows is a 32 bit OS. Many examiners use Linux programs as well for the same reasons. For the reasons mentioned above you can't simply put a hard drive in your system and boot up into windows, but with a write blocking device you can. It is a bridge that may be installed on an ide or scsi channel, or as many of the newer ones, attached via firewire. This is a firewire device that prevents any writes to the device it's attached to. This allows much faster acquisitions.
Forensic computers are used primarily to copy (acquire) hard drives or devices including floppy disks, cd/dvd roms, USB thumb drives, flash memory, etc. Then the examiner will analyze the data and report the findings. A forensic pc needs to be fast with a lot of memory, and have a good forensic application with lots of file viewers installed. This is necessary to view all the file types one may encounter in an examination. It should also not be hooked up to the internet, not that evidence files could be very easily corrupted, but again it just removes the possibility so that the argument can't start.
3. I'll withhold comment on the method you mention for accessing deleted outlook messages, just because I haven't personally used this technique. But it would not be necessary to boot the application. Most forensic programs allow you to "export" out folders to run additional analysis on such as this. You still haven't changed your working copy at all. Just created another copy to work with on your computer.
4. The method you mention for breaking into a Windows system appears to relate to a Windows 95 or 98 system. Getting in to one of those was actually easier than that, when confronted with the login window just hit cancel and you go right in. Windows XP and 2000 systems are much more secure. It is however not an issue for a forensic examiner. Since you are working through a forensic application you are looking at the file system, not trying to log in. You will be able to access all the files and folders. There are forensic applications that are available to enable one to boot from the forensic image. This allows the examiner to "see" the system just as the user did, what was on the desktop, what favorites did they have, etc. I have never used this feature as all of that is readily available if you know where to look for it.
Good luck with your book, sounds like an interesting project,
As I got to the end of writing this post I saw Greg has done one as well, which is really very good.
Don't discount the word of that teenage kid that logs into his sister's laptop (some of the little buggers are good hackers).
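The reply above rests on two points: the original media is touched once (behind a write blocker, from DOS or Linux) to produce an image, and every later step works on a copy that has "not changed" since acquisition. The usual way an examiner proves that second point is to hash the source while imaging it, hash the image, and re-hash the working copy before and after analysis, writing each result to the case log. The script below is an added illustration of that acquire-then-verify routine, not code from the thread or from any forensic product. It assumes an ordinary file standing in for the suspect drive, SHA-256 as the hash, and a plain text custody log; the imaging tool, write blocker and log format in a real lab are whatever the lab standardises on.

```python
"""Acquire-then-verify workflow for a forensic image (added example).

Assumptions (not from the thread): the 'evidence' is an ordinary file
standing in for a block device, the hash is SHA-256, and the custody log
is a plain text file. A real acquisition runs behind a hardware write
blocker with a dedicated imaging tool; this only models the verification.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB blocks


def sha256_of(path):
    """Hash a file in chunks so a multi-GB image does not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, log):
    """Copy source to image byte for byte, hashing the source as it is read,
    then hash the finished image and record both values in the custody log."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = sha256_of(image)
    ok = source_hash == image_hash
    with open(log, "a") as lf:
        lf.write(f"{datetime.now(timezone.utc).isoformat()} acquire {source} -> {image} "
                 f"source_sha256={source_hash} image_sha256={image_hash} match={ok}\n")
    return {"source_sha256": source_hash, "image_sha256": image_hash, "match": ok}


def verify(image, expected_hash, log):
    """Re-hash a copy before and after analysis; any write shows up as a mismatch."""
    current = sha256_of(image)
    ok = current == expected_hash
    with open(log, "a") as lf:
        lf.write(f"{datetime.now(timezone.utc).isoformat()} verify {image} "
                 f"sha256={current} match={ok}\n")
    return ok


def demo():
    """Constructed scenario: acquire a stand-in drive, make a working copy,
    verify it, then show that a single accidental write to the working copy
    fails verification while the untouched master image still passes."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "suspect_disk.bin")  # constructed stand-in for a drive
        with open(evidence, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))
        master = os.path.join(d, "master.dd")
        working = os.path.join(d, "working.dd")
        log = os.path.join(d, "custody.log")

        rec = acquire(evidence, master, log)
        shutil.copyfile(master, working)          # examiner works on the copy, never the master
        clean = verify(working, rec["image_sha256"], log)

        with open(working, "r+b") as f:           # simulate one stray write to the working copy
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))  # guaranteed to differ from the original byte
        tampered = verify(working, rec["image_sha256"], log)
        master_ok = verify(master, rec["image_sha256"], log)

        return {"acquired": rec["match"], "working_clean": clean,
                "working_after_write": tampered, "master_still_ok": master_ok}


if __name__ == "__main__":
    print(demo())
```

The point the thread makes about booting the suspect machine is visible here: a single changed byte flips the verification result, and the log entries are what the examiner would produce to show that the master image was never touched after acquisition.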
Couldn't agree with you more Andy,
Hey…I liked "WarGames" !
Man-sized modems, no spam, big hair…a golden age 🙂
Thanks for the help guys.
I'll process the information and see if any more questions come up 🙂
Most of what I have explained can be found in greater detail by Google searches. A great man once said 'Google is your friend' (… it might have been Harlan) and he's right.
I understand how it can be annoying to have people asking simple questions that can be solved easily, so I do try to find information for myself before I ask. It was just in this case most of what I could find pretty much assumed knowledge of some of the basic-level stuff I was asking about.
Once again, thanks…
All passwords are on the little pull out drawer under the secretary's desk, this week the password is "pencil".
Shhhhh…don't tell everyone!
OK, I'll be serious from now on. Just one comment about CSI…they don't always get it right, at least not from a computer forensics perspective…