This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."


Armed with computer forensics tools, Oregon State Police detective Stephen Payne helped uncover an Internet crime ring. The culprits, a group of teenagers and adults, sent thousands of e-mails spoofing Citibank and other financial institutions, asking customers for banking and other personal information.

Several recipients responded; the thieves created fake ATM cards embedded with the victims' data, withdrew cash and bought iPods over the Internet. A company shipping the devices notified police, who tracked down some of the criminals. Payne's investigation into their computers led to more suspects.

Using Guidance Software's EnCase, Payne cracked files on six computers protected by the Windows XP Professional Encrypting File System. He uncovered chat room sessions in which the group's 15-year-old ringleader instructed the others.

"He had the computer smarts and was teaching the others, who were recording their chat room sessions, I assume only to be able to go over what they learned," Payne says. Payne used keyword-search capabilities in EnCase and AccessData's Forensic Toolkit to ferret out online delivery confirmation pages from a shipping company. EnCase also allowed him to construct a chronology of events, which helped lead to two convictions in the case.

"Without that keyword search ability, you're really not able to see the silver needle in the golden haystack," he says.

Another Oregon law enforcement official, Jeff Snyder, computer forensics examiner and manager of the Multnomah County central parole office, relies on New Technologies' Stealth Suite to thwart sex offenders' illicit online activity. One such offender reformatted his hard drive, figuring it would eliminate any trace of his illegal behavior, but Snyder found several hundred child and adult pornography images and a couple hundred e-mails to children buried inside.

Stealth Suite allows Snyder's team to make a mirror image of a drive before they examine it so as to not taint the evidence--an important step, he says.

"If you do anything that changes even one byte on that drive, then you have to explain in court how whatever procedure you used either didn't damage the evidence or change it," he says. In some cases, though, an examiner may not be able to duplicate the drive and needs to work on a live system: "You may be in an environment where it's not practical to shut down a business when you're looking at a machine."

The Stealth Suite also gives Snyder's team the ability to search sector by sector on a drive or disk, which helps them dig into a computer's "slack space," where they can find a treasure trove of information.

"That's the essence of computer forensics work--to go into places where the operating system makes notes to itself that a user doesn't have any control over," he says.
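The sector-by-sector search described above, sketched as an added example (not Stealth Suite's code, and not from the original article): it scans a raw image in 512-byte sectors for a keyword in ASCII and UTF-16LE, catches hits that straddle a sector boundary, and marks hits that lie outside allocated file data, such as slack. The image, the file extent list and all function names are constructed for illustration.

```python
SECTOR = 512  # assumed sector size for this constructed image

def build_sample_image():
    """Constructed 4-sector image: a short file, slack residue, a wide string."""
    img = bytearray(SECTOR * 4)
    # Sector 1 holds a 20-byte live file; the rest of the sector is slack
    # that still carries residue from an earlier, deleted file.
    img[SECTOR:SECTOR + 20] = b"quarterly report v2\n"
    residue = b"delivery confirmation #0000 (constructed)"
    img[SECTOR + 300:SECTOR + 300 + len(residue)] = residue
    # A UTF-16LE copy of the keyword straddling the sector 2/3 boundary.
    wide = "confirmation".encode("utf-16-le")
    img[SECTOR * 3 - 10:SECTOR * 3 - 10 + len(wide)] = wide
    return bytes(img)

def search_sectors(image, keyword, file_extents=()):
    """Scan raw sectors for an ASCII keyword in ASCII and UTF-16LE form.

    file_extents: (offset, length) pairs of allocated file data.
    Returns sorted (byte_offset, sector, encoding, outside_file_data) tuples.
    """
    needles = {"ascii": keyword.encode("ascii"),
               "utf-16le": keyword.encode("utf-16-le")}
    hits = []
    for enc, needle in needles.items():
        overlap = len(needle) - 1
        for base in range(0, len(image), SECTOR):
            # One sector plus an overlap, so a hit that starts in this
            # sector and ends in the next is still matched exactly once.
            window = image[base:base + SECTOR + overlap]
            pos = window.find(needle)
            while pos != -1 and pos < SECTOR:
                off = base + pos
                live = any(s <= off < s + n for s, n in file_extents)
                hits.append((off, off // SECTOR, enc, not live))
                pos = window.find(needle, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    image = build_sample_image()
    for hit in search_sectors(image, "confirmation", [(SECTOR, 20)]):
        print(hit)
```

A file-level search of this image would see only the 20-byte file; both hits reported here sit in bytes the file system does not present to the user.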

--Marcia Savage
In addition, all ASCII and Unicode strings are indexed and exportable. This ties in seamlessly with the password recovery tool as all text strings found within the evidence can be ported into a dictionary for password-cracking purposes. UTK's password recovery tool is capable of decrypting Microsoft NTFS-EFS and Office, .zip, NTLM and PDF files--just about any type of encrypted file that could be used as evidence.

Included with UTK is AccessData's Forensic Toolkit (FTK), which has been around since 1998 and has gained quite a bit of popularity among law enforcement officials and the private sector. Its capability for dealing with e-mail--more and more becoming the silver bullet of evidence--is second to none.

FTK's ability to quickly catalog e-mail on an evidence image in just about any stored format--and further extract embedded images and elements in a highly searchable fashion--makes it the premier forensic tool for such analysis. FTK is also adept at handling graphics and creating reports that display them in an easy-to-understand and organized manner.

Typical of a commercial tool, FTK can manage a case from acquisition to completion, and includes polished and flexible reporting capabilities that can be easily installed onto an auto-play CD-ROM for distribution.

e-fense's Helix
e-fense's Helix, created by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution designed specifically for digital forensics and based on the popular Knoppix distribution. It contains many forensics- and security-related tools designed to aid in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems. As it's Linux-based, it has the ability to analyze Linux file systems like Ext2/Ext3, and even the less common ones like ReiserFS, JFS and XFS.

What makes Helix different from other Linux LiveCDs are the measures it takes to preserve all of the drives and partitions present on a system. A common problem with other LiveCDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any auto-mounted partitions are read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other such file metadata. This allows Helix to acquire evidence without the use of a hardware write-block device.
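A check in the spirit of the paragraph above, added here as an example and not taken from Helix: it reads the text of /proc/mounts and /proc/swaps and reports evidence partitions that are mounted read-write, mounted read-only without the option that suppresses journal replay (noload on ext3, norecovery on XFS), or in use as swap. The device-name prefixes, the function name and the sample text are assumptions made for the example.

```python
# Option that stops a read-only mount from replaying the journal.
NO_REPLAY = {"ext3": "noload", "xfs": "norecovery"}

def audit_boot_state(mounts_text, swaps_text,
                     evidence_prefixes=("/dev/hd", "/dev/sd")):
    """Return (finding, device, where) tuples for anything that may write
    to an evidence disk. Inputs are the text of /proc/mounts, /proc/swaps."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(evidence_prefixes):
            continue
        device, where, fstype, options = fields[:4]
        opts = options.split(",")
        if "ro" not in opts:
            findings.append(("rw-mount", device, where))
        elif fstype in NO_REPLAY and NO_REPLAY[fstype] not in opts:
            findings.append(("journal-replay-risk", device, where))
    for line in swaps_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if fields and fields[0].startswith(evidence_prefixes):
            findings.append(("active-swap", fields[0], "swap"))
    return findings

# Constructed sample text, not captured from a real system.
SAMPLE_MOUNTS = """\
/dev/cdrom /cdrom iso9660 ro 0 0
/dev/sda1 /mnt/sda1 ext3 ro,noload 0 0
/dev/sdb1 /mnt/sdb1 ext3 ro 0 0
/dev/hda1 /mnt/hda1 vfat rw,noexec 0 0
"""
SAMPLE_SWAPS = """\
Filename Type Size Used Priority
/dev/sda2 partition 1048572 0 -2
"""

if __name__ == "__main__":
    for finding in audit_boot_state(SAMPLE_MOUNTS, SAMPLE_SWAPS):
        print(finding)
```

An empty result is what an examiner working without a hardware write blocker would want to record before acquisition begins.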

Helix will also auto-play on live Windows systems, on which its self-contained binaries and executables can be used for acquisition of both volatile data, like RAM, and stored data on a variety of media.

This was first published in December 2005
