PRESERVING COMPUTER INTEGRITY
by Rick Albee
This is how the conversation usually goes...
CEO: "Why can't you testify to the date that porn was downloaded on the company computer?"
Me: "Because the date-stamps showing the 'File Modified' and 'Last Accessed' dates are several days after you confiscated the computer from the employee."
CEO: "You can tell that!"--embarrassed pause--"What difference does that make?"
Me: "Did your own people download the porn to the computer, after it was confiscated?"
CEO: "Of course not!"
Me: "According to the forensics, somebody accessed that file after the computer was no longer in the hands of your employee. You've given them a perfect defense."
At this point, there is generally a big sigh of resignation that says (although not in so many words), "We really screwed up, didn't we?" Had the question been spoken, my answer would be that they had, indeed, really screwed up.
I recently completed a forensic computer examination for a large corporation. The above conversation is essentially what occurred. Unfortunately, in their haste to assist me, they actually hindered the investigation by allowing their in-house I.T. (Information Technology) personnel to "help." In these types of investigations, the biggest favor you can do for a client is to preserve the integrity of the computer, thus preserving the evidence for a trained forensic computer examiner.
- If the computer is ON, leave it on; if it is OFF, leave it off. Each time an operating system boots, it writes to several hundred files (registry hives, log files, the swap file, and the like), updates timestamps, and can overwrite unallocated space holding data crucial to the investigation. I use tools specifically designed to acquire the data without booting into Windows. That data is recoverable only if the boot process has not already overwritten it.
- Never allow company personnel to access the computer. Simply opening files changes the dates they were last accessed and/or written to, deposits new data in areas of the disk that only forensic tools can see (slack, unallocated space, the swap file, temporary files), and taints the evidentiary value of everything on the drive. I never boot into Windows; there is no way to do so and ensure the hard drive's integrity, because Windows writes to several hundred files during each boot.
- Never allow a copy to be made of the hard drive. A forensic copy differs from a Windows or DOS copy, which copies only existing, logical files, not the entire physical hard drive. I make a bit-by-bit copy of the entire physical hard drive, including slack (the data remaining in the unused portion of each sector past the end of a file) and unallocated space (clusters the FAT, the File Allocation Table, marks as free), where much of the needed data resides.
If you and your client follow these few simple suggestions, you will go a long way toward ensuring the best possible computer examination.
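As an added illustration of the three points above (this is not code from the original article or from the author), the Python below builds a constructed, miniature FAT-style volume and compares a Windows-style file copy with a bit-for-bit image: the slack and unallocated regions that a file copy drops, the hash that proves an image matches the device, and the post-seizure timestamp check from the opening conversation. The sector layout, directory table, file names and timestamps are all made up for the example.

```python
import hashlib

SECTOR = 512  # FAT-era sector size


def build_sample_disk() -> bytes:
    """Constructed 8-sector volume (not a real dump). Sector 0: boot record.
    Sectors 1-2: report.txt, 700 logical bytes, so sector 2 ends in slack that
    still holds a fragment of an earlier file. Sectors 3-7: unallocated, holding
    the remains of a deleted JPEG followed by zeroed free space."""
    boot = b"BOOT".ljust(SECTOR, b"\x00")
    report = b"Quarterly sales figures ...".ljust(700, b".")
    slack = b"\x00" * 10 + b"OLD PASSWORD: hunter2"
    sectors_1_2 = (report + slack).ljust(2 * SECTOR, b"\x00")
    deleted_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF deleted_photo.jpg ".ljust(3 * SECTOR, b"\xaa")
    free = b"\x00" * (2 * SECTOR)
    disk = boot + sectors_1_2 + deleted_jpeg + free
    assert len(disk) == 8 * SECTOR
    return disk


# Constructed directory table: name -> (first sector, sectors allocated, logical size)
DIRECTORY = {"report.txt": (1, 2, 700)}


def logical_copy(disk: bytes, directory: dict) -> dict:
    """What a Windows/DOS copy preserves: the logical bytes of live files only."""
    return {name: disk[s * SECTOR: s * SECTOR + size]
            for name, (s, _n, size) in directory.items()}


def physical_image(disk: bytes) -> tuple:
    """Bit-for-bit image of the whole device plus the SHA-256 that ties it to
    the source. Returns (image, hexdigest)."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(source: bytes, image: bytes, digest: str) -> bool:
    """An image is only evidence if source, image and recorded digest all agree."""
    return hashlib.sha256(source).hexdigest() == digest == hashlib.sha256(image).hexdigest()


def slack_space(disk: bytes, directory: dict) -> dict:
    """Bytes between each file's logical end and the end of its last allocated sector."""
    return {name: disk[s * SECTOR + size: (s + n) * SECTOR]
            for name, (s, n, size) in directory.items()}


def unallocated_space(disk: bytes, directory: dict) -> bytes:
    """Every sector no live file owns (sector 0 is the boot record)."""
    used = {0}
    for s, n, _size in directory.values():
        used.update(range(s, s + n))
    return b"".join(disk[i * SECTOR:(i + 1) * SECTOR]
                    for i in range(len(disk) // SECTOR) if i not in used)


def files_touched_after(metadata: dict, seized_at: str) -> list:
    """Names whose Modified or Accessed stamp postdates seizure. Stamps are
    ISO-8601 UTC strings, which compare correctly as plain strings."""
    return sorted(name for name, (modified, accessed) in metadata.items()
                  if modified > seized_at or accessed > seized_at)


SEIZED_AT = "2001-03-05T17:00:00Z"  # constructed seizure time
SAMPLE_TIMESTAMPS = {               # constructed stamps: name -> (modified, accessed)
    "budget.xls": ("2001-02-20T09:12:00Z", "2001-03-02T11:40:00Z"),
    "image01.jpg": ("2001-03-01T22:05:00Z", "2001-03-09T08:30:00Z"),  # opened after seizure
}

if __name__ == "__main__":
    disk = build_sample_disk()
    image, digest = physical_image(disk)
    print("image verified:", verify_image(disk, image, digest))
    files = logical_copy(disk, DIRECTORY)
    print("'hunter2' in file copy:", any(b"hunter2" in f for f in files.values()))
    print("'hunter2' in slack:", b"hunter2" in slack_space(disk, DIRECTORY)["report.txt"])
    print("'JFIF' in unallocated:", b"JFIF" in unallocated_space(disk, DIRECTORY))
    print("touched after seizure:", files_touched_after(SAMPLE_TIMESTAMPS, SEIZED_AT))
```

Run as a script, it shows that the password fragment in slack and the deleted JPEG header in unallocated space are both invisible to the file-by-file copy yet present in the physical image, and that the one file whose Last Accessed stamp postdates the seizure time is flagged. The hash comparison is the routine check an examiner records so the copy can later be shown identical to the drive.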
Equally important to preserving the computer's integrity is being certain that we do not violate the Privacy Protection Act. I recently turned down a job because the company had allowed an employee to install their personally owned Internet software and access the Internet as if the computer were private property. The employee had an obvious expectation of privacy, and no waiver from the company is sufficient to thwart that expectation.
In conclusion, the old adage still holds true: If you need an electrician, don't hire a plumber. Forensic computer work is unlike anything else in the computer field; just like any other specialty, it requires special tools and training.