Chapter 6: Duplication and Preservation of Digital Evidence

Computer evidence is odd, to say the least. It lurks on computer hard disk drives, zip disks, and floppy diskettes at three different levels. Two of these levels are not visible to the computer user. Such evidence is fragile and can easily be destroyed through something as simple as the normal operation of the computer. Electromagnets and planted destructive Trojan horse programs are other hazards that can permanently destroy computer evidence within seconds. There is no other type of evidence that presents the investigator with as many potential problems and challenges. In the old days, defense lawyers didn’t know much about computer evidence. As a result, cross-examination by the defense wasn’t as strong a few years ago as it is today. However, things are changing because lawyers are becoming educated due to the current popularity of electronic document discovery in the legal community. Times have changed and it is all the more important to do things by the book.

PRESERVING THE DIGITAL CRIME SCENE

The computer investigator not only needs to be worried about destructive processes and devices being planted by the computer owner, he or she also needs to be concerned about the operating system of the computer and applications. Evidence is easily found in typical storage areas (spreadsheet, database, and word processing files). Unfortunately potential evidence can also reside in file slack, erased files, and the Windows swap file. Such evidence is usually in the form of data fragments and can be easily overwritten by something as simple as the booting of the computer and/or the running of Microsoft Windows. When Windows starts, it potentially creates new files and opens existing ones as a normal process. This situation can cause erased files to be overwritten and data previously stored in the Windows swap file can be altered or destroyed. Furthermore, all of the Windows operating systems (Windows 95, 98, 2000, and especially XP) have a habit of updating directory entries for files as a normal operating process. As you can imagine, file dates are important from an evidence standpoint.

Another concern of the computer investigator is the running of any programs on the subject computer. Criminals can easily modify the operating system to destroy evidence when standard operating systems commands are executed. Perpetrators could modify the operating system such that the execution of the DIR command destroys simulated evidence. Standard program names and familiar Windows program icons can also be altered and tied to destructive processes by a crafty high-tech criminal.

Even trusted word processing programs such as Microsoft Word and WordPerfect™ can become the enemy of the cyber cop. It works this way: When word processing files are opened and viewed, temporary files are created by the word processing program. These files overwrite the temporary files that existed previously and potential evidence stored in those files can be lost forever. There’s a point to all of this. Computer evidence processing is risky business and is fraught with potential problems. Of course, any loss of crucial evidence or exculpatory material falls on the shoulders of the computer investigator. What will your answer be, if the defense attorney claims the data you destroyed proved the innocence of his or her client? You better have a good answer.

Many inherent problems associated with computer evidence processing vanish when tried and proven processing procedures are followed. The objective of this part of the chapter is to keep Murphy’s law from ruining your case. When it comes to computer evidence processing, Murphy is always looking over your shoulder. He stands ready to strike at just the wrong moment.

Your first objective, after securing the computer, should be to make a complete bit stream back-up of all computer data before it is reviewed or processed. This should normally be done before the computer is operated. Preservation of evidence is the primary element of all criminal investigations and computer evidence is certainly no exception. These basic rules of evidence never change. Even rookies know that evidence must be preserved at all costs. As stated previously, evidence can reside at multiple levels and in bizarre storage locations. These levels include allocated files, file slack, and erased files. It is not enough to do a standard back-up of a hard disk drive. To do so would eliminate the back-up of file slack and erased file space. Without backing-up evidence in these unique areas, the evidence is susceptible to damage and/or modification by the computer investigator. Bit stream back-ups are much more thorough than standard back-ups. They involve the copying of every bit of data on a storage device and it is recommended that two such copies be made of the original when hard disk drives are involved. Any processing should be performed on one of the back-up copies. As previously recommended, the original evidence should be preserved at all costs. After all, it is the best evidence.

The need for forensic bit stream image back-ups was identified back in late 1989 during the creation of the first computer forensic science training courses at the Federal Law Enforcement Training Center. The first program created to perform this task was named IMDUMP and was developed by Michael White, who was employed by Paul Mace Software. That program proved to be helpful until approximately 1991, when most of the Paul Mace utilities were sold to another software company. Lacking the continued support for IMDUMP, Chuck Guzis at Sydex, Inc. in Eugene, Oregon, agreed to develop a specialized program that would meet law enforcement’s bit stream back-up needs from an evidence standpoint. Chuck has come to be known as the father of electronic crime scene preservation; the resulting program, SafeBack, has become a law enforcement standard. In addition, it is used by numerous government intelligence agencies, military agencies, and law enforcement agencies worldwide. Unlike normal back-up programs, the SafeBack program copies and preserves all data contained on the hard disk. It even goes so far as to circumvent attempts made to hide data in bad clusters and even sectors with invalid Cyclic Redundancy Codes (CRCs). As of this writing, there are no other back-up programs that have these features—added specifically to help law enforcement deal with such issues.

Another bit stream back-up program, called SnapBack, is also available and is used by some law enforcement agencies primarily because of its ease of use. It is priced several hundreds of dollars higher than SafeBack and its original design was not for evidence processing. It was designed as a network back-up utility for use by system administrators. SafeBack was designed from the ground up as an evidence-processing tool and is priced to fit law enforcement budgets. It has error-checking built into every phase of the evidence back-up and restoration process. Thus, the important thing is to make a bit stream back-up of all computer data before you begin processing. SafeBack and SnapBack seem to be the answer concerning computer hard disk drives.

The importance of bit stream image back-ups cannot be stressed enough. To process a computer hard disk drive for evidence without a bit stream image back-up is like playing with fire in a gas station. The basic rule is that only on rare occasions should you process computer evidence without first making an image back-up. The hard disk drive should be imaged using a specialized bit stream back-up product and the floppy diskettes can be imaged using the standard DOS DISKCOPY program. Directions should be followed exactly, regarding the use of the bit stream back-up software. When DOS DISKCOPY is used, it is recommended that the MS DOS Version 6.22 be used and the /V (data verification) switch should be invoked from the command line. To avoid getting too technical for the purposes of this chapter, specifics regarding the uses of these back-up programs will be avoided. However, instruction manuals should be studied thoroughly before you attempt to process computer evidence. Ideally, you should conduct tests on your own computers beforehand and compare the results with the original computer evidence. Being comfortable with the software you use is an important part of computer evidence processing. Know your tools. Practice using all of your forensic software tools before you use them in the processing of computer evidence. You may only get one chance to do it right.