The increase in computer-related crime has led to the development of special tools to recover and analyze computer data. A combination of hardware and software tools has been developed using commercial off-the-shelf utilities integrated with newly developed programs. Procedures have been defined and implemented to protect the original computer data. Processes have been developed to recover hidden, erased, and password-protected data. To that end, all recovery and analysis work is performed on image copies of the original.
Because there is a wide variety of computers, peripherals, and software available, including many different forms of archival storage (Zip, Jaz, disk, tape, CD-ROM, etc.),[i] it is important that a wide variety of equipment be available for recovery and analysis of evidence residing on a computer’s hard disk and external storage media. Recovered data must be analyzed, and a coherent file must be reconstructed using advanced search programs specifically developed for this work.
For example, these techniques were recently used to recover data from several computers that indicated a large check forgery ring was in operation throughout California and personal and business identities were being stolen without the knowledge of the victims. Case files going back over 5 years were cleared with the information obtained.
In another case, proprietary intellectual property was found on the suspect’s computer and was being used for extortion. In the case of a murdered model, the murderer’s computer address book was recovered and is now being used to determine if he might be a serial killer. Another case involved a stalker who had restricted pager information on his victim, which was recovered from the suspect’s computer.
With the preceding cases in mind, the primary goal of this chapter is to illustrate the reconstruction of past events with as little distortion or bias as possible. Many analogies can be drawn from the physical to the virtual realms of detective work—anyone who has seen a slaying on a police show can probably give a reasonably good account of the initial steps in an investigation. First, you might protect and isolate the crime scene from outside disturbances. Next comes recording the area through photographs and note taking. Finally, a search is conducted to collect and package any evidence found.
[i] John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.