EXPERIMENTING WITH FORENSICS TOOLS

With so many different ways to leave behind a trail of incriminating evidence, you may want to examine your own hard disk for ways that someone could use your data against you.

Free forensics tools

To experiment with a variety of free forensics tools, visit AntiOnline (http://www.antionline.com) or the New Technologies site (http://www.forensics-intl.com/download.html). For example, the dirsnp program can recover previously deleted files, the dd program can read individual sectors off a disk and display their contents, and the readit program can search a file for a particular word or phrase, such as "nuclear missile," "nerve gas," or the name of your boss's mistress.

Since recovered files often contain non-alphanumeric characters (such as smiley faces, triangles, or odd mathematical symbols), the filter program can screen out such useless characters, allowing you to see more clearly the actual data buried inside. To preserve the contents of a suspect's computer, the disable program can turn off the keyboard.

Commercial forensics tools

To learn about some of the tools law enforcement agencies might use against you, visit the Digital Intelligence Inc. website (http://www.digitalintel.com), which sells a unique forensics tool called Drivespy. Drivespy accesses physical drives using pure BIOS (Int13 or Int13x) calls. Not only does this allow Drivespy to access both DOS and non-DOS partitions, but it also ensures that you won't risk having the operating system modify or erase data (such as modifying the swap file) during normal use.

Drivespy lets you do the following:

• Examine hard disk partitions using a built-in Sector (and Cluster) hex viewer

• Copy files to a designated work area without altering file access or modification dates

• Unerase files to a designated work area without altering file access or modification dates

• Search drives, partitions, and files for text strings or data sequences

• Store all the slack space of an entire partition to a file for examination

• Save and restore one or more contiguous sectors to or from a file

For those who need more power than Drivespy offers, Digital Intelligence also sells dedicated computer forensics workstations (whimsically dubbed FRED, for Forensic Recovery of Evidence Device) and a portable version called FREDDIE (for Forensic Recovery of Evidence Device Diminutive Interrogation Equipment). If you ever see the police hauling a FRED or FREDDIE into your computer room, you'll know that they'll be able to copy data from any hard disk or any other removable storage device, such as Zip disks; create images of your entire hard disk; connect directly to your computer and monitor any communications that your friends may be trying to send to you; examine any visible and hidden partitions for data; and capture video images from a camera to record the appearance and location of equipment at the scene of the crime.

You can also visit Guidance Software (http://www.guidancesoftware.com) to learn about its EnCase program. Not only can EnCase examine MS-DOS/Windows computers, but it can also examine Macintosh and Linux computers. EnCase can hook up to a target computer and scan the target computer's hard disk for graphic files (useful for hunting down child pornographers). Once it has retrieved all these graphic files and copied them to another computer, it can display or print the contents of these graphic files.

While searching graphic files may help find child pornography images, searching text and other files can help find evidence against ordinary criminals or terrorists. Since their information is likely to be stored in word processor documents or email messages, EnCase can search a hard disk for all files that contain certain words or phrases. Once EnCase finds a file containing a specific word or phrase, it can list or copy those files for further examination.

To learn how the American and British governments may be using computer forensics tools to catch criminals, visit the websites of the Electronic Crimes Task Force (http://www.ectaskforce.org) and U.K.'s National Hi-Tech Crime Unit (http://www.nhtcu.org/nhtcu.htm).