2.2 Evolution of Investigative Tools

In the early days of computer crime investigation, it was common for digital investigators to use the evidentiary computer itself to obtain evidence. One risk of this approach was that operating the evidentiary computer could alter the evidence in a way that is undetectable. Although programs such as dd on UNIX existed in the 1980s and could be used to capture deleted data stored on a hard drive, these tools were not widely used and most digital evidence examinations at that time were performed at the file system level, neglecting deleted data.

It was not until the early 1990s that tools like SafeBack and DIBS were developed to enable digital investigators to collect all data on a computer disk without altering important details. At around the same time, tools such as those still available from Maresware and NTI were developed by individuals from the US Internal Revenue Service (IRS) to help digital investigators process data on a computer disk. The Royal Canadian Mounted Police (RCMP) also developed specialized tools for examining computers. As more people became aware of the evidentiary value of computers, the need for more advanced tools grew. To address this need, integrated tools like EnCase and FTK were developed to make the digital investigator's job easier. These tools enable more efficient examination by automating routine tasks and displaying data in a graphical user interface to help the user locate important details. Recently, there has been renewed interest in Linux as a digital evidence examination platform, and tools such as The Sleuth Kit and SMART have been developed to provide a user-friendly interface. More sophisticated tools utilizing powerful microscopes are available to recover overwritten data from hard drives, but these are prohibitively expensive for most purposes.

Unfortunately, many individuals are still unaware of the need for these tools. Although courts have been lenient on investigators who mishandle digital evidence, this is changing as awareness of the associated issues grows. Gates Rubber Co. v. Bando Chemical Indus. Ltd. provides an example of one court that criticized an investigator for improper digital evidence handling. Instead of using specialized digital evidence processing tools, the investigator copied individual files from the computer and was criticized by the court for not using "the method which would yield the most complete and accurate results."

There has been a similar progression in the evolution of tools for collecting evidence on communication systems. In the late 1980s, Clifford Stoll described how he made paper printouts of network traffic in an effort to preserve it as evidence (Stoll 1989). Network monitoring tools like tcpdump and Ethereal can be used to capture network traffic, but they are not specifically designed for collecting digital evidence: by themselves they neither document when, where, and by whom a capture was made nor protect the integrity of the captured data. Commercial tools such as Carnivore, NetIntercept, NFR Security, NetWitness, and SilentRunner have been developed with integrated search, visualization, and analysis features to help digital investigators extract information from network traffic. As described in Part 3 of this book, there are other forms of evidence on computer networks, many of which do not have associated evidence collection tools, making this a very challenging area for digital investigators. Rather than relying on tools, digital investigators working with networks often have to use their own ingenuity to collect and analyze evidence.

There has been a similar progression in the evolution of tools for collecting evidence on embedded computer systems. It is common for digital investigators to read data from pagers, mobile phones, and personal digital assistants directly from the devices. However, this approach does not provide access to deleted data and may not be possible if the device is password protected or does not have a way to display the data it contains. Therefore, tools such as ZERT, TULP, and Cards4Labs have been developed to access password protected and deleted data (van der Knijff 2001). More sophisticated techniques involving electron microscopes are available to recover encrypted data from embedded systems but these are prohibitively expensive for most purposes.

Over the years, bugs have been found in various digital evidence processing tools, potentially causing evidence to be missed or misinterpreted. To avoid the miscarriages of justice that may result from such errors, it is desirable to assess the reliability of commonly used tools. The National Institute of Standards and Technology (NIST) is making an effort to test some digital evidence processing tools through its Computer Forensics Tool Testing project. [2] However, testing even the most basic functionality of tools is a time-intensive process, making it difficult to keep up with changes in the tools. Also, it is unlikely that a single group can test every tool, including those used to collect evidence from networks and embedded systems. Additionally, in some instances it may not be possible to create standard tests for the advanced features of various tools, because each tool has different features.

Another approach that has been suggested to reduce the complexity of tool testing is to allow people to see the source code for critical components of the software (Carrier 2002). Providing programmers around the world with source code allows tool testers to gain a better understanding of the program and increases the chances that bugs will be found. It is acknowledged that commercial tool developers will want to keep some portions of their programs private to protect their competitive advantage. However, certain operations, such as copying data from a hard drive, are sufficiently common and critical to require an open standard. Ultimately, given the complexity of computer systems and the tools used to examine them, it is not possible to eliminate or even fully quantify the errors, uncertainties, and losses, so digital investigators must validate their own results using multiple tools.
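The two points made above, that copying files at the file system level misses deleted data while a bit-stream image preserves it (the failing criticized in Gates Rubber), and that an acquisition should be validated with more than one tool, can be walked through in a small shell script. This is a constructed example added here, not code from the book or from any of the tools it names: the "drive" is a file built with dd, the sector offsets, marker strings and file names are made up, and dd, sha256sum, cksum, tr, grep and mktemp are assumed to be available as on a typical Linux examination workstation.

```shell
#!/bin/sh
# Constructed example. Assumes POSIX sh plus dd, sha256sum, cksum, tr,
# grep and mktemp (GNU coreutils). Offsets and marker strings are made up.
set -eu

# Build a stand-in evidentiary drive: 128 sectors of 512 bytes.
# Sector 2 holds a file that still has a directory entry ("live");
# sector 40 holds the contents of a file whose directory entry was removed,
# so only a bit-stream copy of the whole device will pick it up.
make_disk() {
    disk=$1
    dd if=/dev/zero of="$disk" bs=512 count=128 2>/dev/null
    printf 'LIVE: quarterly report\n' \
        | dd of="$disk" bs=512 seek=2 conv=notrunc 2>/dev/null
    printf 'DELETED: wire transfer to offshore account\n' \
        | dd of="$disk" bs=512 seek=40 conv=notrunc 2>/dev/null
}

# File-system-level copy: what an investigator gets by copying the files the
# operating system still lists. Only the allocated sector is carried over.
logical_copy() {
    dd if="$1" of="$2" bs=512 skip=2 count=1 2>/dev/null
}

# Bit-stream image in the dd/SafeBack sense: every sector, allocated or not.
# conv=noerror,sync continues past unreadable sectors and pads them with
# zeros, so a bad sector changes the hash but does not truncate the image.
physical_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Count occurrences of a marker string in a copy or image. NUL bytes are
# stripped first so grep handles the data as text; "|| true" keeps a zero
# count from aborting the script under set -e.
count_marker() {
    tr -d '\000' < "$2" | grep -c "$1" || true
}

# Cross-check source and image with two independent tools (SHA-256 and the
# POSIX cksum CRC). Both digests agreeing is the record that the
# acquisition changed nothing. Returns 0 on agreement, 1 otherwise.
verify_image() {
    src=$1; img=$2
    src_sha=$(sha256sum "$src" | cut -d' ' -f1)
    img_sha=$(sha256sum "$img" | cut -d' ' -f1)
    src_crc=$(cksum < "$src" | cut -d' ' -f1)
    img_crc=$(cksum < "$img" | cut -d' ' -f1)
    [ "$src_sha" = "$img_sha" ] && [ "$src_crc" = "$img_crc" ]
}

# Full walk-through in a scratch directory. Prints one line of the form
# "logical=<n> physical=<m> verified=<yes|no>", where n and m are how many
# times the deleted file's marker was found in each kind of copy.
demo() {
    work=$(mktemp -d)
    make_disk "$work/evidence.raw"
    logical_copy "$work/evidence.raw" "$work/files.bin"
    physical_image "$work/evidence.raw" "$work/evidence.dd"
    l=$(count_marker DELETED "$work/files.bin")
    p=$(count_marker DELETED "$work/evidence.dd")
    if verify_image "$work/evidence.raw" "$work/evidence.dd"; then v=yes; else v=no; fi
    rm -rf "$work"
    echo "logical=$l physical=$p verified=$v"
}
```

Running `demo` reports that the logical copy contains no trace of the deleted file while the bit-stream image does, and that the image verifies against the source under both tools. On a real device the same hashes would be recorded at acquisition time and recomputed before each examination, and a disagreement between the two tools would be the first sign of a bug in one of them rather than a change in the evidence.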

[2]http://www.cftt.nist.gov/




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279