Computer Forensics Gear
Mark Bigler
A wide range of tools are available to internal auditors charged with investigating illicit computer-related activity.
John wanted to get even with management for not approving his bonus. He typed an anonymous, threatening letter to the company president on his computer, printed a hardcopy, and then placed it in the mail. To cover his tracks, John exited the word processing program without saving the document on his hard drive. No incriminating evidence, he thought. Wrong! Several copies of the letter were saved automatically by the computer's word processing package and operating system. When John was later identified as a suspect for this incident, company auditors seized his computer, performed forensics procedures, and found the information they were looking for. The "smoking gun" existed in the form of digital evidence on his computer.
This scenario is just one example of a situation where internal auditors may be called upon to perform electronic forensics procedures. Computers are often used in committing crimes or acts contrary to company policy, and finding the smoking gun may require the auditor to delve deeply into the company's systems.
Depending on the nature of the act, evidence can be found in many different locations. For instance, auditors investigating an abusive e-mail may find evidence in an e-mail virus scanner server, a mail server, the miscreant's PC, or the victim's workstation. Mainframe and database systems contain transaction logs that may also provide evidence. Without the proper equipment, however, the evidence-gathering process can be daunting.
To facilitate the preservation, collection, analysis, and documentation of evidence, internal auditors can use a number of different technology tools. The following hardware and software devices comprise some of the options available to auditors charged with performing computer forensic investigations.*
PRESERVING THE EVIDENCE
Material gathered from an investigation may be used in a criminal or civil court action; or, it might be examined by an independent expert to provide further details for the company's files. Regardless of what follows the auditor's computer forensics work, one of the most critical elements of the investigative process is the preservation of the evidence.
Computer evidence is very fragile and susceptible to damage from many sources. The best way to preserve data files is to make two "bit-stream" backup copies of the target computer's hard drive and any other seized storage media. Programs such as New Technologies Inc.'s (NTI) SafeBack and Guidance Software's EnCase can be used for this purpose. Both products are well-known in the court system and among computer forensics experts.
A backup storage device such as a DAT, CD-R, DVD-R, or Iomega Jaz drive should be used to record the bit-streamed data. After making the two copies, auditors should place one of them in an evidence locker and use the other for their analyses. The copy used for forensic procedures can be restored to a "clean" computer with a sufficiently large hard drive for examination.
If budget permits, a mobile backup system can be obtained complete with all the necessary hardware and software. Systems such as Computer Forensics Ltd.'s DIBS and Digital Intelligence Products Inc.'s FRED include a mobile backup unit and all necessary software to make bit-stream copies. Computer Forensics also offers a DIBS desktop computer solution, complete with forensic recognition, collection, analysis, and documentation software modules.
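The two-copy procedure above, as an added example (not code from the article or from any vendor it names): a Python script that writes both bit-stream copies in a single pass, records the MD5 of the source as it is read, and then re-hashes each copy from disk to prove it matches. The image file and its contents are constructed stand-ins for a seized drive.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512 * 1024  # read in 512 KiB blocks, a multiple of the 512-byte sector

def md5_of_file(path):
    """Hash a file block by block so that even a large drive image fits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def bit_stream_copy(source, destinations):
    """Copy every byte of `source` (a raw device node or an image file) to each
    path in `destinations` in one pass, hashing the bytes as they are read.
    Returns the MD5 of what was read from the source."""
    h = hashlib.md5()
    outs = [open(d, "wb") for d in destinations]
    try:
        with open(source, "rb") as src:
            for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
                h.update(chunk)
                for out in outs:
                    out.write(chunk)
    finally:
        for out in outs:
            out.close()
    return h.hexdigest()

def image_and_verify(source, evidence_copy, working_copy):
    """Make the two copies the article calls for, then re-read each copy from
    disk and check its MD5 against the source hash. Returns (source_md5, {path: ok})."""
    source_md5 = bit_stream_copy(source, [evidence_copy, working_copy])
    checks = {p: md5_of_file(p) == source_md5 for p in (evidence_copy, working_copy)}
    return source_md5, checks

def demo():
    """Constructed sample: a small image file stands in for the seized drive."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "seized_drive.img")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed drive contents" * 1000)
    evidence = os.path.join(work, "evidence_copy.img")  # goes to the evidence locker
    working = os.path.join(work, "working_copy.img")    # used for analysis
    source_md5, checks = image_and_verify(source, evidence, working)
    # Any later change to the working copy is detectable against the recorded hash.
    with open(working, "ab") as f:
        f.write(b"!")
    tampered_detected = md5_of_file(working) != source_md5
    return all(checks.values()), tampered_detected
```

The recorded source hash belongs in the case notes alongside the evidence copy, since it is what a later examiner compares against.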
FILE RECOVERY
Recognizing what constitutes evidence and knowing where to find it is partly art and partly science. However, a sound approach and the proper tools will eliminate much of the guesswork.
To begin, a listing of all programs and files from the bit-stream evidence copy should be made. EnCase, NTI's FileList, or Maresware's DISKCAT can be used to help document file listings. The auditor should review the list to determine the presence of programs that are used to hide, delete, protect, or encrypt data. Encryption tools include, for example, "pretty good privacy" (PGP) freeware encryption packages and commercial utility packages, such as McAfee's PGP Personal Security or NovaStor Corporation's DataSAFE. Additionally, there are freeware (Hide and Seek, S-Tools, STEGO, White Noise Storm) and commercial steganography packages, such as CenturionSoft's Steganos, that can hide files inside digital images or music files. These programs show "intent" to conceal evidence and may help the auditor determine which additional forensics tools will be necessary. Evidence in deleted files, slack space, unallocated space, swap files, and password-protected or encrypted files should then be collected for review.
DELETED FILES. Even when a user deletes files from his or her computer, that information may still be accessible on the system's hard drive. Deleted files can be recovered with software tools such as Norton Utilities, DIBS, or PowerQuest Corp.'s Lost & Found. After the files are located, they should be listed and reviewed for relevance to the investigation. EnCase, DIBS, and NTI's FileList are well-suited for this purpose. File characteristics should be noted, such as when the file was created, deleted, and last viewed. This type of evidence can be extremely important for determining time lines and showing relationships between computer files and storage media.
SLACK AND UNALLOCATED SPACE. Evidence in all of the slack space on the entire hard drive or other storage media can be retrieved quickly with tools such as NTI's GetSlack and Filter_I software utilities. GetSlack grabs all slack space and places it into a single file. In addition, DIBS and NTI's GetFree tools are useful for collecting all evidence in unallocated space for processing and searching.
After consolidating the slack and free space data, the auditor should then clean up these files so that a search/find tool can be implemented. Filter_I can be used to strip out all binary characters so that the auditor can then search the filtered file for desired text strings such as "password," "hate," or "destroy." Norton Utilities, dtSearch, DIBS, and NTI's Text Search Plus all offer fast text search tools that will save the auditor a significant amount of time looking for data of evidentiary value.
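As an added illustration of the slack-space collection and filtering described above (not code from the article or from NTI), the following Python script computes a file's slack from its size and the cluster size as the glossary at the end defines it, extracts the slack from a constructed two-cluster sample, strips non-printable bytes the way Filter_I does, and searches what remains for the keywords the text mentions. The cluster size and sample contents are assumptions.

```python
import re

CLUSTER_SIZE = 4096  # bytes per cluster; a constructed value for this example

def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of the file and the end of its last cluster."""
    if file_size == 0:
        return 0  # an empty file owns no cluster, so it has no slack
    return (-file_size) % cluster_size

def extract_slack(cluster_data, file_size, cluster_size=CLUSTER_SIZE):
    """cluster_data holds the raw clusters allocated to a file, in order.
    Everything past the logical end of the file is slack (what GetSlack collects)."""
    allocated = -(-file_size // cluster_size)  # ceiling division
    if len(cluster_data) != allocated * cluster_size:
        raise ValueError("cluster_data does not match the file's allocation")
    return cluster_data[file_size:]

def filter_binary(data, min_run=4):
    """Keep only runs of printable ASCII (like Filter_I) so a text search can work."""
    pattern = rb"[\x20-\x7e\r\n\t]{%d,}" % min_run
    return [m.group() for m in re.finditer(pattern, data)]

def search_keywords(strings, keywords):
    """Case-insensitive keyword search; returns {keyword: [matching strings]}."""
    hits = {}
    for s in strings:
        low = s.lower()
        for kw in keywords:
            if kw.lower().encode("ascii") in low:
                hits.setdefault(kw, []).append(s.decode("ascii", "replace"))
    return hits

def build_sample_clusters():
    """Constructed sample: two clusters once held a deleted draft letter; a new
    4800-byte file was then written over the start of them."""
    old = b"Draft: I will destroy the company if my bonus is denied. password=letmein\x00"
    old_data = (old * 200)[: 2 * CLUSTER_SIZE]
    new_file = b"Quarterly budget notes\r\n" * 200  # 4800 bytes -> needs 2 clusters
    return new_file + old_data[len(new_file):], len(new_file)

def demo():
    cluster_data, size = build_sample_clusters()
    slack = extract_slack(cluster_data, size)
    hits = search_keywords(filter_binary(slack), ["password", "hate", "destroy"])
    return slack_bytes(size), len(slack), sorted(hits)
```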
OBTAINING ADDITIONAL CLUES. A good disk editor is essential for viewing items such as the file allocation table, swap files, the master boot record, and the root directory. EnCase, Norton's Disk Editor, and Digital Intelligence Inc.'s DriveSpy are among the many tools available for this procedure. This type of software is also useful for viewing file slack and unallocated space. For those on a limited budget who want a single "best tool" for computer forensics work, a disk editor might be a worthwhile investment.
DOCUMENT AND GRAPHICS FILES
The hard drive and other media under investigation may contain a multitude of files that were produced by many applications. Of course, it's usually not feasible for an auditor to procure every possible database, spreadsheet, word processing, flowchart, or other software application on the market just to be able to view all of the files. Instead, a file viewer should be obtained. Products such as Jasc Software's Quick View, FileStream Inc.'s Turbo Browser 2000, and Clear & Simple Inc.'s DiskJockey 2000 enable users to view hundreds of file types using just one tool.
Auditors may encounter some difficulty with the document-viewing process if file extensions have been changed from those originally assigned by the application. Miscreants often alter the file names in this way to cover their tracks. When this occurs, however, the file's true type can usually still be determined. Many files contain a few bytes at the beginning of the file that constitute a unique signature or "file type." Most document and graphics files contain this signature. For example, the first six bytes at the beginning of a ".gif" file are either GIF89A or GIF87A. Microsoft Word documents contain a signature beginning with the letters "MSWD." Auditors should look at the signature for all files that the viewer software has difficulty reading. Either DiskCat by Maresware or a disk editor can be used for identifying mismatches in file headers and extensions.
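An added Python example, not code from the article or from Maresware, of the header-versus-extension check the text describes: it matches the first bytes of each file against a small signature list and walks a directory of constructed sample files to report the mismatches.

```python
import os
import tempfile

# (offset, magic bytes, type). The GIF and "MSWD" entries are the signatures the
# article cites (real GIF headers use a lowercase "a"); the OLE2 and ZIP entries
# are well-known additions.
SIGNATURES = [
    (0, b"GIF89a", "gif"),
    (0, b"GIF87a", "gif"),
    (0, b"MSWD", "doc"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file (Word 97-2003)
    (0, b"PK\x03\x04", "zip"),
]

def identify(header):
    """Return the type implied by the magic bytes, or None when nothing matches."""
    for offset, magic, ftype in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return ftype
    return None

def check_file(path):
    """Compare a file's signature with its extension; flag disagreement as a mismatch."""
    with open(path, "rb") as f:
        header = f.read(16)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    found = identify(header)
    return {"path": path, "extension": ext, "signature_type": found,
            "mismatch": found is not None and found != ext}

def scan_tree(root):
    """Walk a restored evidence copy and list files whose header and extension disagree."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            result = check_file(os.path.join(dirpath, name))
            if result["mismatch"]:
                findings.append(result)
    return findings

def build_sample_tree():
    """Constructed sample files: a GIF hidden behind .txt, an honest GIF,
    a ZIP archive renamed to .doc, and a plain text file."""
    root = tempfile.mkdtemp()
    samples = {"notes.txt": b"GIF89a" + b"\x00" * 20, "logo.gif": b"GIF89a" + b"\x00" * 20,
               "report.doc": b"PK\x03\x04" + b"\x00" * 20, "readme.txt": b"plain text, no signature"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

def demo():
    return sorted(os.path.basename(r["path"]) for r in scan_tree(build_sample_tree()))
```

Files with no recognised signature are reported as unknown rather than mismatched, so the list only flags cases where the evidence contradicts the extension.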
EXTRACTING AND SORTING DATA
Depending on the type of information the internal auditor is searching for, a good data extraction and sorting tool can save up to hundreds of hours. For example, if the investigation involves searching through a 200-gigabyte file of Internet URLs to determine whether or not employees are visiting pornography sites, a program such as ACL can pay for itself very quickly.
Alternatively, when working with a PC running a UNIX operating system, or a Windows PC with a UNIX subsystem loaded on it, the "grep," "awk," and "sed" commands can be used to filter through very large files quickly. These easy-to-learn commands accept wildcards for searching text patterns where a specific text string may not work well. In addition, the commands can be used to strip out "clutter" or unwanted data from files to make them more easily managed and reviewed for evidence.
CRACKING THE CODE
Miscreants will often try to hide evidence of their acts by using encryption or an application's password protection function. Forensic search utilities can't identify strings of text in password protected or encrypted files. However, with an effective password cracker tool -- or better yet a suite of tools -- the auditor has a good chance of opening the files for analysis.
AccessData Corp. and NTI both offer effective software for cracking password-protected or encrypted files. These programs work well on files that are blocked or encrypted by Microsoft Office and Lotus applications, WinZip, or PKZIP.
EQUIPPED FOR SUCCESS
Sound forensic equipment and procedures are paramount to successful investigations of abuses involving computers. Using the right investigative tools can help maximize the effectiveness of forensics work and ensure that evidence is kept in pristine shape. Reliable tools that can facilitate the investigative process are clearly an asset to the audit team, as well as the organization.
MARK BIGLER, CISA, CFE, CPA, heads the information systems audit function at J.D. Edwards in Denver.
(*.) Some of the tools mentioned may work in the UNIX environment, but because most government and corporate organizations use Microsoft operating systems, the discussion focuses primarily on tools suitable for DOS/Windows environments.
Computer Forensics Tools *
(Each entry lists Product -- Company -- Web site)

EVIDENCE PRESERVATION

Mirror Image (Bit Stream) Copy
  SafeBack -- New Technologies Inc. (NTI) -- www.forensics-intl.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  CaptureIT -- Ontrack Data International Inc. -- www.ontrack.com
  SnapBack DatArrest -- Columbia Data Products Inc. -- www.cdp.com
  ByteBack -- Tech Assist Inc. -- www.toolsthatwork.com
  Norton Ghost 2001 -- Symantec Corporation -- www.symantec.com
  Linux dd File Utility -- (Included with most Linux and UNIX operating systems)

Bit-Stream Software/Hardware Packaged Solutions
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com
  FRED -- Digital Intelligence Inc. -- www.digitalintel.com
  Mobile Forensic Workstation -- Vogon International Ltd. -- www.vogon.co.uk
  Portable Forensic Workhorse -- Forensic-Computers.com -- www.forensic-computers.com
  Solitaire Forensics -- Logicube -- www.logicube.com

Diskette Image Copy
  CopyQM Plus, Anadisk -- New Technologies Inc. -- www.forensics-intl.com
  DOS "Diskcopy /V" command -- (DOS operating system)

System Testing and Documentation
  GetTime -- New Technologies Inc. -- www.forensics-intl.com
  AMIDiag -- American Megatrends Inc. -- www.ami.com
  CheckIt Portable, CheckIt Suite -- Smith Micro Software Inc. -- www.smithmicro.com
  Partition Magic -- PowerQuest Corporation -- www.powerquest.com
  DOS "FDISK" Command -- (DOS operating system)

Drive Image and File Validation
  CRCMd5, DiskSig -- New Technologies Inc. -- www.forensics-intl.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  Md5 -- Mares and Company, LLC -- www.maresware.com

Anti-virus
  Norton Anti-Virus -- Symantec Corporation -- www.symantec.com
  Dr. Solomon's Anti-Virus, McAfee VirusScan -- Network Associates Inc. -- www.nai.com

EVIDENCE RECOGNITION, COLLECTION, ANALYSIS

File Listing and Documentation
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  FileList, NTI-Doc, ShowFL -- New Technologies Inc. -- www.forensics-intl.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com
  DISKCAT (also compares the file header to the file extension) -- Maresware -- www.maresware.com

Undelete
  Norton Utilities -- Symantec Corporation -- www.symantec.com
  Lost & Found -- PowerQuest Corporation -- www.powerquest.com
  Fast File Undelete -- dtidata.com -- www.dtidata.com

Directory Structure Documentation
  NTI-Doc -- New Technologies Inc. -- www.forensics-intl.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com

Text/Hex Editor (to view hidden, system, and text files; free space; FAT; swap files; slack, etc.)
  Norton Commander, Norton Utilities -- Disk Editor -- Symantec Corporation -- www.symantec.com
  WinHex -- State-of-the-Art Software -- www.sf-soft.de
  VEDIT -- Greenview Data Inc. -- www.vedit.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  DriveSpy -- Digital Intelligence Inc. -- www.digitalintel.com

Binary data filter
  Filter_I -- New Technologies Inc. -- www.forensics-intl.com

File Viewer (for spreadsheet, database, word processor, graphics, etc.)
  Quick View -- Jasc Software -- www.jasc.com
  Turbo Browser 2001 -- FileStream Inc. -- www.filestream.com
  DiskJockey 2000 -- Clear & Simple Inc. -- www.clear-simple.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com

Search/Find
  STRSRCH (logical), SS (physical) -- Maresware -- www.maresware.com
  dtSearch Desktop -- dtSearch Corporation -- www.dtsearch.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com
  Norton Utilities -- Symantec Corporation -- www.symantec.com
  Text Search Plus, DiskSearch Pro, DiskSearch 32 -- New Technologies Inc. -- www.forensics-intl.com

Sorter
  ACL -- ACL Services Ltd. -- www.acl.com
  UNIX commands such as "grep," "awk," and "sed" -- (UNIX operating system)
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com

Free (Unallocated) Space Collector/Viewer
  GetFree, Filter_I -- New Technologies Inc. -- www.forensics-intl.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com

Slack Space Collector/Viewer
  GetSlack, Filter_I -- New Technologies Inc. -- www.forensics-intl.com
  EnCase -- Guidance Software Inc. -- www.guidancesoftware.com
  DIBS -- Computer Forensics Ltd. -- www.computer-forensics.com

Password/Encryption Crackers
  Advanced Password Recovery Software Kit -- New Technologies Inc. -- www.forensics-intl.com
  Password Recovery Toolkit -- AccessData Corporation -- www.accessdata.com
  Passware Kit -- LostPassword.com -- www.lostpassword.com

Searcher for Web-related Evidence
  Net Threat Analyzer-IP Filter -- New Technologies Inc. -- www.forensics-intl.com

Hidden Partition Finders
  PartitionMagic -- PowerQuest Corporation -- www.powerquest.com
  Norton Utilities -- Symantec Corporation -- www.symantec.com
  PTable -- New Technologies Inc. -- www.forensics-intl.com
  Fdisk DOS Utility -- (DOS operating system)

(*) There are many software and hardware tools on the market that can be used for computer forensics. This listing only reflects a sample of such tools and is not meant to be all-inclusive.
EXPLANATION OF TERMS
CLUSTER. The smallest unit of storage the operating system can address and manage.
FILE ALLOCATION TABLE (FAT). This table is located near the beginning of the disk and keeps track of where data is stored on the disk. The FAT shows which clusters are free, bad, or the last cluster in a file. The directory list -- which contains information such as file name, extension, and date -- points to the FAT entry, which then points to where the file starts.
FILE SLACK. When a file is saved, it is assigned a certain number of clusters -- the smallest unit of storage the operating system can address and manage -- depending on the file's size. The number of clusters (that is, number of bytes) assigned to the file will always be equal to, or larger than, the actual file size. Thus, there will almost always be space between the end of the file and the end of the last cluster assigned to the file on the hard disk or other storage media. The space that exists from the end of the file to the end of the last cluster of the file is called slack. File slack contains the data from the previous file that the cluster held before the cluster was assigned to the new file for storage.
SECTOR. A hard drive is divided into sectors (usually 512 bytes), which are the smallest units of storage that can be read or written on a disk.
SWAP FILE SPACE. To run multiple programs simultaneously with a limited amount of physical memory, Microsoft Windows operating systems create a temporary file called a swap file. This file can contain information such as application data, pieces of documents, passwords, and e-mail.
UNALLOCATED (FREE) SPACE. The space available on a disk for saving files. When a user deletes a file, the file is not destroyed. Instead, the pointer (address) to the file is deleted, leaving the contents of the file intact. All deleted files become a part of the free space on the storage media. The computer uses free space to subsequently store new files.
COPYRIGHT 2001 Institute of Internal Auditors, Inc.
COPYRIGHT 2002 Gale Group