VSJ – October 2000 – Work in Progress

IAP President Jim Bates is Development Director with Computer Forensics Ltd. Here he discusses the principles involved in his work.

To define my terms: a “computer” is any electronic device capable of processing and/or storing information and the Concise Oxford Dictionary defines “forensic” as “of or used in courts of law”.

How computers store information varies with the medium used, but storage almost invariably consists of discrete changes to the medium at some granularity, so that those changes can subsequently be examined and interpreted to recover the pattern of the original information.

For example, take a sheet of paper ruled in black and white squares. The stored information is contained only in the pattern occupying the squares and is not concerned with the paper or the squares themselves.  Thus identical information may be stored on different substrates, marked in different ways (circles, triangles or magnetic dipoles) and with different conditions (on/off, black/white, north/south).  It is therefore self-evident that the medium (the substrate and the type and marking of the elements) is completely independent of the information, which may thus be altered without trace.  It is this possibility which concerns us when considering the forensic implications of electronically stored information. When such information is copied, there is no way to distinguish the original from the copy without reference to additional external information.

The majority of evidential information is found in semi-permanent storage and this may be evaluated in isolation by considering its content, location and condition.

Content and location are the most important and should be considered together.  For example, if representations of the letters ‘C’, ‘E’, ‘M’, ‘O’, ‘P’, ‘R’, ‘T’ and ‘U’ are found, they may be meaningless unless their relevant locations are known and they can form simple sequential textual information like the word “COMPUTER”.  Alternatively, as in the extreme case of encrypted information, the content may require additional processing before its intelligence becomes plain. The combining of words into files and files into directories together with their individual locations within an overall structure may also be vital elements within the evaluation and analysis process. Areas where such location information might add significantly to the investigation are the content of file slack space, the presence or absence of file fragmentation, the relationship between allocated and unallocated space or the degree of match between the logical and physical sequence of allocated clusters on a disk.  Each of these has figured in past investigations.
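The points above about content, location, file slack, fragmentation and unallocated space can be made concrete on a toy cluster-based volume. The following is an added illustration, not code from the article or from Computer Forensics Ltd; the 16-byte clusters, the cluster chain and every byte of "disk" content are constructed for the example, and the helper names are my own.

```python
"""Toy cluster-based volume: content versus location, file slack,
fragmentation and residue in unallocated space (all data constructed)."""

CLUSTER_SIZE = 16          # constructed: real media use 512-byte sectors or larger
CLUSTER_COUNT = 8
RESERVED = (0, 1)          # boot area / allocation table, never holds file data


def new_disk() -> bytearray:
    return bytearray(CLUSTER_SIZE * CLUSTER_COUNT)


def cluster_range(n: int) -> slice:
    return slice(n * CLUSTER_SIZE, (n + 1) * CLUSTER_SIZE)


def write_raw(disk: bytearray, cluster: int, data: bytes) -> None:
    """Write up to one cluster of bytes, leaving the remainder of the cluster
    untouched (an operating system does not clear it either)."""
    assert len(data) <= CLUSTER_SIZE
    start = cluster * CLUSTER_SIZE
    disk[start:start + len(data)] = data


def write_file(disk: bytearray, chain: list, data: bytes) -> None:
    """Store `data` across the given cluster chain, in chain order."""
    assert len(data) <= len(chain) * CLUSTER_SIZE
    for i, cluster in enumerate(chain):
        write_raw(disk, cluster, data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])


def file_content(disk: bytearray, chain: list, size: int) -> bytes:
    """Content only makes sense once the locations (the chain) are known."""
    raw = b"".join(bytes(disk[cluster_range(c)]) for c in chain)
    return raw[:size]


def file_slack(disk: bytearray, chain: list, size: int) -> bytes:
    """Bytes in the last allocated cluster beyond the logical end of file."""
    used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
    last = bytes(disk[cluster_range(chain[-1])])
    return last[used_in_last:]


def contiguous_runs(chain: list) -> int:
    """1 means the file is stored contiguously; more means it is fragmented."""
    runs = 1
    for prev, nxt in zip(chain, chain[1:]):
        if nxt != prev + 1:
            runs += 1
    return runs


def unallocated_clusters(chains: list) -> list:
    allocated = set(RESERVED)
    for chain in chains:
        allocated.update(chain)
    return [c for c in range(CLUSTER_COUNT) if c not in allocated]


def residue_in_unallocated(disk: bytearray, chains: list) -> dict:
    """Non-zero data in clusters no live file points at (deleted-file residue)."""
    found = {}
    for c in unallocated_clusters(chains):
        data = bytes(disk[cluster_range(c)]).rstrip(b"\x00")
        if data:
            found[c] = data
    return found


def build_example():
    """Constructed volume: residue of earlier files, then one fragmented live file."""
    disk = new_disk()
    write_raw(disk, 3, b"OLD BANK DETAILS")      # constructed residue, never reallocated
    write_raw(disk, 6, b"DELETED PASSWORD")      # constructed residue, later partly overwritten
    content = b"COMPUTER FORENSICS EXAMINATION 2000"
    chain = [2, 5, 6]                            # fragmented: clusters 2 then 5-6
    write_file(disk, chain, content)
    return disk, chain, len(content)


if __name__ == "__main__":
    disk, chain, size = build_example()
    print("content :", file_content(disk, chain, size))
    print("slack   :", file_slack(disk, chain, size))
    print("runs    :", contiguous_runs(chain))
    print("residue :", residue_in_unallocated(disk, [chain]))
```

Reading only the live file gives the 35 bytes of text; reading the same cluster by location also yields the slack left over from the overwritten earlier file, and cluster 3, which no live file references, still holds whatever was written there. That is why the collection phase must copy by location rather than by what the operating system currently reports as in use.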

The forensic examination process consists of three distinct phases: collection, examination and evaluation.  These must be undertaken in this order with examination and evaluation taking place upon the copied information.

This immensely powerful capability of being able to conduct investigations on forensically sound copies of data, rather than on the data itself, preserves the integrity of the original information as best evidence.  Given that the great majority of investigations are concerned with the overall content of files and require little or no subjective opinion, once a forensically sound copy has been made, investigation can often be completed by operatives with a limited degree of computer expertise.

For a full investigation it is vital that the information collection process is undertaken in a completely non-discriminatory manner.  That is, the pattern of stored information must be collected without regard to its relationship to anything except itself and its associated hardware.  For example, the contents of a 500-megabyte disk should be copied sector by sector from sector 0 to the end without regard to the content, even if only 50 megabytes are configured as currently in use.  Thus, any data that might be hidden from, or inaccessible to, the resident operating system will be copied and available for examination.  This does not disqualify information copied solely on the basis of the current operating configuration but it does ensure the completeness of the copy and may provide additional evidence in confirmation or rebuttal.

Ideally, two copies of the computer contents are taken at the earliest opportunity during an investigation and preferably in the presence of the owner (or his legal representative).  When the copies are completed the owner is invited to choose one to be sealed in his presence.  The sealed copy is signed by the owner or his legal representative and is kept secure by the police.  Forensic examination is conducted on the other copy and the computer may be returned to the owner.  In the event of a challenge to the integrity of the working copy, the court can order the seal to be broken on the secure copy and it can be independently examined. The security of this process is greatly improved if some system of internal verification is implemented in the copying procedure such that any subsequent alterations might be located and identified.
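The sector-by-sector copy described above, together with the "internal verification" that lets later alterations be located, can be sketched in a few lines. This is an added example and not the article's or Computer Forensics Ltd's own procedure; the 512-byte sector size, the eight-sector "device" and its contents are constructed, and SHA-256 is a present-day choice standing in for whatever checksum a given imaging tool records.

```python
"""Sector-by-sector imaging with a per-sector hash manifest (constructed device)."""
import hashlib

SECTOR = 512


def image_device(device: bytes, sector_size: int = SECTOR):
    """Copy every sector from 0 to the end, regardless of whether the operating
    system regards it as in use, and record one hash per sector plus a hash of
    the whole image."""
    assert len(device) % sector_size == 0, "device must be a whole number of sectors"
    image = bytearray()
    manifest = []
    for n in range(len(device) // sector_size):
        sector = device[n * sector_size:(n + 1) * sector_size]
        image += sector
        manifest.append(hashlib.sha256(sector).hexdigest())
    return bytes(image), manifest, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, manifest: list, sector_size: int = SECTOR) -> list:
    """Return the numbers of the sectors whose content no longer matches the
    manifest; an empty list means the copy is unchanged."""
    altered = []
    for n, expected in enumerate(manifest):
        sector = image[n * sector_size:(n + 1) * sector_size]
        if hashlib.sha256(sector).hexdigest() != expected:
            altered.append(n)
    return altered


def locate(image: bytes, needle: bytes, sector_size: int = SECTOR):
    """Sector number in which `needle` first occurs, or None."""
    pos = image.find(needle)
    return None if pos < 0 else pos // sector_size


def make_device() -> bytes:
    """Constructed 8-sector device. Sectors 0-3 are what the operating system
    reports as in use; sectors 4-7 lie outside the configured area."""
    dev = bytearray(8 * SECTOR)
    dev[0:4] = b"BOOT"
    note = b"report.doc: quarterly figures"
    dev[3 * SECTOR:3 * SECTOR + len(note)] = note
    old = b"old deleted note: meet at nine"          # constructed residue
    dev[6 * SECTOR:6 * SECTOR + len(old)] = old
    return bytes(dev)


def tamper(image: bytes, sector: int, sector_size: int = SECTOR) -> bytes:
    """Flip one byte in the given sector of a copy (to show verification working)."""
    altered = bytearray(image)
    altered[sector * sector_size] ^= 0xFF
    return bytes(altered)


if __name__ == "__main__":
    device = make_device()
    working, manifest, whole = image_device(device)
    sealed, _, sealed_hash = image_device(device)
    print("copies identical by hash:", whole == sealed_hash)
    print("residue found in sector :", locate(working, b"meet at nine"))
    print("altered sectors         :", verify_image(tamper(working, 6), manifest))
```

Taking two images yields byte-identical copies with the same hash, which is the point made earlier: nothing in the data itself distinguishes original from copy, so the external record (the manifest, the seal, the signature) carries that distinction. Because the whole device was copied, residue in sector 6 is present even though the operating system would not have listed it, and if the working copy is later challenged the manifest identifies exactly which sectors differ rather than merely reporting that the overall hash has changed.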

If the computer is to be seized and not returned, only a single copy is necessary for working purposes since the seized computer will constitute the “best evidence”.  However, even then, given the transient nature of some storage systems (on hand-held computers, for instance) an additional sealed copy is a desirable safeguard.