Criminalistics - Chapter17.doc

Cust: PH/NJ Au: Saferstein


<CHAP NUM="17" ID="CH.00.0017">chapter 17

<CHAP NUM="17" ID="CH.00.017"><FM><TTL>Computer Forensics</TTL>

<AU><NA>By Andrew W. Donofrio</NA></AU>

<KTSET><TTL>Key Terms</TTL>

<KT>bit</KT>

<KT>byte</KT>

<KT>central processing unit (CPU)</KT>

<KT>cluster</KT>

<KT>file slack</KT>

<KT>hard disk drive (HDD)</KT>

<KT>hardware</KT>

<KT>latent data</KT>

<KT>Message Digest 5 (MD5)/secure hash algorithm (SHA)</KT>

<KT>motherboard</KT>

<KT>operating system (OS)</KT>

<KT>partition</KT>

<KT>RAM slack</KT>

<KT>random-access memory (RAM)</KT>

<KT>sector</KT>

<KT>software</KT>

<KT>swap file</KT>

<KT>temporary files</KT>

<KT>unallocated space</KT>

<KT>visible data</KT></KTSET>

<OBJSET><TTL>Learning Objectives</TTL>

<P>After studying this chapter you should be able to:

<OBJ><P>List and describe the hardware and software components of a computer</P></OBJ>

<OBJ><P>Understand the difference between read-only memory and random-access memory</P></OBJ>

<OBJ><P>Describe how a hard disk drive is partitioned</P></OBJ>

<OBJ><P>Describe the proper procedure for preserving computer evidence at a crime scene</P></OBJ>

<OBJ><P>Understand the difference between and location of visible and latent data</P></OBJ>

<OBJ><P>List the areas of the computer that will be examined to retrieve forensic data</P></OBJ></P></OBJSET></FM>

<CASE><TTL>The BTK Killer</TTL>

<P>Dennis Rader was arrested in February 2005 and charged with committing ten murders since 1974 in the Wichita, Kansas, area. The killer, whose nickname stands for “bind, torture, kill,” hadn’t murdered since 1991, but resurfaced in early 2004 by sending a letter to a local newspaper taking credit for a 1986 slaying. Included with the letter were a photocopy of the victim’s driver’s license and three photos of her body. The BTK killer was back to his old habit of taunting the police. Three months later another letter surfaced. This time the letter detailed some of the events surrounding BTK’s first murder victims. In 1974, he strangled Joseph and Julie Otero along with two of their children. Shortly after those murders occurred, BTK sent a letter to a local newspaper in which he gave himself the name BTK. In December 2004, a package found in a park contained the driver’s license of another BTK victim along with a doll whose hands were bound with pantyhose and who was covered with a plastic bag.</P>

<P>The major break in the case came when BTK sent a message on a floppy disk to a local TV station. “Erased” information on the disk was recovered and restored by forensic computer specialists, and the disk was traced to the Christ Lutheran Church in Wichita. The disk was then quickly linked to Dennis Rader, the church council president. The long odyssey of the BTK killer was finally over.</P></CASE>

<BM><P>Since the 1990s, few fields have progressed as rapidly as computer technology. Computers are no longer a luxury, nor are they in the hands of just a select few. Technology and electronic data are a part of everyday life and permeate all aspects of society. Consequently, computers have become increasingly important as sources of evidence in an ever-widening spectrum of criminal activities.</P>

<P>Investigators frequently encounter computers and other digital devices in all types of cases. As homicide investigators sift for clues they may inquire whether the method for a murder was researched on the Internet; whether signs of an extramarital affair can be found in e-mail or remnants of instant messages, which might provide motive for a spouse killing or murder for hire; or whether threats were communicated to the victim prior to a murder by an obsessed stalker. Arson investigators want to know whether financial records on a computer might provide a motive in an arson-for-profit fire. A burglary investigation would certainly be aided if law enforcement determined that the proceeds from a theft were being sold online—perhaps through eBay or a similar online auction site.</P>

<P>Accessibility to children and the perception of anonymity have given sexual predators a way to seek out child victims online. The vulnerability of computers to hacker attacks is a constant reminder of security issues surrounding digitally stored data. Finally, the fact that computers control most of our critical infrastructure makes technology an appetizing target for would-be terrorists.</P>

<P>Computer forensics involves the preservation, acquisition, extraction, analysis, and interpretation of computer data. Although this is a simple definition, it gets a bit more complicated. Part of this complication arises from technology itself. More and more devices are capable of storing electronic data: cell phones, personal digital assistants (PDAs), iPods, digital cameras, flash memory cards, smart cards, jump drives, and many others. Methods for extracting data from these devices each present unique challenges. There are, however, sound forensic practices that apply to all these devices. The most logical place to start to examine these practices is with the most common form of electronic data: the personal computer.</P>

<H1>From Input to Output: How Does the Computer Work?</H1>

<H2>Hardware versus Software</H2>

<P>Before we get into the nuts and bolts of computers, we must establish the important distinction between hardware and software. <KT>Hardware</KT><SIDEIND NUM="1" ID="MN2.17.001"/> comprises the physical components of the computer: the computer chassis, monitor, keyboard, mouse, hard disk drive, random-access memory (RAM), and central processing unit (CPU), and so on (see <LINK LINKEND="FG.17.001">Figure <FIGIND NUM="1" ID="FG.17.001"/>17–1</LINK>). The list is much more extensive, but generally speaking, if it is a computer component or peripheral that you can see, feel, and touch, it is hardware.</P>

<P><KT>Software</KT><SIDEIND NUM="2" ID="MN2.17.002"/>, conversely, is a set of instructions compiled into a program that performs a particular task. Software consists of programs and applications that carry out a set of instructions on the hardware. Operating systems (Windows, Mac OS, Linux, Unix), word-processing programs (Microsoft Word, WordPerfect), web-browsing applications (Internet Explorer, Netscape Navigator, Firefox), and accounting applications (Quicken, QuickBooks, Microsoft Money) are all examples of software. It is important not to confuse software with the physical media that it comes on. When you buy an application such as Microsoft Office, it comes on a compact disc (CD). The CD containing this suite of applications is typically referred to as software, but this is technically wrong. The CD is external computer media that contains the software; it is a container for and a medium to load the set of instructions onto the hard disk drive (the hardware).</P>

<H2>Computer Case/Chassis</H2>

<P>The case is the physical box holding the fixed internal computer components in place. Cases come in many shapes and sizes: a full upright tower chassis, a slim desktop model sitting on the desktop, or an all-in-one monitor/computer case like the iMac. For our purposes, the term <ITAL>system unit</ITAL> is probably most appropriate when describing a chassis seized as evidence. The term <ITAL>system unit</ITAL> accurately references the chassis, including the motherboard and other internal components.</P>

<H2>Power Supply</H2>

<P>The term <ITAL>power supply</ITAL> is something of a misnomer, because the unit does not itself supply power—the power company does that. Rather, a computer’s power supply converts power from the wall outlet into a form usable by the computer and its components. Different power supplies have different wattage ratings. The use of the computer, or more specifically its components, dictates the appropriate power supply.</P>

<H2>Motherboard</H2>

<P>The main circuit board in a computer (or other electronic devices) is referred to as the <KT>motherboard</KT><SIDEIND NUM="3" ID="MN2.17.003"/>. Motherboards contain sockets for chips and slots for add-on cards. Examples of add-on cards are a video card to connect the computer to the monitor, a network card or modem to connect to an internal network or the Internet, and a sound card to connect to speakers. Sockets on the motherboard typically accept things like random-access memory (RAM) or the central processing unit (CPU). The keyboard, mouse, CD-ROM drives, floppy disk drives, monitor, and other peripherals or components connect to the motherboard in some fashion through a direct wired or wireless connection.</P>

<H2>System Bus</H2>

<P>Contained on the motherboard, the system bus is a vast complex network of wires that carry data from one hardware device to another. This network is analogous to a complex highway. Data is sent along the bus in the form of ones and zeros (or, more appropriately stated, as electrical impulses representing an “on” or “off” state—this two-state computing is also known as <ITAL>binary computing</ITAL>).</P>

<H2>Read-Only Memory (ROM)</H2>

<P>This rather generic term describes special chips on the motherboard. ROM chips store programs called <ITAL>firmware</ITAL>, used to start the boot process and configure a computer’s components. Today’s ROM chips, termed <ITAL>flash ROM</ITAL>, are a combination of two types of chips used in past motherboard technologies. The first was known as the <ITAL>system ROM</ITAL>, which was responsible for booting the system and handling the “assumed” system hardware present in the computer. Because the system ROM generally could not be altered, and because changes to the “assumed” hardware became more common as technology matured, a different type of chip was introduced. The <ITAL>complementary metal-oxide semiconductor</ITAL> (CMOS) was a separate chip that allowed the user to exercise setup control over several system components. Regardless of how this technology is present on the motherboard, it can be referred to as the BIOS, for <ITAL>basic input-output system</ITAL>. The operation of the BIOS is relevant to several computer forensic procedures, particularly the boot sequence. It is the set of routines associated with the BIOS in ROM that initiates the booting process and enables the computer to communicate with various devices in the system such as disk drives, keyboard, monitor, and printer. As will become clear later, it is important not to boot the computer under investigation from its original hard disk drive: booting writes to the drive, changing the data and thus compromising the integrity of the evidence. The BIOS allows investigators to control the boot process to some degree.</P>
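The integrity problem described above is what the chapter's key terms MD5 and SHA are used for: an examiner hashes the acquired image, and any later write (such as the ones a boot would cause) changes the digest. The following is an added example, not code from the textbook; the disk image and the "boot write" are constructed stand-ins.

```python
import hashlib
import io

# Constructed stand-in for a tiny disk image (not a real drive image):
# a few boot-sector-like bytes, padding, then some "evidence" text.
SAMPLE_IMAGE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"MSWIN4.1" + b"\x00" * 120
                + b"evidence text: letter to TV station" + b"\x00" * 64)

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so multi-GB images fit in memory

def hash_image(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} over everything readable from stream.
    MD5 is kept because the chapter lists it; SHA-256 is the stronger pair."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data."""
    return hash_image(io.BytesIO(data), algorithms)

def verify_image(data, expected):
    """Re-hash data and report, per algorithm, whether the recorded digest
    still matches; any False means the evidence is no longer pristine."""
    current = hash_bytes(data, tuple(expected))
    return {name: current[name] == expected[name] for name in expected}

def simulate_boot_write(image, offset, new_bytes):
    """Model what booting from the original drive does: the operating
    system writes to it (timestamps, logs), changing bytes in place."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]

def demo():
    baseline = hash_bytes(SAMPLE_IMAGE)          # recorded at acquisition
    untouched = verify_image(SAMPLE_IMAGE, baseline)
    altered = simulate_boot_write(SAMPLE_IMAGE, 140, b"X")
    tampered = verify_image(altered, baseline)   # one byte changed
    return baseline, untouched, tampered

if __name__ == "__main__":
    base, ok, bad = demo()
    print(base)
    print("untouched image verifies:", all(ok.values()))
    print("image written to during boot verifies:", all(bad.values()))
```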

<H2>Central Processing Unit (CPU)</H2>

<P>The <KT>central processing unit (CPU)</KT><SIDEIND NUM="5" ID="MN2.17.005"/>, also referred to as a processor, is essentially the brain of the computer. It is the main (and typically the largest) chip that plugs into a socket on the motherboard. The CPU is the part of the computer that actually computes. Basically, all operations performed by the computer are run through the CPU. The CPU carries out the program steps to perform the requested task. That task can range from opening and working in a Microsoft Word document to performing advanced mathematical algorithms. CPUs come in various shapes, sizes, and types. Intel Pentium chips and Advanced Micro Devices (AMD) chips are among the most common.</P>

<H2>Random-Access Memory (RAM)</H2>

<P>This is one of the most widely mentioned types of computer memory. <KT>Random-access memory (RAM)</KT><SIDEIND NUM="4" ID="MN2.17.004"/> takes the burden off the computer’s processor and hard disk drive (HDD). If the computer had to access the HDD each time it wanted data, it would run slowly and inefficiently. Instead the computer, aware that it may need certain data at a moment’s notice, stores the data in RAM. It is helpful to envision RAM as chips that create a large spreadsheet, with each cell representing a memory address that the CPU can use as a reference to retrieve data. RAM is referred to as <ITAL>volatile memory</ITAL> because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer. RAM takes the physical form of chips that plug into the motherboard; SIMMs (Single Inline Memory Modules), DIMMs (Dual Inline Memory Modules), and SDRAM (Synchronous Dynamic Random-Access Memory) are just a few of the types of chips. Today’s computers come with various denominations of RAM: 256 MB (megabytes), 512 MB, and 1 GB (gigabyte) are the most common.<FNIND NUMBER="1"/>1</P>

<H2>Input Devices</H2>

<P>Input devices are used to get data into the computer or to give the computer instructions. Input devices constitute part of the “user” side of the computer. Examples include the keyboard, mouse, jo...
