Computer Forensics

Computer forensics is the process of investigating computer systems by collecting and analyzing computer-related evidence and data to establish whether, and how, they were involved in a crime or fraud. This relatively new field is used by law enforcement, the military, intelligence agencies, and businesses. Computer evidence processing protocols are scrupulously observed throughout, because the findings may have to be presented in a court of law.

Computer forensics is not just data recovery. It is a fast-growing investigative discipline in which a forensic specialist retrieves data that has been stored, hidden, deleted or encrypted on digital media such as a personal or work computer. Law enforcement agencies use it to gather evidence about a suspect or known criminal. Corporate examiners use it to detect rogue employees or contractors who are leaking critical information such as company plans or sensitive customer data.

Many computer forensics professionals learn the techniques on the job in law enforcement or computer security positions. With the field expanding, employers increasingly look for candidates with certificates and formal education in computer forensics, which many institutions now offer. Formal programs cover the pertinent legal issues, the computer skills, and the forensic tools that practitioners will need in the job.

A computer forensics specialist needs extensive knowledge of computer systems and software and the ability to retrieve information from them. Often the task is to recover data that has been deleted from a device; for this the specialist uses purpose-built forensic software and hardware.

Because the specialist works with evidence in a criminal or civil case, he or she must document every action taken on the computer and every item of information found on it. No licensing requirement exists for practicing as a computer forensics specialist, but voluntary credentials are available, such as the Certified Information Systems Security Professional (CISSP), a general security certification, and the Certified Computer Examiner (CCE), which is specific to forensic examination. Computer forensics consulting is also a fast-growing field.

Computer forensics has become an integral part of law enforcement agencies, defense forces, corporations, and large institutions, as they all deal with computer-related offenses.

Computer Forensics – Finding Out What The Bad Guys Did With Their Computers!

Computer forensics is a lot like the CSI investigation programs on television. Using advanced techniques and technology, a computer forensic examiner reconstructs a possible crime from the data left on computer systems: email trails, files, hidden directories and other related clues.

Computer forensics is the scientific examination of computers or computer-related data in relation to an investigation by a law enforcement agency, for use in a court of law. While the discipline is nearly as old as computers themselves, advances in technology are constantly revising it.

Because everything on a computer ultimately comes down to ones and zeros, tracking what was done and when is in principle straightforward, although in practice it remains difficult. Forensic science has kept up with the task of tracing what was done and building a timeline to reconstruct a possible crime. Although it is possible to overwrite and securely remove data from a hard drive, most people assume that pressing Delete really removes the data. In fact, a delete only marks the file's entry in the file system's index as unallocated; the file's contents remain on the disk until those sectors are reused. It is up to the data recovery skills of the forensic examiner to recover that data without modifying it.
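The recovery the paragraph describes is called file carving: the index entry is gone, so the examiner searches the raw bytes of the image for known file signatures instead. The following is an added example, not code from the article; it constructs a toy disk image in memory (a made-up 512-byte-sector layout with a tiny directory in sector 0), "deletes" a JPEG by clearing only its directory entry, and then carves the file back out of the copy by its header and footer bytes. Tools such as foremost, scalpel and PhotoRec apply the same idea to real images.

```python
"""
Signature-based carving of a "deleted" file from a raw disk image.

Added example, not taken from the article. The image is constructed in
memory: a made-up 512-byte-sector layout in which sector 0 holds a tiny
directory, and a "delete" clears only the directory entry while the data
sectors are left untouched, which is the situation the text describes.
"""
import hashlib

SECTOR = 512

# Well-known magic bytes (header, footer) for a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def build_toy_image():
    """Return (image_before_delete, image_after_delete, original_file_bytes).

    Layout (constructed for this example): sector 0 = directory,
    sector 1 = unused, sectors 2.. = file data, padded to a sector boundary.
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD-" * 40 + b"\xff\xd9"
    entry = b"photo.jpg|start=2|len=%d\n" % len(jpeg)
    directory = entry.ljust(SECTOR, b"\x00")
    unused = bytes(SECTOR)
    sectors_needed = -(-len(jpeg) // SECTOR)            # ceiling division
    data = jpeg.ljust(sectors_needed * SECTOR, b"\x00")
    image = directory + unused + data
    # The "delete": only the index entry is wiped; the content stays on disk.
    deleted = bytes(SECTOR) + unused + data
    return image, deleted, jpeg


def directory_lists(image: bytes, name: bytes) -> bool:
    """What a normal file listing would show: is the name in the index?"""
    return name in image[:SECTOR]


def carve(image: bytes, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Scan the whole image for header/footer pairs regardless of the index.

    Returns a list of (file_type, byte_offset, carved_bytes). max_len bounds
    how far past a header to look for its footer, so a header with no footer
    cannot swallow the rest of the image. Fragmented files are not handled;
    plain carving assumes the file was stored contiguously.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (h := image.find(header, pos)) != -1:
            f = image.find(footer, h + len(header), h + max_len)
            if f == -1:
                pos = h + 1          # header without footer: keep scanning
                continue
            end = f + len(footer)
            found.append((ftype, h, image[h:end]))
            pos = end
    return found


def sha256(data: bytes) -> str:
    """Hash used to show the carved file is byte-identical to the original."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    live, wiped, original = build_toy_image()
    print("listed before delete:", directory_lists(live, b"photo.jpg"))
    print("listed after delete: ", directory_lists(wiped, b"photo.jpg"))
    for ftype, offset, blob in carve(wiped):
        print(f"carved {ftype} at offset {offset}, {len(blob)} bytes, "
              f"sha256 matches original: {sha256(blob) == sha256(original)}")
```

Two practitioner points the code makes explicit: carving is always run against the image, never the original evidence, and the carved bytes are hashed against a known copy where one exists, because a signature match alone does not prove the recovered file is intact.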

Computer forensics can also be used to track email, instant messaging and just about any other form of computer-related communication. This is necessary in a world where data travels around the globe in seconds. Packet sniffers can be placed on a network link to capture what is passing through it in real time, which is remarkable considering the millions of packets moving through any one part of the network.

Computer forensic science is an interesting niche in law enforcement that is seldom considered as a career. Because it is relatively new, many consider the field wide open to anyone with the initiative to learn the skills. Unlike many computer-related jobs, a computer forensic specialist's work is unlikely to be outsourced to a country on the other side of the world: the data is simply too sensitive to be sent around the globe to save a little money.

Computer Forensic Experts

Computer forensics is the process of preserving, identifying, extracting and documenting electronic evidence. The term was first used in 1991 at a training session of the International Association of Computer Investigative Specialists (IACIS). Computer forensics has long been used in law enforcement and military applications to gather evidence from electronic sources. Today it is increasingly used in the corporate sector as well, driven by the growing volume of electronic data created, stored and transferred every day.

Every second, thousands of pages of electronic data are transferred across the world, and along the way data can be lost or altered. Computer forensics covers the retrieval of such data using specialized software tools and techniques. It is used to identify relevant data on personal computers and other storage devices, and also to identify the leakage of sensitive data from a computer or inherent weaknesses in a system.

When documents are created electronically, applications typically write temporary and working copies alongside the file. Even after a document is deleted or updated, remnants of it remain on the hard disk and can be recovered with the right tools.

Computer forensics starts with a complete copy of the data on the computer: a bit-for-bit image of the entire hard disk, which contains even temporary, deleted or altered files. The examiner computes a cryptographic hash, a digital fingerprint, of the original drive and of the image, so that any later tampering can be detected. Analysis is performed on the image rather than on the original, so that date stamps and other metadata on the evidence are never altered. The analysis can also reveal historical information about a file, such as when it was deleted or altered, and the retrieved information can be exported in whatever format the case requires. There are three stages: acquire, analyze and report.

There are many companies that provide computer forensic services, and many software tools with options such as cloning and disk imaging, file preview and picture galleries that make forensic recovery faster and more accurate.

Solving Crime with Computer Forensics

Computer forensics is the scientific examination of computers or computer-related data in relation to an investigation by a law enforcement agency, for use in a court of law. While the discipline is nearly as old as computers themselves, advances in technology are constantly revising the science of computer forensics.

In the early days, computer forensics mostly meant data dumps: printing out every keystroke that had been logged on a computer as a series of eight binary digits, all zeroes and ones. Cases of paper would be consumed printing the material. Systems analysts then had to convert all of the data into hex and translate each value back into the keystroke it represented. In this way it was possible to go over all of the data and work out at what point the computer and its program had crashed. Like computers and technology in general, computer forensics has evolved by leaps and bounds since then.

While everything on a computer still ultimately boils down to binary and hex, the way programs are created, run and used has changed drastically, and computer forensics has kept up. Hard drives can now be wiped clean, but a standard format does not overwrite the data, and unless the drive has been deliberately overwritten the data can usually still be retrieved (in rare cases even after an overwrite attempt). It takes an expert, someone familiar with both the computer's technology and the science of computer forensics, to reconstruct data that has been wiped from a hard drive.

Computer forensics can be used to track email, instant messaging and just about any other form of computer-related communication, which is often necessary in the world today. Forensic tooling has advanced to the point where data can be tracked in real time, as it is sent and received. This is a mind-numbing task when you think about the billions of communications going on around the globe at any given time, but the science of computer forensics keeps advancing as quickly as, and sometimes faster than, the technology it investigates.

Computer forensics is an interesting aspect of technology that is often overlooked. It has been used to solve many crimes and should be considered a viable tool in many ways. The study of computer forensics is constantly growing along with technology.

Best Practices for Computer Forensics in the Field

Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success rests on verifiable, repeatable, reported results that represent direct evidence of suspected wrongdoing or potential exoneration. This article sets out a series of best practices for the computer forensics practitioner, representing the best evidence for defensible procedures in the field. Best practices are intended to capture processes that have repeatedly proven successful. This is not a cookbook: best practices should be reviewed and applied according to the needs of the organization, the case and the case setting.

Job Knowledge

An examiner can only be so well informed when walking into a field setting. In many cases the client or the client's representative will provide some information about how many systems are in question, their specifications and their current state, and just as often that information is critically wrong. This is especially true of hard drive sizes, opening laptop computers, password cracking and device interfaces. A seizure that brings the equipment back to the lab should always be the preferred option, because it provides maximum flexibility. If you must acquire onsite, create a comprehensive working list of the information to be collected before you go into the field. The list should consist of small steps with a checkbox for each, so that the examiner always knows the next step and never has to think on their feet.

Overestimate

Overestimate by at least a factor of two the time you will need to complete the job. This includes getting access to the device, starting the forensic acquisition with the proper write-blocking strategy, filling out the paperwork and chain of custody documentation, copying the resulting files to another device and restoring the hardware to its initial state. Keep in mind that you may need service manuals to take apart small devices and reach the drive, which adds difficulty to both the acquisition and the hardware restoration. Live by Murphy's Law: something will always challenge you and take more time than anticipated, even if you have done it many times.

Inventory Equipment

Most examiners have a sufficient variety of equipment to perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to carry out the site acquisition. All of us will see equipment fail or some other incompatibility become a show-stopper at the most critical moment. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, verify your equipment with a hashing exercise: image a known drive and confirm the hashes match. Double-check and inventory your whole kit against a checklist before setting off.

Flexible Acquisition

Instead of making best guesses about the exact size of the client's hard drive, bring mass storage devices and, if space is an issue, use an acquisition format that compresses the data. After collecting the data, copy it to a second location. Many examiners limit themselves to the traditional acquisition, in which the machine is opened, the drive removed, connected behind a write blocker and imaged. Linux offers other acquisition methods: booted from a CD, it lets the examiner make a raw copy of the drive without writing to it. Be familiar enough with the process to know how to collect hash values and other logs. Live acquisition is also discussed below. Leave the imaged drive with the attorney or the client and take the copy back to your lab for analysis.
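Both the earlier description of imaging (a bit-for-bit copy, a hash of the original as a fingerprint, analysis on the copy) and the raw-copy-plus-hashes procedure above come down to the same loop. The block below is an added example, not from the article and not any vendor's tool: it reads a constructed "device" in fixed-size blocks, hashes the bytes as they stream past, writes them unchanged to an image file, re-reads the finished image to confirm the hashes, and writes an acquisition log. In the field this is `dd`, `dc3dd` or `ddrescue` run from a boot CD behind a hardware write blocker; the example also shows what `dd conv=noerror,sync` does with an unreadable sector, which is the failure mode that most often turns a clean acquisition into a mismatch.

```python
"""
Acquisition of a raw block device into an image file, hashed as it is read
and verified afterwards, in pure Python.

Added example; not from the article and not any vendor's tool. A bad block
is handled the way `dd conv=noerror,sync` does: zeros are written in its
place and the offset is recorded, so later data keeps its alignment.
The "device" is a constructed byte string served through a read callback.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096  # read/write unit, like dd's bs=


def blocks_needed(size: int) -> int:
    """Ceiling division: number of BLOCK-sized reads to cover size bytes."""
    return -(-size // BLOCK)


def make_device(size: int, bad_block=None):
    """Constructed stand-in for a drive: deterministic bytes plus an optional
    block index that raises an I/O error when read. Returns (raw, read_block)."""
    data = bytes((i * 7 + 3) % 256 for i in range(size))

    def read_block(i: int) -> bytes:
        if i == bad_block:
            raise OSError(5, "Input/output error")
        return data[i * BLOCK:(i + 1) * BLOCK]

    return data, read_block


def hash_bytes(data: bytes):
    """(md5, sha256) of a byte string; both are logged because courts and
    tools vary in which they expect."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def acquire(read_block, total_blocks: int, image_path: str, log: dict) -> dict:
    """Image total_blocks blocks through read_block into image_path.

    Hashes cover exactly the bytes written. With no read errors they equal
    the source hashes; if a block was zero-filled the log says so, and the
    image hash is what later verification must be checked against.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    log.update(started=time.time(), block_size=BLOCK, bad_blocks=[])
    with open(image_path, "wb") as img:
        for i in range(total_blocks):
            try:
                chunk = read_block(i)
            except OSError as err:
                chunk = bytes(BLOCK)  # conv=noerror,sync: pad, keep alignment
                log["bad_blocks"].append({"block": i, "offset": i * BLOCK,
                                          "error": str(err)})
            md5.update(chunk)
            sha.update(chunk)
            img.write(chunk)
    log.update(finished=time.time(), bytes=os.path.getsize(image_path),
               md5=md5.hexdigest(), sha256=sha.hexdigest())
    return log


def hash_file(path: str):
    """Re-read a finished image block by block and return (md5, sha256)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify(image_path: str, log: dict) -> bool:
    """The check done before the image leaves the scene and again in the lab."""
    return hash_file(image_path) == (log["md5"], log["sha256"])


def write_log(log: dict, path: str) -> None:
    """Acquisition record, filed with the chain of custody paperwork."""
    with open(path, "w") as f:
        json.dump(log, f, indent=2)


def demo(size: int, bad_block=None):
    """Run one acquisition into a temp dir; returns (raw, log, image_path)."""
    raw, reader = make_device(size, bad_block)
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    log = acquire(reader, blocks_needed(size), image,
                  {"case": "EXAMPLE-001", "item": "HDD-1"})   # constructed ids
    write_log(log, image + ".log.json")
    return raw, log, image


if __name__ == "__main__":
    raw, rec, image = demo(10 * BLOCK + 100)
    print("source hashes == image hashes:", hash_bytes(raw) == (rec["md5"], rec["sha256"]))
    print("image verifies:", verify(image, rec), "bad blocks:", rec["bad_blocks"])
```

The design point worth carrying into the field: the hash is taken over the bytes written, in the same pass, so the image file and its log are produced together and the verify step re-reads the image independently. When the bad-block list is non-empty the source hash and image hash legitimately differ, and the log is what explains that difference to a court.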

Pull the Plug

Heated discussion surrounds what to do on encountering a running machine. Two clear choices exist: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug; it is the best way to prevent any malicious process from running that might delete or wipe data, or some similar pitfall, and it leaves the swap file and other system state on disk exactly as they were when the machine was last running. Be aware, however, that pulling the plug can also corrupt files that were open on the system, making them unavailable for examination or to the user. Businesses sometimes prefer a clean shutdown and should be given the choice once the impact has been explained. It is critical to document how the machine was brought down, because that knowledge is essential during analysis.

Live Acquisitions

Another option is a live acquisition. Some define "live" as a running machine as it is found; for this purpose it means that the machine itself is running in some form during the acquisition. One method is to boot into a customized Linux environment that includes enough support to image the hard drive (often among other forensic capabilities) but is configured never to mount or write to the host's disks. Special distributions also exist that use the Windows autorun feature to perform incident response on a live system. These approaches require advanced knowledge of Linux and experience in computer forensics. This kind of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option.

The Fundamentals

An amazingly common oversight is neglecting to boot the device once the hard disk has been removed from it. Checking the BIOS is critical to a fully validated analysis: the time and date reported by the BIOS must be recorded alongside a trusted reference time, especially when time zones are an issue, and a variety of other information is available depending on who wrote the BIOS. Remember also that drive manufacturers can hide areas of the disk (the Host Protected Area, and similarly a Device Configuration Overlay), and your acquisition tool must be able to make a full bitstream copy that takes these into account. Finally, the examiner must understand how the hashing mechanism works: some hash algorithms may be preferred over others not for their technical soundness but for how they are perceived in a courtroom.
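The BIOS time matters because every timestamp on the disk was written by that clock. The block below is an added example, not from the article, of what the examiner does with the two values recorded at the scene: the time the BIOS displayed and a trusted reference time read at the same moment. Their difference is the clock skew, which is applied to each on-disk timestamp before it goes on the timeline. One detail the example handles that the text only hints at with "time zones are an issue": NTFS stores timestamps in UTC, while FAT (typical for USB sticks) stores the machine's local wall-clock time, so the two need different treatment. The machine's zone, the BIOS reading and the file events are all constructed.

```python
"""
Building a corrected UTC timeline from a suspect machine whose clock and
time zone cannot be taken at face value.

Added example, not from the article. A fixed UTC offset stands in for the
machine's configured zone; a real case takes the zone (and its DST rules)
from the OS configuration or registry.
"""
from datetime import datetime, timedelta, timezone


def clock_skew(bios_time: datetime, reference: datetime) -> timedelta:
    """How far the suspect clock runs ahead of true time (both tz-aware)."""
    if bios_time.tzinfo is None or reference.tzinfo is None:
        raise ValueError("both times must carry a time zone")
    return bios_time - reference


def to_corrected_utc(stamp: datetime, stored_as_utc: bool,
                     machine_tz: timezone, skew: timedelta) -> datetime:
    """Convert one naive on-disk timestamp to corrected UTC.

    stored_as_utc=True  : NTFS-style, the value is already UTC.
    stored_as_utc=False : FAT-style, the value is local time in machine_tz.
    Either way it was written by a clock that was `skew` ahead of true time.
    """
    if stamp.tzinfo is not None:
        raise ValueError("on-disk timestamps are naive; the zone comes from context")
    aware = stamp.replace(tzinfo=timezone.utc if stored_as_utc else machine_tz)
    return (aware - skew).astimezone(timezone.utc)


def build_timeline(events, machine_tz: timezone, skew: timedelta):
    """events: iterable of (naive_stamp, stored_as_utc, source, description).
    Returns (corrected_utc, source, description) rows sorted by time."""
    rows = [(to_corrected_utc(st, utc, machine_tz, skew), src, desc)
            for st, utc, src, desc in events]
    rows.sort(key=lambda r: r[0])
    return rows


# ---- constructed scene data (not real case data) --------------------------
MACHINE_TZ = timezone(timedelta(hours=-5))                          # OS setting
BIOS_TIME = datetime(2007, 3, 14, 10, 5, 0, tzinfo=MACHINE_TZ)      # as displayed
REFERENCE = datetime(2007, 3, 14, 15, 2, 0, tzinfo=timezone.utc)    # trusted clock

EVENTS = [
    # (on-disk value, stored_as_utc, source, description)
    (datetime(2007, 3, 14, 9, 58, 0), False, "FAT32 USB", "secret.doc created"),
    (datetime(2007, 3, 14, 14, 50, 0), True, "NTFS C:", "secret.doc modified"),
    (datetime(2007, 3, 14, 14, 52, 0), True, "NTFS C:", "secret.doc last accessed"),
]


def demo():
    """Skew from the scene readings, then the corrected timeline."""
    skew = clock_skew(BIOS_TIME, REFERENCE)
    return skew, build_timeline(EVENTS, MACHINE_TZ, skew)


if __name__ == "__main__":
    skew, rows = demo()
    print(f"clock skew: {skew} (positive = suspect clock runs fast)")
    for when, src, desc in rows:
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), src, desc)
```

Without the correction the USB timestamp (09:58 local) and the NTFS timestamps (14:50 UTC) cannot be compared at all; with it, the order of events is unambiguous and every row carries the same reference frame the examiner will be asked to defend.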

Store Securely

Acquired images should be stored in a protected, static-free environment. Examiners should have access to a locked safe in a locked office. Drives should be stored in anti-static bags and protected with anti-static packing materials or the original shipping material. Each drive should be tagged with the client name, the attorney's office and the evidence number. Some examiners photocopy drive labels, if a copier is available during the acquisition, and file the copy with the case paperwork. At the end of the day, each drive should link to a chain of custody document, a job, and an evidence number.

Establish a Policy

Many clients and attorneys will push for an immediate acquisition and then sit on the evidence for months. Agree with the attorney how long you are willing to keep the evidence in your lab, and charge a storage fee for critical or large-scale jobs. You may be storing critical evidence in a crime or civil action, and while from a marketing perspective it may seem a good idea to keep a copy of the drive, from the perspective of the case it may be better to return all copies to the attorney or client with the appropriate chain of custody documentation.

Conclusion

Examiners have many choices about how to carry out an onsite acquisition, and the onsite acquisition is the most volatile environment they face: tools may fail, time constraints can be severe, observers may add pressure, and suspicion may be in the air. Examiners need to take seriously the maintenance of their tools and the development of ongoing knowledge, so as to learn the best technique for every situation. Using the best practices set out here, the examiner should be prepared for almost any situation and able to set reasonable goals and expectations for the effort in question.

Trojan Problems

Have you ever had this problem with your computer? Every time you open Internet Explorer to surf the web, an error message reads "Failed to get data for 'ad'", followed by the dreaded illegal operation box, and Internet Explorer shuts down.

When navigating around My Computer or the Control Panel you get the same message, although you can still use the controls despite it.

This is an example of a Trojan. Trojans are not viruses; they are malware usually hidden in a .exe file that you download online.

Here are examples of how it can happen.

1) You run a .exe file attached to an email from an address you recognized.

2) You visited some sites and downloaded .exe files that looked like something else you were looking for.

3) You clicked a "Click Here!" link in someone's AOL Instant Messenger profile and it dropped about three Trojan droppers on your computer. Your virus checker may detect them but be unable to remove, quarantine or delete them without damaging your operating system.

After a complete system scan one may assume the virus checker has dealt with it, yet a week later the symptoms resurface.

If you are out of ideas and your antivirus program is unable to help, before formatting your hard disk and reinstalling the OS, try a dedicated Trojan remover. Trojans are not viruses, so you need a specialized removal tool that is constantly updated to handle the many variants of a single Trojan.

Take, for example, Trojan.Vundo. It displays multiple pop-ups in Internet Explorer, and you end up seeing things you may not want to see. There are many variants of this Trojan, and frequently updated anti-Trojan, anti-malware and anti-spyware tools can detect and clean them quickly. This saves time and avoids the lengthy process of reinstalling Windows XP, the drivers and everything else.

Computer Forensics Consultants

The field of computer forensics consulting is emerging and fast growing, with services offered to military groups, government agencies, small companies and large corporations. Consultants offer their services in an independent capacity, meaning they are not on the staff of any institution or agency.

Computer forensic specialists may be hired as freelancers or consultants for long-term, regular work by smaller corporations and institutions that cannot afford to employ full-time forensic experts. They may also be retained for particular assignments involving unusual data recovery problems.

Consultants are usually paid by the hour for work and services that are essentially the same as those performed by in-house specialists: the retrieval and evaluation of data stored, and possibly encrypted, on digital media.

The consultant's work varies, because it is organized case by case. Each case differs from the next, so the specialist must apply his or her skills to the tools at hand in order to uncover the data and information. Consultants also need to follow the standard process for presenting the information before a court, and so need sufficient knowledge of legal procedure.

Since investigators specializing in computer forensics are increasingly sought after, educational qualifications in the field are becoming desirable as well; associate, bachelor's and master's degree programs are available.

Gotcha! Computer Technology Helps Catch the Bad Guys

Life's becoming a little more difficult for lawbreakers, thanks to some new digital technologies. For example, British researchers have developed a fingerprint compression technology that transmits prints from a crime scene to a fingerprint bureau in a fraction of the typical four to 20 minutes. The same researchers are working on a technology to identify shoe impressions taken from crime scenes, a procedure currently done manually.

Police in Richmond, Virginia, are introducing data mining, predictive analysis and business intelligence tools to respond more rapidly to crime, and possibly to prevent future crime. The LAPD is using video surveillance and criminal recognition software to get a bird's-eye view of activity in a crime-ridden area.

CompStat

Various technologies are gaining prominence, such as the somewhat controversial but highly regarded CompStat. CompStat helps law enforcement organizations collect and organize crime information quickly, which allows officials to identify emerging patterns in criminal activity and deploy resources more effectively.

According to BlogHouston.net, proponents describe this technology as an "advanced statistical analysis of crime aimed at preventing future crime."

This award-winning program is credited with reducing crime rates through increased police accountability. Law enforcement agencies across the United States, including the NYPD and the LAPD, use it to analyze data and plan crime-prevention tactics. The program reportedly played a key role in the well-documented reduction in crime New York City enjoyed under former mayor Rudy Giuliani.

In With the Old

Sometimes harnessing the power of crime-fighting technology means using older technologies in new and inventive ways. For example, in late 2006 New York City announced plans to equip 911 call centers to receive digital images and video sent from cell phones and computers. When citizens report a crime in progress, they can simultaneously send pictures or video of the crime scene, the perpetrator or the victim.

The digital imagery gives emergency responders and law enforcement a better understanding of the situation, and is likely to supply information that panicked callers do not. Response teams can then assess the preferred approach to the incident sooner. Empowering citizens to use everyday technology in this way was a world first, according to Mayor Michael Bloomberg.

In a similar vein, New York City is combating domestic violence in part with the MapInfo Professional mapping application, which lets law enforcement personnel visualize relationships between data and geography.

The city is also using MapInfo's MapMaker tool for mapping and analyzing data and adding geographic coordinates to database records. A city spokesperson reported importing miscellaneous city data, such as road maps, English proficiency ratings and homework rates, into MapInfo and overlaying it on a map of the city to display patterns and trends.

The information generated by these tools helps the city decide how resources should be allocated. It also reveals an area's cultural makeup and the languages most often spoken in the community. Knowing where domestic violence victims live and which language they speak allows officers to communicate with victims more effectively.

Real-Life Success

These and other forensic technologies translate into real-life success stories that affect our lives in ways we could not have imagined 20 years ago. For example, in San Jose in October, a man driving a stolen Toyota kidnapped a 12-year-old girl. The girl escaped and reported the incident to the police, and the kidnapper abandoned the Toyota. Some hours later a patrol car equipped with license-plate recognition passed the Toyota and the system's computer-generated voice announced "stolen car." The officer found evidence in the Toyota that led to the kidnapper's arrest.

Europe and Britain have used license-plate recognition for more than 20 years, but it is relatively new in the United States. Police could always enter license plates into a computer manually, but this technology scans the plate of every car they pass: an officer can now check as many as 12,000 plates per shift instead of the 50 that could be done by hand. Although the technology raises concerns among privacy watchdogs, it is hard to argue that any privacy violation occurred in this example.

In another recent development, Thai researchers used nanotechnology to develop eyeglasses that detect invisible traces of bodily fluids left at a crime scene. The scientists applied nano-crystallized indium oxynitride to glass or plastic lenses. The lenses filter light of various wavelengths and let the wearer see otherwise invisible traces of saliva, semen, blood and lymph immediately.

The current technology, a forensic light source, also lets investigators see traces invisible to the naked eye, but it is an awkward and time-consuming procedure, since forensic teams must look separately for each type of fluid. Once the new technology is patented and commercialized it will dramatically speed up this process.

Closer to home, researchers at the University of Missouri-Columbia have found a mathematical solution for separating one sound from another in a recording of a noisy environment. In what is known as the "cocktail party" problem, sound-editing technology has been unable to separate one voice from many in busy environments such as a party or a crowded mall. Researchers in the past have separated voices but could not reproduce the voice's characteristics.

Current technologies are not completely reliable because they confuse voices with similar pitches. With the new mathematical solution and help from programmers, the researchers hope to develop software that will let law enforcement agencies or the Department of Homeland Security isolate voices or sounds reliably.

Sadly, there is a flip side to all this good news. In an interview with Computerworld magazine, Frank Abagnale, the notorious former criminal depicted in the movie Catch Me If You Can, noted that it would be 4,000 times easier for him to commit his crimes today than it was 40 years ago, and that today he probably would not go to prison for it.

“Technology breeds crime-it always has, it always will,” he is reported to have said.

Speeding PHP Using APC PHP Cache

If you look at a PHP source file you will notice one thing. It's a source file. Not particularly surprising, but think about what you deploy when you deploy a PHP application: PHP source files. For many other languages, such as Java or C, when you deploy an application you deploy the compiled file. So, the question you want to ask yourself is this: how much time does a PHP application spend compiling source files versus running the code? I'll answer that for you: a lot.

There are advantages to being able to deploy source files, though. It makes it easy to make on-the-fly configuration changes or bug fixes to a program, much like we used to do in the early BASIC languages. Just change the file, and the next time it is accessed your change is reflected. So, how do we keep the dynamic nature of PHP without recompiling our files every time they are accessed?

A PHP cache. It's surprising to me that this concept is not built into the base PHP engine, but perhaps that is because some companies can sell this add-on to speed up PHP. Luckily for us, some companies and open source projects provide this plug-in for PHP at no charge. These plug-ins are generally known as PHP accelerators; some of them do optimization and then caching, and some only do caching. I'm not going to pass judgment on which one is the best, any of them is better than nothing, but I decided to use APC, the Alternative PHP Cache. I chose this one because it is still in active development and is open source and free.

The Alternative PHP Cache can be found at php.net; just look down the left column for APC. It comes in source form, so you will need to compile it before installing it, but do not worry about that part. If you're using Red Hat 4 or CentOS 4 I'll tell you exactly how to do it. If you're using something else, you'll need the same tools, but getting the tools might be a bit different.

1. The Tools

Do you know how many web sites, forums and blogs I went to with my error messages before I found the answers as to what I was missing when I was trying to install APC, the Alternative PHP Cache? Two days' worth, but I finally found the correct combination, and it's really quite obvious, as is everything once you know the answer. There are three sets of dev tools that you will need.

1a. You'll need a package group called "Development Tools"; this includes all the important dev tools such as the GCC compiler.

1b. You'll need a package called php-devel, which, as you might guess, contains the development tools and headers for PHP.

1c. You'll need a package called httpd-devel, which of course contains the dev tools and headers for the Apache web server.

On Red Hat or CentOS getting these should be as easy as the following 3 commands:

yum groupinstall "Development Tools"

yum install php-devel

yum install httpd-devel

You'll do these three one at a time and follow any instructions (usually just saying yes).

Now it's time to follow the instructions contained in the APC package. Since these may change over time I'm not going to go through them. They are very complete. If you follow the instructions and get an apc.so file out of it, then you're all set, just modify your php.ini file and you're good to go.

There are two problems that I encountered that you may encounter too. The first is an error when running phpize. I ignored this error and everything succeeded okay, but not before I spent hours looking for the solution to this error. Here is the error.

configure.in:9: warning: underquoted definition of PHP_WITH_PHP_CONFIG

run info '(automake)Extending aclocal'

or see http://sources.redhat.com/automake/automake.html#Extending-aclocal

configure.in:32: warning: underquoted definition of PHP_EXT_BUILDDIR

configure.in:33: warning: underquoted definition of PHP_EXT_DIR

configure.in:34: warning: underquoted definition of PHP_EXT_SRCDIR

configure.in:35: warning: underquoted definition of PHP_ALWAYS_SHARED

acinclude.m4:19: warning: underquoted definition of PHP_PROG_RE2C

People would have had me updating my PHP version from 4.3.9 and everything else under the sun to get rid of this error, but in the end it did not matter. My APC compiled and installed nicely and I am good to go.

The other slight problem that I ran into was the location of php-config. The install instructions wanted me to do the following:

./configure --enable-apc-mmap --with-apxs --with-php-config=/usr/local/php/bin/php-config

However, my php-config is in /usr/bin/php-config. Making that change allowed this part to work.

So, have at it; once it's done you can expect to see huge improvements in your web site response times and reductions in your CPU load. One more quick note: my server hosts about 20 web sites, but only 3 or 4 are really busy. To reduce the memory footprint of caching everything for all 20 sites I used the apc.filters property. Although this property is slightly flawed for non-qualified includes, it worked nicely for my Serendipity blogs. Your mileage with this property will vary according to the software you are using and how it does its includes.

Computer Forensics Files – The Little Dame That Wouldn’t – Real CSI Cases from Burgess Forensics #14

The stories are true; the names and places have been changed to protect the potentially guilty.

A dame, a rich guy, and an email account: what more do you need for a story?

I was in my office one fine spring day in Marin studying the benefits of Eastern philosophy, engaged in my special snoring meditation, when the buzzing of the telephone dragged me back to the present. It was Sam & Dave – not the Soul Men, but the lawyers in the Valley. They had a situation. A computer expert was heading over to their offices to make a copy of their client's computer – the dame's laptop – to try to prove that she sent endearing emails to a scorned male – the rich guy … Mr. Silicon Valley.

See, rich guy had not been so rich until some computer hardware of his design had been snapped up by a big player in the computer world for a hefty sum. Newly rich Mr. Silicon decided to try his hand at picture books – picture books of natural looking young ladies in their native birthday attire. The hook was that they would be all natural – no silicone for Mr. Silicon.

One day, Mr. S was driving through the Rockies when he espied a liberated young lady. Liberated in the sense that she was 17, but living on her own. S offered to liberate her from a dead-end waitress job if she would come live in his valley mansion. It would all be very Platonic – they'd each have their own end of the mansion – and she would work with the picture book office staff.

But as our young lady reached adulthood, Mr. S became enamored enough to make our lovely waif a bit uncomfortable. She thought he was acting like a creep. She wanted out – out of the office and out of the mansion. The word “harassment” strikes fear into the heart of many an employer, and Sam & Dave were looking for a settlement to enrich all involved. But Mr. S was not to give up so easily. He maintained that the lovely Miss had been sending him endearing love letters from her America OnLine account. Sure enough, her account had sent those letters – but had she been the one to send them? AOL has a setting that allows a user to sign in automatically – that is, to sign in without having to type in a password. This setting is almost always a mistake, unless no one else is ever near your computer. I always recommend to my clients that they take the extra 5 seconds out of their busy schedules to type an actual password. You might have guessed that her AOL was set to log in automatically.

But the letters had been sent after she had already left the office. That meant that if she had sent them, she must have drafted them on her laptop from home. A deal was made. Mr. S hired a computer expert to do some digital discovery. He'd make an identical copy of the hard disk from her laptop, while sitting in Sam & Dave's conference room. This is where I entered the picture. S & D wanted me to make sure that the hired thugs … er, experts … would not pull any funny stuff. I went to observe on the day of the copying.

Just a short half hour or so after their scheduled arrival, the other experts arrived. They were decked out in full company regalia. Their bright jackets, hats, and business cards announced their offices in New York, Tokyo, London, Hong Kong, and Los Angeles. These guys were apparently internationally jetting big shots. As it turned out, only one was the bigshot – the other guy was the gofer. Bigshot sat in a chair and bragged about his exploits while Gofer unloaded their equipment. A large, high-powered desktop computer, with external drives hooked up through an Adaptec SCSI host adapter, appeared on the tabletop. A briefcase full of secret computer forensic software was opened to reveal its treasures. The golden floppy disk was removed from the briefcase. Bigshot examined the laptop, and announced, “We cannot do this copy – there's no floppy drive.”

I was a little dumbfounded. Surely these guys had all of the computer forensic equipment known to mankind. “I have EnCase and ByteBack,” he said, “but I need to boot from a floppy drive to make a copy.” This was at least half accurate. Whenever a drive is operated in a Windows environment, Windows writes bits and pieces of data to the drive. Under such circumstances, the data is changed and is not a true identical, “bit-for-bit” copy. It's not a forensic image. But when the system is booted from a DOS diskette, nothing gets written to the hard disks. This is what the fellow was looking to do.

I suggested he remove the hard disk from the laptop, and hook it up through a write-blocker to his desktop computer. “What's a write-blocker?” he asked. “Gofer, do we have any write blockers?” Gofer's look of befuddlement answered for him. I explained to Bigshot International that a write blocker is a device that can be hooked up between the hard disk and the cable it is attached to, or between an external enclosure holding the hard disk and the USB cable leading to the computer. The MyKey NoWrite FPU is one of my favorites. The Tableau works well. The Disk Jockey Forensic was not around then. The DriveDock & others would have been fine. But he did not have any by anyone.

Still, removing the hard disk, attaching it to his system and booting the system from his floppy diskette should have been fine. I suggested as much. “How do you take out the hard disk?” he asked. Maybe laptops are different in London and Hong Kong and those other places he had offices.

I asked S & D's secretary for a little Phillips screwdriver, and removed the hard disk for Our Man. “It does not hook up to my IDE cable,” he said. You see, laptop IDE hard disks and desktop IDE hard disks are different sizes. Most in laptops are 2.5″ and most in desktops are 3.5″, and never the twain shall meet – at least, not on the same cable. The 40-pin connector on the laptop is, unsurprisingly, smaller in size. “How about an adapter?” I said. “Have you a 2.5″ to 3.5″ adapter?”

“Have we got one, Gofer?” Befuddlement answered wordlessly again. I suggested a quick run to the local computer store. I even volunteered to go, for the Mensa-level technical skill was getting to me a little at that point.

Twenty minutes later, we had an adapter from a local Mom & Pop computer shop. Some adapters for laptop drives hook up the opposite way from what is intuitive. Once I warned against hooking the laptop drive up backwards, Bigshot got everything set up right, the computer booted, and a good copy looked like it was only minutes away. That is, until I heard, “My target disk drive is not big enough.” Well, I did not want him to have to go all the way to Tokyo or New York for another. I suggested hooking up additional drives from his special briefcase to the SCSI bus, then changing the image size. Many computer forensic programs allow one to acquire a large drive as several or many contiguous images of a smaller size. By changing his configuration, Mr. B could make many successful CD-sized images of about 650 MB each, instead of one giant one that would not fit in the available space in any one of his hard drives.
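The segmented acquisition described above only counts as a forensic image if the segments, read back in order, reproduce the source drive bit for bit, which is normally shown with a hash. The following is an added example, not code from Burgess Forensics or from any of the tools named in the story; it assumes SHA-256 as the hash (the story does not say which was used), uses a constructed 1 MiB file as the "drive", and verifies both that the segments match and that the source was not altered by the copy.

```python
import hashlib
import os
import tempfile

def hash_files(paths, chunk=1 << 20):
    """SHA-256 over the concatenated contents of paths, read in order."""
    h = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()

def acquire_segmented(source_path, out_dir, segment_size):
    """Copy source into numbered segments of at most segment_size bytes,
    hashing the whole stream once on the way through; returns (paths, hexdigest)."""
    whole, paths = hashlib.sha256(), []
    with open(source_path, "rb") as src:
        for n, chunk in enumerate(iter(lambda: src.read(segment_size), b""), 1):
            path = os.path.join(out_dir, f"image.{n:03d}")
            with open(path, "wb") as seg:
                seg.write(chunk)
            whole.update(chunk)
            paths.append(path)
    return paths, whole.hexdigest()

def demo():
    """Constructed sample: a 1 MiB 'drive' split into 300 KiB segments."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "laptop_hdd.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    before = hash_files([drive])
    segs, acquired = acquire_segmented(drive, workdir, 300 * 1024)
    after = hash_files([drive])                 # source untouched by acquisition
    good = hash_files(segs) == acquired         # segments reconstitute the source
    with open(segs[1], "r+b") as f:             # flip one byte in segment 2
        f.seek(10); b = f.read(1); f.seek(10); f.write(bytes([b[0] ^ 0xFF]))
    tampered = hash_files(segs) == acquired     # now False
    return len(segs), before == acquired == after, good, tampered

if __name__ == "__main__":
    print(demo())  # -> (4, True, True, False)
```

In a real acquisition the source hash is taken behind a write blocker, and the per-acquisition hash is recorded so that any later copy of the segments can be checked the same way.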

With the copy proceeding apace, I asked S & D what I should do next. We saw the estimated time of completion was about five hours away! I wondered if sitting waiting for electrons to move was the best use of my time and their money, and they seemed to think it was not. I explained what to look out for – any cables being unplugged, any keyboards being typed on, any utterances of “oops” or “oh no!” from the Dynamic Duo making the copies. The job should be mostly babysitting until the copy was completed. I headed back to the airport, and to my office at Burgess Forensics to finish my interrupted meditation.

How did it all turn out? There were no loving emails drafted on the laptop. The computer she had used at the office was being used to send bogus emails from her auto-logon AOL account. Mr. S was ready to settle … after just one more meeting.

As part of the settlement, Mr. S & our lovely Miss had one last lunch together. They met at an outdoor café. It might have been romantic, but Miss sat well out of reach; her lawyer sat just out of earshot a couple of tables to the west. The attorney for S sat just out of earshot a couple of tables to the north. Everybody ate lunch. S paid the bill – three bills, actually – one for lunches, one for the lawyers, and one settlement for the lovely lady. She then walked away and never looked back.

While I never met the lady, I was alerted to look for her on a fashion show. There she was, on the TV, looking like the waif that models are apparently supposed to resemble. I could not tell if she looked any richer, but I hoped she would spend some of the settlement on a few more lunches – she could have filled out a little and looked a bit more … natural. But that's outside my area of expertise. A nutritionist I'm not – I do computers.

This is just one of the many “CSI * – Computer Forensics Files: Real Cases from Burgess Forensics” cases in the file. Stay tuned for more stories of deceit uncovered by science.

* The (online) Free Dictionary lists more than 160 definitions for CSI – for us it's Computer Scene Investigation.