Computer Forensics Tools

In general, a computer forensic investigator will use a tool in order to gather data from a system (e.g. a computer or computer network) without altering the data on that system. This aspect of an investigation, the care taken to avoid altering the original data, is a fundamental principle of computer forensic examination, and some of the tools available include functions specifically designed to uphold this principle. In reality it is not always easy to gather data without altering the system in some way (even the act of shutting a computer down in order to transport it will most likely cause changes to the data on that system), but an experienced investigator will always strive to protect the integrity of the original data whenever possible. To do this, many computer forensic examinations involve making an exact copy of all the data on a disk. This copy is called an image, and the process of making an image is often referred to as imaging. It is this image which is usually the subject of subsequent examination.

Another key concept is that deleted data, or parts thereof, may be recoverable. Generally speaking, when data is deleted it is not physically wiped from the system; rather, only a reference to the location of the data (on a hard disk or other medium) is removed. Thus the data may still be present, but the operating system of the computer no longer “knows” about it. By imaging and examining all of the data on a disk, rather than just the parts known to the operating system, it may be possible to recover data which has been accidentally or purposely deleted.
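The two ideas above, imaging the whole medium and then looking past the filesystem's own bookkeeping for deleted data, can be shown on a constructed toy disk. The following is an added example written for this page, not code from any tool mentioned here: the 16-byte sectors, the four-entry directory table and the MSG/END file markers are all invented for the illustration. Deleting a file only zeroes its directory entry; the image of the full medium still contains the bytes, and carving by signature finds them.

```python
"""Toy disk imaging and deleted-file carving (added example, constructed data)."""
import hashlib
import struct

SECTOR = 16                               # constructed: tiny sectors keep the layout readable
DIR_ENTRIES = 4                           # constructed: fixed-size directory table
ENTRY_FMT = ">8sII"                       # 8-byte name, start offset, length (big-endian)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes per entry
DIR_BYTES = DIR_ENTRIES * ENTRY_SIZE      # the data region starts after the directory
HEADER, FOOTER = b"MSG\x00", b"\x00END"   # constructed markers of our toy "message" file format


def build_disk(files):
    """Lay the files out sector-aligned after the directory and return the raw medium."""
    disk = bytearray(DIR_BYTES)
    for index, (name, data) in enumerate(files.items()):
        start = len(disk)
        disk += data
        disk += b"\x00" * (-len(disk) % SECTOR)   # pad to the sector boundary (slack space)
        struct.pack_into(ENTRY_FMT, disk, index * ENTRY_SIZE, name.encode(), start, len(data))
    return disk


def list_files(disk):
    """The operating system's view: only files that still have a directory entry."""
    visible = {}
    for index in range(DIR_ENTRIES):
        name, start, length = struct.unpack_from(ENTRY_FMT, disk, index * ENTRY_SIZE)
        if length:                                # an all-zero entry is free space to the OS
            visible[name.rstrip(b"\x00").decode()] = bytes(disk[start:start + length])
    return visible


def delete_file(disk, name):
    """Delete the way most filesystems do: drop the reference, leave the data in place."""
    for index in range(DIR_ENTRIES):
        offset = index * ENTRY_SIZE
        entry_name = struct.unpack_from(ENTRY_FMT, disk, offset)[0]
        if entry_name.rstrip(b"\x00").decode() == name:
            disk[offset:offset + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return True
    return False


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_disk(disk):
    """Bit-for-bit copy of every sector, allocated or not, plus the hash that proves it."""
    image = bytes(disk)
    return image, sha256_hex(image)


def carve(image):
    """Recover message payloads by signature, ignoring the directory entirely."""
    found = []
    pos = image.find(HEADER)
    while pos != -1:
        end = image.find(FOOTER, pos + len(HEADER))
        if end == -1:
            break
        found.append((pos, image[pos + len(HEADER):end]))
        pos = image.find(HEADER, end + len(FOOTER))
    return found


def demo():
    # Constructed sample evidence: two messages, one of which is then deleted.
    disk = build_disk({"memo1": HEADER + b"hello" + FOOTER,
                       "memo2": HEADER + b"coffee emails" + FOOTER})
    delete_file(disk, "memo2")
    visible = sorted(list_files(disk))              # what the OS still "knows" about
    image, image_hash = image_disk(disk)            # acquire the whole medium...
    verified = image_hash == sha256_hex(disk)       # ...and prove the copy matches the source
    recovered = [payload for _, payload in carve(image)]   # examine the image, not the original
    return visible, recovered, verified


if __name__ == "__main__":
    visible, recovered, verified = demo()
    print("visible to the OS:", visible)
    print("carved from the image:", recovered)
    print("image hash verified:", verified)
```

All analysis in the demo runs against `image`, never against `disk`, which is the point of the imaging principle: the original is read once and hashed, and every later step works on a copy whose hash can be shown to match.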

Although most real-world tools are designed to carry out a specific task (the hammer to hammer nails, the screwdriver to turn a screw, etc.), some tools are designed to be multi-functional. Similarly, some computer forensic tools are designed with only one purpose in mind, whereas others may offer a whole range of functionality. The unique nature of every investigation will determine which tool from the investigator's toolkit is the most appropriate for the task at hand.

As well as differing in functionality and complexity, computer forensic tools also differ in cost. Some of the market-leading commercial products cost thousands of dollars, while other tools are completely free. Again, the nature of the forensic examination and the goal of the investigation will determine the most appropriate tools to be used.

The collection of tools available to the investigator continues to expand and many tools are regularly updated by their developers to enable them to work with the latest technologies. Furthermore, some tools provide similar functionality but a different user interface, whereas others are unique in the information they provide to the examiner. Against this background it is the task of the computer forensic examiner to judge which tools are the most appropriate for an investigation, bearing in mind the nature of the evidence which needs to be collected and the fact that it may at some stage be presented to a court of law. Without doubt, the growing number of both civil and criminal cases where computer forensic tools play a significant role makes this a fascinating field for all those involved.

Computer Forensics Labs

Computer forensics labs are high-tech labs that are used for rendering computer forensic and other investigative services. Various software and techniques are used during the process of investigation, including password crackers, email converters, and the EnCase or Forensic Toolkit (FTK) software applications.

Initially, an exact replica of the hard disk drive is created, so that the evidence can be evaluated and processed from a forensic file rather than from the original. The identifying leads and computer evidence contained in files prove critical in determining the outcome of the case. The findings are then documented, and the opinions of experts are taken. Expert witness testimony proves very helpful in clarifying technical computer issues in the litigation process. With the help of customized software, forensic investigators can retrieve deleted data, hidden data and password-protected data. The retrieved data is then carefully documented and recorded in reports that are presented at the time of litigation.

On average, only 10 percent of these files may actually be used in litigation cases. Customized software is used to filter out unnecessary data, based on relevance parameters configured in the software. Around 25 percent of the original data set can be filtered out using intelligent filtering methods. The software is also used to remove duplicate items from the database, saving thousands of dollars for the company.

Computer evidence often decides the results of civil or criminal actions. Cases involving trade secrets, commercial disputes, misdemeanors and felony crimes can be won or lost with the introduction of recovered computer evidence. The latest high-tech labs are equipped to recover such data.

Computers are widely used for criminal activities such as hacking, credit card fraud and intellectual property crimes. This has created a rising need for forensic labs that are capable of collecting lost electronic evidence. These high-tech computer forensic labs are certainly a warning to lawbreakers.

Computer Forensic Classes

Computer forensics is becoming a popular profession among law enforcement, government intelligence and corporate security professionals. As the profession demands extra skills and an investigational instinct, basic training is necessary.

This high-quality computer forensic training is available through renowned universities and colleges, for which conditions apply with regard to personal history and citizenship.

The universities provide customized training designed to meet the specific needs of a law enforcement or intelligence agency. Expert faculty, who are retired personnel from major federal law enforcement agencies, train the professionals. They are internationally recognized for demonstrated expertise in the field.

An intensive 45-hour laboratory course is designed to equip government and corporate investigators with the skills needed to safely locate and secure computer evidence at search sites, as well as to perform off-site analysis.

With the help of challenging group exercises and written examinations, forensic concepts and procedural skills are reinforced. An optional online 9-hour seminar is also available, primarily covering hacker and child pornography cases.

Forensic examiners are provided with an essential understanding of federal and state computer laws by the newly introduced 5-day Computer Forensics Legal Issues course.

A special one-day non-examiner laboratory first responder course has been designed to introduce examiner assistants to the concepts and skills needed at a computer search. An 8-hour non-laboratory seminar, called Computer Forensics Program Manager, is available for individuals responsible for supervising computer forensics operations. The seminar provides an overview of essential computer forensics concepts and procedures, personnel staffing and equipment alternatives. The Program Manager seminar includes a 4-hour terrorist threat multimedia briefing.

A 6-day Computer Forensics Advanced course is designed around using Linux to safely and effectively analyze Windows systems, including Windows 9x, ME, XP and 2000 Professional. The program also includes a computer forensics technical report-writing laboratory. As the courses are no longer restricted to full-time government employees or a select group of corporate security investigators, they are becoming popular among law enforcement, government intelligence, and corporate security professionals.

Best Practices for Computer Forensics in the Field

Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success is founded on verifiable and repeatable reported results that represent direct evidence of suspected wrongdoing or potential exoneration. This article establishes a series of best practices for the computer forensics practitioner, representing the best evidence for defensible solutions in the field. Best practices themselves are intended to capture those processes that have repeatedly been shown to be successful in use. This is not a cookbook. Best practices are intended to be reviewed and applied based on the specific needs of the organization, the case and the case setting.

Job Knowledge

An examiner can only be so informed when they walk into a field setting. In many cases, the client or the client's representative will provide some information about how many systems are in question, their specifications, and their current state. And just as often, they are critically wrong. This is especially true when it comes to hard drive sizes, opening laptop computers, password hacking and device interfaces. A seizure that brings the equipment back to the lab should always be the first line of defense, providing maximum flexibility. If you must perform onsite, create a comprehensive working list of the information to be collected before you hit the field. The list should consist of small steps with a checkbox for each step. The examiner should be fully informed of their next step and not have to “think on their feet.”

Overestimate

Overestimate, by at least a factor of two, the amount of time you will require to complete the job. This includes access to the device, initiating the forensic acquisition with the proper write-blocking strategy, filling out the appropriate paperwork and chain of custody documentation, copying the associated files to another device and restoring the hardware to its initial state. Keep in mind that you may require shop manuals to direct you in taking apart small devices to access the drive, creating more difficulty in accomplishing the acquisition and hardware restoration. Live by Murphy's Law. Something will always challenge you and take more time than anticipated – even if you have done it many times.

Inventory Equipment

Most examiners have a sufficient variety of equipment to perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to carry out your site acquisition. All of us will see equipment go bad or some other incompatibility become a show-stopper at the most critical time. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, make sure to verify your equipment with a hashing exercise. Double-check and inventory all of your kit using a checklist before taking off.

Flexible Acquisition

Instead of trying to make “best guesses” about the exact size of the client hard drive, use mass storage devices and, if space is an issue, an acquisition format that will compress your data. After collecting the data, copy the data to another location. Many examiners limit themselves to traditional acquisitions where the machine is cracked open, the drive removed, placed behind a write-blocker and acquired. There are also other methods for acquisition made available by the Linux operating system. Linux, booted from a CD drive, allows the examiner to make a raw copy without compromising the hard drive. Be familiar enough with the process to understand how to collect hash values and other logs. Live acquisition is also discussed in this document. Leave the imaged drive with the attorney or the client and take the copy back to your lab for analysis.

Pull the Plug

Heated discussion occurs about what one should do when encountering a running machine. Two clear choices exist: pulling the plug or performing a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to prevent any sort of malevolent process from running that may delete or wipe data, or cause some other similar pitfall. It also allows the examiner to capture a snapshot of the swap files and other system information as it was last running. It should be noted that pulling the plug can also damage some of the files open on the system, making them unavailable for examination or user access. Businesses sometimes prefer a clean shutdown and should be given the choice once the impact has been explained to them. It is critical to document how the machine was brought down, because this will be absolutely essential knowledge for the analysis.

Live Acquisitions

Another option is to perform a live acquisition. Some define “live” as a running machine as it is found; for this purpose, it means the machine itself will be running during the acquisition through some means. One method is to boot into a customized Linux environment that includes enough support to grab an image of the hard drive (often among other forensic capabilities), but whose kernel is modified never to touch the host computer's storage. Special versions also exist that allow the examiner to leverage the Windows autorun feature to perform incident response. These require advanced knowledge of Linux and experience with computer forensics. This kind of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option.

The Fundamentals

An amazingly brazen oversight that examiners often make is neglecting to boot the device once the hard disk is out of it. Checking the BIOS is absolutely critical to the ability to perform a fully validated analysis. The time and date reported in the BIOS must be reported, especially when time zones are an issue. A rich variety of other information is available depending on which manufacturer wrote the BIOS software. Remember that drive manufacturers may also hide certain areas of the disk (Hardware Protected Areas), and your acquisition tool must be able to make a full bitstream copy that takes that into account. Another key point for the examiner to understand is how the hashing mechanism works: some hash algorithms may be preferred to others not necessarily for their technological soundness, but for how they may be perceived in a courtroom situation.
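The hashing that Flexible Acquisition and The Fundamentals both lean on (compressing the image to fit the destination, proving the copy matches the source, reporting digests a court will recognise) looks like this in practice. This is an added example written for this page, not the code of any acquisition tool; the evidence medium is a constructed in-memory byte string, the image is gzip-compressed, and the MD5/SHA-1/SHA-256 trio is simply a set of commonly reported digests, not a recommendation from the article.

```python
"""Chunked acquisition into a compressed image with multi-algorithm hashing
and independent verification (added example, constructed in-memory data)."""
import gzip
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")   # several digests from a single read of the medium
CHUNK = 4096                             # constructed read size; a real tool would use far larger


def hash_stream(stream, sink=None):
    """Read `stream` once; update every digest and, if given, copy the bytes to `sink`."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        total += len(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return total, {name: hasher.hexdigest() for name, hasher in hashers.items()}


def acquire(device, image_out):
    """Copy every byte of `device` into a gzip-compressed image, hashing the raw bytes as they pass."""
    with gzip.GzipFile(fileobj=image_out, mode="wb") as compressed:
        total, hashes = hash_stream(device, sink=compressed)
    return {"bytes": total, "hashes": hashes}          # the acquisition record for the paperwork


def verify(image_bytes, record):
    """Decompress the stored image and recompute every digest against the acquisition record."""
    with gzip.GzipFile(fileobj=io.BytesIO(image_bytes), mode="rb") as compressed:
        total, hashes = hash_stream(compressed)
    failed = [name for name in ALGORITHMS if hashes[name] != record["hashes"][name]]
    return total == record["bytes"] and not failed, failed


def demo():
    # Constructed evidence medium: ~40 KB of padding with a repeated short message inside.
    device_bytes = (b"\x00" * 1024 + b"coffee emails" + b"\xff" * 1000) * 20
    image_out = io.BytesIO()
    record = acquire(io.BytesIO(device_bytes), image_out)
    image = image_out.getvalue()
    ok, _ = verify(image, record)

    # A stored image whose content differs by a single bit must fail verification.
    altered = bytearray(device_bytes)
    altered[2048] ^= 0x01
    altered_out = io.BytesIO()
    with gzip.GzipFile(fileobj=altered_out, mode="wb") as compressed:
        compressed.write(bytes(altered))
    altered_ok, failed = verify(altered_out.getvalue(), record)

    return {"bytes": record["bytes"], "compressed_bytes": len(image), "verified": ok,
            "altered_detected": not altered_ok, "failed_algorithms": failed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing during the acquisition read means the medium is read only once; verification then re-reads the compressed image independently, so a write error, a truncated copy or a later alteration shows up as a size or digest mismatch. The digests are taken over the raw bytes, not the compressed file, so the record stays valid whichever container the image is later moved into.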

Store Securely

Acquired images should be stored in a protected, static-free environment. Examiners should have access to a locked safe in a locked office. Drives should be stored in antistatic bags and protected by the use of non-static packing materials or the original shipping material. Each drive should be tagged with the client name, attorney's office and evidence number. Some examiners photocopy the drive labels, if they have access to a copier during the acquisition, and this copy should be stored with the case paperwork. At the end of the day, each drive should link up with a chain of custody document, a job, and an evidence number.

Establish a Policy

Many clients and attorneys will push for an immediate acquisition of the computer and then sit on the evidence for months. Make clear with the attorney how long you are willing to maintain the evidence at your lab, and charge a storage fee for critical or large-scale jobs. You may be storing critical evidence in a crime or civil action, and while from a marketing perspective it may seem like a good idea to keep a copy of the drive, it may be better from the perspective of the case to return all copies to the attorney or client with the appropriate chain of custody documentation.

Conclusion

Computer examiners have many choices about how they will carry out an onsite acquisition. At the same time, the onsite acquisition is the most volatile environment for the examiner. Tools may fail, time constraints can be severe, observers may add pressure, and suspicions may be present. Examiners need to take seriously the maintenance of their tools and the development of ongoing knowledge to learn the best techniques for every situation. Utilizing the best practices herein, the examiner should be prepared for almost any situation they may face and have the ability to set reasonable goals and expectations for the effort in question.

Solving Crime with Computer Forensics

Computer Forensics is the scientific study of computers or computer related data in relation to an investigation by a law enforcement agency for use in a court of law. While this technology may be as old as computers themselves, the advances in technology are constantly revising the science of computer forensics.

In the technological old days, computer forensics was mostly related to data dumps: printing out every keystroke that had been logged on a computer as a series of eight digits, all of them zeroes and ones. Literally cases of paper would be used for printing the materials. Systems analysts would then have to convert all of the data into hex and then translate each value into whatever the actual keystroke was. In this way, it was possible to go over all of the data and figure out at what point the computer and the corresponding program crashed. Like computers and technology, computer forensics has evolved by leaps and bounds since those days.

While all computer languages still ultimately boil down to ones and zeroes (binary) and then hex, the means by which programs are created, run and utilized have changed drastically. Computer forensics has done well to keep up with the task at hand. Now hard drives can be wiped clean. However, without an unconventional format (and in rare cases, even with the unconventional switch) the data can still be retrieved. It takes an expert in computer forensics, however: someone who is familiar with the technology of the computer and the science of computer forensics, to reconstruct all of the data that has been wiped off the hard drive.

Computer forensics can be used to track emails, instant messaging and just about any other form of computer-related communication. This can be necessary, especially in the world today. Computer forensics experts have even advanced the technology to the point that they can track data in real time, that is, while it is actually being sent and received. This is a mind-numbing task when you think about the billions of communications going on around the globe at any given time, but the science of computer forensics is constantly advancing every bit as quickly as, or sometimes even faster than, the technology it is responsible for investigating.

Computer forensics is an interesting aspect of technology that is often overlooked. Computer forensics has been used to solve many crimes and should be considered a viable tool in many ways. The study of computer forensics is constantly growing along with technology.

An Introduction to Computer Forensics

Computer forensics is the process of investigating electronic devices or computer media for the purpose of discovering and analyzing available, deleted, or “hidden” information that may serve as useful evidence in supporting both the claims and the defenses in a legal matter. It can also be helpful when data has been accidentally deleted or lost due to hardware failure.

This is an old technique, but it has changed a great deal because of technological advances; modern tools and software make it much easier for computer forensic experts to find and restore more evidence and data, faster and with more accuracy.

Computer forensics has changed the way digital evidence is collected and used as evidence of a crime, and it is done using advanced techniques and technologies. A computer forensic expert uses these techniques to discover evidence of a possible crime on an electronic storage device. The data can come from any kind of electronic device or source: pen drives, disks, tapes, handhelds, PDAs, memory sticks, emails, logs, hidden or deleted files, etc.

Most of us think that deleting a file or history will remove it completely from the hard disk drive. In reality, it only removes the reference to the file's location; the actual file still remains on your computer. It is easy to track what has been done on your computer but difficult to say by whom, although it is possible to alter or delete data completely from your storage device. How well the data can be found and restored without any loss or change depends on the computer forensic expert's skills.

Computer forensics gained attention during the Enron scandal, widely believed to be the largest computer forensics investigation ever. Nowadays computer forensics and electronic discovery are becoming a standard part of litigation of all types, especially large litigation involving corporate matters in which there are large amounts of data.

Computer forensics can be used to uncover fraud, unauthorized use of a computer or violations of company policies, and to provide record keeping, by tracking e-mails, chat history, files, tapes, the sites people browse or any other form of electronic communication.

Data security is one of the largest issues the corporate world faces today. By publishing the company's internet and computer policies along with the consequences for violations, and by having employees sign compliance documents, businesses can begin monitoring their own computer systems to avoid legal consequences in the future. Making employees aware that monitoring software and computer forensics personnel are available could deter workers from wrongdoing.

With the use of computers in everyday life and the increasing amount of hi-tech crime, computer forensics is a growing niche in the litigation support sector. Unlike many jobs in the information technology sector, chances are that computer forensics services will not be outsourced to other countries, because the confidentiality of business data will not allow it to travel just to save a little cash.

Improving Awareness of Computer Forensics Services

Given the situation, there have been some attempts on the part of the government to spread awareness of computer crime, but not on a mass scale. It will be possible to spread awareness of computer forensics only after consciousness about computer crimes increases. The attempt should be two-pronged – to dissipate ignorance – and to clear misconceptions. There is no point talking about what comes after the crime to people who do not even know what a crime is. This makes life much harder for computer forensics specialists, as they have to deal with clients who tamper with and cover up evidence without any idea of what they are doing. Online crimes have shaken the UK repeatedly during the past three years, but most home users still do not update their antivirus software. Very few companies have security measures in place, and in the absence of a comprehensive and forceful application of data protection laws, they will probably continue being careless, bringing down a lot of misery on themselves and their clients.

Government Enterprise

Below is a list of government bodies that deal with computer crimes:

  • The local police force: According to the Home Office, all computer crimes should first be lodged with the local police force, who should be equipped either to deal with it, or pass it on to the appropriate higher authority.
  • SOCA: Serious and Organized Crime Agency is the body to which the former computer crime investigative wing, National High Tech Crime Unit (NHTCU) now belongs.
  • CEOP: Child Exploitation and Online Protection Center attempts to capture online child sexual exploiters and spread awareness among children. They even have an offline campaign.
  • CESG: Communications Electronics Security Group is in charge of IT and communications safety for UK government agencies, including the armed forces.
  • NISCC: National Infrastructure Security Coordination Center works on risk reduction for and safe information sharing among government departments.
  • Others: The Home Office has a computer crime policy team and the DTI conducts the aforesaid survey; the Cabinet Office has the Central Sponsor for Information Assurance, which runs public awareness campaigns such as Get Safe Online and IT safe.

Computer Forensics and Corporate Houses – the Pros and Cons

With so many bodies to report to, how many of the computer crimes actually get reported every year by corporate houses? Unfortunately, we can only see the tip of the iceberg so far. Most companies are scared to report, as they fear public backlash, media attacks, loss of clients, and gleeful comments from rival groups. Just like crime, justice too travels very fast on the internet, and clients may come to know of the fiasco sooner than the company expects. This has happened to several gigantic concerns in the recent past, and it is hoped that other companies will learn from their folly. Companies are scared about calling in data recovery professionals as they fear for the safety of their data in the hands of the rescuers, and much the same reason is given when it comes to forensics experts too. One can always take the extra precaution of choosing a really reliable company and paying them well enough where high volumes of data have been compromised and the trail is getting colder every second. It is the duty of a business house to locate and employ proper investigators when so many other people's labors are at stake, and they have to find a way to do it.

CSI Computer Forensics – Real Cases From Burgess Forensics #12 – Case of the Computer That Got Lost

The stories are true; the names and places have been changed to protect the potentially guilty.

A few years ago, Debby Johnson, an attorney from a large firm based in Kansas City, contacted me about a relatively simple matter. I was to travel to offices in Sacramento from my San Francisco-area labs, copy a computer's disk drive, and locate emails sent by the petitioner to his brothers and sisters, of which he had nine. The case was a product liability lawsuit for an amount in the tens of millions of dollars. The plaintiff claimed that his health had been damaged by an international firm's defective product, although he was symptom-free at the moment. What was the product? Let's say it was coffee.

From the cool Bay Area in summer, I traveled to downtown Sacramento, where it was a balmy 106 degrees. I knew I was sweating, but inside I was cool. I wondered if someone else would be in hot water soon.

It is not unusual for me to never meet my client, for computers can be shipped to me at my lab, but Debby was there in the law offices of the plaintiff's attorney. In an oak-paneled conference room we met with counsel for “the other side” and with the plaintiff himself. He sat smugly with his shiny computer on the conference table, friendly enough in spite of his contentment that I would never find the offending emails he had allegedly sent years before. My client believed that this fellow had sent emails to his siblings that would disprove his contention – that would show him to be making up a case to snag a cool few tens of millions.

I removed the hard disk from our man's system to make a forensic copy to work with and analyze. I was surprised to find that the hard disk was 100GB in size. A drive of that capacity was fairly new and unusual to see in a case this soon after it had come on the market. I was prepared for a much smaller disk drive, as I had been told I'd be seeing one about 20% the size. Fortunately, there was an electronics superstore nearby, so I doffed my suit jacket, cranked up the air conditioning on my minivan / lab wagon (that beauty just turned over 200,000 miles on the day I'm writing this), and headed on over for a bit of new gear. Forty-five minutes and a bit of melted rubber later I came back to the scene to forensically clean the new disk drive by writing letters to every sector.

Once cleared to my satisfaction, I set up the copy process. In those days, while I was partial to Diskology's Disk Jockey, the version I had then did not seem to be able to handle what was such a large drive for the time. I probably used Byte Back on a forensic Intel box I had just in case. I began the copy process and it went without a hitch. But while the copy was proceeding, I began to wonder – wasn't this a pretty big drive to have been around at the time of the claimed emails? And for that matter, this computer was not very fast for its age. And did Windows XP really come on the market before these emails were to have been written? I was beginning to suspect that the game was rigged, and that I never would find the flawless deleted emails on that computer.

I discussed the matter with Debby. I guessed that the claim was right about the task being futile – because I guessed that the offending emails were never on this computer. I said I'd be willing to look for them, but I did not want to waste my client's cash. Debby asked me to look into the matter of the components' age when I got back to HQ. A few inquiries with the manufacturer and a couple of Google searches later, I was pretty well convinced that the fellow had never written those emails on this computer. Windows XP was almost too new, the disk drive was a couple of weeks too modern, and the computer was a month or two younger than those emails.

Debby called opposing counsel – who had no idea why this might not be the original system … until he checked with his man. Turns out he had “set it on the curb for trash pickup” because it was not working. The attorneys were not happy. The court was not happy. The only solution was for me to go to the nine brothers and sisters in four states to copy their personal computers and sift through those for the offending emails.

Do you think they were happy to hear from me? Would you be if your brother put you on the spot like that? Each of them had to agree that a perfect stranger – one who was working against their beloved brother – could come into their homes and look through everything on their personal computers. The most telling example of their displeasure was from one brother, a former Vietnam-era Green Beret, who – in response to my phone call asking when there would be a good time to show up – said “I did not spend two years marching up and down the God**m Ho Chi Minh Trail for this s**t!” I understood.

It turns out that opposing counsel had never gotten around to telling this group that a computer forensics guy would be calling them and they needed to cooperate. I found that out when I told Debby of the righteous resistance I had come up against. She straightened it out with counsel and the next set of phone calls I made to the sibs was a lot more congenial.

The next several days, traveling from state to state, town to town, brother to sister to brother and on and on to copy the private data of nine innocent family members had its challenges. But that's a story unto itself … I'll spare you most of the details. Upon my return, the protocol called for me to search all of the data for any correspondence from – let's call him “The Brother” – that mentioned his struggles with … we're calling it Coffee. I was then to print out the references I found, and send a copy both to the judge and to opposing counsel for privilege and relevance review. Debby and her firm were not to get a look at the data until anything either private or irrelevant had been taken out, and only the remainder produced.

What did I find? Around the time of the claimed emails, lo and behold, I found actual emails. The whole family was talking about The Brother's struggle with Coffee, their individual investigations into Coffee, and the upcoming lawsuit about Coffee. At one point, one email pointed out that this guy Burgess was going to be looking into everyone's email, and wouldn't it make sense not to talk about Coffee? They agreed. They now spoke only of … “the C-Word.”

What else did I find when I performed my electronic discovery and digital forensic analysis? Well, for the most part, I just can't talk about it. There are some things on your computer you would not want me talking about, I'm sure. There are things on my computer I would not want me talking about either! E-discovery often has to be a pretty private process.

But there was one particularly interesting finding. When I called the Green Beret Brother (GBB) from his sister's place across town, and asked for permission to head on over to make the copy of his computer, he obligingly told me it was okay. When I got there, he first asked me to read and sign a statement that I would not hold him liable for any damage to me or my equipment – unintentional or otherwise. Well, that was a little scary coming from a guy trained in the arts of stealth, war, and undoubtedly the garrote. But as the paper did not seem like a legal document, I signed it, if that was what would get me in to do my work. He was pleasant enough, the music he had on was good, and the copy went without a hitch. And I left alive and undamaged – a plus, indeed!

Once in my lab, I discovered the last thing that had happened on his computer. About one minute after my phone call for permission to go over, GBB had sent himself an email and then immediately deleted it. The subject, all in caps, was “COFFEE!” No “C-Word” fooling around for him. The message in the body was simple and succinct: “If you find this email, F*** YOU!!!!!” It's nice when a person knows how he feels and is able to express it freely. There was also a deleted photograph attached to the deleted email. Upon recovering same, it turned out to be a very recent photo of an extended middle finger – presumably GBB's finger. Visual aids are always helpful in understanding the subject matter, don't you think?

In the end, I produced about 75 pages of documentation I thought relevant. Of course, I had to include GBB's missive. As expected, opposing counsel called everything irrelevant or privileged. Also as expected, the judge allowed all of the documents I had produced – with a number of lines redacted – to be delivered to my client. Everyone's favorite was the literate bit produced by GBB.

As for The Brother – the court decided that not only was he not very honest, due to the destruction of the most important data in the case – his original computer – but the evidence and the relevant emails showed him to be apparently undamaged by the Coffee. The case went to defeat, Debby and her firm were happy, and GBB became a legend.

This is just one of the many “CSI* – Computer Forensics Files: Real Cases from Burgess Forensics”. Stay tuned for more stories of deceit uncovered by computer forensics.

* The Free Dictionary lists more than 160 definitions for CSI at acronyms.thefreedictionary.com. We choose Computer Scene Investigation.

Computer Forensics Files – The Little Dame That Wouldn’t – Real CSI Cases from Burgess Forensics #14

The stories are true; the names and places have been changed to protect the potentially guilty.

A dame, a rich guy, and an email account: what more do you need for a story?

I was in my office one fine spring day in Marin studying the benefits of Eastern philosophy, engaged in my special snoring meditation, when the buzzing of the telephone dragged me back to the present. It was Sam & Dave – not the Soul Men, but the lawyers in the Valley. They had a situation. A computer expert was heading over to their offices to make a copy of their client's computer – the dame's laptop – to try to prove that she sent endearing emails to a scorned male – the rich guy … Mr. Silicon Valley.

See, rich guy had not been so rich until some computer hardware of his design had been snapped up by a big player in the computer world for a hefty sum. Newly rich Mr. Silicon decided to try his hand at picture books – picture books of natural looking young ladies in their native birthday attire. The hook was that they would be all natural – no silicone for Mr. Silicon.

One day, Mr. S was driving through the Rockies when he espied a liberated young lady. Liberated in the sense that she was 17, but living on her own. S offered to liberate her from a dead-end waitress job if she would come live in his valley mansion. It would all be very Platonic – they'd each have their own end of the mansion – and she would work with the picture book office staff.

But as our young lady reached adulthood, Mr. S became enamored enough to make our lovely waif a bit uncomfortable. She thought he was acting like a creep. She wanted out – out of the office and out of the mansion. The word “harassment” strikes fear into the heart of many an employer, and Sam & Dave were looking for a settlement to enrich all involved. But Mr. S was not to give up so easily. He maintained that the lovely Miss had been sending him endearing love letters from her America OnLine account. Sure enough, her account had sent those letters – but had she been the one to send them? AOL has a setting that allows a user to sign in automatically – that is, to sign in without having to type in a password. This setting is almost always a mistake, unless no one else is ever near your computer. I always recommend to my clients that they take the extra 5 seconds out of their busy schedules to type an actual password. You might have guessed that her AOL was set to automatically log in.

But the letters had been sent after she had already left the office. That meant that if she had sent them, she must have written them on her laptop from home. A deal was made. Mr. S hired a computer expert to do some digital discovery. He'd make an identical copy of the hard disk from her laptop, while sitting in Sam & Dave's conference room. This is where I entered the picture. S & D wanted me to make sure that the hired thugs … er, experts … would not pull any funny stuff. I went to observe on the day of the copying.

Just a short half hour or so after their scheduled arrival, the other experts arrived. They were decked out in full company regalia. Their bright jackets, hats, and business cards announced their offices in New York, Tokyo, London, Hong Kong, and Los Angeles. These guys were apparently internationally jetting big shots. As it turned out, only one was the bigshot – the other guy was the gofer. Bigshot sat in a chair and bragged about his exploits while Gofer unloaded their equipment. A large, high-powered desktop computer, with external drives hooked up through an Adaptec SCSI host adapter, appeared on the tabletop. A briefcase full of secret computer forensic software was opened to reveal its treasures. The golden floppy disk was removed from the briefcase. Bigshot examined the laptop, and announced, “We can't do this copy – there's no floppy drive.”

I was a little dumbfounded. Surely these guys had all of the computer forensic equipment known to mankind. “I have EnCase and ByteBack,” he said, “but I need to boot from a floppy drive to make a copy.” This was at least half accurate. Whenever a drive is operated in a Windows environment, Windows writes bits and pieces of data to the drive. Under such circumstances, the data is changed and is not a true identical, “bit-for-bit” copy. It's not a forensic image. But when the system is booted from a DOS diskette, nothing gets written to the hard disks. This is what the fellow was looking to do.

I suggested he remove the hard disk from the laptop, and hook it up through a write-blocker to his desktop computer. “What's a write-blocker?” he asked. “Gofer, do we have any write blockers?” Gofer's look of befuddlement answered for him. I explained to Bigshot International that a write blocker is a device that can be hooked up between the hard disk and the cable it is attached to, or between an external enclosure holding the hard disk and the USB cable leading to the computer. The MyKey NoWrite FPU is one of my favorites. The Tableau works well. The Disk Jockey Forensic was not around then. The DriveDock & others would have been fine. But he did not have any by anyone.

Still, removing the hard disk, attaching it to his system and booting the system from its floppy diskette should have been fine. I suggested as much. “How do you take out the hard disk?” he asked. Apparently laptops are different in London and Hong Kong and those other places he had offices.

I asked S & D's secretary for a little Phillips screwdriver, and removed the hard disk for Our Man. “It does not hook up to my IDE cable,” he said. You see, laptop IDE hard disks and desktop IDE hard disks are different sizes. Most in laptops are 2.5" and most in desktops are 3.5" and never the twain shall meet – at least, not on the same cable. The 40-pin connector on the laptop is, unsurprisingly, smaller in size. “How about an adapter?” I said. “Have you a 2.5" to 3.5" adapter?”

“Have we got one, Gofer?” Befuddlement answered wordlessly again. I suggested a quick run to the local computer store. I even volunteered to go, for the Mensa-level technical skill was getting to me a little at that point.

Twenty minutes later, we had an adapter from a local Mom & Pop computer shop. Some adapters for laptop drives hook up the opposite way from what is intuitive. Once I warned against hooking the laptop drive up backwards, Bigshot got everything set up right, the computer booted, and a good copy looked like it was only minutes away. That is, until I heard, “My target disk drive is not big enough.” Well, I did not want him to have to go all the way to Tokyo or New York for another. I suggested hooking up additional drives from his special briefcase to the SCSI bus, then changing the image size. Many computer forensic programs allow one to acquire a large drive as several or many contiguous images of a smaller size. By changing his configuration, Mr. B could make many successful CD-sized images of about 650 MB each, instead of one giant one that would not fit in the available space in any one of his hard drives.

With the copy proceeding apace, I asked S & D what I should do next. We saw the estimated time of completion was about five hours away! I wondered if sitting waiting for electrons to move was the best use of my time and their money, and they seemed to think it was not. I explained what to look out for – any cables being unplugged, any keyboards being typed on, any utterances of “oops” or “oh no!” from the Dynamic Duo making the copies. The job should be mostly babysitting until the copy was completed. I headed back to the airport, and to my office at Burgess Forensics to finish my interrupted meditation.

How did it all turn out? There were no loving emails written on the laptop. The computer she had used at the office was being used to send bogus emails from her auto logon AOL account. Mr. S was ready to settle … after just one more meeting.

As part of the settlement, Mr. S & our lovely Miss had one last lunch together. They met at an outdoor café. It might have been romantic, but Miss sat well out of reach, her lawyer sat just out of earshot a couple of tables to the West. The attorney for S sat just out of earshot a couple of tables to the North. Everybody ate lunch. S paid the bill – three bills, actually – one for lunches, one for the lawyers, and one settlement for the lovely lady. She then walked away and never looked back.

While I never met the lady, I was alerted to look for her on a fashion show. There she was, on the TV, looking like the waif models are apparently supposed to resemble. I could not tell if she looked any richer, but I hoped she would spend some of the settlement on a few more lunches – she could have filled out a little and looked a bit more … natural. But that's outside my area of expertise. A nutritionist I'm not – I do computers.

This is just one of the many “CSI* – Computer Forensics Files: Real Cases from Burgess Forensics” cases in the file. Stay tuned for more stories of deceit uncovered by science.

* The (online) Free Dictionary lists more than 160 definitions for CSI – for us it's Computer Scene Investigation.

Speeding PHP Using APC PHP Cache

If you look at a PHP source file you will notice one thing. It's a source file. Not particularly surprising, but think about when you deploy a PHP application: what do you deploy? PHP source files. Now for many other languages, Java, C, etc., when you deploy an application you deploy the compiled file. So, the question that you want to ask yourself is this: how much time does a PHP application spend compiling source files vs. running the code? I'll answer that for you: a lot.

There are advantages to being able to deploy source files though. It makes it easy to do on the fly configurations or bug fixes to a program, much like we used to do in the early BASIC languages. Just change the file and the next time it's accessed your change is reflected. So, how do we keep the dynamic nature of PHP, but not recompile our files every time they are accessed?

A PHP cache. It's surprising to me that this concept is not built into the base PHP engine, but that's probably because some companies can sell this add-on to speed up PHP. Luckily for us, some companies / open source projects provide this plugin for PHP at no charge. These plug-ins are generally known as PHP accelerators; some of them do some optimization and then caching and some only do caching. I'm not going to pass judgment on which one is the best, any of them are better than nothing, but I decided to use APC, the Alternative PHP Cache. I chose this one because it is still in active development and is open source and free.

Alternative PHP Cache can be found at php.net, just look down the left column for APC. It comes in source form, so you will need to compile it before installing it; don't worry about that part. If you're using Red Hat 4 or CentOS 4 I'll tell you exactly how to do it. If you're using something else, you'll need the same tools, but getting the tools might be a bit different.

1. The Tools

Do you know how many web sites, forums and blogs I went to with my error messages before I found the answers as to what I was missing when I was trying to install APC – Alternative PHP Cache? Two days worth, but I finally found the correct combination and it's really quite obvious as is everything once you know the answer. There are three sets of dev tools that you will need.

1a. You'll need a package called “Development Tools”; this will include all the important dev tools like the GCC compiler, etc.

1b. You'll need a package called php-devel, which, as you might guess, contains the development tools for PHP.

1c. You'll need a package called httpd-devel, which of course contains the dev tools for the Apache web server.

On Red Hat or CentOS getting these should be as easy as the following 3 commands:

yum groupinstall "Development Tools"

yum install php-devel

yum install httpd-devel

You'll do these three one at a time and follow any instructions (usually just saying yes).

Now it's time to follow the instructions contained in the APC package. Since these may change over time I'm not going to go through them. They are very complete. If you follow the instructions and get an apc.so file out of it, then you're all set, just modify your php.ini file and you're good to go.

There are two problems that I encountered that you may encounter too. The first is an error when running phpize. I ignored this error and everything succeeded okay, but not before I spent hours looking for the solution to this error. Here is the error.

configure.in:9: warning: underquoted definition of PHP_WITH_PHP_CONFIG

run info '(automake) Extending aclocal'

or see http://sources.redhat.com/automake/automake.html#Extending-aclocal

configure.in:32: warning: underquoted definition of PHP_EXT_BUILDDIR

configure.in:33: warning: underquoted definition of PHP_EXT_DIR

configure.in:34: warning: underquoted definition of PHP_EXT_SRCDIR

configure.in:35: warning: underquoted definition of PHP_ALWAYS_SHARED

acinclude.m4:19: warning: underquoted definition of PHP_PROG_RE2C

People would have had me updating my PHP version from 4.3.9 and everything else under the sun to get rid of this error, but in the end it did not matter. My APC compiled and installed nicely and I am good to go.

The other slight problem that I ran into was the location of php-config. The install instructions wanted me to do the following:

./configure --enable-apc-mmap --with-apxs --with-php-config=/usr/local/php/bin/php-config

However, my php-config is in /usr/bin/php-config. Making that change allowed this part to work.

So, have at it; once it's done you can expect to see huge improvements in your web site response times and reductions in your CPU load. One more quick note: my server hosts about 20 web sites, but only 3 or 4 are really busy. To reduce the memory footprint of caching everything for all 20 sites I used the apc.filters property. Although this property is slightly flawed for non-qualified includes, it worked nicely for my Serendipity blogs. Your mileage with this property will vary according to the software you are using and how it does its includes.
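A php.ini fragment for the multi-site case just described, added here as an example and not taken from the original post; the vhost paths and the shared-memory size are assumptions, and the settings are the ones APC's own documentation defines.

```ini
; Added example: cache only the few busy sites, leave the rest uncached.
; Vhost paths and apc.shm_size are assumed values, not the author's.
extension=apc.so
apc.enabled=1
; Shared memory segment size; size it for the busy sites only, since
; the opcode caches of all cached sites share this one segment.
apc.shm_size=64
; Keep checking file mtimes so an edited source file is recompiled on
; its next access, preserving the "just change the file" workflow above.
apc.stat=1
; Cache nothing by default, then opt in the busy vhosts with positive
; (+) filters. Patterns are POSIX extended regular expressions matched
; against the file name as it is passed to include/require.
apc.cache_by_default=0
apc.filters="+^/var/www/vhosts/busy-site-1/.*,+^/var/www/vhosts/busy-site-2/.*"
```

The "slightly flawed for non-qualified includes" behaviour follows from that last point: a relative include such as include 'lib/db.php' is matched as the string lib/db.php, never as an absolute path, so it does not hit a + filter and stays uncached under apc.cache_by_default=0.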