JCSC 20, 4 (April 2005)
CCSC: South Central Conference

COMPUTER FORENSICS – A CRITICAL NEED IN COMPUTER SCIENCE PROGRAMS*

John D. Fernandez, Stephen Smith, Mario Garcia, and Dulal Kar
Texas A&M University – Corpus Christi, 6300 Ocean Drive #5825, Corpus Christi, TX 78412

* Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the CCSC copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a fee and/or specific permission.

ABSTRACT

The number of computer security incidents is growing exponentially, and society’s collective ability to respond to this crisis is constrained by the lack of trained professionals. The field of computer forensics is relatively new, and this paper describes the discipline, its development, and critical issues associated with its practice. The increased use of the Internet and computer technology to commit crimes indicates an abuse of new developments that requires a response by those involved in law enforcement. Cyber crimes and many child-related sex crimes leave clear digital evidence that must be investigated by those who are trained in computer forensics. University computer science programs are perfectly suited to respond to this crisis. With minor changes, computer science programs can address the growing demand for forensics professionals.

INTRODUCTION

Mention computer forensics to people outside the law enforcement or corporate security arena, and many will conclude that the subject under discussion covers the use of computers to catalog traditional physical evidence, including such things as fingerprint, dental, and DNA evidence. Indeed, computer technology has revolutionized the storage of and access to such vital evidence. Such computer technology enables rapid access to fingerprint information for law enforcement agencies. However, the field of computer forensics opens an entirely new area, as computer forensics involves the investigation of computers themselves for evidence of criminal activity or activity that constitutes a violation of company policy. According to Nelson, Phillips, Enfinger & Steuart [4], computer forensics investigates data that can be retrieved from memory, hard disk, or other storage devices such as CD-ROMs, digital memory cards, etc.

DEVELOPMENT OF COMPUTER FORENSICS

Almost as soon as any new technology becomes available, people find a way to abuse it. Computers and the Internet are no exception. In the 1970s, when computers were still the domain of large business enterprises, unscrupulous programmers in the banking industry wrote subroutines in programs that would transfer small fractions of a penny into their accounts. Dale, Weems, and Headington [3] note one particular case where a bank audit

    …turned up a mysterious account with a large amount of money in it… The bank computed interest on its accounts to a precision of a tenth of a cent. The tenths of a cent were not added to the customers’ accounts, so the programmer had the extra tenths for all the accounts summed and added into an account in his name.

In large financial institutions with many clients, this new method of embezzlement resulted in substantial losses. Indeed, when investigating computer-related crimes, as in so many other crimes, the operative philosophy is often “Follow the money.” Greed is still a large motivating factor for many cyber crimes.

Since computers and the Internet can facilitate the commission of crime, it makes sense that law enforcement must come up with ways to investigate such computer-related crimes. It is precisely at this point that computer forensics enters the picture. Patterson [6] points out that while courts consider computer evidence to be physical evidence, it is unlike most other types of physical evidence. A witness cannot show a jury the contents of a disk drive by holding the physical disk drive up in front of them. The evidence must be extracted in a way that preserves its evidentiary value, yet enables the court to see exactly what is on that drive.
Law enforcement requires reliable methods to extract such evidence in a way that will pass muster with the courts. During the 1980s, government agencies developed and utilized the first computer forensics tools, and perhaps the first U.S. agency to use such tools was the IRS. At first, these agencies designed forensics tools to meet their own specific needs and placed little or no emphasis on whether or how they might be utilized by other agencies, let alone the private sector. However, in the mid 1980s, two commercially available software tools emerged: X-Tree Gold and Norton Disk Edit. Although not designed as computer forensics tools per se, both products could recognize and recover lost or deleted files (key requirements of forensics tools), and were available to the public [4]. In the early 1990s new tools that were more specialized began to appear, and the need for investigators who understood computer data storage rapidly increased. One of the results of this need was the creation of specialized organizations such as the International Association of Computer Investigative Specialists (IACIS). Such groups offer training on computer forensics tools available to law enforcement investigators.


CYBER FRAUD – A SIGNIFICANT FINANCIAL IMPACT

The growing use of computers to commit fraud is a great concern to the FBI. The FBI reports that organized crime and even terrorist groups increasingly use Internet fraud, once the domain of a few hackers. One of their tactics involves “phishing,” in which a perpetrator sends an e-mail purporting to be from the victim’s Internet service provider, bank, or other company with whom the victim does business. The e-mail asks the victim to update his account information. Sullivan [10] quotes FBI sources:

    The e-mails, which ask people to “update” their personal information -- Social Security numbers, dates of birth, passwords and the like -- or tell a well-concocted tale meant to trick people into divulging their credit card and bank account numbers, now comprise more than half of the 15,000 monthly citizen complaints filed to the FBI’s Internet crime center.

When the victim complies with the request, he will have unwittingly sent his personal information to a criminal. Especially troubling is the fact that terrorists are using this technique more frequently. Sullivan [10] continues:

    Officials believe crime syndicates -- especially in Russia and the former Soviet bloc -- have begun to realize how much money they can make with little or no overhead. They also believe terrorist sympathizers, possibly operating out of Africa and the Middle East, have also begun using phishing schemes to steal identities and make fast cash after being shut out by counterterrorism measures from their traditional avenues of funding such as bogus charities.

Phil Williams [12] of Carnegie Mellon University’s CERT Coordination Center cites seven trends of which businesses should be aware.
Among these are organized crime involvement in using the Internet for major fraud and theft activities, white collar crimes including “pump and dump” stock schemes, traditional mob activities conducted via the Internet (such as cyber-extortion and money laundering), and the adaptation of nuisance tools such as viruses for even more serious criminal acts including theft and embezzlement. Williams cites, as an example of the latter, a case occurring in 2000 where perpetrators who remain unknown created a variation of the Love Letter worm and used it in an attempt to gain access to Swiss and American bank accounts.

CHILD-RELATED SEX CRIMES – A SIGNIFICANT SOCIETAL ISSUE

If financial crimes were the only computer-related crimes law enforcement had to investigate, the task would be difficult enough. Unfortunately, this is not the case. Many computer crimes involve the most vulnerable among us: children. Exploitation of children, sexual and otherwise, did not begin with the invention of computers or the Internet. However, the Internet has facilitated communication between individuals with an interest in exploiting children, resulting in the transmission of child pornography among pedophiles, transmission of pornography to children themselves, and worse, setting up meetings between pedophiles and their intended victims. According to the National Center for Missing and Exploited Children, “one in five children (10 to 17 years old) receives unwanted sexual solicitations online.” With an estimated 23,810,000 children using the Internet, this statistic reveals that a staggering 4.52 million children have potentially received such sexual solicitations.

Law enforcement has not been standing idly by. A number of agencies have set up sting operations to catch Internet pedophiles. Apuzzo [1] relates the story of 31-year-old Eric Hopkins, who went into Internet chat rooms trying to find a middle-school-aged girlfriend and met a 13-year-old named Stacy. “Stacy was an obedient Connecticut 13-year-old who was good at keeping secrets and willing to run away. She promised to become his sex slave and call him Daddy. In exchange, Hopkins promised to take her to Disney World.” However, when Hopkins went to meet Stacy, he found that “Stacy” was actually Scott Driscoll, a police officer assigned to the FBI Innocent Images Task Force who, with the assistance of federal agents, arrested Hopkins. Apuzzo reports, “…the Innocent Images program has become the bureau's second-largest operation, behind only the Sept. 11 terrorism case.”

Kenneth Patterson [6] reports that this fits with what he has seen in his geographic region as well. The Corpus Christi Police Department Computer Crimes Unit reports that 60% of its caseload involves child pornography or crimes against children including aggravated sexual assault. Other frequently occurring cases involve identity theft and tampering with government documents such as fake IDs.

THE DIGITAL TRAIL

Everyone who uses a computer for any purpose leaves a digital trail. This digital trail can reveal many things: what files were accessed, when and by whom; what files were modified, when and by whom; and what Internet sites have been visited, and which of those are stored in cache memory, to name only a few. The operating system creates this trail in part for the purpose of facilitating file access and speeding access to Internet sites often visited. From a purely functional standpoint, such a trail can be a valuable feature.
For example, Web sites stored in local RAM or disk cache eliminate the need to wait for those Web pages to re-download each time the user visits them. Especially where there is a dial-up connection, such functionality saves a great deal of time. However (and often unbeknownst to the user), when a person utilizes a computer to commit a crime, this trail serves another valuable purpose as a pathway to evidence.

Many computer users falsely believe that when they delete a file from their computer, it is gone. However, while various operating systems deal with file deletion in different ways, they generally delete only the reference to the file and not the actual file itself. For example, in Microsoft FAT file systems, when a file is deleted, the operating system simply replaces the first character of the filename with the lowercase sigma character (σ). This tells the operating system that the file is no longer available and that the disk space it once occupied is now unallocated and can receive new data. However, until that file space receives new data and overwrites the old file, the “deleted” file remains exactly as it was except for the first character of the filename. Therefore, when a criminal tries to eliminate evidence from a computer by using a simple file delete, the digital trail remains [4].

In fact, this trail of computer evidence often provides law enforcement with evidence of intent and patterns of criminal behavior in a given case. The existence of such evidence can make a compelling case for conviction, and enhance ultimate sentencing of the perpetrator. Such evidence combined with traditional criminal investigation has helped lock away some very heinous criminals. For example, while executing a search warrant at the home of serial killer John Robinson, authorities recovered the badly decomposed bodies of two of his victims. Additionally, law enforcement officers seized five computers as evidence. The computer evidence showed that Robinson used the Internet to find victims with whom he would set up a meeting, then sexually assault them or kill them. The computer evidence showed something that traditional physical evidence alone could not: the psychopathic and very cunning nature of Robinson. This digital evidence, which included Internet chats and e-mails (some of which were forged by Robinson to allay the fears of his victims’ families), helped to get Robinson sentenced to death [2].

The most infamous mole in FBI history, Robert Hanssen, spying first for the Soviet Union, then for Russia after the Soviet breakup, “hid and encrypted data on floppy disks that he allegedly passed to the KGB, and used handheld devices to communicate with his collaborators.” In one message recovered during the investigation, Hanssen recommends a Palm VII organizer that has wireless Internet capability [2].

FORENSIC EXPLORATORY TECHNIQUES

As noted earlier, the need to conduct computer forensic investigation has driven the production of new and more powerful computer forensic tools for various operating systems. While the list of available tools is lengthy, the available tools divide into two main groups: command-line forensics tools and graphical user interface (GUI) forensics tools. Nelson et al. [4] state that the primary advantages of command-line tools are that they often fit on a floppy disk and use few system resources. However, command-line tools have some limitations: “…they typically cannot search archive files such as Zip (.zip) files or Cabinet (.cab) files.” Additionally, some are limited to MS-DOS FAT file systems.

GUI tools are more user-friendly, and do not require as much specialized knowledge as command-line tools. In fact, some GUI tools have also simplified training for beginning examiners in computer forensics. However, they require more system resources, and they will not fit on a floppy disk [4]. K. Patterson [6] states that the Corpus Christi Police Department generally uses GUI tools, and two in particular: EnCase by Guidance Software, and Forensic Tool Kit by AccessData. He cites another advantage of GUI tools: most of the time, a computer forensics examiner can readily open a suspicious file in another window without closing the GUI tool.

Forensics examiners need to remember that no one tool can do it all. While the ability to access a number of computer forensics tools varies widely depending on the size of the agency (or private-sector entity) and the budget available, a computer forensics examiner should have more than one tool in his tool set [7].
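The FAT deletion behaviour described above under THE DIGITAL TRAIL (first byte of the directory entry overwritten, data clusters left untouched) is exactly what a file-recovery tool looks for. The Python below is an added example, not code from the paper or from any of the tools it names: it parses constructed 8.3 directory entries, flags those whose first byte is 0xE5 (the byte that code page 437 displays as σ), and reads a deleted file's bytes back out of a constructed data region. The cluster size and the assumption that a file's clusters are contiguous (so the FAT chain is not followed) are simplifications chosen for this example; the entry layout itself (name at offsets 0–10, attributes at 11, first-cluster halves at offsets 20 and 26, size at 28) is the standard FAT layout.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32          # one 8.3 directory entry
DELETED_MARKER = 0xE5    # rendered as lowercase sigma in code page 437
END_OF_DIRECTORY = 0x00  # no entries follow this one
ATTR_LONG_NAME = 0x0F    # VFAT long-filename fragment, not a file record
BYTES_PER_CLUSTER = 32   # constructed value; real volumes use 512 bytes to 64 KiB
FIRST_DATA_CLUSTER = 2   # FAT cluster numbering starts at 2


@dataclass
class DirEntry:
    name: str          # 8.3 name; a deleted entry's lost first character is shown as '?'
    deleted: bool
    attributes: int
    first_cluster: int
    size: int


def parse_directory(region: bytes) -> list[DirEntry]:
    """Walk a raw FAT directory region and return both live and deleted 8.3 entries."""
    entries: list[DirEntry] = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        rec = region[off:off + ENTRY_SIZE]
        first = rec[0]
        if first == END_OF_DIRECTORY:
            break
        attrs = rec[11]
        if attrs & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue                      # skip long-name fragments
        deleted = first == DELETED_MARKER
        # Deletion overwrote only byte 0: the other seven name bytes survive.
        base = rec[1:8].decode("ascii", errors="replace").rstrip()
        base = ("?" + base) if deleted else (chr(first) + base)
        ext = rec[8:11].decode("ascii", errors="replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        cluster_hi = struct.unpack_from("<H", rec, 20)[0]   # high half (FAT32)
        cluster_lo = struct.unpack_from("<H", rec, 26)[0]   # low half
        size = struct.unpack_from("<I", rec, 28)[0]
        entries.append(DirEntry(name, deleted, attrs, (cluster_hi << 16) | cluster_lo, size))
    return entries


def carve(data_region: bytes, entry: DirEntry) -> bytes:
    """Read an entry's data back from the data region.
    Assumption for this example: clusters are contiguous, so the FAT chain is not walked."""
    start = (entry.first_cluster - FIRST_DATA_CLUSTER) * BYTES_PER_CLUSTER
    return data_region[start:start + entry.size]


def make_entry(name8: bytes, ext3: bytes, attrs: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build one constructed 8.3 directory entry (timestamps left zero)."""
    rec = bytearray(ENTRY_SIZE)
    rec[0:8] = name8.ljust(8, b" ")
    rec[8:11] = ext3.ljust(3, b" ")
    rec[11] = attrs
    struct.pack_into("<H", rec, 20, cluster >> 16)
    struct.pack_into("<H", rec, 26, cluster & 0xFFFF)
    struct.pack_into("<I", rec, 28, size)
    if deleted:
        rec[0] = DELETED_MARKER       # the only change a simple delete makes
    return bytes(rec)


# Constructed sample: one live file in cluster 2, one "deleted" file in cluster 3.
FILE_A = b"quarterly figures ok"   # 20 bytes
FILE_B = b"draft memo v2"          # 13 bytes
DIRECTORY = (
    make_entry(b"REPORT", b"TXT", 0x20, 2, len(FILE_A))
    + make_entry(b"LEDGER", b"XLS", 0x20, 3, len(FILE_B), deleted=True)
    + bytes(ENTRY_SIZE)            # zero first byte: end of directory
)
DATA_REGION = FILE_A.ljust(BYTES_PER_CLUSTER, b"\0") + FILE_B.ljust(BYTES_PER_CLUSTER, b"\0")


def recover_deleted(directory: bytes, data_region: bytes) -> dict[str, bytes]:
    """Map each deleted entry's (partial) name to the bytes still sitting in its clusters."""
    return {e.name: carve(data_region, e) for e in parse_directory(directory) if e.deleted}


if __name__ == "__main__":
    for e in parse_directory(DIRECTORY):
        print(e)
    print(recover_deleted(DIRECTORY, DATA_REGION))
```

Running the block lists both entries and the recovered bytes of the deleted one. The examiner works from the bit-stream copy, never the original, and the recovery only succeeds while cluster 3 is still unallocated: a new file written there would overwrite the data, which is the "until that file space receives new data" caveat in the text.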


Patterson [6] states that the investigator must avoid altering a suspect disk in any way, since to do so would destroy its evidentiary value. To this end, he recommends the use of write-blocking devices. Since even booting up a computer causes the operating system to make disk writes, the write-blocking device must be attached before the system is powered on. Such write-blocking devices report to the operating system that a disk write succeeded even though it was actually blocked. He goes on to say that the only thing an investigator should do with the original suspect disk is make a bit-stream copy of it, then secure the original in an evidence locker. Any analysis of the files on the disk should be done from the bit-stream copy. With this approach, if anything goes wrong during the analysis, the evidence is still safely stored on the original suspect disk [6].

LACK OF TRAINED PERSONNEL – A MAJOR ISSUE

The challenge for law enforcement investigators and other investigators is to collect and protect digital evidence in such a manner that its evidentiary value is preserved and it is admissible in court. Like the forensics of traditional physical evidence such as fingerprints, bloodstains, dental records, and more recently DNA, digital evidence requires careful collection, chain-of-custody documentation, access management, diligence, and attention to detail. Unlike traditional forensics, however, the forensics of digital evidence requires specialized knowledge of computer technology (both hardware and software), including various operating systems, file storage techniques, and file recovery techniques. Therefore, this represents a major adjustment in some of the procedures followed by law enforcement.
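The acquisition sequence Patterson describes (write blocker attached before power-on, one bit-stream copy, original into the evidence locker, all analysis on the copy) can be shown in code for the copy and verification steps. The Python below is an added example, not code from the paper or from the Corpus Christi Police Department: it images a constructed file block by block, verifies the image byte for byte, and assembles the entry an examiner would attach to the chain-of-custody record. The SHA-256 digest is my addition, the usual way of showing later that an image is exact; the paper itself does not mention hashing. Opening the source read-only in software is not a substitute for the hardware write blocker the text recommends, because the operating system can still write to a mounted disk on its own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # bytes per read; any size works, the copy stays byte-exact


def bitstream_copy(src_path: str, dst_path: str, block_size: int = BLOCK_SIZE) -> tuple[int, str]:
    """Copy every byte of src_path to dst_path, hashing the source as it is read.
    Returns (bytes_copied, sha256_of_source)."""
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_of_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Digest of a file, computed in blocks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copy(src_path: str, dst_path: str, block_size: int = BLOCK_SIZE) -> bool:
    """Independent byte-for-byte comparison of source and image (size first, then contents)."""
    if os.path.getsize(src_path) != os.path.getsize(dst_path):
        return False
    with open(src_path, "rb") as a, open(dst_path, "rb") as b:
        while True:
            x, y = a.read(block_size), b.read(block_size)
            if x != y:
                return False
            if not x:          # both streams exhausted at the same point
                return True


def acquisition_record(src_path: str, dst_path: str, case_id: str, examiner: str) -> dict:
    """Image the source and return the entry an examiner would file with the evidence log."""
    copied, src_hash = bitstream_copy(src_path, dst_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": src_path,
        "image": dst_path,
        "bytes": copied,
        "sha256_source": src_hash,
        "sha256_image": sha256_of_file(dst_path),
        "verified": verify_copy(src_path, dst_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


# Constructed "suspect disk": live data, a region that looks like a FAT-deleted file
# (first byte 0xE5), and an odd total length so the final read is a partial block.
SAMPLE_DISK = (b"ACTIVE FILE: meeting notes\n" * 300
               + b"\xE5ELETED FILE: old draft\n" * 50
               + b"tail")


def demo() -> dict:
    """Acquire the constructed disk, then show that one changed byte in the image is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_disk.bin")
        img = os.path.join(tmp, "suspect_disk.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_DISK)
        record = acquisition_record(src, img, "CASE-0000 (constructed)", "examiner (constructed)")
        record["expected_sha256"] = hashlib.sha256(SAMPLE_DISK).hexdigest()
        with open(img, "r+b") as f:        # simulate the image being altered after acquisition
            f.write(b"X")
        record["verified_after_tamper"] = verify_copy(src, img)
        record["image_hash_after_tamper"] = sha256_of_file(img)
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() shows both outcomes: the fresh image verifies and its digest matches the source, and changing a single byte of the image afterwards makes verify_copy() return False and the image digest diverge. Recording the digest at acquisition time is what lets the examiner demonstrate later that the copy analysed is the one that was made.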
Marc Rogers [8] writes, “The eyewitness of today and tomorrow may be a computer generated ‘log file’.” For law enforcement, the challenge is to find people with these skills and provide them with the tools and up-to-date training they need. The Corpus Christi Police Department, for example, utilizes both sworn and civilian personnel in its Computer Crimes Unit. Such an arrangement takes advantage of the general law enforcement knowledge of sworn officers, provides them with additional computer forensics training, and supplements them with specially trained civilians to assist with their caseload [6].

Rogers and Seigfried [9] conducted a survey to find out the top five issues in the field. Respondents most often cited education, training, and certification. Surprisingly, lack of funding was the least often cited. The main complaint is “…the fragmented nature of the computer forensics discipline. Currently, there is a lack of a national framework for curricula and training development, and no gold standard for professional certification.”

THE CHALLENGE FOR COMPUTER SCIENCE PROGRAMS

The challenge for computer science programs across the country is to meet the critical need for trained personnel in the field of computer forensics. Recent contacts with recruiting groups indicate that computer science majors are the second most sought after graduates by the FBI. The critical needs of the National Security Agency and the Department of Homeland Security in the war against terror have further depleted the availability of graduates for computer forensics positions in law enforcement.

Some universities have responded to the critical need for computer science graduates in forensics by offering one or two courses in the discipline. Others, like West Virginia University, have certificates in computer forensics [11]. The WVU course offerings for the certificate in computer forensics include:

• Introduction to Forensic Computer Science and Security
• Data Forensics
• Intrusions, Security and Network Forensics in Networked Computer Systems
• Introduction to Computer Security Management
• Computer Forensics and the Law

This can serve as a starting point for any university that recognizes the critical need and is willing to respond to the challenge. Tools recommended by Dr. Roy Nutter [5] of WVU are EnCase and Forensic ToolKit (FTK) for Windows and Knoppix for Linux. It is interesting to note that Patterson [6] stated that he uses the two Windows tools for his forensics work. EnCase, the Cadillac of forensics tools, has a variety of functionality, is certified by NIST, and is available at www.encase.com. FTK has excellent capability and is easily downloaded for teaching purposes from www.accessdata.com [5]. Knoppix for Linux is bootable from CD-ROM, has good capability, and is freely available at www.knoppix.com [5]. Many other tools exist that could be included in a forensics course.

FUTURE OF COMPUTER FORENSICS

In a presentation to Carnegie Mellon University’s CyLab Capacity Building Program, Dr. Roy Nutter [5] described the difference between security and forensics. He explained that security involves all the mechanisms and theory designed to protect people and resources, while forensics starts when an incident is reported.
With the ever-growing number of security incidents requiring forensic investigations, there will continue to be a huge demand for graduates of computer science programs with the appropriate computer forensics education. Patterson [6] says the field of computer forensics requires a person able to deal with highly technical subjects, yet articulate enough to explain and describe “unerase” to a jury. He goes on to say that a computer forensics specialist must “have the patience of a wildlife photographer and the literary skills of Mark Twain.” Computer forensics is an exciting field that energizes the students who pursue its study. It behooves all computer science programs to develop one or more related courses to meet the critical demand for professionals in this field.

ACKNOWLEDGEMENT

This work was partially funded by NSF Minority Institutions Infrastructure Program grant #EIA-0330822.


REFERENCES

1. Apuzzo, M., FBI online sex stings winning first convictions, [Electronic Version], USA Today, retrieved on January 25, 2004 from: http://www.usatoday.com/tech/news/2004-01-25-pedo-stings_x.htm
2. Casey, E., & Seglem, K., Introduction, in E. Casey (Ed.), Handbook of Computer Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic Press, 2002.
3. Dale, N., Weems, C., & Headington, M., Programming and Problem Solving with C++, Sudbury, MA: Jones and Bartlett Publishers, 1997.
4. Nelson, B., Phillips, A., Enfinger, F., & Steuart, C., Guide to Computer Forensics and Investigations, Boston, MA: Course Technologies, 2004.
5. Nutter, R., presentation to CMU’s CyLab Faculty Capacity Building Program, Carnegie Mellon University, July 2004.
6. Patterson, K., Corpus Christi Police Department Computer Crimes Unit, personal interview, February 20, 2004.
7. Patzakis, J., The EnCase process, in E. Casey (Ed.), Handbook of Computer Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic Press, 2002.
8. Rogers, M., The role of criminal profiling in the computer forensics process, Computers & Security, May 2003, Vol. 22, Issue 4, 292-298. Retrieved April 12, 2004 from Science Direct.
9. Rogers, M., & Seigfried, K., The future of computer forensics: a needs analysis survey, Computers & Security, February 2004, Vol. 23, Issue 1, 12-16. Retrieved April 12, 2004 from Science Direct.
10. Sullivan, L., FBI ties Internet scam increase to organized crime, and terrorist sympathizers, The Detroit News, February 14, 2004, retrieved April 13, 2004, from http://www.detnews.com/2004/technology/0402/14/technology-63815.htm
11. West Virginia University, Certificate in Computer Forensics, site http://www.lcsee.cemr.wvu.edu/forensics/index.php visited on September 20, 2004.
12. Williams, P., Organized crime and cyber-crime: Implications for business, retrieved April 16, 2004, from Carnegie Mellon University CERT® Coordination Center Web site, http://www.cert.org/archive/pdf/cybercrime-business.pdf
