January 2008 — Features

CSI: Hard Drive

Quick Tip

Do not surround the computer in question and begin by opening files. On a PC, doing that will change the dates and times on those files, so it's not a forensically sound procedure.

Remember, too, that while today's software outfits have improved their forensic tools to near foolproof standards, it only takes one ill-trained or too-eager human to taint the results. For instance, Harrold has seen a lot of well-meaning principals and technology teachers with a smattering of hardware knowledge surround the computer in question and begin by opening files. "If it's a Windows computer, doing that will change dates, times, and things of that nature on file, so it's not a forensically sound procedure," he says.

Likewise, if you use ordinary data recovery tools for the job—the kind you'd whip out if the school secretary's computer crashed—you ultimately would tamper with modification and access times, which blows your ability to accuse a person of committing an offense on a certain day and time. "If someone's freedom depends upon the veracity of evidence, you certainly don't want to be altering that evidence," Harrold says. "And it's very easy to do accidentally."

Sound procedure requires an IT team to use the software's imaging tool and write-blocking technologies, which prevent anything on the suspect hard drive, dates included, from being written to or changed. The programs automatically create a "bit copy," which is computer-speak for copying every last bit of data off that hard drive from the first sector to the last. That includes deleted files and surfing paths a user can't pull up from his seat at the keyboard. Think of it as taking a microscope to the hard drive.

"The difference between what you see through your Windows Explorer and what you see from computer forensic tools is night and day," says Karney. "The way the operating and file systems work, there's a whole lot of action that goes on underneath."

Or better yet, says Karney, data capture is like ripping out the table of contents and index to a book, leaving you with just the words to navigate blindly—only in this case, the actual information is reported in binary codes of ones and zeros. The software next steps into the gap to serve as an index, grouping deleted files, data in the recycle bin, internet chat streams, deleted web pages, etc. What's missing? "Well," he says, "there's no such thing as a 'go find evidence' button."

Phase 2 of a forensic computer investigation requires a human touch: people thinking logically. If, for instance, a student has been accused of buying guns, the examiner needs to sleuth through the files seeking anything related to guns: brokers, bullets, ammunition, rifles, and so forth. "You have to put yourself in the person's shoes and get a sense of what information they'd need to know more about," Karney says. "At the end of the day, you're trying to prove a point with a very high level of certainty. You're asking skilled questions, which is, frankly, the exciting part of this."
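The two phases described above, the sector-by-sector "bit copy" taken through a read-only path and the examiner's keyword sweep that follows it, can be walked through on a small constructed disk. The script below is an added illustration, not code from T.H.E. Journal or from either expert quoted here. The toy disk layout (a "directory" sector that lists only the live file, a live file, a sector of leftover bytes from a deleted file, and an empty sector), the function names such as `image_device` and `raw_keyword_hits`, and the sample text are all assumptions made for the example; no real filesystem or forensic tool uses this format.

```python
"""Sector-by-sector imaging plus a raw keyword sweep over a constructed toy disk."""
import hashlib
import os
import tempfile

SECTOR = 512  # imaging granularity: every sector is copied, first to last


def build_sample_disk(path):
    """Write a constructed four-sector 'disk' (sample data, not a real filesystem).

    Sector 0: a directory naming only the live file.
    Sector 1: the live file's bytes.
    Sector 2: leftover bytes of a file whose directory entry was deleted.
    Sector 3: never written (all zeros).
    """
    directory = b"DIRECTORY\nreport.txt=1\n"
    live = b"Science fair schedule: booths open at 9am in the gym.\n"
    deleted = b"[deleted] price list: rifles, ammunition, bullets by the case\n"
    sectors = [directory, live, deleted, b""]
    with open(path, "wb") as f:
        for s in sectors:
            f.write(s.ljust(SECTOR, b"\x00"))
    return len(sectors)


def image_device(src, dst):
    """Copy src to dst one sector at a time, hashing every byte as it passes.

    The source is opened O_RDONLY, the software-side counterpart of a hardware
    write blocker: nothing on the evidence drive can be altered by this step.
    Returns (sectors copied, SHA-256 of everything read from the source).
    """
    h = hashlib.sha256()
    copied = 0
    fd = os.open(src, os.O_RDONLY)
    try:
        with open(dst, "wb") as out:
            while True:
                chunk = os.read(fd, SECTOR)
                if not chunk:
                    break
                h.update(chunk)
                out.write(chunk)
                copied += 1
    finally:
        os.close(fd)
    return copied, h.hexdigest()


def sha256_file(path):
    """Independent hash of the finished image, used to verify the copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def visible_files(image):
    """What a file browser would show: only the names the directory sector lists."""
    lines = image[:SECTOR].rstrip(b"\x00").decode().splitlines()[1:]
    files = {}
    for line in lines:
        name, sector = line.split("=")
        start = int(sector) * SECTOR
        files[name] = image[start:start + SECTOR].rstrip(b"\x00")
    return files


def raw_keyword_hits(image, keywords):
    """Phase 2: sweep every byte of the image, including sectors no directory
    entry points to, and report (keyword, byte offset, sector index) per hit."""
    hits = []
    for kw in keywords:
        needle = kw.encode()
        start = 0
        while True:
            off = image.find(needle, start)
            if off < 0:
                break
            hits.append((kw, off, off // SECTOR))
            start = off + 1
    return hits


def run_demo():
    """Build the toy disk, image it, verify the image, then compare the
    browser's view of it with the raw keyword sweep."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.dd")
        dst = os.path.join(d, "suspect.img")
        build_sample_disk(src)
        sectors, src_hash = image_device(src, dst)
        with open(dst, "rb") as f:
            image = f.read()
        return {
            "sectors": sectors,
            "verified": src_hash == sha256_file(dst),
            "visible": sorted(visible_files(image)),
            "hits": raw_keyword_hits(image, ["rifles", "ammunition", "bullets"]),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the gap Karney describes: the directory view reports only `report.txt`, while the raw sweep turns up all three keywords in sector 2, the space no directory entry points to. The hash comparison after imaging is the check a practitioner would add so that the copy, not the original drive, is what gets examined and so that any later dispute about the copy's integrity can be settled.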

But because a positive outcome does require such precise questioning, Karney says he has found standard, scheduled computer-checking policies to be pointless. You could easily miss sexual harassment because you were scouring specifically for pornography, and meanwhile nobody noticed that the computer was being used to post speeches of support on terrorist web pages.