91av

Chasing the elusive shadows of e-crime

How do you catch a criminal if the clues are deleted from their computer? In the virtual world there will always be faint digital fingerprints left behind

JULIAN GREEN thought his PC was possessed. One evening in September 2001, his 7-year-old daughter dashed out of the family computer room in alarm and told him it had started showing her nasty pictures. He found that the computer’s homepage had somehow been reset to a child-porn site. He quickly changed it back, but every couple of days it happened again. At the same time the errant machine started calling his internet service provider to access the site of its own accord.

In desperation, Green called in a computer consultant he found in the local yellow pages. The consultant was equally baffled by the problem and jokingly put it down to “demonic possession”. Eventually, by reloading some software, Green managed to make the porn go away, but the computer was still prone to strange behaviour and unprompted dialling.

Then, just when Green thought the worst was over, things got considerably worse. In October 2002, police raided his home in Torquay in the UK and found 172 images of child pornography on his computer’s hard disc. He was arrested, and his life started to fall apart.

Green was detained for more than three months awaiting trial, charged with possession of child pornography. During this time he also lost custody of his daughter and faced the awful prospect of 10 years in jail. “I thought, ‘Oh Christ’,” Green recalls. “I had no explanation for how they had got there and I just couldn’t see how I could explain it. Throughout the ordeal he protested his innocence: “It’s not innocent until proven guilty. It’s the other way round with this sort of thing,” he says.

Finding out the truth in cases of computer crime is not easy. The anonymity of the internet provides new opportunities for criminals to disguise their identity – not just child pornographers, but fraudsters and even terrorists. In their constant battle to defeat the criminals, police are turning to computer forensics. The tools and techniques they use are derived from programs used to debug hardware and software.

The evidence they need can either be found in analysis of network activity or of the hard drive of a suspect computer. “Computers tell a very good story about an individual,” says Martin Gibbs, a computer forensics consultant with Vogon International, a UK data recovery and computer forensics company based in Bicester, Oxfordshire. Simply by looking at files and folders, bookmarks and programs, Gibbs says, “you can get a good idea of the type of person you are dealing with, what their interests are and what their level of technical knowledge is”.

The hard disc is examined using a program that enables an investigator to pick through data on it with the digital equivalent of a fine-tooth comb. Every portion of the drive is examined, from programs, folders and files all the way to the individual bits stored on each segment of the disc.

The first step in an investigation of a hard disc is to make a duplicate of it as soon as the computer has been confiscated. The contents of the drive can then be analysed on this working copy without investigators having to lay a finger on the original evidence. The computer’s read-only memory is also recorded as is the machine’s internal clock setting, which will provide a vital reference to when information was recorded to the disc.

To ensure that no new information is added to the working copy, the software used to analyse its contents automatically “signs” it before the analysis begins and again each time a change is made. And each investigator working on the disc has a unique “signature”, so a complete audit trail will be available to the courts. If the disc has been tampered with, the signature system will show a mismatch with the original, and the evidence will be identified as suspect.

In Green’s case, this process was part of the routine procedure. Gibbs was brought in to analyse the machine for the defence. He knew very little more about the case other than that the police had found a large number of illegal images on the hard drive. He found new evidence that the police had missed, and quickly realised that they might have made a serious mistake.

Buried deep within the computer’s file structure Gibbs saw a number of programs that should never have been there. He found 11 “Trojans” – software named after the fabled horse used by the Greeks to infiltrate Troy – hidden on Green’s machine. Trojans are commonly used by hackers to gain remote control of a computer, and analysis revealed that they had been designed to automatically access the child-porn sites that had appeared on Green’s machine.

In this case Gibbs found the evidence quickly because the Trojans had not been deleted from the disc. In some cases, however, evidence is deliberately deleted to hide a perpetrator’s tracks although an experienced investigator can often recover deleted information and examine it for clues too. This apparently impossible trick relies on the way computer discs store and delete information.

As a file is created and information added to it, the data is magnetically written to the surface of the disc in the form of 1s and 0s within a “block” – a segment on the disc’s surface. Once a block is full, the computer moves to another block, which may be anywhere else on the disc.

When that file is later deleted and the recycle bin emptied, the data on the surface of the disc is marked as fit for overwriting with new information, but the information is not removed. Unless new data has been written to every segment of the disc used for the old file, fragments may still lurk, allowing them to be pieced together so that part or all of the original is reconstructed.

“You can get not just the files but the underlying structure of the disc too,” says Neil Barrett, a visiting professor of computer criminology at Cranfield University, Wiltshire, in the UK. “It might be part of a web browser cookie showing that someone has visited a particular site, for example. In quite a few cases, what is left in those segments is evidence that we can use.”

In Green’s case evidence was forthcoming. But what if someone used commonly available software to deliberately blank files when deleting them? Gibbs’s technique would have failed.

Nevertheless, blocks blanked by software designed to write several iterations of garbage over a file’s exact location, still offer some limited information. For example, they indicate which files have been tampered with and blanked, which, if nothing else, can suggest the owner had something to hide.

But in the last couple of years hackers have gone even further by developing “anti-forensics” software designed specifically to defeat efforts to analyse a computer for evidence of illegal activity. In July 2002 for example, a software package called The Defiler’s Toolkit was released anonymously on the web. It is designed to confuse forensic analysis of a system after a remote break-in by keeping track of all changed data and automatically overwriting it with random bits. Other tools have appeared since then. Eoghan Casey, editor in chief of the journal Digital Investigation, says this is a worrying trend. “These tools are specifically targeted at undermining the tools that investigators use,” he says.

But some researchers believe they have found a way around this. They exploit the physical characteristics of a hard disc to delve deeper into its past and read ghostly magnetic images of the data that was once stored there, even after it has been wiped with an anti-forensic tool.

The technique, developed by data- recovery experts, is based on the way the hard drive works. Information is stored on a hard drive by passing an electromagnet over the surface of the disc and applying a magnetic field to particular portions, or domains, of the ferromagnetic material coating the surface. Each bit is a 1 or a 0 and is represented by giving collections of atoms in these domains either a north-south or south-north polarity.

The key to the recovery technique lies in the minute alignment errors that a hard disc makes when writing data, called misregistration, but which are ignored in routine reading cycles. Data is written onto the hard disc on concentric tracks within very narrow rings on the surface of the disc platter. In modern drives a data track would be about 400 nanometres wide. Because the track is so narrow, when it is overwritten with new data the equipment is not precise enough to cover the old track perfectly (see Graphic), so slivers of the old track are usually left unchanged around the edges of the new one. The read head on the hard drive is not sensitive enough to pick up this signal under normal operation, so it is ignored.

Chasing the elusive shadows of e-crime

However, data-recovery experts have a trick up their sleeves. Machines called spin stand testers, normally used by hard-drive manufacturers to test their products, allow an operator to steer the read head off its normal course to pick up these slivers of residual information. If enough of them remain, data that a criminal may think was safely deleted can be reconstructed.

“We have recovered names, telephone numbers and credit card details from a machine belonging to a suspected Irish terrorist using this technique,” says Gordon Stevenson of Vogon. But he also points out that recovery is becoming ever more difficult as hard-disc memory increases. “The track width is becoming so narrow these days, it’s very hard to recover any off-track data.” Even when it is possible, built-in compression systems and a range of fancy enhancements that cram more data into the same space make recovering the original files very difficult, he says.

There are, however, some techniques his company can employ to good effect. If a region of a hard disc becomes physically damaged and unusable, say because the computer is knocked or dropped, modern disc controllers automatically mark these areas as unusable and write all the data intended for this region to another, without telling the computer. These sectors are said to be remapped. Over time, abuse of a drive will leave up to 0.5 per cent remapped, Stevenson says. This may sound insignificant, but when the hard drive holds say 100 gigabytes, that will leave 500 megabytes abandoned on the disc. “That’s an awful lot of files and images,” he says.

Stevenson says his company can take a hard drive like this and fool it into reading back the damaged sectors as if they were functioning normally. “You can retrieve all sorts of information that a user would believe has long been lost,” he says. Even if the disc is physically damaged, Vogon has the equipment to separate a disc into its constituent platters and scan each platter individually to recover lost or deleted information.

“Changing things on a computer may look simple, but in reality it’s a nightmare,” Stevenson says. “There are numerous copies kept in back-up tapes and network discs – even some printers contain hard discs – so getting rid of stuff completely is much harder than it seems.”

Back-up tapes are easier to reconstruct than hard discs. Their write heads work in much the same way as on a hard disc, but instead write the data blocks on the long strand of tape. The alignment error can be large, so wide strips of the previous data are often still available after the tape has been overwritten. And deleting information using the drive’s built-in system doesn’t overwrite data, so recovering this data is also a straightforward task, says Stevenson. “We’ve been involved in a Customs and Excise case where an individual had intentionally tried to erase a back-up, but we managed to recover a lot of incriminating information that proved they were involved in tax evasion,” he says.

There are even more advanced ways in which deleted data can be recovered. Romel Gomez of the University of Maryland at College Park has developed a technique he claims can read back data that has been completely overwritten. But instead of looking for traces of the old data peeping out at the sides of the track, Gomez looks for shadows of the data in the magnetic fields that represent the new track.

Suppose a string of 1s has been written onto a blank track on a disc. The bits will be represented by rectangles containing a particular magnetic pattern that represents a 1. Gomez observed a crucial phenomenon: if a pattern of alternating 1s and 0s is written over this track, where a 1 is written over a 1, the strength of magnetic field is slightly increased. On the other hand, where a 0 is written over an initial 1, the magnetic field is flipped and weakened by more than just the normal value for a 0.

Using a magnetic force microscope to measure how much the magnetic field in each bit is out from the average, Gomez has succeeded in reading back a track on which data had been overwritten. “This means that it is not completely safe to reformat your hard disc and expect that all the data cannot be retrieved,” he says. However, he concedes that the process is extremely laborious. “Extracting 1 kilobyte of data per hour is optimistic,” he says.

These techniques are also very expensive, and would probably only be used in cases of national security, says Axel Valentin, a computer forensics expert at the US Department of Defense’s Computer Forensics Laboratory in Linthicum, Maryland. Employing techniques like those used by Gibbs, the 50 examiners that work in his laboratory analyse more than 150 hard discs a month for evidence of child porn, fraud or hacking. “We find information related to the allegation in 95 per cent of cases,” Valentin says. And the times when their analyses fail the disc has often been expertly destroyed. “One suspect microwaved his hard drive to destroy the evidence,” Valentin says. “That data was completely unrecoverable.”

The comparatively conventional analysis Gibb performed on Green’s hard disc led him to concluded that the machine must have been hijacked by a hacker or a virus over the internet and made to download the images without Green’s knowledge. Thanks to Gibbs’s astute detective work, Green’s case never went to trial. “I got quite a clear picture that he hadn’t done it,” Gibbs recalls. “It was certainly rewarding to prove him innocent.”

Topics: Computer crime