SCIENCE PROGRAMS*
ABSTRACT
The number of computer security incidents is growing exponentially and
society’s collective ability to respond to this crisis is constrained by the lack
of trained professionals. The field of computer forensics is relatively new and
this paper describes the discipline, its development, and critical issues
associated with its practice. The increased use of the Internet and computer
technology to commit crimes indicates an abuse of new developments that
requires a response by those involved in law enforcement. Cyber crimes and
many child-related sex crimes leave clear digital evidence that must be
investigated by those who are trained in computer forensics. University
computer science programs are perfectly suited to respond to this crisis. With
minor changes, computer science programs can address the growing demand
for forensics professionals.
INTRODUCTION
Mention computer forensics to people outside the law enforcement or corporate
security arena, and many will conclude that the subject under discussion covers the use
of computers to catalog traditional physical evidence, including such things as fingerprint,
dental, and DNA evidence. Indeed, computer technology has revolutionized the storage
of and access to such vital evidence. Such computer technology enables rapid access to
fingerprint information for law enforcement agencies. However, the field of computer
forensics opens an entirely new area, as computer forensics involves the investigation of
computers themselves for evidence of criminal activity or activity that constitutes a
violation of company policy. According to Nelson, Phillips, Enfinger & Steuart [4],
* Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy
without fee all or part of this material is granted provided that the copies are not made or
distributed for direct commercial advantage, the CCSC copyright notice and the title of the
publication and its date appear, and notice is given that copying is by permission of the
Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a
fee and/or specific permission.
315
JCSC 20, 4 (April 2005)
computer forensics investigates data that can be retrieved from memory, hard disks, or
other storage devices such as CD-ROMs, digital memory cards, etc.
CCSC: South Central Conference
children using the Internet, this statistic reveals that a staggering 4.52 million children
have potentially received such sexual solicitations.
Law enforcement has not been standing idly by. A number of agencies have set up
sting operations to catch Internet pedophiles. Apuzzo [1] relates the story of 31-year-old
Eric Hopkins who went into Internet chat rooms trying to find a middle school aged
girlfriend and met a 13-year-old named Stacy. “Stacy was an obedient Connecticut
13-year-old who was good at keeping secrets and willing to run away. She promised to
become his sex slave and call him Daddy. In exchange, Hopkins promised to take her to
Disney World.” However, when Hopkins went to meet Stacy, he found that “Stacy” was
actually Scott Driscoll, a police officer assigned to the FBI Innocent Images Task Force
who, with the assistance of federal agents, arrested Hopkins. Apuzzo reports, “…the
Innocent Images program has become the bureau's second-largest operation, behind only
the Sept. 11 terrorism case.”
Kenneth Patterson [6] reports that this fits with what he has seen in his geographic
region as well. The Corpus Christi Police Department Computer Crimes Unit reports that
60% of its caseload involves child pornography or crimes against children including
aggravated sexual assault. Other frequently occurring cases involve identity theft and
tampering with government documents, such as fake IDs.
such evidence can make a compelling case for conviction, and enhance ultimate
sentencing of the perpetrator. Such evidence combined with traditional criminal
investigation has helped lock away some very heinous criminals.
For example, while executing a search warrant at the home of serial killer John
Robinson, authorities recovered the badly decomposed bodies of two of his victims.
Additionally, law enforcement officers seized five computers as evidence. The computer
evidence showed that Robinson used the Internet to find victims with whom he would set
up a meeting, then sexually assault them or kill them. The computer evidence showed
something that traditional physical evidence alone could not—the psychopathic and very
cunning nature of Robinson. This digital evidence, which included Internet chats and e-mails
(some of which were forged by Robinson to allay the fears of his victims’ families),
helped to get Robinson sentenced to death. [2]
The most infamous mole in FBI history, Robert Hanssen, spying first for the Soviet
Union and then for Russia after the Soviet breakup, “hid and encrypted data on floppy disks
that he allegedly passed to the KGB, and used handheld devices to communicate with his
collaborators.” In one message recovered during the investigation, Hanssen recommends
a Palm VII organizer that has wireless Internet capability. [2]
Patterson [6] states that the investigator must avoid altering a suspect disk in any
way, since to do so would destroy its evidentiary value. To this end, he recommends the use
of write-blocking devices. Since even booting up a computer causes the operating system
to make disk writes, the write-blocking device must be attached before the system is
powered on. Such write-blocking devices report to the operating system that
the disk write succeeded even though it was actually blocked.
He goes on to say that the only thing an investigator should do with the original
suspect disk is make a bit-stream copy of that disk, then secure the original suspect disk
in an evidence locker. Any analysis of the files on the disk should be done from the
bit-stream copy. With this approach, if anything goes wrong during the analysis, the
evidence is still safely stored on the original suspect disk. [6]
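The write-blocking and bit-stream-copy procedure described above, modelled in an added Python example that is not from the paper or from Patterson: a simulated disk behind a write blocker reports writes as successful without applying them, the image is taken sector by sector through read-only access, and SHA-256 hashes (standard practice, though not mentioned in the paper) confirm that the image matches the disk and that the original is unchanged after analysis. The disk contents, class and function names are constructed for the illustration.

```python
import hashlib

SECTOR = 512  # classic sector size; imaging and hashing proceed sector by sector

class WriteBlockedDisk:
    """Simulated suspect disk behind a write blocker (a model, not real hardware):
    reads pass through, writes report success to the caller but change nothing."""
    def __init__(self, image: bytes):
        self._data = bytes(image)
        self.blocked_writes = 0
    def size(self) -> int:
        return len(self._data)
    def read(self, offset: int, length: int) -> bytes:
        return self._data[offset:offset + length]
    def write(self, offset: int, data: bytes) -> int:
        self.blocked_writes += 1
        return len(data)  # "written" as far as the OS can tell; nothing was changed

def disk_hash(disk: WriteBlockedDisk) -> str:
    h = hashlib.sha256()
    for off in range(0, disk.size(), SECTOR):
        h.update(disk.read(off, SECTOR))
    return h.hexdigest()

def simulated_boot(disk: WriteBlockedDisk) -> None:
    disk.write(0, b"mount-count+1")  # the kind of housekeeping write an OS makes on boot

def bitstream_copy(disk: WriteBlockedDisk) -> bytearray:
    image = bytearray()
    for off in range(0, disk.size(), SECTOR):
        image += disk.read(off, SECTOR)
    return image

def acquire(disk: WriteBlockedDisk) -> dict:
    before = disk_hash(disk)          # hash the suspect disk before anything else
    simulated_boot(disk)              # harmless only because the blocker is in place
    image = bitstream_copy(disk)
    return {"original_unchanged": disk_hash(disk) == before,
            "image_verified": hashlib.sha256(image).hexdigest() == before,
            "blocked_writes": disk.blocked_writes, "image": image}

def demo() -> dict:
    # Constructed two-sector sample disk: a boot sector, then a file fragment.
    raw = b"BOOTSECTOR" + b"\x00" * 502 + b"chat transcript" + b"\x00" * 497
    disk = WriteBlockedDisk(raw)
    result = acquire(disk)
    # All analysis happens on the copy; a slip here damages only the image.
    result["keyword_offset"] = result["image"].find(b"chat transcript")
    result["image"][0:4] = b"XXXX"
    result["original_still_unchanged"] = disk_hash(disk) == hashlib.sha256(raw).hexdigest()
    return result
```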
Department of Homeland Security in the war against terror have further depleted the
availability of graduates for computer forensics positions in law enforcement.
Some universities have responded to the critical need for computer science
graduates in forensics by offering one or two courses in the discipline. Others, like West
Virginia University, offer certificates in computer forensics [11]. The WVU course
offerings for the certificate in computer forensics include:
• Introduction to Forensic Computer Science and Security
• Data Forensics
• Intrusions, Security and Network Forensics in Networked Computer Systems
• Introduction to Computer Security Management
• Computer Forensics and the Law
This can serve as a starting point for any university that recognizes the critical need
and is willing to respond to the challenge.
Tools recommended by Dr. Roy Nutter [5] of WVU are EnCase and Forensic
ToolKit (FTK) for Windows and Knoppix for Linux. It is interesting to note that
Patterson [6] stated that he uses the two Windows tools for his forensics work. EnCase,
the Cadillac of forensics tools, has a wide range of functionality, is certified by NIST, and is
available at www.encase.com. FTK has excellent capability and is easily downloaded for
teaching purposes from www.accessdata.com [5]. Knoppix for Linux is bootable from
CD-ROM, has good capability, and is freely available at www.knoppix.com [5]. Many
other tools exist that could be included in a forensics course.
ACKNOWLEDGEMENT
This work was partially funded by NSF Minority Institutions Infrastructure Program
grant #EIA-0330822.
REFERENCES
1. Apuzzo, M., FBI online sex stings winning first convictions, [Electronic
Version], USA Today, retrieved on January 25, 2004 from:
http://www.usatoday.com/tech/news/2004-01-25-pedo-stings_x.htm
2. Casey, E., & Seglem, K., Introduction, in E. Casey (Ed), Handbook of Computer
Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic
Press, 2002.
3. Dale, N., Weems, C., & Headington, M., Programming and Problem Solving with
C++, Sudbury, MA, Jones and Bartlett Publishers, 1997.
4. Nelson B., Phillips, A., Enfinger, F., & Steuart, C., Guide to Computer Forensics
and Investigations, Boston, MA, Course Technologies, 2004.
5. Nutter, Roy, presentation to CMU’s CyLab Faculty Capacity Building Program,
Carnegie Mellon University, July 2004.
6. Patterson, K., Corpus Christi Police Department Computer Crimes Unit, personal
interview, February 20, 2004.
7. Patzakis, J., The encase process, in E. Casey (Ed.), Handbook of Computer Crime
Investigation: Forensic Tools and Technology, San Diego, CA, Academic Press,
2002.
8. Rogers, M., The role of criminal profiling in the computer forensics process,
Computers & Security, May 2003, Vol. 22 Issue 4, 292-298. Retrieved April 12,
2004 from Science Direct.
9. Rogers, M., Seigfried, K., The future of computer forensics: a needs analysis survey,
Computers & Security, February 2004, Vol. 23, Issue 1, 12-16. Retrieved April 12,
2004 from Science Direct.
10. Sullivan, L., FBI ties Internet scam increase to organized crime, and terrorist
sympathizers, The Detroit News, February 14, 2004, retrieved April 13, 2004, from
http://www.detnews.com/2004/technology/0402/14/technology-63815.htm
11. West Virginia University, Certificate in Computer Forensics, site
http://www.lcsee.cemr.wvu.edu/forensics/index.php visited on September 20, 2004.
12. Williams, P., Organized crime and cyber-crime: Implications for business, retrieved
April 16, 2004, from Carnegie Mellon University CERT® Coordination Center Web
site, http://www.cert.org/archive/pdf/cybercrime-business.pdf