COMPUTER FORENSICS – A CRITICAL NEED IN COMPUTER SCIENCE PROGRAMS*

John D. Fernandez, Stephen Smith, Mario Garcia, and Dulal Kar


Texas A&M University – Corpus Christi, 6300 Ocean Drive #5825,
Corpus Christi, TX 78412

ABSTRACT
The number of computer security incidents is growing exponentially and
society’s collective ability to respond to this crisis is constrained by the lack
of trained professionals. The field of computer forensics is relatively new and
this paper describes the discipline, its development, and critical issues
associated with its practice. The increased use of the Internet and computer
technology to commit crimes indicates an abuse of new developments that
requires a response by those involved in law enforcement. Cyber crimes and
many child-related sex crimes leave clear digital evidence that must be
investigated by those who are trained in computer forensics. University
computer science programs are perfectly suited to respond to this crisis. With
minor changes, computer science programs can address the growing demand
for forensics professionals.

INTRODUCTION
Mention computer forensics to people outside the law enforcement or corporate
security arena, and many will conclude that the subject under discussion covers the use
of computers to catalog traditional physical evidence, including such things as fingerprint,
dental, and DNA evidence. Indeed, computer technology has revolutionized the storage
of and access to such vital evidence. Such computer technology enables rapid access to
fingerprint information for law enforcement agencies. However, the field of computer
forensics opens an entirely new area, as computer forensics involves the investigation of
computers themselves for evidence of criminal activity or activity that constitutes a
violation of company policy. According to Nelson, Phillips, Enfinger & Steuart [4],
computer forensics investigates data that can be retrieved from memory, hard disk or
other storage devices, such as CD-ROMs, digital memory cards, etc.

* Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy
without fee all or part of this material is granted provided that the copies are not made or
distributed for direct commercial advantage, the CCSC copyright notice and the title of the
publication and its date appear, and notice is given that copying is by permission of the
Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a
fee and/or specific permission.

315
JCSC 20, 4 (April 2005)

DEVELOPMENT OF COMPUTER FORENSICS


Almost as soon as any new technology becomes available, people find a way to
abuse it. Computers and the Internet are no exception. In the 1970’s when computers
were still the domain of large business enterprises, unscrupulous programmers in the
banking industry wrote subroutines in programs that would transfer small fractions of a
penny into their accounts. Dale, Weems, and Headington [3] note one particular case
where a bank audit
…turned up a mysterious account with a large amount of money in it… The
bank computed interest on its accounts to a precision of a tenth of a cent. The
tenths of a cent were not added to the customers’ accounts, so the programmer
had the extra tenths for all the accounts summed and added into an account in
his name.
In large financial institutions with many clients, this new method of embezzlement
resulted in substantial losses. Indeed, when investigating computer related crimes as in
so many other crimes, the operative philosophy is often, “Follow the money.” Greed is
still a large motivating factor for many cyber crimes.
Since computers and the Internet can facilitate the commission of crime, it makes
sense that law enforcement must come up with ways to investigate such computer-related
crimes. It is precisely at this point that computer forensics enters the picture. Patterson
[6] points out that while courts consider computer evidence to be physical evidence, it is
unlike most other types of physical evidence. A witness cannot show a jury the contents
of a disk drive by holding the physical disk drive up in front of them. The evidence must
be extracted in a way that preserves its evidentiary value, yet enables the court to see
exactly what is on that drive. Law enforcement requires reliable methods to extract such
evidence in a way that will pass muster with the courts.
During the 1980’s, government agencies developed and utilized the first computer
forensics tools, and perhaps the first U.S. agency to use such tools was the IRS. At first,
these agencies designed forensics tools to meet their own specific needs and placed little
or no emphasis on whether or how they might be utilized by other agencies, let alone the
private sector. However, in the mid 1980s, two commercially available software tools
emerged: X-Tree Gold and Norton Disk Edit. Although not designed as computer
forensics tools, per se, both products could recognize and recover lost or deleted files
(key requirements of forensics tools), and were available to the public. [4]
In the early 1990’s new tools that were more specialized began to appear, and the
need for investigators who understood computer data storage rapidly increased. One of
the results of this need was the creation of specialized organizations such as the
International Association of Computer Investigative Specialists (IACIS). Such groups
offer training on computer forensics tools available to law enforcement investigators.

316
CCSC: South Central Conference

CYBER FRAUD – A SIGNIFICANT FINANCIAL IMPACT


The growing use of computers to commit fraud is a great concern to the FBI. The
FBI reports that organized crime and even terrorist groups increasingly use Internet fraud,
once the domain of a few hackers. One of their tactics involves “phishing” in which a
perpetrator sends an e-mail purporting to be from the victim’s Internet service provider,
bank, or other company with whom the victim does business. The e-mail asks the victim
to update his account information. Sullivan [10] quotes FBI sources:
The e-mails, which ask people to “update” their personal information -- Social
Security numbers, dates of birth, passwords and the like -- or tell a
well-concocted tale meant to trick people into divulging their credit card and
bank account numbers, now comprise more than half of the 15,000 monthly
citizen complaints filed to the FBI’s Internet crime center.
When the victim complies with the request, he will have unwittingly sent his personal
information to a criminal. Especially troubling is the fact that terrorists are using this
technique more frequently. Sullivan [10] continues:
Officials believe crime syndicates -- especially in Russia and the former Soviet
bloc -- have begun to realize how much money they can make with little or no
overhead. They also believe terrorist sympathizers, possibly operating out of
Africa and the Middle East, have also begun using phishing schemes to steal
identities and make fast cash after being shut out by counterterrorism measures
from their traditional avenues of funding such as bogus charities.
Phil Williams [12] of Carnegie Mellon University’s CERT Coordination Center
cites seven trends of which businesses should be aware. Among these are organized
crime involvement in using the Internet for major fraud and theft activities, white collar
crimes including “pump and dump” stock schemes, traditional mob activities conducted
via the Internet (such as cyber-extortion and money laundering), and the adaptation of
nuisance tools such as viruses for even more serious criminal acts including theft and
embezzlement. Williams cites, as an example of the latter, a case occurring in 2000
where perpetrators who remain unknown created a variation of the Love Letter worm and
used it in an attempt to gain access to Swiss and American bank accounts.

CHILD-RELATED SEX CRIMES – A SIGNIFICANT SOCIETAL ISSUE


If financial crimes were the only computer related crimes law enforcement had to
investigate, the task would be difficult enough. Unfortunately, this is not the case. Many
computer crimes involve the most vulnerable among us: children.
Exploitation of children, sexual and otherwise, did not begin with the invention of
computers or the Internet. However, the Internet has facilitated communication between
individuals with an interest in exploiting children, resulting in the transmission of child
pornography among pedophiles, transmission of pornography to children themselves, and
worse, setting up meetings between pedophiles and their intended victims. According to
the National Center for Missing and Exploited Children, “one in five children (10 to 17
years old) receives unwanted sexual solicitations online.” With an estimated 23,810,000
children using the Internet, this statistic reveals that a staggering 4.52 million children
have potentially received such sexual solicitations.
Law enforcement has not been standing idly by. A number of agencies have set up
sting operations to catch Internet pedophiles. Apuzzo [1] relates the story of 31-year-old
Eric Hopkins who went into Internet chat rooms trying to find a middle-school-aged
girlfriend and met a 13-year-old named Stacy. “Stacy was an obedient Connecticut
13-year-old who was good at keeping secrets and willing to run away. She promised to
become his sex slave and call him Daddy. In exchange, Hopkins promised to take her to
Disney World.” However, when Hopkins went to meet Stacy, he found that “Stacy” was
actually Scott Driscoll, a police officer assigned to the FBI Innocent Images Task Force
who, with the assistance of federal agents, arrested Hopkins. Apuzzo reports, “…the
Innocent Images program has become the bureau's second-largest operation, behind only
the Sept. 11 terrorism case.”
Kenneth Patterson [6] reports that this fits with what he has seen in his geographic
region as well. The Corpus Christi Police Department Computer Crimes Unit reports that
60% of its caseload involves child pornography or crimes against children including
aggravated sexual assault. Other frequently occurring cases involve identity theft, and
tampering with government documents such as fake IDs.

THE DIGITAL TRAIL


Everyone who uses a computer for any purpose leaves a digital trail. This digital
trail can reveal many things: what files were accessed, when and by whom; what files
were modified, when and by whom; and what Internet sites have been visited, and which
of those are stored in cache memory to name only a few. The operating system creates
this trail in part for the purpose of facilitating file access and speeding access to Internet
sites often visited. From a purely functional standpoint, such a trail can be a valuable
feature. For example, Web sites stored in local RAM or disk cache eliminate the need to
wait for those Web pages to re-download each time the user visits them. Especially
where there is a dial-up connection, such functionality saves a great deal of time.
However (and often unbeknownst to the user), when a person utilizes a computer to
commit a crime, this trail serves another valuable purpose as a pathway to evidence.
Many computer users falsely believe that when they delete a file from their
computer, it is gone. However, while various operating systems deal with file deletion
in different ways, they generally delete only the reference to the file and not the actual file
itself. For example, in Microsoft FAT file systems, when a file is deleted, the operating
system simply replaces the first character of the filename with the lowercase sigma
character (σ). This tells the operating system that the file is no longer available and the
disk space it once occupied is now unallocated and can receive new data. However, until
that file space receives new data and overwrites the old file, the “deleted” file remains
exactly as it was except for the first character of the filename. Therefore when a criminal
tries to eliminate evidence from a computer by using a simple file delete, the digital trail
remains. [4]
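The FAT deletion behaviour described above, as an added example that is not part of the paper: a small parser walks a constructed FAT12/16 directory region, keeps the entries whose first byte is 0xE5 (the sigma marker) instead of skipping them, and reads the still-present file bytes from the data region. The helper names, the sample directory and the sample data are this example's own constructions.

```python
"""
Added example (not from the paper): parse a FAT 8.3 directory region and list
live and deleted entries. When FAT deletes a file, only the first byte of the
32-byte directory entry is overwritten with 0xE5 (the lowercase sigma in code
page 437); start cluster, size and the data clusters stay in place until
reused, so the "deleted" file can still be located. All bytes below are
constructed for this example.
"""
import struct
from dataclasses import dataclass

DELETED_MARKER = 0xE5      # first byte of a deleted FAT directory entry
ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F      # VFAT long-name entries are skipped here
CLUSTER_BYTES = 512        # constructed volume: one 512-byte sector per cluster

@dataclass
class DirEntry:
    name: str
    deleted: bool
    start_cluster: int
    size: int

def make_entry(name8: bytes, ext3: bytes, attr: int, cluster: int, size: int) -> bytes:
    """Build a 32-byte FAT12/16 short-name entry: name(8) ext(3) attr(1),
    14 bytes of timestamp/reserved fields (zeroed), cluster low word, size."""
    assert len(name8) == 8 and len(ext3) == 3
    return name8 + ext3 + bytes([attr]) + b"\x00" * 14 + struct.pack("<HI", cluster, size)

def parse_directory(region: bytes) -> list:
    """Walk a directory region; deleted entries are kept, not skipped."""
    entries = []
    for off in range(0, len(region), ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if len(raw) < ENTRY_SIZE or raw[0] == 0x00:
            break                                   # 0x00 marks end of the directory
        if raw[11] == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARKER
        name = (b"?" + raw[1:8]) if deleted else raw[0:8]   # first char is lost
        base = name.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        entries.append(DirEntry(f"{base}.{ext}" if ext else base, deleted, cluster, size))
    return entries

def carve(data_region: bytes, entry: DirEntry) -> bytes:
    """Read an entry's bytes, assuming contiguous clusters (typical for small
    files); a full recovery would also follow the FAT cluster chain."""
    start = (entry.start_cluster - 2) * CLUSTER_BYTES   # data region begins at cluster 2
    return data_region[start:start + entry.size]

# Constructed directory: one live file and one file the OS has deleted ("LEDGER.XLS").
SAMPLE_DIR = (
    make_entry(b"REPORT  ", b"TXT", 0x20, 2, 19)
    + make_entry(bytes([DELETED_MARKER]) + b"EDGER  ", b"XLS", 0x20, 3, 11)
    + b"\x00" * ENTRY_SIZE
)
SAMPLE_DATA = (b"quarterly numbers\r\n".ljust(CLUSTER_BYTES, b"\x00")
               + b"hidden ledg".ljust(CLUSTER_BYTES, b"\x00"))

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        tag = "DELETED" if e.deleted else "live   "
        print(f"{tag} {e.name:<12} cluster={e.start_cluster} size={e.size} "
              f"data={carve(SAMPLE_DATA, e)!r}")
```

The first character of a deleted name is shown as "?" because the entry alone no longer holds it; the remaining name, metadata and content are all recovered.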
In fact, this trail of computer evidence often provides law enforcement with
evidence of intent and patterns of criminal behavior in a given case. The existence of
such evidence can make a compelling case for conviction, and enhance ultimate
sentencing of the perpetrator. Such evidence combined with traditional criminal
investigation has helped lock away some very heinous criminals.
For example, while executing a search warrant at the home of serial killer John
Robinson, authorities recovered the badly decomposed bodies of two of his victims.
Additionally, law enforcement officers seized five computers as evidence. The computer
evidence showed that Robinson used the Internet to find victims with whom he would set
up a meeting, then sexually assault them or kill them. The computer evidence showed
something that traditional physical evidence alone could not—the psychopathic and very
cunning nature of Robinson. This digital evidence which included Internet chats, e-mails
(some of which were forged by Robinson to allay the fears of his victims’ families)
helped to get Robinson sentenced to death. [2]
The most infamous mole in FBI history, Robert Hanssen, spying first for the Soviet
Union, then for Russia after the Soviet breakup, “hid and encrypted data on floppy disks
that he allegedly passed to the KGB, and used handheld devices to communicate with his
collaborators.” In one message recovered during the investigation, Hanssen recommends
a Palm VII organizer that has wireless Internet capability. [2]

FORENSIC EXPLORATORY TECHNIQUES


As noted earlier, the need to conduct computer forensic investigation has driven the
production of new and more powerful computer forensic tools for various operating
systems. While the list of available tools is lengthy, the available tools divide into two
main groups: command line forensics tools and graphical user interface (GUI) forensics
tools.
Nelson et al., [4] state that the primary advantages of command-line tools are that
they often fit on a floppy disk and use few system resources. However, command-line
tools have some limitations. “…they typically cannot search archive files such as Zip
(.zip) files or Cabinet (.cab) files.” Additionally, some are limited to MS-DOS FAT file
systems.
GUI tools are more user-friendly, and do not require as much specialized knowledge
as command line tools. In fact, some GUI tools have also simplified training for
beginning examiners in computer forensics. However, they require more system
resources, and they will not fit on a floppy disk. [4]
K. Patterson [6] states that the Corpus Christi Police Department generally uses GUI
tools, and two in particular: EnCase by Guidance Software, and Forensic Tool Kit by
AccessData. He cites another advantage of GUI tools: most of the time, a computer
forensics examiner can readily open a suspicious file in another window without closing
the GUI tool.
Forensics examiners need to remember that no one tool can do it all. While the
ability to access a number of computer forensics tools varies widely depending on the size
of the agency (or private-sector entity) and the budget available, a computer forensics
examiner should have more than one tool in his tool set. [7]
Patterson [6] states that the investigator must avoid altering a suspect disk in any
way. To do so would destroy its evidentiary value. To this end, he recommends the use
of write blocking devices. Since even booting up a computer causes the operating system
to make disk writes, the write-blocking device must be attached before the system is
powered on. Such write-blocking devices send a message to the operating system that
the disk-write was successful even though it was actually blocked.
He goes on to say that the only thing an investigator should do with the original
suspect disk is make a bit-stream copy of that disk, then secure the original suspect disk
in an evidence locker. Any analysis of the files on the disk should be done from the
bit-stream copy. With this approach, if anything goes wrong during the analysis, the
evidence is still safely stored on the original suspect disk. [6]
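The acquisition step Patterson describes, as an added example that is not from the paper or the police department's own procedure: the suspect "device" is opened read-only, streamed once into a bit-stream image, and the hash computed during the read is compared with a hash of the written image, so the copy can be proven identical before analysis and re-checked later. A temporary file stands in for the evidence drive; in practice the read would happen behind a hardware write blocker, and the function names are this example's own.

```python
"""
Added example (not from the paper): make a bit-stream copy of a suspect
"device" and prove the copy is identical before any analysis starts. The
source is opened read-only and streamed once; a hash taken during the read is
compared with a hash of the written image, so a write error or a later change
to the working copy is detectable. A temporary file stands in for the drive.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size

def hash_file(path: str, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:            # read-only: evidence is never opened for writing
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_device(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte; return byte count, source hash and image hash."""
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)                  # hash the bytes as they are read
            fout.write(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())              # make sure the image really reached the disk
    source_hash = h.hexdigest()
    image_hash = hash_file(dst)              # independent re-read of what was written
    return {"bytes": copied, "source_sha256": source_hash,
            "image_sha256": image_hash, "verified": source_hash == image_hash}

def verify_image(dst: str, expected_sha256: str) -> bool:
    """Re-check a working copy against the hash recorded at acquisition time."""
    return hash_file(dst) == expected_sha256

def demo() -> dict:
    """Constructed run: a pseudo-device of random bytes is imaged, verified,
    then one byte of the working copy is flipped to show the check failing."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "suspect.dd"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))   # odd size: not a chunk multiple
        result = image_device(src, dst)
        result["verified_before_tamper"] = verify_image(dst, result["source_sha256"])
        with open(dst, "r+b") as f:                # simulate an accidental write to the copy
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        result["verified_after_tamper"] = verify_image(dst, result["source_sha256"])
        return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```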

LACK OF TRAINED PERSONNEL – A MAJOR ISSUE


The challenge for law enforcement investigators and other investigators is to collect
and protect digital evidence in such a manner that its evidentiary value is preserved and
admissible in court. Like the forensics of traditional physical evidence such as
fingerprints, bloodstains, dental records, and more recently DNA, digital evidence
requires careful collection, chain of custody documentation, access management,
diligence, and attention to detail. Unlike traditional forensics however, the forensics of
digital evidence requires specialized knowledge of computer technology (both hardware
and software), including various operating systems, file storage techniques, and file
recovery techniques. Therefore, this represents a major adjustment in some of the
procedures followed by law enforcement. Marc Rogers [8] writes, “The eyewitness of
today and tomorrow may be a computer generated ‘log file’.”
For law enforcement, the challenge is to find people with these skills, and provide
them with the tools and up-to-date training they need. The Corpus Christi Police
Department, for example, utilizes both sworn and civilian personnel in its Computer
Crimes Unit. Such an arrangement takes advantage of the general law enforcement
knowledge of sworn officers, provides them with additional computer forensics training,
and supplements them with specially trained civilians to assist with their caseload. [6]
Rogers and Siegfried [9] conducted a survey to find out the top five issues in the
field. Respondents most often cited education, training, and certification. Surprisingly,
lack of funding was the least often cited. The main complaint is “…the fragmented
nature of the computer forensics discipline. Currently, there is a lack of a national
framework for curricula and training development, and no gold standard for professional
certification.”

THE CHALLENGE FOR COMPUTER SCIENCE PROGRAMS


The challenge for computer science programs across the country is to meet the
critical need for trained personnel in the field of computer forensics. Recent contacts
with recruiting groups indicate that computer science majors are the second most sought-after
graduates by the FBI. The critical needs of the National Security Agency and the
Department of Homeland Security in the war against terror have further depleted the
availability of graduates for computer forensics positions in law enforcement.
Some universities have responded to the critical need for computer science
graduates in forensics by offering one or two courses in the discipline. Others like West
Virginia University have certificates in computer forensics [11]. The WVU course
offerings for the certificate in computer forensics include:
• Introduction to Forensic Computer Science and Security
• Data Forensics
• Intrusions, Security and Network Forensics in Networked Computer Systems
• Introduction to Computer Security Management
• Computer Forensics and the Law
This can serve as a starting point for any university that recognizes the critical need
and is willing to respond to the challenge.
Tools recommended by Dr. Roy Nutter [5] of WVU are EnCase and Forensic
ToolKit (FTK) for Windows and Knoppix for Linux. It is interesting to note that
Patterson [6] stated that he uses the two Windows tools for his forensics work. EnCase,
the forensics Cadillac tool, has a variety of functionality, is certified by NIST, and is
available at www.encase.com. FTK has excellent capability and is easily downloaded for
teaching purposes from www.accessdata.com [5]. Knoppix for Linux is bootable from
CD-ROM, has good capability, and is freely available at www.knoppix.com [5]. Many
other tools exist that could be included in a forensics course.

FUTURE OF COMPUTER FORENSICS


In a presentation to Carnegie Mellon University’s CyLab Capacity Building
Program, Dr. Roy Nutter [5] described the difference between security and forensics. He
explained that security involves all the mechanisms and theory designed to protect people
and resources while forensics starts when an incident is reported. With the ever growing
number of security incidents requiring forensic investigations, there will continue to be
a huge demand for graduates of computer science programs with the appropriate
computer forensics education.
Patterson [6] says the field of computer forensics requires a person able to deal with
highly technical subjects, yet articulate enough to explain and describe “unerase” to a
jury. He goes on to say that a computer forensics specialist must “have the patience of
a wildlife photographer and the literary skills of Mark Twain.”
Computer forensics is an exciting field that energizes the students who pursue its
study. It behooves all computer science programs to develop one or more related courses
to meet the critical demand for professionals in this field.

ACKNOWLEDGEMENT
This work was partially funded by NSF Minority Institutions Infrastructure Program
grant #EIA-0330822.

REFERENCES
1. Apuzzo, M., FBI online sex stings winning first convictions, [Electronic
Version], USA Today, retrieved on January 25, 2004 from:
http://www.usatoday.com/tech/news/2004-01-25-pedo-stings_x.htm
2. Casey, E., & Seglem, K., Introduction, in E. Casey (Ed), Handbook of Computer
Crime Investigation: Forensic Tools and Technology, San Diego, CA: Academic
Press, 2002.
3. Dale, N., Weems, C., & Headington, M., Programming and Problem Solving with
C++, Sudbury, MA, Jones and Bartlett Publishers, 1997.
4. Nelson B., Phillips, A., Enfinger, F., & Steuart, C., Guide to Computer Forensics
and Investigations, Boston, MA, Course Technologies, 2004.
5. Nutter, Roy, presentation to CMU’s CyLab Faculty Capacity Building Program,
Carnegie Mellon University, July 2004.
6. Patterson, K., Corpus Christi Police Department Computer Crimes Unit, personal
interview, February 20, 2004.
7. Patzakis, J., The encase process, in E. Casey (Ed.), Handbook of Computer Crime
Investigation: Forensic Tools and Technology, San Diego, CA, Academic Press,
2002.
8. Rogers, M., The role of criminal profiling in the computer forensics process,
Computers & Security, May 2003, Vol. 22 Issue 4, 292-298. Retrieved April 12,
2004 from Science Direct.
9. Rogers, M., Seigfried, K., The future of computer forensics: a needs analysis survey,
Computers & Security, February, 2004, Vol 23, Issue 1, 12-16. Retrieved April 12,
2004 from Science Direct.
10. Sullivan, L., FBI ties Internet scam increase to organized crime, and terrorist
sympathizers, The Detroit News, February 14, 2004, retrieved April 13, 2004, from
http://www.detnews.com/2004/technology/0402/14/technology-63815.htm
11. West Virginia University, Certificate in Computer Forensics, site
http://www.lcsee.cemr.wvu.edu/forensics/index.php visited on September 20, 2004.
12. Williams, P., Organized crime and cyber-crime: Implications for business, retrieved
April 16, 2004, from Carnegie Mellon University CERT® Coordination Center Web
site, http://www.cert.org/archive/pdf/cybercrime-business.pdf
