Inc.
710 N. Third St., Jacksonville Beach, FL 32250
(904) 568-8927 FAX: (904) 241-0883
Basic Guidelines for Locating Illegal Materials in a Windows-based Machine
1.00 Preface
Analyzing a computer's hard drive is an incredibly time-consuming task. Before you even begin, you must realize that it will be impossible to look at every single section of a hard drive. Even the smallest of hard drives, if put under a complex enough analysis, could easily take thousands of years to complete with exponential-time search algorithms. Knowing this, the searches a basic user will be performing are relatively simple, and should be able to be performed in sequence in about thirty minutes to an hour.
Keep in mind that the average computer criminal is not smart. If a person is hiding information, provided you know what you are looking for, you can find it if you look correctly. The kind of mega-hacking you see in the movies you will probably never stumble across. Even if you did, the people that are smart enough to keep their data hidden are usually also smart enough to have some sort of logic bomb to destroy all the sensitive files, or they simply secure-delete every so often. Do not ever get too hung up on looking for overly complex methods of hiding information. Knowing this, if you believe that the person in question has a very high level of computer and hacking expertise, it may be wise not to use any of these techniques on said computer, and instead recommend a forensic analysis.
Before getting into anything meaningful, one must always bear in mind that the techniques presented in this guide are NOT the same as those used by computer forensics teams. Instead, this guide allows a user that has legal access to a computer to quickly find items of questionable content on it. Upon locating any such content, the inspector should immediately document it, then contact local law enforcement for forensic handling. Once the content is located, all interaction with the computer should immediately cease, so as to comply with proper forensic evidence preservation.
1.01 Basic file search
Windows has a very easy to use interface for searching for files. By clicking on the start menu at the bottom of the screen and then ‘search’, you can specify a search for files by name, type, date accessed, and many other criteria. Most likely your search patterns will be restricted based on the materials you expect to find on the user’s computer, so you can try lots of basic keywords for the file names, like ‘child’, or ‘porn’, etc. The search interface also allows for search based on extensions (or search based on file type), which we will get into later.
When you are performing these searches, it’s important to make the search area as broad as possible, and to also encompass hidden files and folders. This is done simply by clicking on the ‘more advanced options’ tab, and checking ‘search hidden files and folders’. It would also be prudent to select the ‘search system folders’ and ‘search subfolders’ options as well, and ‘search tape backup’ if necessary. Now, to make the search encompass all the hard drives in the computer and any disks/CDs that are in the drives, click the ‘look in’ tab and select ‘my computer’. If the computer is slow, searches might take a bit of time, and the more words you try to search for at once, the longer the search may take. The ‘when was it modified’ option can be of use for making a timeline, but is not considered forensically sound, since anybody with basic hex editing knowledge can change the dates on files easily (for instance, to hinder the search for all files created in the last year, a user could set the created/modified date on all his files to 1975). Try to keep in mind, however, that someone with this expertise will not likely leave any obvious things to find. Successful searches will display in the window, showing a pathname to each file found.
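The same search, keyword on the file name plus a set of extensions, with hidden folders included, written as a small script. This is an added example and not part of the original guide; the walk over a directory tree stands in for the Windows search dialog, the sample files are constructed, and on non-Windows systems a dot-folder is treated as the equivalent of the hidden attribute:

```python
"""Keyword and extension search over a directory tree, hidden files included.

Added example, not from the original guide: os.walk stands in for the
Windows search dialog described above.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Video extensions the guide lists as the main ones of interest.
VIDEO_EXTENSIONS = {".mpg", ".mpeg", ".avi", ".wmv", ".mov", ".rm", ".ram", ".swf"}


def is_hidden(path: Path, root: Path) -> bool:
    """Windows hidden attribute, or (elsewhere) any dot-named path component below root."""
    if sys.platform == "win32":
        return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return any(part.startswith(".") for part in path.relative_to(root).parts)


def search(root, keywords=(), extensions=VIDEO_EXTENSIONS):
    """Return every file under root whose name contains a keyword or whose
    extension is in the set.  Hidden folders are walked like any other,
    which is the 'search hidden files and folders' option of the dialog."""
    root = Path(root)
    wanted = {k.lower() for k in keywords}
    exts = {e.lower() for e in extensions}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            reasons = []
            if any(k in name.lower() for k in wanted):
                reasons.append("keyword")
            if path.suffix.lower() in exts:
                reasons.append("extension")
            if reasons:
                hits.append({
                    "path": path.relative_to(root).as_posix(),
                    "reasons": reasons,
                    "hidden": is_hidden(path, root),
                })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root):
    """Constructed sample tree for trying the search offline (not real data)."""
    root = Path(root)
    files = {
        "holiday.avi": b"RIFF....AVI ",
        "child_photo.jpg": b"\xff\xd8\xff",
        ".private/child.txt": b"note",   # dot-folder: hidden on POSIX systems
        "docs/report.txt": b"text",
        "music/song.mp3": b"ID3",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo(keywords=("child",), extensions=VIDEO_EXTENSIONS):
    """Build the sample tree in a temporary directory, search it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return search(build_sample_tree(tmp), keywords=keywords, extensions=extensions)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Each hit records why it matched, so a keyword hit on a renamed file and an extension hit on an unrenamed one can be told apart when documenting the result.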
1.02 Deleted files
Recovering files that have been deleted from a hard drive can range in difficulty from very easy and enjoyable to actually impossible. To understand this you must understand what happens to files when you delete them. Every file on the hard drive has two parts: the file header information, which contains basic info about the file (name, size, date, etc.), and the actual data in the file. When you delete a file (normally), the data is left intact but marked as free space, and the file header information is marked as free. Now the data section is all still intact, but since it is marked as free space, the computer MAY write different data to those sections, at which point the file truly is lost, even if the file header information is recoverable.
Now that you know how file deletion occurs, it is also important to know that there are many programs for secure deletion on the Internet. Most of these are free, and some are even included in very basic computer suites, such as Norton Systemworks. If a user deletes files with a secure delete program, there is absolutely no way to ever recover these files. The only thing you can do in these cases is note that the user does in fact have software for secure deletion of files. If you want to see the last time the user accessed that program, you can find the last access date by going to the start menu, ‘control panel’, and ‘add or delete programs’. Find the program on the list and it will say the last access time. This, of course, is more meaningful if the utility is solely for secure deletion, and less so if it’s part of a suite such as Norton, since many computer users frequently do virus scans. Not every one of these utilities will be in a popular computer suite; in fact, there are thousands of these utilities online, and almost all are freeware. If you see a program in the ‘add or delete programs’ list that you think may be a secure delete program, use an Internet search engine such as Google to verify this.
Now that you’re completely discouraged from searching for deleted files, know that there are just as many programs for recovering files as there are for deleting them. In fact most of these are also freeware and designed to fit onto a floppy disk or CD, so that you don’t have to write any information onto the suspect computer (and in fact this is the approach you should use). A tool I’ve used with some success can be found at this URL: http://aumha.org/downloads/restoration.exe . Again, this is just one tool available, and there are countless others, both free and commercial, that perform the task just as well. All recovered files will be just as they were before they were deleted, provided no data sections were overwritten. The only exception to this is if the user has a version of Windows installed onto a FAT file system. In this case, the filename will be missing the first letter, but the rest of the filename, info and data will be valid (for instance, a file ‘child.jpg’ would usually be recovered as ‘$hild.jpg’).
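The two points above, that deleting a file frees its header entry while leaving the data in place, and that on FAT the first letter of the name is lost, can be seen directly in the on-disk format. The following is an added example on constructed bytes, not the guide's recovery tool: it builds a tiny FAT-style directory and data area, lists the live and deleted entries, and reads a deleted file's data back. The first-letter placeholder is shown as ‘?’ here where the tool on the page shows ‘$’; the example assumes each file is stored contiguously (one cluster each), so following a real FAT cluster chain is left out:

```python
"""Deleted entries in a FAT directory: the header is marked free, the data stays.

Added example on constructed bytes, not the guide's tool.  Assumes each file
occupies a single, contiguous cluster; real recovery follows the FAT chain.
"""
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5     # first byte of an entry whose file was deleted
END_OF_DIR = 0x00       # first byte of the first never-used entry
ATTR_LONG_NAME = 0x0F   # VFAT long-name entries are not 8.3 entries; skipped here
CLUSTER_SIZE = 512      # one sector per cluster in this constructed image
PLACEHOLDER = "?"       # stands in for the overwritten first character

README_DATA = b"nothing to see"         # constructed file contents
PHOTO_DATA = b"\xff\xd8\xff\xe0photo"   # constructed; starts with the JPEG signature


def make_entry(name, ext, size, first_cluster, deleted=False):
    """Build one 32-byte 8.3 directory entry (constructed sample)."""
    raw_name = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        # Deleting the file overwrites only the first byte of its entry.
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    # attr, NTRes, crtTimeTenth, crtTime, crtDate, lastAccDate,
    # firstClusterHi, wrtTime, wrtDate, firstClusterLo, fileSize
    return raw_name + struct.pack(
        "<BBBHHHHHHHI", 0x20, 0, 0, 0, 0, 0,
        first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size,
    )


def build_sample_image():
    """Directory with one live and one deleted file, plus their data clusters."""
    directory = (
        make_entry("README", "TXT", len(README_DATA), 2)
        + make_entry("CHILD", "JPG", len(PHOTO_DATA), 3, deleted=True)
        + bytes(ENTRY_SIZE)  # end-of-directory marker
    )
    data_area = bytearray(CLUSTER_SIZE * 2)  # clusters 2 and 3
    data_area[0:len(README_DATA)] = README_DATA
    data_area[CLUSTER_SIZE:CLUSTER_SIZE + len(PHOTO_DATA)] = PHOTO_DATA
    return directory, bytes(data_area)


def list_entries(directory):
    """Parse 8.3 entries, live and deleted, up to the end-of-directory marker."""
    entries = []
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if len(raw) < ENTRY_SIZE or raw[0] == END_OF_DIR:
            break
        if raw[11] == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = PLACEHOLDER + base[1:]  # the first character is gone for good
        hi = struct.unpack_from("<H", raw, 20)[0]
        lo = struct.unpack_from("<H", raw, 26)[0]
        size = struct.unpack_from("<I", raw, 28)[0]
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "size": size,
            "first_cluster": (hi << 16) | lo,
        })
    return entries


def recover_contiguous(entry, data_area):
    """Read the file's bytes from the data area; valid while nothing has reused the cluster."""
    start = (entry["first_cluster"] - 2) * CLUSTER_SIZE  # the data area begins at cluster 2
    return data_area[start:start + entry["size"]]


if __name__ == "__main__":
    directory, data = build_sample_image()
    for e in list_entries(directory):
        flag = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<12} {flag:<8} {e['size']:>4} bytes -> {recover_contiguous(e, data)!r}")
```

The deleted entry still carries its size and first cluster, which is why a recovery tool can hand the data back intact; only the first byte of the name was lost when the entry was marked free.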
1.03 File Names and Extensions
In Windows, all file names actually have a ‘.’ and letters after it, so that Windows knows what kind of file it is and how to read said file; for instance .txt is a text file, and .avi is a DivX-encoded video file. The basic perpetrator that is trying to hide data will more than likely try to change the filenames, but not be aware that the file extension remained intact. When you change filenames in Windows this is how it does it, changing only the name, not the extension. Because of this you can be very specific in your searches, as in searching for a file type instead of a name, and in fact these will almost always yield better results than a filename search. There are many video formats; the main ones of interest are mpg, mpeg, avi, wmv, mov, rm, ram, swf. There are actually quite a few more than this, but they are highly unlikely to be seen on an average person’s computer. In your search scope, if you wish to search for a type of file, simply type “*.mov” without the quotes, where mov can be any of the above mentioned formats. Expect to find quite a large number of movie files on any given hard drive, as Windows programs tend to use them for all sorts of things that are not commonly seen.
A much more difficult problem is if the user has the sense to actually change the extension. A person can easily open a command prompt and rename some file, say child.mov to child.txt. Now Windows would interpret the file to be a text file, but the user can easily recover the extension by changing it back to .mov. The problem with finding these files is that, unless the name of the file is particularly indicative, the only way to identify them is with a special program that reads file data header information. These tools are available, but are INCREDIBLY slow, as they have to traverse the entire hard drive once for every file format they are enabled to search for (for our case above, the hard drive would have to be read 8 times; this could take days). A task such as this should not be attempted in a basic search. If this situation is suspected, it is better to refer the materials to a forensics team, as they will have the equipment to make these searches more efficiently.
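The header check described above does not have to cost one pass per format: reading the first few dozen bytes of each file once and testing every known signature against that buffer finds a renamed video or picture in a single pass. The following is an added example, not the guide's tool or any named product; its signature table is a small constructed subset of common formats, and the sample files it scans are constructed too:

```python
"""One-pass check of each file's signature against its extension.

Added example, not the guide's tool.  Reads the first 64 bytes of every file
once and tests all signatures against that buffer.  The signature list is a
small constructed subset of common formats.
"""
import os
import tempfile
from pathlib import Path

HEADER_LEN = 64

# Each entry: label, list of (offset, expected bytes) that must all match,
# and the extensions that are consistent with that content.
SIGNATURES = [
    ("JPEG", [(0, b"\xff\xd8\xff")], {".jpg", ".jpeg"}),
    ("PNG", [(0, b"\x89PNG\r\n\x1a\n")], {".png"}),
    ("GIF", [(0, b"GIF8")], {".gif"}),
    ("AVI", [(0, b"RIFF"), (8, b"AVI ")], {".avi"}),
    ("MPEG program stream", [(0, b"\x00\x00\x01\xba")], {".mpg", ".mpeg"}),
    ("QuickTime/MP4 (ftyp)", [(4, b"ftyp")], {".mov", ".mp4", ".m4v"}),
    ("ASF (WMV/WMA)", [(0, bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"))],
     {".wmv", ".wma", ".asf"}),
    ("RealMedia", [(0, b".RMF")], {".rm", ".rmvb"}),
    ("SWF", [(0, b"FWS")], {".swf"}),
    ("SWF (compressed)", [(0, b"CWS")], {".swf"}),
    ("PDF", [(0, b"%PDF")], {".pdf"}),
    ("ZIP container", [(0, b"PK\x03\x04")], {".zip", ".docx", ".xlsx", ".jar"}),
]


def identify(header):
    """Return (label, extensions) for every signature present in the header buffer."""
    return [(label, exts) for label, checks, exts in SIGNATURES
            if all(header[off:off + len(sig)] == sig for off, sig in checks)]


def check_file(path):
    """Classify one file as match, mismatch or unknown from its first bytes."""
    path = Path(path)
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    found = identify(header)
    if not found:
        return {"path": str(path), "status": "unknown", "detected": []}
    allowed = set().union(*(exts for _, exts in found))
    status = "match" if path.suffix.lower() in allowed else "mismatch"
    return {"path": str(path), "status": status, "detected": [label for label, _ in found]}


def scan_tree(root):
    """Walk root once; return the files whose contents do not fit their extension."""
    root = Path(root)
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = check_file(Path(dirpath, name))
            if result["status"] == "mismatch":
                result["path"] = Path(result["path"]).relative_to(root).as_posix()
                mismatches.append(result)
    return sorted(mismatches, key=lambda r: r["path"])


def build_sample_tree(root):
    """Constructed files: two honest, one renamed video, one renamed picture."""
    root = Path(root)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
        "clip.mov": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 20,
        "notes.txt": b"plain text, no signature",
        "homework.txt": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 20,  # really a QuickTime file
        "recipe.doc": b"\xff\xd8\xff\xe1" + b"\x00" * 20,            # really a JPEG
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return root


def demo():
    """Build the sample tree in a temporary directory and return the mismatches found."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for r in demo():
        print(f"{r['path']}: contents look like {', '.join(r['detected'])}")
```

Files with no recognised signature are reported as unknown rather than flagged, so plain text and unlisted formats do not drown the list; a mismatch is only raised when a signature is present and the extension disagrees with it.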
1.04 Other Hiding Techniques
The only other method of data hiding that will be mentioned in any detail is hidden and unallocated partitions. There are many complicated in-depth ways to check for these, but the easiest way is to compare the BIOS information with the information that Windows reports once the computer is booted. To get to the BIOS, restart the computer, and find the key sequence needed to get into it. Some computers display a key to press to get into “setup”, while many others display nothing. In practice, it’s usually best to just hit all the F1 through F12 keys, as one of them usually ends up being the correct one. Once you get into the BIOS, you will need to locate the user’s hard drives. Every BIOS is a little bit different, but usually you go into some sort of “basic settings” menu screen, and you will see 4 items called primary master, primary slave, secondary master, secondary slave. Here you will see the hard drives, CD drives, etc. The CD ROM drives are easily identifiable, as they almost always say exactly what they are. The hard drives should be the others, and at very minimum (assuming only one hard drive) the primary master must be a hard drive. For all the hard drives, hit enter on them to get information as to how many bytes are on the device. Once you have this, exit and boot into Windows. Once booted, click on “start” and then “my computer”. Here you should see the same hard drives you saw in the BIOS menu, unless one of those drives was partitioned. When you right click on any of the hard drives and click on “properties”, you will get information as to how much free and used space is on that hard drive, in bytes. Basically what you’re doing here is adding those up, and seeing if they match the number of bytes that were reported in the BIOS. Keep in mind, if the BIOS reports in megabytes or gigabytes, you need to convert that to bytes. The conversion is 1024 bytes = 1 kilobyte; 1024 kilobytes = 1 megabyte; 1024 megabytes = 1 gigabyte. So for instance, if the BIOS reported 1 gigabyte, the number of bytes would be 1*1024*1024*1024 = 1073741824 bytes. Now that you’ve done all this adding, compare the numbers. Windows almost always will show the size of the hard drive LESS eight megabytes, so if the BIOS reported a hard drive that was 10 gigabytes, and Windows showed only 8 gigabytes (across all partitions), then it’s possible there are hidden or unallocated partitions, and the computer should be referred for forensic analysis.
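The same comparison, capacity against the sum of the partitions with the eight-megabyte allowance, can be read off the disk's partition table instead of off the screen, and it then also gives the exact unallocated ranges rather than just a shortfall. The following is an added example, not part of the guide: it parses a constructed MBR (four 16-byte entries at offset 446, 512-byte sectors assumed), applies the guide's 1024-per-step unit conversion and 8 MB tolerance, and lists the sector ranges no partition covers:

```python
"""Compare disk capacity with the partition table to spot unallocated space.

Added example, not from the guide.  Parses a (constructed) MBR partition
table; 512-byte sectors are assumed and the 8 MB tolerance is the guide's own
allowance for what Windows normally fails to show.
"""
import struct

SECTOR = 512
MBR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
TOLERANCE_BYTES = 8 * 1024 * 1024

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def to_bytes(value, unit):
    """Convert a BIOS-style figure such as (10, 'GB') to bytes, 1024 per step as in the guide."""
    return int(value * UNITS[unit.upper()])


def make_mbr(partitions):
    """Constructed MBR: partitions is a list of (type, lba_start, sector_count)."""
    mbr = bytearray(MBR_SIZE)
    for i, (ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x00, ptype, lba_start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty primary partition entries of an MBR."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: boot signature missing")
    parts = []
    for i in range(4):
        _status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0x00 or count == 0:
            continue  # empty slot
        parts.append({"slot": i, "type": ptype, "lba_start": lba_start, "sectors": count})
    return parts


def unallocated_ranges(parts, disk_sectors):
    """Sector ranges (start, length) covered by no partition, in disk order."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def needs_referral(mbr, disk_bytes):
    """The guide's rule: allocated space short of capacity by more than 8 MB is suspicious."""
    allocated = sum(p["sectors"] for p in parse_partitions(mbr)) * SECTOR
    return disk_bytes - allocated > TOLERANCE_BYTES


def sample_disk():
    """Constructed 10 GB disk with a single 8 GB partition, leaving about 2 GB unallocated."""
    disk_bytes = to_bytes(10, "GB")
    mbr = make_mbr([(0x07, 63, to_bytes(8, "GB") // SECTOR)])
    return mbr, disk_bytes


if __name__ == "__main__":
    mbr, disk_bytes = sample_disk()
    for start, length in unallocated_ranges(parse_partitions(mbr), disk_bytes // SECTOR):
        print(f"unallocated: sectors {start}-{start + length - 1} "
              f"({length * SECTOR / UNITS['MB']:.1f} MB)")
    print("refer for forensic analysis:", needs_referral(mbr, disk_bytes))
```

The small gap before the first partition (63 sectors here, about 32 KB) is normal alignment and falls well inside the tolerance; the large trailing gap is what the guide's comparison is meant to catch.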
There are countless other ways that data can be hidden that are well out of the scope of this basic computer search. Some are mentioned here so that you are familiar with their names, and so that if you see any tools on the computer that explicitly say they do these things, you can recognize their names:
Slack Space - Every file has potentially unused space in the sectors it occupies, which could be used to store hidden data. This is unlikely for storing photos/videos, but could hold simple text, such as phone numbers or addresses. The only way you would reasonably see this is if you recognized a tool that was used for manipulating slack space.
Encryption - This is a nasty one to look out for, as even some of the simplest encryption methods are completely indecipherable unless you can figure out the password for decoding them. You would not search for encrypted files, but rather see if the computer has encryption tools on it.
Host Protected Area (HPA) - This is an area, usually created by a computer vendor, but possibly by a user, that is both inaccessible to and not viewable by the BIOS or the OS, and that can store data on the hard drive. This is somewhat like a hidden partition and needs specialized tools to read. Again, the only way to identify this issue is to recognize a tool on the computer in question that says it deals with these.
1.05 Conclusion
To reiterate, do not be overzealous with your file searches. Most criminals are not smart, and will leave very obvious things for you to find very quickly. The primary purpose of mentioning the more complex methods of data hiding is so that you, the investigator, are aware of them, and can recognize the terminology, in case you see it on the computer somewhere, or you see some literature at the perpetrator’s home related to these subjects. In ALL cases where complex data hiding techniques are suspected, forensic specialists should be contacted immediately.
This guide was drawn up in May 2006. Be aware that computer technology is constantly changing and some of this information may become out of date.