TCS - Bad News for the Bad Boys

Bad News for the Bad Boys

by Ira Wilsker
Golden Triangle PC Club
From the December, 2004 issue of the I/O Port Newsletter

I recently attended the FBI’s Infragard meeting in Houston. While there were several homeland security topics covered, I chose to attend the hands-on track in computer forensics. As many of you know, I have been writing about and teaching classes in cyber security and related topics for several years, so these seminars were a natural for me. Three others from LIT attended with me, and two of Beaumont PD’s finest were among the instructors. The content of this column is atypical for one of my columns, in that it discusses law enforcement issues that some might not want discussed, but these topics are not secret. The bad guys are generally aware of it, and the defense attorneys who defend cyber criminals should be aware of it; there are several excellent forensic tools that are being used to investigate suspected cyber criminals, and provide the necessary information to prosecute them. These same forensic tools are also being used to identify and track terrorist groups, drug dealers, pedophiles, scammers, crooks, and others using computers or the internet for nefarious purposes. I will not be disclosing any information here which is not already widely available on the internet.

Arguably, one of the most widely used forensic tools is a product called EnCase, published by Guidance Software (www.guidancesoftware.com), which is used to create verifiable copies of a hard drive or other media and to forensically analyze them. Utilized by the FBI and thousands of other law enforcement agencies, EnCase can also find and recover deleted files, altered files, hidden files, files with dummy or incorrect extensions, and other information from a hard drive that might otherwise be lost to a less stringent inspection. Among the tricks used by some cyber criminals to try to conceal information, data, or images on their drives is to change a file extension to another extension, and then copy the files to other directories on their hard drives. One example that I worked with was a set of images, which could have been illicit images of children, that were in the popular “.jpg” and “.gif” formats but had been given filenames and extensions similar to those of Windows system files and placed in Windows system directories. While the bad guys thought they were being smart by hiding their digital contraband, EnCase quickly caught and identified the images, and allowed them to be fully documented and viewed as evidence. Cyber evidence discovered with EnCase is generally accepted by the courts, and has been validated in countless criminal trials.
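The renamed-image trick works only against tools that trust the file extension. Forensic suites instead read the first bytes of every file (the "magic number") and compare the real type against the claimed extension. The script below is an added example written for this column, not code from EnCase or Guidance Software; its signature table, directory names and sample files are all constructed for the demonstration, and the hiding trick it catches is the one described above: JPEG and GIF data saved under system-file names in a Windows system directory.

```python
import tempfile
from pathlib import Path

# Constructed signature table covering the formats the column mentions plus PNG.
# An assumption for this example; a real forensic suite carries thousands of signatures.
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",          # JPEG start-of-image marker (JFIF/Exif variants)
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
}
# Extensions that legitimately carry each detected type.
ALLOWED = {".jpg": {".jpg", ".jpeg"}, ".gif": {".gif"}, ".png": {".png"}}


def detect_type(header: bytes):
    """Return the canonical extension for a recognised magic number, or None."""
    for magic, ext in SIGNATURES.items():
        if header.startswith(magic):
            return ext
    return None


def scan_tree(root):
    """Walk root and report files whose content type disagrees with their extension.

    Each finding is (relative path, claimed extension, actual type)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(16)          # longest signature in the table is 8 bytes
        actual = detect_type(header)
        if actual is None:
            continue                      # not an image we recognise; nothing to report
        claimed = path.suffix.lower()
        if claimed not in ALLOWED[actual]:
            findings.append((path.relative_to(root).as_posix(), claimed, actual))
    return findings


def build_sample_tree():
    """Build a constructed directory tree imitating the hiding trick from the column."""
    root = Path(tempfile.mkdtemp(prefix="sigscan_"))
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    photos = root / "photos"
    photos.mkdir()
    padding = b"\x00" * 64
    # Two disguised images: JPEG and GIF headers under system-file-looking names (constructed).
    (sysdir / "msdrv32.dll").write_bytes(b"\xff\xd8\xff\xe0" + padding)
    (sysdir / "sysdata.dat").write_bytes(b"GIF89a" + padding)
    # A genuine PE-style file (MZ header) and an honestly named JPEG: neither is flagged.
    (sysdir / "real.dll").write_bytes(b"MZ" + padding)
    (photos / "beach.jpeg").write_bytes(b"\xff\xd8\xff\xe1" + padding)
    return root


if __name__ == "__main__":
    for rel, claimed, actual in scan_tree(build_sample_tree()):
        print(f"{rel}: extension {claimed!r} but content is {actual}")
```

Note that the scan reports a mismatch only for types it recognises; a file with an unknown header is silently skipped, which is why real tools maintain very large signature databases and also flag files that have no recognisable signature at all.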

A competitor of EnCase, which is sometimes used synergistically along with it as additional verification or because of its complementary tools, is a product of AccessData (www.accessdata.com) named Forensic Toolkit (FTK). Using a familiar Windows-style interface, it was easy to forensically duplicate a hard drive or other media, verifying that the copies thus created were absolutely identical to the original, to a degree of certainty that will be accepted by the courts. Using the integral tools, it was fast and easy to find hidden files, altered files, images that were not intended to be found, deleted data, and other evidentiary information. When coupled with a companion program, Password Recovery Toolkit, password-protected files and directories suddenly became accessible. It was obvious that while some cyber criminals think they are being smart by password protecting their hard drives, making investigations difficult, the forensic results would prove them wrong. While protecting sensitive files and directories with passwords makes good sense, and may keep prying eyes from critical data, those same passwords were often no match for the Password Recovery Toolkit. We easily viewed such password-protected files and directories with AccessData’s excellent utilities, and were able to quickly prepare evidence reports documenting the content thus discovered.
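The "absolutely identical" claim for a forensic duplicate rests on cryptographic hashes: the imaging tool hashes the source as it reads it, and the copy is later re-hashed independently; if the digests agree, the copy is bit-for-bit the original, and any later corruption or tampering of the image shows up as a mismatch. The following is an added illustration of that procedure, not FTK's own code; it uses SHA-256 (the tools of the period typically recorded MD5, often alongside SHA-1) and a constructed file of seeded random bytes as a stand-in for a drive, since a real acquisition would read from a write-blocked device.

```python
import hashlib
import random
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def image_with_hash(source, image, chunk=CHUNK):
    """Copy source to image in chunks, hashing the bytes as they are read.

    The returned digest is the acquisition hash recorded at imaging time."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            h.update(buf)
            dst.write(buf)
    return h.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independent re-hash of a file, used for later verification."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def verify_image(source, image, acquisition_hash):
    """Re-hash both sides; the acquisition hash and both fresh digests must all agree."""
    return hash_file(source) == acquisition_hash == hash_file(image)


def make_device(path, size=300_000, seed=7):
    """Constructed stand-in for a drive: a file of seeded pseudo-random bytes."""
    rng = random.Random(seed)
    Path(path).write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))


def flip_byte(path, offset):
    """Simulate a corrupted or tampered image by changing a single bit of one byte."""
    data = bytearray(Path(path).read_bytes())
    data[offset] ^= 0x01
    Path(path).write_bytes(bytes(data))


def demo():
    """Image a constructed device, verify, then corrupt the image and verify again.

    Returns (verified_before_tamper, verified_after_tamper)."""
    work = Path(tempfile.mkdtemp(prefix="img_"))
    device, image = work / "device.bin", work / "device.dd"
    make_device(device)
    acquisition = image_with_hash(device, image)
    before = verify_image(device, image, acquisition)
    flip_byte(image, 12345)
    after = verify_image(device, image, acquisition)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The single-bit change is deliberate: a hash that still matched after it would be useless as evidence of integrity, and the point the court relies on is that no change to the copy, however small, can go unnoticed.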

While all of the above products are commercial and justifiably expensive, the U.S. Treasury has created an excellent and possibly superior forensic utility, ILook. ILook can do what the above utilities can do, and possibly more. What makes ILook especially attractive is that it is available to qualified law enforcement agencies at no charge, and Treasury will also provide training to local law enforcement personnel for the same price. Treasury has realized that it cannot discover and investigate all of the possible cases by itself, and has decided that it would be mutually advantageous to make ILook available to local law enforcement.

For thousands of years, sensitive information has been concealed in plain sight using a process called steganography. The digital age has enabled steganography to blossom, with over 300 programs available on the internet which can hide messages and other information in online images or other digital content. One example we worked with was a common digital image of the Mona Lisa which contained a document hidden in the image. To the naked eye, there was no difference between the images, and in some cases the file size was the same, despite one image containing hidden content. This method of hiding and transmitting information is used illicitly by terrorists, pedophiles, and others. An interesting product that can forensically detect and crack almost all known forms of steganography is WetStone’s Stego Suite (www.wetstonetech.com). Using this utility we were able to locate images and other digital files containing hidden messages, crack the passwords protecting them, and view the content. Once again, the bad guys have more than met their match, and can be easily discovered, investigated, and prosecuted.
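The simplest of the image steganography schemes explains both observations above, the unchanged file size and the invisible difference: the message bits replace the least-significant bit of successive pixel values, so the file keeps exactly as many bytes as before and no pixel moves by more than one level out of 256. The code below is an added example for this column, not a tool from WetStone or any of the 300 programs mentioned; it works on a constructed 8-bit grayscale raster rather than a real Mona Lisa file, and it shows only the hiding and extraction side. Detectors work by statistical analysis of exactly this low-order bit plane, which is not shown here.

```python
import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least-significant bit of successive cover samples.

    A 4-byte big-endian length prefix tells the extractor where the message ends."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):              # most significant bit first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(stego)


def _read_lsb_bytes(samples: bytes, start: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs of samples beginning at sample index start."""
    if start + nbytes * 8 > len(samples):
        raise ValueError("not enough samples to read payload")
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (samples[start + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then exactly that many message bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    return _read_lsb_bytes(stego, 32, length)


def max_sample_difference(a: bytes, b: bytes) -> int:
    """Largest change to any single pixel value between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


def changed_samples(a: bytes, b: bytes) -> int:
    """How many pixels actually changed (on average half the bits already match)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def make_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed 8-bit grayscale raster: a gradient with a little seeded noise."""
    rng = random.Random(seed)
    return bytes(max(0, min(255, i * 255 // n + rng.randint(-8, 8))) for i in range(n))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place, 0300"
    stego = embed_lsb(cover, secret)
    print("same size:", len(stego) == len(cover))
    print("max pixel change:", max_sample_difference(cover, stego))
    print("pixels touched:", changed_samples(cover, stego), "of", len(cover))
    print("recovered:", extract_lsb(stego))
```

Because at most one level per pixel changes, a viewer cannot see the payload; and because only the low-order bit plane is disturbed, the weakness is statistical rather than visual, which is why forensic detection concentrates on the distribution of those bits and not on the picture.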

The bad guys think that they can hide their illicit data, but I can tell you that it is most likely that with these and other similar utilities, the bad guys will be caught and prosecuted.

Tulsa Computer Society 12/01/2004
Don Singleton, President