Mills College

Graduate Student in Interdisciplinary Computer Science (M.A.)

Sponsor: Ellen Spertus, PhD

Abstract: There is a trend in both civil and criminal courts to allow data found in computers to be used as evidence. This paper explores common techniques of finding evidence on computers primarily focusing on personal computers in a Windows environment. In doing so, this paper explores the technical methods in which an individual can protect his/her data and the legal rights an individual in the United States has to prevent the seizure of his/her computer. The legal rights and procedures explored will focus on US criminal laws.

Computer Forensics and Your Rights

In late 2001, Wall Street Journal journalist Alan Cullison's laptop computer was severely damaged when the Northern Alliance truck he was riding was upended on a road on the way to Kabul. In Kabul, Cullison entered a shop in search of replacement computer parts. The salesman directed him to someone who had a laptop, and it soon became evident that the computer came from an abandoned home of someone involved with Al Qaeda. For $1100, Cullison acquired the laptop and a hard drive, and through assistance from Arabic speakers and computer experts, was able to break password requirements and encryption to 1,750 files, detailing internal politics to the mission of an Al-Qaeda agent whose reported movements mirror those of Richard Reid, the alleged "shoe-bomber" from American Airlines flight 63.(1) The Journal handed over copies of the drives to the federal government and published details of their findings in a December 31, 2001 article.(2)

In this case, both the government and a private entity used computer forensics, "the collection of techniques and tools used to find evidence in a computer."(3) Computer forensics can involve several different types of investigations, such the recovery of data deleted from hard drives, cracking encrypted data, recovering damaged data, and finding file and web access history.

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists. Criminal prosecutors use computer evidence in cases such as homicides and financial fraud. Civil litigations can make use of records found on computer systems as evidence in divorce, discrimination, and harassment cases. Insurance companies may be able to mitigate costs by using computer evidence in cases of possible fraud. Corporations sometimes hire computer forensics specialists to ascertain evidence relating to sexual harassment, theft or misappropriation of trade secrets. Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.(4)

This paper explores common techniques of finding evidence on computers primarily focusing on personal computers in a Windows environment (as opposed to network forensics which deals with network security). In doing so, this paper explores the technical methods in which an individual can protect his/her data and the legal rights an individual in the United States has to prevent the seizure of his/her computer. The legal rights and procedures explored will focus on US criminal laws (as opposed to civil laws).

File "deletion" is a misnomer in computer use. Files actually remain on the hard drive after they are deleted; the file directory simply removes the reference to the file location, and thus the file "disappears." The file remains in the hard drive for an indefinite amount of time, until its space is needed and overwritten by another file.

Based on similar concepts, deleted or altered text from files can also be recovered by searching the hard drive. When a file is saved, the previous version is not permanently over-written but rather a new version, or copy, of the file is created. The old version remains in the hard drive, again, for an indefinite amount of time.(5)

These versions and deleted files become part of the "free space" of a hard drive, the available space between recognized files. A computer forensics specialist can easily use hard drive scanning software, such as Norton Utilities or Encase, and search for these altered and deleted files.

The swap file is an area not commonly recognized or known by the everyday user and is subsequently a major source of forensic evidence for a computer investigator. The swap file is a space in the hard disk that both Windows and Unix use as a temporary holding place for anything not needed in main memory at a particular instant. The swap file can therefore store sensitive information which was not intended to be stored on disk, such as passwords and copies of files.

Windows also creates numerous temporary files unbeknownst to the user, just in case the operating system crashes. These temporary files are stored in the hard disk at unadvertised locations, and unless specifically removed, can remain in the hard disk for an indefinite amount of time.

Network back-ups and e-mails are major sources of evidence by computer forensics specialists. Even if one successfully destroys all traces of a file on a personal computer, if the file was ever on a network, there is a good chance that a copy of the file is on a back-up tape. Copies of e-mail messages can also be on tape-backups, as well multiple servers worldwide, depending on where it was sent. Deleted e-mail also can stay on servers longer than one would think, from a day up to a week.(6)

Lastly, another source of forensics evidence is the registry. In a Windows environment, the registry is a collective name for two files USER.DAT and SYSTEM.DAT which store convenient properties such as the icons on the desktop and the resolution of the monitor. However, Windows and other applications also make use of the registry to store information such as one's name (such as when entered during software installation), recently browsed web pages, software installation and un-installation history, serial numbers, passwords, and traces of messages downloaded from newsgroups.(7) The registry contains a wide array of information which a privacy-conscious individual may want to control.

There are many reasons why an individual would want to protect his/her data and it's not always people engaged in illegal activities who would want to do this. Data protection may be needed to protect oneself from illegal computer forensics -- such as to prevent the theft of intellectual property, theft of propriety business documents, to protect freedom fighters in oppressive governments, and to protect individuals from planted or contaminated computer evidence.

First, this paper will address some common methods that are sometimes utilized to protect data, but in actuality, with proper forensic technique and software, they do little to protect data.

There are various software programs on the market that can break file password requirements, such as ones by Access Data Systems or Crak Software.(8) An intruder can also search the registry for passwords (however since the registry contains a lot of information which must be sifted through, this technique is usually used if the intruder has an idea of what the password is).(9)

Disk formatting is sometimes misunderstood as a way to erase data, but it does little but set the pointers in the file allocation table to zero. The data remains on the disk, as when data is deleted.

The best way to erase data is to use software that will "zero-out" the hard drive. The software will place zeros and ones in the free space of the hard drive, therefore overwriting deleted files.

The user should be aware that zeroing out the hard drive is good way to destroy data, however is it not 100% effective. Very similarly to how faint remains of previous drawings are left behind on an Etch-A-Sketch, the process of zeroing out magnetic media, such as hard drives, leaves faint remnants of original files.(10) It is possible that sophisticated labs, such as government labs, can use methods such as magnetic force microscopy (MFM) and scanning tunneling microscopy (SLM) to re-construct the data.

Encryption can be a very powerful tool to protect data; however, as is it possible to reconstruct zeroed out data, using sophisticated techniques and powerful equipment, it is possible to crack encryption. For instance, the Al-Qaeda computer obtained by the Wall Street Journal journalist had a 68 bit encryption which was crackable, but it required the power of a Cray computer, which the US government has.(11) However, due to the degree of sophistication required to crack encryption, encryption may be a very useful tool for everyday users and businesses.

In addition to zeroing out the hard drive, a user should also make sure the swap file and temporary files are specifically zeroed out and that the registry is cleared of all sensitive data.(12)

As can be seen, there is no sure-fire way of protecting one's data or erasing it, at least while keeping the computer intact. Some computer forensics specialists recommend that privacy minded individuals drill a hole through the hard disk if they want to ensure that their data is destroyed.(13)

In the winter of 1999, during contract negotiations, a Northwest Airlines flight attendant hosted a message board on his personal website; among the messages were anonymous messages by Northwest employees urging co-workers to participate in sick-outs, which is illegal by U.S. federal labor laws. That season over 300 flights were cancelled. Northwest Airlines subsequently obtained permission from a federal judge to search union office computers and employee personal computers, in order to obtain the identities of the anonymous posters.(14)

How did Northwest Airlines obtain permission from a federal judge to search both union office computers and personal computers? Quite easily. U.S. criminal and civil laws make it easy for a plaintiff get permission to search property, with or without a warrant, and this property can include the insides of computers.

The Fourth Amendment limits the ability of government agents to search for evidence without a warrant.  It states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants ?shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

"Probable cause" can be defined as "where known facts and circumstances, of a reasonably trustworthy nature, are sufficient to justify a man of reasonable caution or prudence in the belief that a crime has been or is being committed." (Draper v. U.S. 1959.(15)

Accordingly, as long as a plaintiff can convince a judge of probable cause, a warrant to search a computer can be granted. Today, more federal judges are approving searches of computers for evidence in civil and criminal cases.(16)

Furthermore, the U.S. criminal law system allows the search and seizure of computers without a warrant. According to the Supreme Court, a warrantless search does not violate the Fourth Amendment if one of two conditions is satisfied. First, if the government's conduct does not violate a person's reasonable expectation of privacy. Second, a warrantless search that violates a person's reasonable expectation of privacy will be constitutional if it falls within an established exception to the warrant requirement.(17)

The Department of Justice has provided several scenarios that do not violate a person's reasonable expectation of privacy, and thus allow computers to be searched without a warrant. If the computer to be searched is a stolen one, it is assumed that there is no expectation of privacy, since the computer does not belong to the person. If the person has made the computer openly available, such as making the boot-up password visible, there is no reasonable expectation of privacy since he/she did not guard access ability. If the information to be examined has been transmitted via the internet or received by someone via e-mail, there is no reasonable expectation of privacy since the individual relinquished that expectation when he/she transmitted it. Lastly, if a computer has been handed over to a third party, such as a repair shop, it is assumed that the person relinquished his/her reasonable expectation of privacy by granting computer access to a third party.

Therefore, in order for a computer owner to preserve his/her reasonable expectation of privacy, and thus eliminate possibilities of a warrantless search, he/she should limit third party access to the computer in all ways possible.

There are several exceptions to the warrant requirement that make a warrantless search which is a violation of a person's reasonable expectation of privacy constitutional.

Agents may search a place or object without a warrant, or even probable cause, if a person with authority has voluntarily consented to the search. This also applies if there are several people who share a computer, and any one person who has authority over the computer consents to a search. Spousal consent searches are often valid as well, as long as the consenting spouse has access to the computer. Consent from parents in regard to a minor's computer is also valid.

There is no doubt that U.S. laws are complicated and have many nuances. A sampling of scenarios have been provided to illustrate that the judicial system provides many interpretations of the law to allow warrantless searches. The manual Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations by Department of Justice provides many other scenarios and interpretations (see http://www.usdoj.gov/criminal/cybercrime/searchmanual.htm#Ic2 ).(18)

Conclusion

It can be difficult for computer users to keep their data protected and private. Computer technology makes it almost impossible to destroy data without destroying the hard drive, and in a system where anyone can sue anyone, U.S. laws provide ample avenues for parties to seize and search computers, with or without a warrant.

With these odds against them, computer users should be cognizant of what they are putting in their computers, but are not. According to Joan Feldman, president of Computer Forensics, Inc., in Seattle, "Most people don't think of the computer as a continually running tape recorder but it is. It's the closest thing we have in our culture to something that's recording our every thought and every word. And we're not taught to think of them that way." (20)Computer users can be very casual about what they put on their computers and do not think about the possibility, and consequences, of their computers being searched.

What can a privacy-conscious computer user do? Know your rights (and how you can lose your rights), guard access to your computer, practice good computer hygiene (zero-out your hard drive regularly), and be cognizant of what you are putting on your computer. Don't keep anything on a computer which you're afraid could one day be used against you.

References

(1)Barringer, Felicity. "Why Reporters Discoveries were Shared With Officials." New York Times 21 January 2002, late ed.:C2.

(3)(7)(12)(14)Caloyannides, Michael. Computer Forensics and Privacy. Boston, MA: Artech House, 2001.

(2)Cullison, Alan and Andrew Higgins. "Files Found: A Computer in Kabul Yields a Chilling Array of al Qaeda Memos." The Wall Street Journal. 31 December 2001: A1.

(6)(11)(13)Feldman, Joan. Interview. Computer Forensics. With Ira Flatow. National Public Radio. Washington, DC. 25 January 2002. http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=01%2F25%2F2002&PrgID=5 (19 April 2002).

(20)Festa, Paul and Lisa M. Bowman. "Can PC Sleuths undo Enron Shredding?" ZDNet News. 2 February 2002. http://zdnet.com.com/2100-11-829071.html (14 April 2002).

(10)(19)Kruse, Warren and Jay Heiser. Computer Forensics: Incident Response Essentials. New York: Addisen Wesley, 2002.

(16)McCarthy, Michael. "Privacy: Can your PC be Subpoened?" The Wall Street Journal Online. 23 May 2000. http://zdnet.com.com/2100-11-502433.html?legacy=zdnn(19 April 2002).