To access a suspect’s computer, traditional procedure involves removing the hard drive, creating a forensic image (a duplicate copy) and then analyzing that copy using sophisticated industry-specific software.
Although effective, this process takes many hours and allows investigators to view and present information only in a raw state – one that non-computer experts such as attorneys and juries can find difficult to understand.
As a result, computer forensic investigators are increasingly adopting a complimentary tool that allows them to turn on and operate the suspect’s computer without altering its contents in any way.
By doing so, investigators are able to review and navigate the computer as if the suspect turned it on and then stepped aside. This includes utilizing whatever operating system is installed, launching programs, opening files, viewing recent e-mails or images, web history, etc. Literally anything the computer’s owner can see or do, can be accessed without risk of altering the evidence.
This ability to view the computer in its natural state is speeding investigations and increasing the likelihood that the case will be resolved prior to trial.
Because the tool – the Shadow 3 from Voom Technologies – can be installed within minutes rather than the half day or more to copy a hard drive and run forensic software, critical evidence can be accessed more quickly for time-sensitive cases such as abductions, child abuse and homicides.
In addition, any evidence discovered can be copied to an external storage device such as a thumb drive, printed, or captured as a screenshot or screen video. Because this evidence is presented in a more relatable way, it is often more easily understood by attorneys, investigators, judges and juries.
Accessing, without Altering
When a computer is turned on, thousands of changes are made in the background automatically. The operating system runs updates, anti-virus scans are conducted, bit logs are changed, Internet files purged – all of which can potentially overwrite or alter evidence.
To protect against this, digital forensic experts vigorously avoid turning on the computer. Instead, they remove the hard drive and make several copies before returning the original to the computer and storing it as evidence.
Next, they utilize existing forensic software tools on the market, such as EnCase, Forensic Imager, PTK Forensics, NetAnalysis Forensic Toolkit, and FTK, to index and categorize the contents of the drive copies.
Depending on the size of the hard drive, the process of copying and indexing can take 10-12 hours. Once completed, the information is available only in a raw data format with file, folder, metadata and time stamp information, and the like.
The information, though extremely detailed, “can be like a second language,” says one 14 year computer forensic examiner that has worked as a law enforcement officer, corporate investigator, government investigator, and industry consultant.
The Shadow 3, on the other hand, is a small portable hardware device that is inserted between the hard drive and the motherboard. Originally introduced in 2004, the Shadow product is currently deployed worldwide, in over 100 local, state, and federal law enforcement and justice agencies.
Once the Shadow 3 is properly connected, the computer can be safely turned on. All “write” commands (changes intended for the hard drive) are stored within the Shadow 3 device, never making it to the hard drive. “Read-only” commands that access, but do not change information, are still allowed.
During the course of the investigation, any saved “write” commands stored in the Shadow 3 device are still available to the processor as if they reside on the hard drive.
With this approach, no changes from boot up through operation ever reach the hard drive. Because it is repeatable, evidence produced using the Shadow has already been proven in court to be valid and admissible.
“Prior to using the Shadow 3, I didn’t have a reliable method of looking at a suspect’s computer the same way the suspect would be using it,” says Craig Cilley, a computer forensics expert for the Washington County (Minnesota) Sheriff’s Office since 2006.
Cilley is responsible for cyber crime and ICAC (Internet Crimes Against Children) cases. The agency also assists the probation department, the county attorney’s office, Internal Affairs and social services with computer related issues on occasion.
He initially heard about the digital forensics tool two years ago, which was in use at several other agencies in Minnesota. After a trial of the product, he recommended purchasing it to his superior officer.
“I showed him the capabilities of the Shadow 3 and how we could use it and the time savings it would bring to me,” says Cilley. “In my business, time is money.”
Speeding investigations
For Cilley, the Shadow 3 represents a “scalpel forensics” mode that saves time because he can access data without having to review every bit of information on the computer.
The information in the form of screenshots, printed e-mails, etc. can be retrieved quickly enough to be shown to suspects during questioning, to secure arrest warrants, or to rule out a suspect.
In a recent check forgery case, for example, Cilley was able to launch a check writing application on the suspect’s computer to review all the checks that were printed, as well as all the fictitious bank accounts, routing numbers, and business names and when the checks were printed.
“It made that investigation easy and less time consuming,” says Cilley. “With the Shadow 3, you can quickly go in and get the data you need to prove your case.”
Although the Shadow 3 shows everything the user can see, forensic software can show things behind the scenes that the user cannot see. For this reasons, he still conducts “full forensics” as needed.
“I’m trying to get to a model where I don’t have to do full forensics unless it’s necessary,” says Cilley
The tool also saves time overcoming pesky encryption, user log-in and security dongle obstacles.
If files are encrypted by Windows or third party software, often decryption occurs automatically upon successful login. If a security dongle exists, it need only be left in the USB port as normal.
If the user’s login information is not available, investigators must spend valuable time trying to figure out or socially engineer it. However, there are free tools available that can be installed during the boot up process (while connected to the Shadow 3 to keep the suspect’s drive pristine) that are designed to eliminate the password.
VMware
The closest alternative on the market is VMware, a virtualization software tool that mimics, as best it can, the various hardware and operating systems in use today to load and operate an image of a hard drive.
If the hardware and operating system are identically, that is to say perfectly, mimicked, the virtualized environment will operate in an identical fashion as the original computer system.
However, if it does not, frequent crashes and blue screens occur.
Given the vast and ever-increasing variety of operating systems and applications on the market along with the automatic updates, operating system versions, and device drivers virtualization software may not support the requirements of a particular individual’s computer.
Superior Evidentiary Presentation
Perhaps the most important value in the system is the creation of more powerful and easier to comprehend presentations for attorneys, investigators, judges and juries.
The most powerful evidence, to be sure, is the easiest for the layperson to understand. Those that are not computer experts, but use computers on a regular basis, are most comfortable viewing the information in its native environment – an Excel spreadsheet open in MS Excel, for example.
With the raw data produced by forensic software, computer experts are often tasked with explaining to juries how the data was collected, why it is accurate, and what it means.
With the Shadow 3, a live presentation using the suspect’s computer can be conducted in court or screen shots/video can be shown on a projector exactly as it appears on the suspect’s computer.
As a standard operating procedure, Cilley installs a screen video capture utility to make a “movie” as he goes through the contents of a suspect’s machine. The movie is then turned over to the prosecutor as part of his report.
“If I can show the prosecutor the movie and then they, in turn, show the defense attorney, it makes the case go through the judicial system much faster because everyone can see what the suspect was doing and they are more likely to either plead the case and not go trial,” says Cilley. “It’s a great visual aid.”
