Tony Sammes and Brian Jenkinson
Forensic Computing
Second edition
Tony Sammes, BSc, MPhil, PhD, FBCS, CEng, CITP
The Centre for Forensic Computing
DCMT
Cranfield University
Shrivenham, Swindon, UK

Brian Jenkinson, BA, HSc(hon), MSc, FBCS, CITP
Forensic Computing Consultant

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Control Number: 2006927421

ISBN-13: 978-1-84628-397-0   e-ISBN-13: 978-1-84628-732-9
ISBN-10: 1-84628-397-3   e-ISBN-10: 1-84628-732-4
ISBN 1-85233-299-9 (1st edition)

Printed on acid-free paper

© Springer-Verlag London Limited 2007
First published 2000
Second edition 2007

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers.

The use of registered names, trademarks etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant laws and regulations and therefore free for general use.

The publisher makes no representation, express or implied, with regard to the accuracy of the information contained in this book and cannot accept any legal responsibility or liability for any errors or omissions that may be made.
SpringerScience+BusinessMedia
springer.com
Dedication

To Joan and Val

Acknowledgements

The authors would like to thank all the members and former members of the FCG Training Committee for the very valuable contributions that they made to the first edition of this book. In particular, our grateful thanks go to Steve Buddell, Tony Dearsley, Geoff Fellows, Paul Griffiths, Mike Hainey, Dave Honeyball, Peter Lintern, John McConnell, Keith McDonald, Geoff Morrison, Laurie Norton, Kathryn Owen and Stewart Weston-Lewis. For this second edition we would, in addition, like to thank Lindy Sheppard, Dr Tristan Jenkinson and John Hunter for their kind support. Our thanks also go to the students of the 30 or so Forensic Computing Foundation Courses that have now been run for all their helpful comments and suggestions. We would like to add a sincere word of thanks to our publisher and editors, to Catherine Brett, Wayne Wheeler, Helen Callaghan and Beverley Ford, all of Springer, who, after much chivvying, eventually managed to get us to put pen to paper for this second edition, and a most important thank you also to Ian Kingston of Ian Kingston Publishing Services, who has made the result look so good. Finally our contrite thanks go to our families, to whom we did sort of promise that the first edition would be the last.
Contents

1 Forensic Computing . . . 1
   Origin of the Book . . . 2
   Structure of the Book . . . 3
   References . . . 6
2 Understanding Information . . . 7
   Binary Systems and Memory . . . 8
   Addressing . . . 9
   Number Systems . . . 11
   Characters . . . 25
   Computer Programs . . . 27
   Records and Files . . . 27
   File Types and Signatures . . . 29
   Use of Hexadecimal Listings . . . 29
   Word Processing Formats . . . 30
   Magic Numbers . . . 35
   Graphic Formats . . . 36
   Archive Formats . . . 43
   Other Applications . . . 44
   Quick View Plus . . . 46
   Exercises . . . 46
   References . . . 48
3 IT Systems Concepts . . . 49
   Two Black Boxes . . . 50
   The Worked Example . . . 53
   Program, Data, Rules and Objects . . . 62
   Patterns Can Mean Whatever We Choose Them to Mean . . . 63
   Software Development . . . 64
   Breaking Sequence . . . 67
   An Information Processing System . . . 70
   References . . . 72
   Exercises . . . 72
4 PC Hardware and Inside the Box . . . 75
   The Black Box Model . . . 75
   The Buses and the Motherboard . . . 77
   Intel Processors and the Design of the PC . . . 86
   A Few Words about Memory . . . 93
   Backing Store Devices . . . 96
   Floppy Disk Drive Units . . . 98
   External Peripherals . . . 98
   Expansion Cards . . . 99
   References . . . 101
5 Disk Geometry . . . 103
   A Little Bit of History . . . 103
   Five Main Issues . . . 104
   Physical Construction of the Unit . . . 104
   Formation of Addressable Elements . . . 106
   Encoding Methods and Formats for Floppy Disks . . . 107
   Construction of Hard Disk Systems . . . 112
   Encoding Methods and Formats for Hard Disks . . . 114
   The Formatting Process . . . 127
   Hard Disk Interfaces . . . 130
   IDE/ATA Problems and Workarounds . . . 141
   Fast Drives and Big Drives . . . 157
   Serial ATA (SATA) . . . 159
   The POST/Boot Sequence . . . 160
   A Word About Other Systems . . . 172
   The Master Boot Record and Partitions . . . 173
   FATs, Directories and File Systems . . . 189
   RAID . . . 207
   Exercises . . . 209
   References . . . 210
6 The New Technology File System . . . 215
   A Brief History . . . 215
   NTFS Features . . . 216
   NTFS – How it Works . . . 217
   The MFT in Detail . . . 219
   Analysis of a Sample MFT File Record with Resident Data . . . 224
   Analysis of a Sample MFT File Record with Non-Resident Data . . . 240
   Dealing with Directories . . . 247
   Analysis of a Sample MFT Directory Record with Resident Data . . . 248
   External Directory Listings – Creation of "INDX" Files . . . 261
   Analysis of an "INDX" File . . . 268
   Some Conclusions of Forensic Significance . . . 270
7 The Treatment of PCs . . . 277
   The ACPO Good Practice Guide . . . 278
   Search and Seizure . . . 279
   Computer Examination – Initial Steps . . . 288
   Imaging and Copying . . . 291
   References . . . 299
8 The Treatment of Electronic Organizers . . . 301
   Electronic Organizers . . . 301
   Application of the ACPO Good Practice Guide Principles . . . 311
   Examination of Organizers and What may be Possible . . . 313
   JTAG Boundary Scan . . . 324
   A Few Final Words about Electronic Organizers . . . 324
   References . . . 325
9 Looking Ahead (Just a Little Bit More) . . . 327
   Bigger and Bigger Disks . . . 328
   Live System Analysis . . . 332
   Networked Systems Add to the Problems . . . 333
   Encryption . . . 333
   A Final Word . . . 339
   References . . . 339
Bibliography . . . 341

Appendices
   1 Common Character Codes . . . 351
   2 Some Common File Format Signatures . . . 355
   3 A Typical Set of POST Codes . . . 359
   4 Typical BIOS Beep Codes and Error Messages . . . 363
   5 Disk Partition Table Types . . . 367
   6 Extended Partitions . . . 373
   7 Registers and Order Code for the Intel 8086 . . . 379
   8 NTFS Boot Sector and BIOS Parameter Block . . . 387
   9 MFT Header and Attribute Maps . . . 389
   10 The Relationship Between CHS and LBA Addressing . . . 411
   11 Alternate Data Streams – a Brief Explanation . . . 415
Answers to Exercises . . . 425
Glossary . . . 435
Index . . . 455
1. Forensic Computing

Introduction

Throughout this book you will find that we have consistently referred to the term "Forensic Computing" for what is often elsewhere called "Computer Forensics". In the UK, however, when we first started up, the name "Computer Forensics" had been registered to a commercial company that was operating in this field and we felt that it was not appropriate for us to use a name that carried with it commercial connotations. Hence our use of the term "Forensic Computing". Having said that, however, we will need on occasion to refer to "Computer Forensics", particularly when quoting from overseas journals and papers which use the term, and our use in such circumstances should then be taken to be synonymous with that of "Forensic Computing" and not as a reference to the commercial company.

In point of fact, we will start with a definition of Computer Forensics that has been given by Special Agent Mark Pollitt of the Federal Bureau of Investigation as: "Computer forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law" (Pollitt, undated). In his paper he contrasts the problems of presenting a digital document in evidence with those of a paper document, and states: "Rarely is determining that the [paper] document physically exists or where it came from, a problem. With digital evidence, this is often a problem. What does this binary string represent? Where did it come from? While these questions, to the computer literate, may seem obvious at first glance, they are neither obvious nor understandable to the layman. These problems then require a substantial foundation being laid prior to their admission into evidence at trial." These are questions for which we try to provide the requisite technical knowledge in Chapters 2, 3, 4, 5 and 6.

In a second paper (Pollitt, 1995), Special Agent Mark Pollitt suggests that in the field of computer forensics: "Virtually all professional examiners will agree on some overriding principles" and then gives as examples the following three: "... that evidence should not be altered, examination results should be accurate, and that examination results are verifiable and repeatable". He then goes on to say: "These principles are universal and are not subject to change with every new operating system, hardware or software. While it may be necessary to occasionally modify a principle, it should be a rare event." In Chapters 7 and 8 we will see that these overriding principles are in complete accord with the practices that we recommend and with those that have been put forward in the Good Practice Guide for Computer based Electronic Evidence (ACPO, 2003) of the UK Association of Chief Police Officers (ACPO).
In short, it is the essence of this book to try to provide a sufficient depth of technical understanding to enable forensic computing analysts to search for, find and confidently present any form of digital document¹ as admissible evidence in a court of law.
Origin of the Book

The idea for the book sprang originally from a course that had been developed to support the forensic computing law enforcement community. The then UK Joint Agency Forensic Computer Group² had tasked its Training Sub-Committee with designing and establishing education and training courses for what was seen to be a rapidly developing and urgently needed discipline. The first requirement was for a foundation course that would establish high standards for the forensic computing discipline and would provide a basis for approved certification. The Training Sub-Committee, in collaboration with academic staff from Cranfield University, designed the foundation course such that it would give successful candidates exemption from an existing module in Forensic Computing that was available within the Cranfield University Forensic Engineering and Science MSc course programme. The Forensic Computing Foundation course (FCFC) was thus established from the outset at postgraduate level and it continues to be formally examined and accredited at this level by the university.

The FCFC, of two weeks duration, is jointly managed and delivered by staff from both the forensic computing law enforcement community and the university. It covers the fundamentals of evidence recovery from mainly PC-based computers and the successful presentation of that evidence before a court of law. The course does not seek to produce computer experts. Rather, it sets out to develop forensic computing analysts who have a proven capability for recovering evidential data from computers whilst preserving the integrity of the original and who are fully competent in presenting that evidence in an understandable form before a court of law.
At the time of writing, some 30 cohorts have successfully completed the FCFC since its inception in March 1998, and the taught material of the course has been continually revised and updated in the light of much useful feedback and experience. A full MSc in Forensic Computing is now offered by the university, of which the FCFC is a core module, and the first cohort of students on this program graduated with their MScs in 2005. It is the material from the FCFC that forms much of the substance of this book.

¹ Document here refers to a document in the widest sense. It includes all forms of digital representations: photographic images, pictures, sound and video clips, spreadsheets, computer programs and text, as well as fragments of all of these.

² The Joint Agency Forensic Computer Group was made up of representatives from ACPO, the Inland Revenue, HM Customs and Excise, the Forensic Science Service and the Serious Fraud Office. It has now been renamed the Digital Evidence Group and still retains a similar composition.
The structure of the book differs a little from the way in which the material is presented on the course itself, in order to make the sequencing more pertinent to the reader. Nevertheless, it is intended that the book will also serve well as a basic textbook for the FCFC.
Structure of the Book

Picking up on one of the key questions raised by Special Agent Mark Pollitt in the earlier quotes – "... What does this binary string represent?" – we start our investigation in Chapter 2 by considering what information is and just what binary strings might represent. We look at number systems in some detail, starting with decimal and then moving to binary, ranging through little endian and big endian formats, fixed point integers and fractions, floating point numbers, BCD and hexadecimal representations. We then look at characters, records and files, file types and file signatures (or magic numbers) and hexadecimal listings. A number of file formats are then considered, with particular reference to some of the better known word processing, graphic and archive file formats. To complement this chapter, the ASCII, Windows ANSI and IBM Extended ASCII character sets are listed at Appendix 1, where mention is also made of UCS, UTF and Unicode, and the magic number signatures of many of the standard file formats are listed at Appendix 2. In addition, the order code for the Intel 8086 processor is listed in hexadecimal order at Appendix 7. These appendices provide a useful reference source for the analysis of binary sequences that are in hexadecimal format.
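The three Chapter 2 tools named above (a hexadecimal listing, a magic-number check, and reading a field as little- or big-endian) can be put together in a few lines to give a first answer to Pollitt's "what does this binary string represent?". The following Python script is an added example written for this page; it is not from the book or the FCFC material. The signatures it knows are the well-known ones for PNG, JPEG, GIF, ZIP, PDF, OLE2 and DOS/Windows executables, and the three sample byte strings are constructed here rather than taken from any case.

```python
# Added example (not from the book): classify a constructed byte string by
# its magic number, list it in hexadecimal, and read a field under both
# byte orders to show that the byte order must come from the file format,
# not from the bytes themselves. All sample data below is constructed.

# Signatures found at offset 0 of the file. A real examiner cross-checks
# the guess against the rest of the structure; a signature alone is a hint.
MAGIC_NUMBERS = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image (87a)",
    b"GIF89a": "GIF image (89a)",
    b"PK\x03\x04": "ZIP archive (also used by OOXML, JAR, ODF)",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy MS Office)",
    b"MZ": "DOS/Windows executable",
}


def hexdump(data: bytes, width: int = 16) -> str:
    """Conventional listing: offset, hex bytes, printable ASCII ('.' otherwise)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        asc_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {asc_part}")
    return "\n".join(lines)


def identify(data: bytes) -> str:
    """Name the type whose signature `data` starts with, or 'unknown'.
    Longer signatures are tried first so a short prefix cannot shadow one."""
    for sig in sorted(MAGIC_NUMBERS, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC_NUMBERS[sig]
    return "unknown"


def read_uint(data: bytes, offset: int, size: int, byteorder: str) -> int:
    """Interpret `size` bytes at `offset` as an unsigned integer.
    byteorder is 'little' (the Intel/PC convention) or 'big' (network order)."""
    field = data[offset:offset + size]
    if len(field) != size:
        raise ValueError(f"need {size} bytes at offset {offset}, have {len(field)}")
    return int.from_bytes(field, byteorder)


# Constructed sample 1: the start of a PNG file. PNG stores its integers
# big-endian, so the IHDR width and height only make sense read that way.
PNG_SAMPLE = (
    b"\x89PNG\r\n\x1a\n"      # signature (8 bytes)
    b"\x00\x00\x00\x0dIHDR"   # chunk length 13 (big-endian), chunk type
    b"\x00\x00\x01\x90"       # width  = 0x190 = 400, big-endian, at offset 16
    b"\x00\x00\x00\xf0"       # height = 0xf0  = 240, big-endian, at offset 20
    b"\x08\x02\x00\x00\x00"   # bit depth, colour type, compression, filter, interlace
)

# Constructed sample 2: a ZIP local file header. ZIP stores its integers
# little-endian; the compression method is the 16-bit field at offset 8.
ZIP_SAMPLE = (
    b"PK\x03\x04"             # local file header signature
    b"\x14\x00"               # version needed = 20, little-endian
    b"\x00\x00"               # general purpose flags
    b"\x08\x00"               # compression method = 8 (deflate), little-endian
    b"\x00\x00\x00\x00"       # modification time and date
)

# Constructed sample 3: bytes that match no known signature.
UNKNOWN_SAMPLE = b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("png", PNG_SAMPLE), ("zip", ZIP_SAMPLE), ("zeros", UNKNOWN_SAMPLE)):
        print(f"--- {name}: {identify(blob)}")
        print(hexdump(blob))
    print("PNG width, big-endian   :", read_uint(PNG_SAMPLE, 16, 4, "big"))
    print("PNG width, little-endian:", read_uint(PNG_SAMPLE, 16, 4, "little"))
    print("ZIP compression method  :", read_uint(ZIP_SAMPLE, 8, 2, "little"))
```

The point of reading the PNG width both ways is that the same four bytes, 00 00 01 90, are 400 under the big-endian rule the PNG format specifies and a little over 2.4 billion under the little-endian rule a PC would apply to its own integers; nothing in the bytes says which is right, only the format does. The same caveat applies to the signature table: a renamed extension is irrelevant to it, but a forged or absent signature is not, so the examiner confirms the type against the structure that should follow (here, that a PNG signature is followed by an IHDR chunk).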
In Chapter 3, we look at fundamental computer principles: at how the Von Neumann machine works and at the stored program concept. The basic structure of memory, processor and the interconnecting buses is discussed and a worked example for a simplified processor is stepped through. The ideas of code sequences, of programming and of breaking sequence are exemplified, following which a black box model of the PC is put forward.
Although the material in Chapters 2 and 3 has altered little, apart from some minor updating, from that of the first edition, that of Chapter 4 has had to be significantly updated to take account of the changes in technology that have occurred since 2000. Chapter 4 continues on from Chapter 3 and aims to achieve two goals: to put a physical hardware realization onto the abstract ideas of Chapter 3 and to give a better understanding of just what is "inside the box" and how it all should be connected up. We need to do this looking inside and being able to identify all the pieces so that we can be sure that a target system is safe to operate, that it is not being used as a storage box for other items of evidential value, and that all its components are connected up and working correctly. We again start with the black box model and relate this to a modern motherboard and to the various system buses. Next we look at the early Intel processors and at the design of the PC. This leads on to the development of the Intel processors up to and including that of the Pentium 4 and then a brief look at some other compatible processors. Discussion is then centred on memory chips, and this is