By John McCrone (London; John McCrone is a freelance writer based in
London)
WHEN British police raided the home of 26-year-old Christopher Pile, all they found in
his bedroom was a bare desk and a phone line. "There wasn't even a speck of dust on
the table," recalls Jim Bates, the computer forensic expert who accompanied police on
the investigation. In detective slang, the air was thick with the "smell of
Pledge" - the furniture polish someone would use to remove fingerprints and cover
their tracks.
Police believed Pile was the Black Baron, the brains behind a slippery new breed of
computer virus that can change the way it looks, or "re-encrypt" itself, each
time it replicates, thereby evading detection. Worse still, the Baron's viruses have been
devilishly engineered to take up to thirty generations to become dangerous - an incubation
period which gives them time to spread.
But how to prove Pile was the creator? With no computer in evidence at his house, the
next step was to raid the home of one of his friends. There, hidden in a box on top of a
cupboard, was the machine the police were looking for. But once again the Baron seemed to
have covered his tracks: there was no obvious sign of any virus-creating activity on the
40 or so floppy discs found with the computer.
LONE HACKERS
Back in the local police station, Pile was giving nothing away. But working through the
night, Bates came up with the evidence the police so badly needed. Pile's discs might have
looked clean, but armed with the right kind of forensic programs and know-how Bates was
able to unmask their secrets. In November 1995, the Black Baron was sentenced to 18 months
in jail.
From lone hackers and disgruntled systems managers to paedophile rings and
international gangs using the Internet to hold banks to ransom, the papers are full of the
threat of instant and untraceable crime. Out in the real world, though, it's rather
different. Far from offering criminals a safe haven, computers collect clues like flypaper
- you just have to know where to look.
And far from concentrating their efforts solely on cybercrooks, experts like Bates
spend most of their time catching ordinary criminals. The ubiquity of desktop machines and
personal organisers means that police are having to treat computers as a source of clues
in almost any kind of investigation.
In one notorious case, a Californian aerospace engineer was accused of poisoning his
wife with cyanide. Her body had been cremated before police became suspicious so the
evidence was slim. Then consultants Michael Anderson and Joe Enders of computer crime
specialist New Technologies in Oregon were called in to check through the husband's
computer. On one floppy disc, they found fragments of an incriminating personal diary. The
husband had attempted to copy his diary onto a disc that did not have enough space. The
computer rejected the operation. But unknown to the man, the half-saved file could easily
be read by anyone with the right software tools. The fragments were rife with his
suspicions about her fidelity and played a big part in his conviction when the case came
to trial in 1995.
And last year, computer evidence helped catch a serial "date rapist" in
southern England. The man had allegedly been meeting women through a singles club and then
showing them psychiatrists' letters saying he needed regular sex for the sake of his
mental health - a con trick which worked surprisingly well but which was also technically
rape. When police copied the contents of his computer, they discovered a whole file of
fake letterheads on his machine without which the case would have been difficult to
pursue.
But even when faced with a computer whiz - as the police certainly were in the Black
Baron case - finding evidence can be surprisingly easy for real experts like Bates, who is
president of consultancy Computer Forensics. One of life's enthusiasts, Bates stumbled
into the world of police investigations through his expertise writing hardware control
programs for the early IBM PCs. When the first generation of computer viruses showed up
during the mid-1980s, it was Bates who helped to crack them. These days he thinks nothing
of driving from his converted barn in the bucolic backwaters of Leicestershire to join
detectives on a dawn swoop on some suspect's house in Newcastle.
One of the big issues confronting him in every case is demonstrating that the data
found on a machine has been preserved in the form the police found it with nothing added
or removed - a tricky job when you consider that simply turning on a PC and running its
operating system can create new records on a hard disc.
Several years ago, Bates invented a method of bypassing a computer's operating system
to take a forensically "pure" snapshot of whatever is inside. DIBS, an ordinary
optical disc drive with its own specialist software, plugs into the back of a suspect
machine and not only freezes its activity, but is clever enough to find and copy any
hidden files on its hard disc. A "plod-proof" black box version is now being
marketed and its rapid adoption by police forces around the world should make Bates a rich
man.
Using DIBS on the Black Baron's PC, Bates was able to suck out its contents and create
an exact clone of the machine on his own PC. "That is one of the big differences
about working with computers," he says. "When you are testing samples of
clothing or body tissue, the tests usually destroy the evidence. But with a computer, we
can copy the evidence and then test it as often as we want."
The next problem faced by a computer investigator is spotting the smoking gun. The
average PC sold today has a 3-gigabyte disc. Printed out, that would produce a stack of
paper about 80 metres high, so searching for clues can be a daunting task. A few years
ago, says Bates, the police would often turn a blind eye to any computer files they came
across in the course of their inquiries just because processing them would tie up too much
time. But these days, technology is being used to combat technology. A flourishing market
in forensic software has sprung up, offering programs that can search files for particular
words and phrases and dig out any that the owner may believe to have been overwritten or
deleted.
SHADOW COPIES
So, armed with such tricks of the trade, Bates could begin his hunt for the Black
Baron's hidden virus code. The first clue was that Pile had bothered to clean his hard
disc with a "defragger". "That suggested he actually had something to
hide," says Bates. In normal use, a PC scatters a file all over the surface of a disc
platter. When the file is opened and used, each section may drop back to a different
place, creating many shadow copies. A defragger (or more properly, defragmentation
program) tidies the file system, thus removing much - but not all - forensically useful
information.
Bates's solution was to run a simple program that counts the number of times the
remaining files used each one of the standard ASCII characters, a capital A or an
asterisk, for example. From long experience, Bates can immediately tell what sort of file
he is looking at from its ASCII profile. For text files, the peaks coincide mainly with
letter characters.
There was nothing remarkable on Pile's PC. But straight away a tiny program on one of
the floppy discs stood out because its ASCII profile was unnaturally flat and even. The
file had been compressed to save space and then scrambled, or encrypted, by an encoding
program.
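The character-count test Bates describes, as an added example that is not code from the article (the sample text and the SHA-256 keystream standing in for the compressed-and-encrypted file are constructed): a byte histogram, the entropy that summarises how flat it is, and a windowed scan that finds where a flat blob has been appended to an otherwise ordinary file.

```python
import hashlib
import math

# Constructed sample inputs (not from the article): a text-like body, and a
# SHA-256-in-counter-mode keystream standing in for the compressed-then-
# encrypted program that stood out on Pile's floppy disc.
TEXT = (b"The quick brown fox jumps over the lazy dog while the police "
        b"copy the suspect's discs and search them for hidden files. ") * 40

def flat_blob(n, seed=b"constructed-seed"):
    """Deterministic pseudo-random bytes: every value 0-255 about equally common."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def ascii_profile(data):
    """Bates's ASCII profile: how often each of the 256 byte values occurs."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts

def entropy_bits(data):
    """Shannon entropy in bits per byte: roughly 4 to 5 for English text, near 8 when flat."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in ascii_profile(data) if c) if n else 0.0

def letter_share(data):
    """Fraction of bytes that are ASCII letters; text files peak here."""
    return sum(1 for b in data if 65 <= b <= 90 or 97 <= b <= 122) / max(len(data), 1)

def classify(data):
    """Flat, high-entropy profile means compressed or encrypted; letter peaks mean text."""
    if entropy_bits(data) > 7.5:
        return "compressed-or-encrypted"
    return "text" if letter_share(data) > 0.5 else "other"

def first_flat_offset(data, window=512, threshold=7.0):
    """Scan fixed windows and return where the profile first goes flat, so an
    encrypted blob tacked onto the end of a normal program shows up by offset."""
    for off in range(0, len(data) - window + 1, window):
        if entropy_bits(data[off:off + window]) > threshold:
            return off
    return None
```

Text of any real length settles near 4 to 5 bits per byte, so a window that jumps above 7 marks the start of the compressed or encrypted part.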
"Normally you wouldn't look twice at this file," says Bates. "It was
tacked onto the end of an ordinary commercial program, but why was it the only thing
encrypted?"
Pile's biggest mistake was to leave a copy of the encrypting program on the hard disc
of the PC. After a few dozen goes at using the program to print out a scrambled file for
each letter of the alphabet in turn, Bates could begin to spot the pattern in the program.
The Black Baron's elaborate safeguards were pierced and Bates's suspicions turned out to
be well founded: the mystery file was the virus-writing program.
Police used to worry that defence lawyers would claim computer evidence had been
tampered with or planted. But so far this hasn't happened, and Bates believes that
doctoring the evidence would be a lot more difficult than it sounds. A crooked detective
would have to fake not just a single file but a history of machine use.
In one case of blackmail that Bates was involved with, the suspect actually claimed
that he was being framed by police. The man - a regular computer user who again thought he
knew how to cover his tracks - was accused of sending threatening letters on a floppy disc
to a person he believed owed him money. The letters not only demanded payment but
threatened the recipient with unsavoury allegations over the use of council funds.
Unfortunately, at the time police seized his PC, they did not have the necessary equipment
to take a forensic snapshot of what was inside. So by the time Bates was called in,
detectives had inadvertently created 144 new files while they were scouring the system for
evidence of the blackmail note.
To add to their problems, all the detectives found was a cleaned-up version of the
letter - a copy with the threats and allegations carefully cut out so that it still made
sense. The suspect had left the letter as an alibi so he could claim that the malicious
content was added to the floppy disc copy after it had been received. With the police
subsequently trampling all over the "crime scene", the chances of a conviction
looked poor. But Bates was able to find the deleted phrases and work out when they were
removed.
Here's how he did it. A modern operating system like Microsoft's Windows, for example,
makes it almost impossible to erase every trace of past activity from a machine. One
feature that regularly catches out even the most sophisticated criminal is the Windows
"swap" file - a memory-extending feature which automatically offloads data from
main memory to a temporary buffer on the hard disc.
These swap files can hold as much as 30 megabytes of information. More importantly,
neither formatting the hard disc nor even running a defragger will normally touch what the
operating system has saved to such spaces. This gives forensic investigators an
"Aladdin's Cave" which is always full of earlier copies of documents and even
files that a user may believe have never been saved to disc.
LAVISH MEMORY
Another design wrinkle that not many computer users know about is disc slack space.
When a file is deleted, or even when the hard disc is reformatted, the only things the
operating system usually erases are file names and any pointers to the location of the
data on the disc - wiping each bit of data would take too long. So the data remains and is
perfectly visible to those with the right tools.
The drawback is that each data location is unprotected and so at risk of being
overwritten by new information. Yet even then, all is not lost, because a PC's operating
system allocates a lavish 32K of disc memory to every block of data and so there is almost
always some data towards the end of every address space that escapes being replaced.
Again, with the right software, it is easy to search these supposedly dead areas.
"It's hard to make data go away," says Anderson of New Technologies.
"You may delete a file but the system has always made four copies and saved them
elsewhere. Operating systems like DOS and Windows were never designed to be secure and so
they are full of these kinds of loopholes."
So, using an insider's knowledge, it was not hard for Bates to find the offending parts
deleted from the blackmailer's letter. More importantly, Bates was also able to prove that
they had been deleted before police took possession of the machine because many of the
fragments had been partly overwritten by the suspect. The way that other letters written
by the defendant lay on top of the blackmail note gave the game away.
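The slack-space behaviour explained under LAVISH MEMORY and the way it exposed the blackmail letter, replayed as an added toy simulation that is not code from the article (the volume layout, file names and letter text are all constructed): deleting only drops the directory entry, a shorter file written into the reused cluster overwrites just its head, and the tail of the original stays in the slack.

```python
CLUSTER = 32768  # the 32K allocation unit the article describes

class ToyVolume:
    """DOS-style disc in miniature: fixed-size clusters, a directory of live
    files, and nothing wiped when a file is deleted or a cluster is reused."""

    def __init__(self, n_clusters=4):
        self.clusters = [bytearray(CLUSTER) for _ in range(n_clusters)]
        self.directory = {}  # name -> (cluster index, file length)

    def _first_free(self):
        used = {c for c, _ in self.directory.values()}
        return next(i for i in range(len(self.clusters)) if i not in used)

    def write(self, name, data):
        """Single-cluster files only: data overwrites the head of the cluster,
        whatever was there beyond len(data) stays (the slack)."""
        assert len(data) <= CLUSTER
        idx = self._first_free()
        self.clusters[idx][:len(data)] = data
        self.directory[name] = (idx, len(data))
        return idx

    def delete(self, name):
        """Like DOS: drop the directory entry, leave the data on disc."""
        del self.directory[name]

    def read(self, name):
        idx, size = self.directory[name]
        return bytes(self.clusters[idx][:size])

    def slack(self, idx):
        """Bytes past the live file's end (the whole cluster if unallocated)."""
        live = {c: n for c, n in self.directory.values()}
        return bytes(self.clusters[idx][live.get(idx, 0):])

    def carve(self, needle):
        """Search every cluster's slack for a phrase the user thinks is gone."""
        return [i for i in range(len(self.clusters)) if needle in self.slack(i)]

def blackmail_scenario():
    """Constructed replay of the case: threat written, deleted, then a shorter
    'alibi' copy saved afterwards into the same reused cluster."""
    vol = ToyVolume()
    demand = b"Dear Councillor, you owe me 2000 pounds. "
    threat = b"Pay up by Friday or the papers hear about the council funds. "
    vol.write("letter.txt", demand + threat)
    vol.delete("letter.txt")
    vol.write("letter.txt", demand)  # cleaned-up copy overwrites only the head
    return vol
```

Because the later write lies on top of the earlier one, the overlap also fixes the order of events: the threat was on the disc before the alibi copy, which is the layering argument Bates used.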
Turning this story round, Bates says it shows how hard it would actually be to fake
evidence. "There are so many little things that could catch you out. Look, I'm an
expert and I wouldn't feel confident about manufacturing evidence. A computer that has
been used looks messy and it would be very difficult to recreate a pattern of use
accurately."
Police admit that they expected more of a challenge to the use of computer forensics
from the courts. "We tried to protect ourselves by always using technically competent
people to deal with the machines, yet you could still say that the police have had a
fairly easy ride," says former detective superintendent John Austen, who pioneered
procedures while setting up Scotland Yard's Computer Crime Unit in the 1980s and who now
runs a London-based consultancy called QCC.
Austen says one simple explanation is that the evidence gleaned from a computer usually
seems so detailed and incontrovertible that defendants have tended to plead guilty
immediately. The evidence has rarely had much of a chance to become an issue.
In the same way, the black-and-white nature of computer evidence has meant there has
not been the expected problem with baffled juries. Austen says most evidence is really
just copies of letters and text files. If jurors do need to understand a technical point,
such as how a hard disc saves files, then this is easy enough to explain - especially when
the exact pattern of alleged events can always be replayed in court on a copy of the
defendant's system.
Bates agrees: "The great thing about computer forensics compared with other
branches of forensic science is that it's exact - if we say something exists at this
address or in this cluster, then that is where it is. There aren't any arguments over
interpretation."
Fair enough, but computer forensics is still only a young art and there are a few
clouds on the horizon. One threat facing the police is the easy availability of
heavyweight encryption techniques. The password and encryption tools used by most systems
today are shockingly easy to crack, says Bates - not much harder than doing crosswords
once you know what to look for.
But the kind of encryption developed by the security services, which use two large
prime numbers to generate the scrambled message, could soon present police with quite a
headache as the codes can only be cracked by brute force, using banks of supercomputers to
try out the billions of possible key combinations.
There is also a great deal of talk about the Internet. Not so much because the
transactions will be untraceable - if anything, the Internet creates even more of a paper
trail - but because of the difficulty of international cooperation in police
investigations. "A search warrant is not much use if the data is on a machine in
another country," says Anderson. "Commerce is just starting on the Net. Crooks
go where the money is, so we will soon see how big a problem it is going to be."
But for now, it is the way computers can entrap the ordinary, unsophisticated criminal
that is the real story. Bates's favourite example involves a recent raid on a London porn
shop. A man well known to the Soho vice squad was selling child porn pictures which he
stored on an Apple Macintosh in a room over the shop. As soon as the police came through
the front door, the Mac went flying out of the first floor window, smashing itself to bits
on the bonnet of a taxi.
The good news for the crook was that his computer was a complete write-off. The bad
news was that the hard disc, and all the data on it, was fine. "Those hard discs are
built to withstand 25 'g'," laughs Bates. "The damn thing just
bounced."