The BTK Killer, Study notes of Forensics

Typology: Study notes

2021/2022

Uploaded on 09/27/2022

loche
The BTK Killer
Dennis Rader was arrested in February
2005 and charged with committing ten
murders since 1974 in the Wichita,
Kansas, area. The killer, whose nickname
stands for “bind, torture, kill,” hadn’t
murdered since 1991, but he resurfaced in
early 2004 by sending a letter to a local
newspaper taking credit for a 1986
slaying. Included with the letter were a
photocopy of the victim’s driver’s license
and three photos of her body. The BTK
killer was back to his old habit of taunting
the police.
Three months later another letter
surfaced. This letter detailed some of the
events surrounding BTK’s first murder
victims. In 1974, he strangled Joseph and
Julie Otero along with two of their
children. Shortly after those murders,
BTK sent a letter to a local newspaper in
which he gave himself the name BTK. In
December 2004, a package found in a
park contained the driver’s license of
another BTK victim along with a doll
covered with a plastic bag, its hands
bound with pantyhose.
The major break in the case came when
BTK sent a message on a floppy disk to a
local TV station. “Erased” information on
the disk was recovered and restored by
forensic computer specialists, and the disk
was traced to the Christ Lutheran Church
in Wichita. The disk was then quickly
linked to Dennis Rader, the church council
president. The long odyssey of the BTK
killer was finally over.
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20

Partial preview of the text

Download The BTK Killer and more Study notes Forensics in PDF only on Docsity!

The BTK Killer

Dennis Rader was arrested in February 2005 and charged with committing ten murders since 1974 in the Wichita, Kansas, area. The killer, whose nickname stands for “bind, torture, kill,” hadn’t murdered since 1991, but he resurfaced in early 2004 by sending a letter to a local newspaper taking credit for a 1986 slaying. Included with the letter were a photocopy of the victim’s driver’s license and three photos of her body. The BTK killer was back to his old habit of taunting the police.

Three months later another letter surfaced. This letter detailed some of the events surrounding BTK’s first murder victims. In 1974, he strangled Joseph and Julie Otero along with two of their children. Shortly after those murders, BTK sent a letter to a local newspaper in which he gave himself the name BTK. In December 2004, a package found in a park contained the driver’s license of another BTK victim along with a doll covered with a plastic bag, its hands bound with pantyhose.

The major break in the case came when BTK sent a message on a floppy disk to a local TV station. “Erased” information on the disk was recovered and restored by forensic computer specialists, and the disk was traced to the Christ Lutheran Church in Wichita. The disk was then quickly linked to Dennis Rader, the church council president. The long odyssey of the BTK killer was finally over.

Andrew W. Donofrio

Key Terms

bit
byte
central processing unit (CPU)
cluster
file slack
hard disk drive (HDD)
hardware
latent data
Message Digest 5 (MD5)/Secure Hash Algorithm (SHA)
motherboard
operating system (OS)
partition
RAM slack
random-access memory (RAM)
sector
software
swap file
temporary files
unallocated space
visible data

software A set of instructions compiled into a program that performs a particular task.

hardware The physical components of a computer: case, keyboard, monitor, motherboard, RAM, HDD, mouse, and so on. Generally speaking, if it is a computer component you can touch, it is hardware.

Computer Forensics 581

FIGURE 17–1 Cutaway diagram of a personal computer. Labeled components: power supply, CD/DVD drive, hard disk drive, floppy disk drive, motherboard, CPU, RAM, computer case/chassis, expansion bus with expansion card, ROM, external drive. Courtesy Tim Downs

However, sound forensic practices apply to all these devices. The most logical place to start to examine these practices is with the most common form of electronic data: the personal computer.

From Input to Output: How Does the Computer Work?

Hardware versus Software

Before we get into the nuts and bolts of computers, we must establish the important distinction between hardware and software. Hardware comprises the physical components of the computer: the computer chassis, monitor, keyboard, mouse, hard disk drive, random-access memory (RAM), central processing unit (CPU), and so on (see Figure 17–1). The list is much more extensive but, generally speaking, if it is a computer component or peripheral that you can see, feel, and touch, it is hardware. Software, conversely, is a set of instructions compiled into a program that performs a particular task. Software consists of programs and applications that carry out a set of instructions on the hardware. Operating systems (Windows, Mac OS, Linux, Unix), word-processing programs (Microsoft Word, WordPerfect), web-browsing applications (Internet Explorer, Netscape Navigator, Firefox), and accounting applications (Quicken, QuickBooks, Microsoft Money) are all examples of software.

random-access memory (RAM) The volatile memory of the computer; when power is turned off, its contents are lost. Programs and instructions are loaded into RAM while they are in use.

central processing unit (CPU) The main chip within the computer; also referred to as the brain of the computer. This microprocessor chip handles most of the operations (code and instructions) of the computer.

motherboard The main system board of a computer (and many other electronic devices) that delivers power, data, and instructions to the computer’s components.


It is important not to confuse software with the physical media that it comes on. When you buy an application such as Microsoft Office, it comes on a compact disc (CD). The CD containing this suite of applications is typically referred to as software, but this is technically wrong. The CD is external computer media that contains the software; it is a container for and a medium to load the set of instructions onto the hard disk drive (the hardware).

Hardware Components

Motherboard The main circuit board in a computer (or other electronic devices) is referred to as the motherboard. Motherboards contain sockets for chips (such as the CPU and ROM, discussed shortly) and slots for add-on cards. Examples of add-on cards are a video card to connect the computer to the monitor, a network card or modem to connect to an internal network or the Internet, and a sound card to connect to speakers. Sockets on the motherboard typically accept things such as random-access memory (RAM) or the central processing unit (CPU). The keyboard, mouse, CD-ROM drives, floppy disk drives, monitor, and other peripherals or components connect to the motherboard in one way or another.

System Bus Contained on the motherboard, the system bus is a vast complex network of wires that carries data from one hardware device to another. This network is analogous to a complex highway. Data is sent along the bus in the form of ones and zeros (or, more appropriately stated, as electrical impulses representing an “on” or “off” state; this two-state computing is also known as binary computing).

Central Processing Unit (CPU) The central processing unit (CPU), also referred to as a processor, is the brain of the computer; it is the part of the computer that actually computes. It is the main (and typically the largest) chip that plugs into a socket on the motherboard. Basically, all operations performed by the computer are run through the CPU. The CPU carries out the program steps to perform the requested task. That task can range from opening and working in a Microsoft Word document to performing advanced mathematical algorithms.

Read-Only Memory (ROM) This rather generic term describes special chips on the motherboard. ROM chips store programs called firmware, used to start the boot process (in which the computer starts up before the system is fully functioning) and configure a computer’s components. This technology is referred to as the BIOS, for basic input-output system. The operation of the BIOS is relevant to several computer forensics procedures, particularly the boot sequence. As will become clear later, it is important not to boot the actual computer under investigation to the original hard disk drive. This would cause changes to the data, thus compromising the integrity of evidence. The BIOS allows investigators to control the boot process to some degree.

Random-Access Memory (RAM) Random-access memory (RAM) stores software programs and instructions while the computer is turned on; it takes the physical form of chips that plug into the motherboard. Most of the data on a computer is stored on the hard disk drive (HDD). However, if the computer had to access the HDD each time it wanted data, it would run slowly and inefficiently. Instead, the computer, aware that it may need certain data at a moment’s notice, stores the data in RAM. This takes the burden off the computer’s processor and hard disk drive (HDD). RAM is referred to as

cluster A group of sectors in multiples of two; typically the minimum space allocated to a file.

bit Short for binary digit; taking the form of either a one or a zero, it is the smallest unit of information on a machine.

byte A group of eight bits.

sector The smallest unit of data addressable by a hard disk drive, generally consisting of 512 bytes.

partition A contiguous set of blocks that are defined and treated as an independent disk.

operating system (OS) Software that allows the user to interact with the hardware and manages the file system and applications.


  • Read-only memory (ROM) chips store programs that control the boot (startup) process and configure a computer’s components.
  • Random-access memory (RAM) is volatile memory, which is lost when power is turned off. Programs are loaded into RAM because of its faster read speed.
  • The hard disk drive (HDD) is typically the primary location of data storage within the computer.

Storing and Retrieving Data As mentioned earlier, most of the data in a computer is stored on the hard disk drive (HDD). However, before beginning to understand how data is stored on the HDD, it is first important to understand the role of the operating system (OS). An OS is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components. Each OS supports certain types of file systems that store data in different ways, but some support the methods of others.

Formatting and Partitioning the HDD Generally speaking, before an OS can store data on a HDD, the HDD must first be formatted, or prepared to accept the data in its current form. Before the HDD can be formatted, a partition must be defined. A partition is nothing more than a contiguous set of blocks (physical areas on the HDD in which data can be stored) that are defined and treated as an independent disk. Thus, a hard disk drive can hold several partitions, making a single HDD appear as several disks.

Partitioning a drive can be thought of as dividing a container that begins as nothing more than four sides with empty space on the inside. Imagine that we then cut a hole in the front of the container and place inside two drawers containing the hardware to open and close the drawers. We have just created a two-drawer filing cabinet and defined each drawer as a contiguous block of storage. A partitioning program then defines the partitions that will later hold the data on the HDD. Just as the style, size, and shape of a filing cabinet drawer can vary, so too can partitions.

After a hard drive is partitioned, it is typically formatted. The formatting process initializes portions of the HDD, so that they can store data, and creates the structure of the file system. There are various types of file systems—methods for storing and organizing computer files and data so they are easier to locate and access. Each has a different way of storing, retrieving, and allocating data.

At the conclusion of these processes, we say that the drive is logically defined. The term logically is used because no real divisions are made. If you were to crack open the HDD before or after partitioning and formatting, to the naked eye the platters would look the same.

Mapping the HDD As shown in Figure 17–3, disks are logically divided into sectors, clusters, tracks, and cylinders. A sector is the smallest unit of data that a hard drive can address; sectors are typically 512 bytes in size (a byte is eight bits; a bit is a single one or zero).^1 A cluster usually is the minimum space allocated


Closer Analysis: Other Common Storage Devices

Although the HDD is the most common storage device for the personal computer, many others exist. Methods for storing data and the layout of that data can vary from device to device. A CD-ROM, for example, uses a different technology and format for writing data than a floppy disk or USB thumb drive. Fortunately, regardless of the differences among devices, the same basic forensic principles apply for acquiring the data. Common storage devices include the following:

CDs and DVDs

Compact discs (CDs) and digital versatile discs (DVDs) are two of the most common forms of storing all sorts of external data, including music, video, and data files. Both types of media consist of plastic discs with an aluminum layer containing the data that is read by a beam of laser light in the CD/DVD reader. Different CDs are encoded in different ways, which makes forensic examination of such discs difficult at times.

Floppy Disks

Although “floppies” are not as common as they once were, forensic examiners still encounter the 3.5-inch floppy disk. Floppy disks can be used to boot an operating system or to store data. They are constructed of hard plastic with a thin plastic disk on the inside. That thin plastic disk is coated with a magnetic iron oxide material. The disk stores data in a similar fashion to the hard disk drive. By today’s standards, floppy disks don’t hold much data.

Zip Disks

Similar in structure to floppy disks, Zip disks hold a much larger amount of data. They come in several storage capacities, each with their own drive.

USB Thumb Drives and Smart Media Cards

These devices, which can store a large amount of data, are known as solid-state storage devices because they have no moving parts. Smart media cards are typically found in digital cameras and PDAs, while USB thumb drives come in many shapes, sizes, and storage capacities.

Tapes

Tapes come in many different formats and storage capacities. Each typically comes with its own hardware reader and sometimes a proprietary application to read and write its contents. Tapes are typically used for backup purposes and consequently have great forensic potential.

Network Interface Card (NIC)

Very rarely do we find a computer today that doesn’t have a NIC. Whether they are on a local network or the Internet, when computers need to communicate with each other, they typically do so through a NIC. NICs come in many different forms: add-on cards that plug into the motherboard, hard-wired devices on the motherboard, add-on cards (PCMCIA) for laptops, and universal serial bus (USB) plug-in cards, to name a few. Some are wired cards, meaning they need a physical wired connection to participate on the network, and others are wireless, meaning they receive their data via radio waves.


table clean—for example, by reformatting it—the data itself would not be gone. Both the database tracking the locations of the safe-deposit boxes and the file system table tracking the location of the data in the cluster are maps—not the actual contents.

Key Points

  • The computer’s operating system (OS) is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components.
  • Formatting is the process of preparing a hard disk drive to store and retrieve data in its current form.
  • A sector is the smallest unit of data that a hard drive can address. A cluster usually is the minimum space allocated to a file. Clusters are groups of sectors.
  • A FAT is a file allocation table. It tracks the location of files and folders on the hard disk drive.

Putting It All Together

Let’s now see how all of the parts of a computer come together to allow a user to access and manipulate data. When a person presses the power button, the power supply wakes up and delivers power to the motherboard and all of the hardware connected to the computer. At this point the flash ROM chip on the motherboard (the one that contains the BIOS) conducts a power-on self test (POST) to make sure everything is working properly. The flash ROM polls the motherboard to check which hardware is attached, then reads the boot order from its own stored settings, thus determining from what device it should boot. Typically the boot device is the HDD, but it can also be a floppy disk, CD, or USB drive. If the boot device is the HDD, control is then handed to the HDD. It locates the first sector of its disk (known as the master boot record), determines its layout (partition(s)), and boots an operating system (Windows, Mac OS, Linux, Unix). The user is then presented with a computer work environment, commonly referred to as a desktop.

Now ready to work, the user double-clicks an icon on the desktop, such as a Microsoft Word shortcut, to open the program and begin to type a document. The CPU processes this request, locates the Microsoft Word program on the HDD (using a predefined map of the drive called a file system table), and carries out the programming instructions associated with the application. The CPU also loads Microsoft Word into RAM via the system bus and sends the output to the monitor by way of the video controller, which is either located on or attached to the motherboard. As the user types, data from the keyboard is loaded into RAM. When the user is finished, he or she might print the document or simply save it to the HDD for later retrieval. If printed, the data is copied from RAM, processed by the CPU, placed in a format suitable for printing, and sent through the system bus to a printer. If the document is saved, the data is copied from RAM, processed by the CPU, passed to the HDD controller by way of the system bus, and written to a portion of the HDD. The HDD’s file system table is updated so it knows where to retrieve that data later.

This is a very simplistic overview of the boot process. Forensic examiners must possess a much more in-depth understanding of the boot process. The preceding example illustrates how three components of the computer perform most of the work: the CPU, RAM, and system bus. The example can get even more complicated as the user opens more applications and performs multiple tasks simultaneously (multitasking). Several tasks can be loaded into RAM at once, and the CPU is capable of juggling them all. This allows for the multitasking environment and the ability to switch back and forth between applications. (To further enhance this ability, RAM can use a portion of the HDD as virtual memory, which can be very forensically valuable—but more on this later.) All of this is orchestrated by the operating system and is written in the language of the computer—ones and zeros.

Processing the Electronic Crime Scene

Processing the electronic crime scene has a lot in common with processing a traditional crime scene. The investigator must first ensure that the proper legal requirements (search warrant, consent, and so on) have been met so that the scene can be searched and the evidence seized. The investigator should then devise a plan of approach based on the facts of the case and the physical location.

Documenting the Scene The scene should be documented in as much detail as possible before disturbing any evidence, and before the investigator lays a finger on any computer components. Of course there are circumstances in which an investigator might have to act quickly and pull a plug before documenting the scene, such as when data is in the process of being deleted.

Crime-scene documentation is accomplished through two actions: sketching and photographing. The electronic crime scene is no different. The scene should be sketched in a floor plan fashion (see Figure 17–4) and then overall photographs of the location taken. In a case in which several computers are connected together in a network, a technical network sketch should also be included if possible (covered in greater detail in the next chapter).

After investigators photograph the overall layout, close-up photographs should be shot. A close-up photograph of any running computer monitor should be taken. All the connections to the main system unit, such as peripheral devices (keyboard, monitor, speakers, mouse, and so on), should be photographed. If necessary, system units should be moved delicately and carefully to facilitate the connections photograph (see Figure 17–5). Close-up photographs of equipment serial numbers should be taken if practical.

At this point, investigators must decide whether to perform a live acquisition of the data, perform a system shutdown (as in the case of server equipment), pull the plug from the back of the computer,^2 or a combination thereof. Several factors influence this decision. For example, if encryption is being used and pulling the plug will encrypt the data, rendering it unreadable without a password or key, pulling the plug would not be


FIGURE 17–5 Back of a computer showing all connections.


FIGURE 17–6 Back of a computer with each component correlated with its port.

document the scene, prevent confusion of which component went with which system unit, and facilitate reconstruction if necessary for lab or courtroom purposes.

Forensic Image Acquisition Once a computer has been seized, the data it contains must be obtained for analysis. The number of electronic items that potentially store evidentiary data are too vast to cover in this section. The hard disk drive will be used as an example, but the same “best practices” principles apply for other electronic devices as well.

Message Digest 5 (MD5)/Secure Hash Algorithm (SHA) A software algorithm used to “fingerprint” a file or contents of a disk; used to verify the integrity of data. In forensic analysis it is typically used to verify that an acquired image of suspect data was not altered during the process of imaging.


The goal in obtaining data from a HDD is to do so without altering even one bit of data. Thus, throughout the entire process, the forensic computer examiner must use the least intrusive method to retrieve data. Because booting a HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created. However, the BIOS of the seized computer sometimes interprets the geometry of the HDD differently than the forensic computer does. Geometry refers to the functional dimensions of a drive, including the number of heads, cylinders, and sectors per track. In these instances, the image of the HDD must be obtained using the seized computer.

Regardless of the computer in which the HDD is placed, the examiner must ensure that, when creating the forensic image, the drive to be analyzed is in a “write-blocked” read-only state in which no new data can be added to the drive. Furthermore, the examiner needs to be able to prove that the forensic image he or she obtained includes every bit of data and caused no changes (writes) to the HDD. To this end, a sort of fingerprint of the drive is taken before and after imaging through the use of a Message Digest 5 (MD5), Secure Hash Algorithm (SHA), or similar algorithm. Before imaging the drive, the algorithm is run and a thirty-two-character alphanumeric string is produced based on the drive’s contents. The algorithm is then run against the resulting forensic image. If nothing changed, the same alphanumeric string is produced, thus demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process.

A forensic image of the data on a hard disk drive (or any type of storage medium) is merely an exact duplicate of the entire contents of that medium. In other words, all portions of a hard disk drive—even blank portions—are copied from the first bit (one or zero) to the last. Why would investigators want to copy what appears to be blank or unused portions of the HDD? The answer is simple: to preserve latent data, discussed later in the chapter. Data exists in areas of the drive that are, generally speaking, unknown and inaccessible to most end users. This data can be valuable as evidence. Therefore, a forensic image—one that copies every single bit of information on the drive—is necessary.^3 A forensic image differs from a backup or standard copy in that it takes the entire contents, not only data the operating system is aware of.

Many forensic software packages come equipped with a method to obtain a forensic image. The most popular software forensic tools—EnCase, Forensic Toolkit (FTK), Forensic Autopsy (Linux-based freeware), and SMART (Linux-based software by ASR Data)—all include a method to obtain a forensic image. All produce self-contained image files that can then be interpreted and analyzed. They also allow image compression to conserve storage. The fact that self-contained, compressed files are the result of forensic imaging allows many images from different cases to be stored on the same forensic storage drive. This makes case management and storage much easier (see Figure 17–7).
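Added example, not code from the chapter or from any of the tools it names: a Python simulation of the acquisition workflow just described. A constructed eight-sector drive sits behind a write-blocker; the source is hashed before imaging, imaged sector by sector, and hashed again, and the image's digests are compared with both. It also contrasts the bit-for-bit image with an ordinary backup of only the sectors the operating system still tracks, which misses the deleted remnant. The drive contents, sector layout and class names are assumptions made for this example.

```python
import hashlib

SECTOR_SIZE = 512


class WriteBlockedDrive:
    """Stand-in for a suspect HDD behind a write-blocker (constructed for this
    example). Reads are served sector by sector; every write attempt is
    refused and counted, which is what lets the examiner show that the
    acquisition caused no changes to the original."""

    def __init__(self, raw: bytes):
        if len(raw) % SECTOR_SIZE:
            raise ValueError("drive size must be a whole number of sectors")
        self._raw = raw
        self.write_attempts = 0

    @property
    def sector_count(self) -> int:
        return len(self._raw) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        return self._raw[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]

    def write_sector(self, n: int, data: bytes) -> None:
        self.write_attempts += 1
        raise PermissionError("drive is write-blocked: read-only")


def fingerprint(data: bytes) -> dict:
    """MD5 (the 32-character hex string the chapter describes) plus SHA-256,
    the stronger companion digest examiners record alongside it."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_drive(drive: WriteBlockedDrive) -> dict:
    """Fingerprint the source by streaming every sector through the hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for n in range(drive.sector_count):
        sector = drive.read_sector(n)
        md5.update(sector)
        sha256.update(sector)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def forensic_image(drive: WriteBlockedDrive) -> bytes:
    """Bit-for-bit copy: every sector from first to last, allocated or not."""
    return b"".join(drive.read_sector(n) for n in range(drive.sector_count))


def logical_backup(drive: WriteBlockedDrive, allocated: set) -> bytes:
    """What an ordinary copy or backup captures: only sectors the OS tracks."""
    return b"".join(drive.read_sector(n) for n in sorted(allocated))


def acquire(drive: WriteBlockedDrive) -> dict:
    """Hash before, image, hash the source again, hash the image. All three
    digests agreeing (with zero write attempts) demonstrates the image is
    all-inclusive and that nothing on the original changed during imaging."""
    before = hash_drive(drive)
    image = forensic_image(drive)
    after = hash_drive(drive)
    image_hash = fingerprint(image)
    return {"image": image, "before": before, "after": after,
            "image_hash": image_hash,
            "verified": before == after == image_hash
            and drive.write_attempts == 0}


def write_is_blocked(drive: WriteBlockedDrive) -> bool:
    """Confirm the write-blocker refuses writes (the check an examiner documents)."""
    try:
        drive.write_sector(0, b"\x00" * SECTOR_SIZE)
    except PermissionError:
        return True
    return False


def constructed_drive() -> tuple:
    """Eight-sector sample disk (constructed, not real evidence): sectors 0-2
    hold a live document, 3-4 hold remnants of a deleted file the OS no longer
    tracks, 5-7 are unused. Returns the drive and the OS-allocated sector set."""
    live = b"Quarterly report: sales up 4%\n".ljust(3 * SECTOR_SIZE, b"\x00")
    remnant = b"DELETED LEDGER acct 0000 constructed remnant\n".ljust(
        2 * SECTOR_SIZE, b"\xaa")
    unused = b"\x00" * (3 * SECTOR_SIZE)
    return WriteBlockedDrive(live + remnant + unused), {0, 1, 2}


if __name__ == "__main__":
    drive, allocated = constructed_drive()
    result = acquire(drive)
    print("image verified:", result["verified"], "md5:", result["image_hash"]["md5"])
    print("remnant in backup:", b"DELETED LEDGER" in logical_backup(drive, allocated))
```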

Key Points

  • Aspects of a computer that should be photographed close up at an electronic crime scene include (1) the screen of any running computer monitor, (2) all the connections to the main system unit, such as peripheral

swap file A file or defined space on the HDD to which data is written, or swapped, to free RAM for applications that are in use.

visible data All data that the operating system is presently aware of, and thus is readily accessible to the user.


Visible Data

The category of visible data includes all information that the operating system is presently aware of, and thus is readily accessible to the user. Here we present several common types of visible data considered in many investigations. This list is by no means exhaustive and can include any information that has value as evidence.

Data/Work Product Files One place to find evidence is in documents or files produced by the suspect. This category is extremely broad and can include data from just about any software program. Microsoft Word and WordPerfect word-processing programs typically produce text-based files such as typed documents and correspondence. These programs, and a host of other word-processing programs, have replaced the typewriter. They are common sources of evidence in criminal cases, particularly those involving white-collar crime.

Also relevant in white-collar crime and similar financial investigations are any data related to personal and business finance. Programs such as QuickBooks and Peachtree accounting packages can run the entire financial portion of a small to midsize business. Similarly, personal bank account records in the computer are often managed with personal finance software such as Microsoft Money and Quicken. Moreover, criminals sometimes use these programs as well as spreadsheet applications to track bank accounts stolen from unsuspecting victims. Forensic computer examiners should familiarize themselves with these programs, the ways in which they store data, and methods for extracting and reading the data.

Advances in printer technology have made high-quality color printing both affordable and common in many homes. While this is a huge benefit for home office workers and those interested in graphic arts, the technology has been used for criminal gain. Counterfeiting and check and document fraud are easily perpetrated by most home computer users. All that is required is a decent ink-jet printer and a scanner. Including the computer, a criminal could set up a counterfeiting operation for less than $1500. Examiners must learn the graphics and photo-editing applications used for such nefarious purposes. Being able to recognize the data produced by these applications and knowing how to display the images is key to identifying the evidence.

Swap File Data When an application is running, the program and the data being accessed are loaded into RAM. A computer’s RAM can read data much faster than the hard disk drive, which is why the programs are loaded here. RAM, however, has its limits. Some computers have 256 MB of RAM, others 512 MB, and still others as much as a gigabyte or two. Regardless of the amount, though, most operating systems (Windows, Linux, and so on) are programmed to conserve RAM when possible. This is where the swap file comes in. The operating system attempts to keep only data and applications that are presently being used in RAM. Other applications that were started, but are currently waiting for user attention, may be swapped out of RAM and written to the swap file on the hard disk drive.^4

For example, a manager of a retail store may want to type a quarterly report based on sales. The manager starts Microsoft Word and begins his report. Needing to incorporate sales figure data from a particular spreadsheet, he opens Microsoft Excel. Depending on what is running on the computer, the original Word document may be swapped from RAM to the swap space on the HDD to free up space for Excel. As the manager goes back and forth between the programs (and maybe checks his e-mail in between) this swapping continues. Data that is swapped back and forth is sometimes left behind in the swap space. Even as this area is constantly changed, some of the data is orphaned in unallocated space, an area of the HDD discussed later in this chapter. Swap file can be defined as a particular file or even a separate HDD partition, depending on the operating system and file system type. Data in the swap space can be read by examining the HDD through forensic software or a utility that provides a binary view, such as Norton Disk Editor or WinHex (see Figure 17–8).

FIGURE 17–8 As the user switches between applications and performs multiple tasks, data is swapped back and forth between RAM and the computer’s hard drive. This area on the hard drive is referred to as swap space. (Diagram labels: RAM module (chip); swap space; swapping of data between RAM and the hard drive's swap space or page file.)

Temporary Files Any user who has suffered a sudden loss of power in the middle of typing a document can attest to the value of a temporary file. Most programs automatically save a copy of the file being worked on in a temporary file. After typing a document, working on a spreadsheet, or working on a slide presentation, the user can save the changes, thus promoting the temporary copy to an actual file. This is done as a sort of backup on the fly. If the computer experiences a sudden loss of power or other catastrophic failure, the temporary file can be recovered, limiting the amount of data lost. The loss is limited because the temporary file is not updated in real time. Rather, it is updated periodically (typically defaulted to every ten minutes in most programs), depending on the application’s settings.

Temporary files can sometimes be recovered during a forensic examination. Some of the data that may have been orphaned from a previous version may be recoverable, if not the complete file. This is true even when a document has been typed and printed, but never saved. The creation of the temporary file makes it possible for some of this “unsaved” data to be recovered during analysis.

Another type of temporary file valuable to the computer investigator is the print spool file. When a print job is sent to the printer, a spooling process delays the sending of the data so the application can continue to work while the printing takes place in the background. To facilitate this, a temporary print spool file is created; this file typically includes the data to

temporary files Files temporarily written by an application to perform a function.

file slack The area that begins at the end of the last sector that contains logical data and terminates at the end of the cluster.

RAM slack The area beginning at the end of the logical file and terminating at the end of that sector. In some older operating systems this area is padded with information in RAM.


[Figure 17–9 image: HDD; one cluster (1024 bytes) made up of two sectors (512 bytes each); 100 bytes of file data; slack space (924 bytes)]

FIGURE 17–9 Slack space illustrated in a two-sector cluster. Cluster sizes are typically greater than two sectors, but two sectors are displayed here for simplicity.

of storage space for that 100-byte file. The remaining 924 bytes would be slack space (see Figure 17–9). To illustrate this point, let us expand on the previous example of safe-deposit boxes. The bank offers safe-deposit boxes of a particular size. This is the equivalent of the HDD’s clusters. A person wanting to place only a deed to a house in the box gets the same size box as a person who wants to stuff it full of cash. The former would have empty space should he or she desire to place additional items in the box. This empty space is the equivalent of slack space. But what if the box becomes full and the person needs more space? That person must then get a second box. Similarly, if a file grows to fill one cluster and beyond, a second cluster (and subsequent clusters as needed) is allocated. The remaining space in the second cluster is slack space. This continues as more and more clusters are allocated depending on file size and file growth. This example is a bit of an oversimplification because there are actually two types of slack space: RAM slack and file slack. RAM slack occupies the space from where the actual (logical) data portion of the file ends to where the first allocated sector in the cluster terminates. File slack, therefore, occupies the remaining space of the cluster. Let us go back to the 100-byte file with the two-sector-per-cluster minimum requirement. Following the end of the logical data (the end of the 100 bytes), the remaining 412 bytes of that sector are RAM slack; the additional 512 bytes completing the cluster are then file slack. See Figure 17– for a visual depiction. The question now becomes: What can I expect to find in slack space and why is this important? The answer: junk—valuable junk. RAM slack is a concept that was more relevant in older operating systems. Remember that the minimum amount of space the HDD can address is the 512-byte sector. Therefore, if the file size is only 100 bytes, the remaining space must be padded. Some operating systems pad this area with data contained in RAM. This could include Web pages, passwords, data files, or other data that existed in RAM when the file was written. Modern Windows operating systems pad this space with zeros, but some examinations may still yield valuable data in this area.

unallocated space The area of the HDD that the operating system (file system table) sees as empty (containing no logical files) and ready for data. Simply stated, it is the unused portion of the HDD, but is not necessarily empty.

Computer Forensics 597

[Figure 17–10 image: HDD; one cluster (1024 bytes) made up of two sectors (512 bytes each); 100 bytes of file data; RAM slack (412 bytes, 0's or data from RAM); file slack (512 bytes, orphaned data)]

FIGURE 17–10 File slack.

File slack, on the other hand, can contain a lot of old, orphaned data. To illustrate this point, let’s take the 100-byte file example a bit further. Let’s say that prior to the 100-byte file being written to the HDD and occupying one cluster (two sectors totaling 1024 bytes), a 1,000-byte file occupied this space but was deleted by the user. When a file is “deleted” the data still remains behind, so it is probably a safe bet that data from the original 1,000-byte file remains in the slack space of the new 100-byte file now occupying this cluster. This is just one example of why data exists in file slack and why it might be valuable as evidence. In one final attempt to illustrate this point, let us again build on our safe-deposit box analogy. Suppose a person rents two safe-deposit boxes, each box representing a sector and the two combined representing a cluster. If that person places the deed to his house in the first box, the remaining space in that box would be analogous to RAM slack. The space in the second box would be the equivalent of file slack. The only difference is that unlike the empty spaces of the safe-deposit box, the slack space of the file most likely contains data that might be valuable as evidence. The data contained in RAM and file slack is not really the concern of the operating system. As far as the OS is concerned, this space is empty and therefore ready to be used. Until that happens, however, an examination with one of the aforementioned tools will allow a look into these areas, thus revealing the orphaned data. The same is true for unallocated space.
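As an added example (not from the textbook), the following Python model of a single two-sector cluster computes the RAM slack and file slack described for the 100-byte file above and replays the scenario just given: a 1,000-byte file is written, "deleted", and then overwritten by a 100-byte file, after which the old file's second sector is still readable in file slack. The 512-byte sector and 1024-byte cluster are the figures' sizes; the marker text inside the old file is constructed for the demonstration.

```python
# Added example, not from the textbook: a byte-level model of one HDD cluster
# showing where RAM slack and file slack fall and why old data survives there.
SECTOR = 512              # smallest addressable unit on the HDD
SECTORS_PER_CLUSTER = 2   # 1024-byte cluster, as in Figures 17-9 and 17-10
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size):
    """(ram_slack, file_slack) in bytes for the last cluster of a file.
    RAM slack: end of logical data to end of that sector.
    File slack: the remaining whole sectors of the cluster."""
    used = file_size % CLUSTER            # data bytes in the last cluster
    if used == 0:                         # ends exactly on a cluster boundary
        return 0, 0
    ram_slack = (SECTOR - used % SECTOR) % SECTOR
    return ram_slack, CLUSTER - used - ram_slack


def write_file(cluster_img, data, ram_pad=b""):
    """Write `data` (one cluster at most) at the start of a cluster image.
    RAM slack is padded with zeros (modern Windows) or, if `ram_pad` is given,
    with leftover RAM contents (older systems). File slack is never touched."""
    assert len(data) <= CLUSTER
    buf = bytearray(cluster_img)
    buf[:len(data)] = data
    ram_slack, _ = slack_layout(len(data))
    buf[len(data):len(data) + ram_slack] = ram_pad[:ram_slack].ljust(ram_slack, b"\x00")
    return bytes(buf)


def recover_file_slack(cluster_img, file_size):
    """Bytes a hex viewer such as WinHex would show as the file's file slack."""
    ram_slack, file_slack = slack_layout(file_size)
    start = file_size + ram_slack
    return cluster_img[start:start + file_slack]


# Constructed scenario from the text: a 1,000-byte file is written, "deleted"
# (only the file-system entry goes away), then a 100-byte file reuses the cluster.
OLD_FILE = b"A" * 600 + b"[old sales figures]" + b"B" * 381   # 1000 bytes
NEW_FILE = b"N" * 100
cluster = write_file(bytes(CLUSTER), OLD_FILE)   # fresh, all-zero cluster
cluster = write_file(cluster, NEW_FILE)          # deletion changed no bytes
ORPHANED = recover_file_slack(cluster, len(NEW_FILE))   # 512 bytes of old data

if __name__ == "__main__":
    print(slack_layout(100))                     # (412, 512)
    print(b"[old sales figures]" in ORPHANED)    # True
```

The RAM slack of the new file (bytes 100 to 511) is zeroed, wiping the start of the old file, while the whole second sector survives untouched as file slack.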

Unallocated Space

Latent evidentiary data also resides in unallocated space. What is unallocated space, how does data get in there, and what is done to access this space? If we have an 80-GB hard drive and only half of the hard drive is filled with data, then the other half, or 40 GB, is unallocated space (see Figure 17–11). Returning to our safe-deposit box analogy, if the entire bank of safe-deposit boxes contains 100 boxes, but only 50 are currently in use, then the other 50 would be the equivalent of unallocated space. The HDD’s unallocated space typically contains a lot of useful data. The constant shuffling of