CSI: Hard Drive


Hate groups, terrorist activity, pimping. A day in the lifeof local law enforcement? No, just a routine sweep ofschool computers. Digital forensic technology isuncovering the bad, sometimes criminal behaviorstudents and faculty are guilty of.

CSI: Hard DriveACTING ON INFORMATION from students who report seeing a classmatelooking at inappropriate material on a school computer, school officials useforensics software to plunge the depths of the PC's hard drive, searching for evidenceof improper activity. Images are found in a deleted Internet Explorer cacheas well as deleted file space. Additional evidence collected from log files is joinedwith the software-gathered evidence to identify the student who was logged on atthe time the images appeared on the computer. Once the investigation concludes,the offending student is suspended for three days.

Later, in a suit brought by the student's parents, the district successfully defends its position by showing the use of proven evidence-collecting methods and procedures— and providing a written appropriate use policy that the student is shown to have violated.

So is the story told by Brent Williams, an educational technology specialist at Kennesaw State University in Georgia. He says there are many more where that came from. "It's happening at school systems everywhere now," Williams says. "The variety [of offenses] is almost endless. If you can think of a technology, someone has figured out a way to abuse it within a school system."

Remember the rumor about Coach Henderson and the cheerleader? Did they or didn't they? Before the advent of the information age, such prurient school gossip never got past the whispering stage. Today, as in the case Williams recounted, such transgressions usually leave a digital trail, where they are dead meat for the investigative powers of computer forensic technology. Forensic software tools can root the truth out of any misappropriated computer, often generating unsettling findings for school administrators when they learn what members of their staff, faculty, and student body have been up to.

Quick Tip

A machine that is being used to steal passwords or attack other computerswill speak up. It may reboot randomly, open five websites when the userasks for one, default to a porn page, or allow users to type in onlycertain keywords.

The worst the kids are usually caught doing are acts of cyberbullying—dissing each other on MySpace or using e-mail to send profanity-laced notes, etc. Posting, in addition to viewing, raunchy photos on MySpace is also a common student offense.

That's small potatoes versus what file searches are coming up with on the grown-ups. A gym coach's dalliance with a cheerleader can seem positively nostalgic compared to the array of untoward activities that experts say forensic tools are unearthing: harassment, participation in hate groups, gun purchases, terrorist activity, pimping. On top of that, Williams says there is a "huge problem with staff or faculty surfing pornography during school hours or on school equipment— actually having child pornography on their PC, or carrying on an inappropriate relationship with a student, using school computers for e-mail or chat."

Because of the danger this kind of behavior presents to schools and the community at large, districts need to have at least basic forensic capabilities in order to bring the culprits to light. Williams says that means "being prepared with the right technical expertise and software to address the situations." He estimates you could call officials in any decent-sized school district with sufficient resources and learn they have invested in computer forensic tools and are currently putting them to work on solving a particular case.

Assembling a Team

School IT professionals are fortunate that they can count on software to do the heavy lifting at every point of an investigation. Software can not only collect forensic evidence, but also help users write the subsequent report to submit to an attorney or the courts. But the real strength of forensic technology is its ability to slice and dice the data it retrieves to help school districts find the needle in the haystack.

According to Brian Karney, senior vice president of the corporate division at AccessData in Lindon, UT, the ability of forensic tools to find evidence is so sophisticated, their credibility goes unquestioned in court proceedings. Instead, defense lawyers attack the operator of the tools, looking for procedural error. "Instead of asking what tools did you use," Karney says, "courts and lawyers ask what was the process you went through."

That doesn't mean school districts can shrug off their investigative responsibilities onto a data forensics vendor. There still needs to be professionals in the district who know what to do with the data once the software has held up its end and produced it. Williams recommends districts train at least one or two people in the IT department in computer forensics. The best candidates are those professionals who understand bits and bytes of PC hardware, PC operating systems, and file systems backward and forward. It's a good idea to include legal counsel and a public relations expert in the loop as well. "It takes a team to deal with these cases," Williams says.

Fortunately for cash-strapped districts, computer investigative software doesn't have to cost an arm and a leg to do an adequate job. The best-known freebie available for downloading is a suite called Helix, which is basically a bootable live CD that allows users to look for images or text, or make an image of the hard drive. Williams describes it as a very comprehensive toolset for the price. WinHex also offers a free edition, in addition to the for-fee suite, that experts say can be ideal for basic needs.

Digging Deep


Helix: A bootable live CD that has beenmodified very carefully to not touch the host computer in anyway. However, the software soaks up a lot of RAM (a minimum of128 MB on a Pentium-class computer is recommended).

EnCase: Version 2 allows organizationsto maintain a strong chain of custody while using thesoftware to efficiently search, collect, and preserve only relevantdata, and process the information for attorney review.According to its website, law firms rank EnCase among the topfive software tools of its kind.

ProDiscover: Finds data hiddenin the most remote places on a hard drive. Designed to theNational Institute of Standards and Technology Disk Imaging Tool Specification 3.1.6, the program also givesyou the capability to compare your files against informationfrom the National Drug Intelligence Center's HashKeeper database of authenticated, or "known to begood," files.

Forensic Toolkit: An integrated solutionthat allows users to create an image, conduct an investigation,decrypt files, crack passwords, and build a report. Lets yousearch, display, and report on data

For the more intense searches, law enforcement and government agencies use programs such as ProDiscover, EnCase, and Forensic Toolkit (FTK). ProDiscover offers a free version that Williams suggests to school IT administrators who attend his classes is a good place to start.

But don't assume all sophisticated software packages come with an astronomical price tag. AccessData's FTK product right now goes for $2,000 for a license and functionality that includes password cracking, imaging, analysis, and support. And that's open to negotiation. "We have worked some deals with entire districts," Karney says, "but typically one person at one school has a copy of it with maintenance for $500 a year."

Sticking to Sound Procedures

An IT professional needs a full week of 8-to-5 classwork to conquer the basics of computer forensics; forensic certifications require additional weeks of study. Training also needs to be ongoing, as the larger vendors release updates to their software at least once a quarter. "Things change fast, so we have to constantly add new features, functionality, and product lines," Karney says. For instance, Microsoft Vista's introduction required that he add multiple layers and changes to FTK.

However, training isn't an end-all. "Just because you take a 40-hour class does not mean that you are qualified to perform a really in-depth forensic examination," says Phil Harrold, a state law enforcement officer in Marathon, FL, who sits on the board of the International Society of Forensic Computer Examiners. "A 40-hour class will train you in basic evidence handling and preservation, but you need practice to become adept at it."

Quick Tip

Do not surround the computer in question and begin by opening files. On a PC,doing that will change dates and times on file, so it's not a forensicallysound procedure.

Remember, too, that while today's software outfits have improved their forensic tools to near foolproof standards, it only takes one ill-trained or too-eager human to taint the results. For instance, Harrold has seen a lot of well-meaning principals and technology teachers with a smattering of hardware knowledge surround the computer in question and begin by opening files. "If it's a Windows computer, doing that will change dates, times, and things of that nature on file, so it's not a forensically sound procedure," he says.

Likewise, if you use ordinary data recovery tools for the job—the kind you'd whip out if the school secretary's computer crashed—you ultimately would tamper with modified access times, which blows your ability to accuse a person of committing an offense on a certain day and time. "If someone's freedom depends upon the veracity of evidence, you certainly don't want to be altering that evidence," Harrold says. "And it's very easy to do accidentally."

Sound procedure requires an IT team to use the software's imaging tool and write-blocking technologies, which prevent users from changing the date on the hard drive. The programs automatically create a "bit copy," which is computer- speak for copying every little bit of data off that hard drive from the first sector to the last. That includes deleted files and surfing paths a user can't pull up from his seat at the keyboard. Think of it as taking a microscope to the hard drive.

"The difference between what you see through your Windows Explorer and what you see from computer forensic tools is night and day," says Karney. "The way the operating and file systems work, there's a whole lot of action that goes on underneath."

Or better yet, says Karney, data capture is like ripping out the table of contents and index to a book, leaving you with just the words to navigate blindly—only in this case, the actual information is reported in binary codes of ones and zeros. The software next steps into the gap to serve as an index, grouping deleted files, data in the recycle bin, internet chat streams, deleted web pages, etc. What's missing? "Well," he says, "there's no such thing as a ‘go find evidence' button."

Phase 2 of a forensic computer investigation requires a human touch: people thinking logically. If, for instance, a student has been accused of buying guns, the examiner needs to sleuth through the files seeking anything related to guns: brokers, bullets, ammunition, rifles, and so forth. "You have to put yourself in the person's shoes and get a sense of what information they'd need to know more about," Karney says. "At the end of the day, you're trying to prove a point with a very high level of certainty. You're asking skilled questions, which is, frankly, the exciting part of this."

But because a positive outcome does require such precise questioning, Karney says that in his experience he's found standard, scheduled computer-checking policies to be pointless. You could easily miss sexual harassment because you were scouring specifically for pornography, and meanwhile nobody noticed that the computer was being used to post speeches of support on terrorist web pages.

Harrold says the popularity of television's make-believe version of forensic investigation gives people the wrong notions about the business he is in. "A lot of people watch shows like CSI, where crimes are solved in an hour because there are no laboratory backlogs and things of that nature," Harrold says. "That is just not reality. It's a long process and not as glamorous as it looks on TV." Kennesaw State's Williams notes that the typical hard drive contains 150 to 200 gigabytes of memory on it, so it can take hours or even days to do one search for an image or text string.

Finding the Culprits

You can't tell at a glance which computers hold ugly secrets, nor has Williams found any reliable patterns—for example, computers in the multimedia room are more likely to contain smut than the one in the counselor's office—that he would warn to watch out for.

On the other hand, it is possible to get a whiff of misbehavior depending on the type of activity you're dealing with. If someone is using a machine to steal passwords or attack other computers, the machine itself will speak up via strange activities. It may reboot randomly, open five websites when the user asks for one, default to a porn page, or only allow users to type in certain keywords, for example.

Macs are less vulnerable than PCs to hacking pranks, but they offer no magic protection against users who are bent on foul play. Some software packages—Williams cites Guidance's EnCase, which police departments and the FBI use— do have the ability to perform computer sweeps remotely in search of various content. The tradeoff is often price, although that too is starting to change. In recent months, Guidance has rolled out a new pricing model for the K-12 market that charges $1 per student rather than its usual $100,000 to $1 million price tag, says David Hydorn, director of North American sales. That doesn't, however, factor in training costs.

"We introduced [the new pricing] after the current budget cycle, but we expect it to catch fire in the next budget round," Hydorn says. At this writing, approximately 20 school districts nationwide are using EnCase.

For many schools, random computer checks involve what the industry calls dead box forensics, a process that requires powering off the machine, taking an image of the hard drive, and then analyzing the data. But random checks are not an ideal solution. "They're very time-consuming," Karney says. "There is a threshold of pain you have to consider." He recommends publicly announcing a random check policy as a deterrent.

"I can't really say I'd recommend computers be checked," says Harrold. "An IT administrator could practically spend his entire day just checking computers, monitoring their use, and forget about everything else."

Williams says most school districts do fine relying on word of mouth to root out suspect machines. Students and staff alike will squeal if they believe they've seen hankypanky, "and when those bits of information reach the right people, then it's time to do a little forensic action and find out for sure what's going on."

When to Act

Just be careful not to react too zealously to a hot tip. Those rumors going around about Coach Henderson and the cheerleader? Administrators don't want to launch an investigation if all the talk is merely baseless student gossip. Ditto when Johnny has been accused of visiting MySpace against school rules in the science lab, especially when a keystroke logger can get to the truth unobtrusively.

One question ultimately arises: Are district IT personnel the appropriate staff to rely on for such sensitive matters? There may be some gray areas where judgment calls have to be made, but Williams says certain activities require IT departments to make an immediate report to law enforcement. "It's an absolute no-brainer if you encounter child pornography— instantly stop what you are doing and go to the police and walk away," says Williams. Add threats to kill to that list, forensic experts advise.

"We're in a situation right now where school systems are just waking up to how important it is to have some kind of forensic capabilities, and to educate their audiences that you can't do this stuff or you will be caught," Williams says. Karney only hopes it won't take a tragedy to get the message home.

"As the wheels start to come off and our kids start to become more frequent targets of evil," he says, "I think there will be greater visibility and a real need to perform meaningful incident response on computers. Schools need to protect the children."

::webextra :: For more information on this topic, visit www.thejournal.com. In the Browse by Topicmenu, click on Security/Privacy.

Julie Sturgeon is a freelance writer based in Indiana.

This article originally appeared in the 01/01/2008 issue of THE Journal.