Computer Crime Investigator's Toolkit: Part IV

by Enterprise Networking Planet Staff

Tips that can help the computer crime investigator wade through slack files, and the basics of simple and complex cryptography.

Slack Files

Slack space arises on a hard drive or floppy when a deleted file's clusters are reused by a new file that only partially overwrites them. The new file does not completely fill the space the old file's data occupied, so a slack space of residual data remains between the end of file (EOF) boundary of the new file and the end of the cluster. A given disk therefore holds large amounts of such "hidden data", and these fragments may offer considerable evidence about what was deleted from the disk.

Bitstream copying will preserve slack space. Simple (file-by-file) copying will not. Once safely backed up, the contents of slack space can be viewed with software such as hex editors and the Norton Utilities. Such examination needs to be done by a qualified computer forensics specialist. If you need a list of questions to ask an examiner to evaluate his or her qualifications, try this Web page: http://www.keycomputer.net/equest.htm. A good article giving an overview of examining a computer is in the March 1997 issue of Security Management, "Confessions of a Hard Drive" by Kristopher A. Sharrar and Jose Granado.
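The two paragraphs above describe slack space and the difference between a bitstream copy and a simple copy in words. The following is an added example, not code from the article: a toy cluster-based disk (64-byte clusters, a constructed "ledger" note and "grocery list" as sample contents) that shows the residual bytes left between the new file's EOF and the end of its cluster, and shows that a bitstream image keeps them while a file-level copy drops them.

```python
# Added example (not from the article): a toy cluster-based disk that shows
# how file slack arises and why a bitstream copy keeps it while a file-level
# copy does not. Cluster size and file contents are constructed for the demo.

CLUSTER = 64  # bytes per cluster; kept small so the layout is easy to read


class ToyDisk:
    """A disk made of fixed-size clusters plus a directory of live files."""

    def __init__(self, clusters: int):
        self.raw = bytearray(CLUSTER * clusters)
        self.files = {}  # name -> (first_cluster, length in bytes)

    def write_file(self, name: str, start_cluster: int, data: bytes) -> None:
        # As on a real file system, only the file's own bytes are written;
        # whatever sat in the rest of the last cluster is left untouched.
        off = start_cluster * CLUSTER
        self.raw[off:off + len(data)] = data
        self.files[name] = (start_cluster, len(data))

    def delete_file(self, name: str) -> None:
        # Deletion only drops the directory entry; the bytes stay on disk.
        del self.files[name]

    def read_file(self, name: str) -> bytes:
        start, length = self.files[name]
        off = start * CLUSTER
        return bytes(self.raw[off:off + length])

    def slack_of(self, name: str) -> bytes:
        """Bytes between the file's EOF and the end of its last cluster."""
        start, length = self.files[name]
        end_of_file = start * CLUSTER + length
        end_of_cluster = -(-end_of_file // CLUSTER) * CLUSTER  # round up
        return bytes(self.raw[end_of_file:end_of_cluster])


def bitstream_copy(disk: ToyDisk) -> bytes:
    """Sector-by-sector image: every byte, allocated or not."""
    return bytes(disk.raw)


def simple_copy(disk: ToyDisk) -> dict:
    """File-by-file copy: only the bytes each live file claims."""
    return {name: disk.read_file(name) for name in disk.files}


def demo() -> dict:
    """Old note deleted, shorter file allocated the same cluster, then compare copies."""
    disk = ToyDisk(clusters=4)
    # Constructed "evidence": a 63-byte note that nearly fills cluster 1.
    old = b"ledger: wire 40,000 to account 7781 on Friday, delete this note"
    disk.write_file("note.txt", 1, old)
    disk.delete_file("note.txt")
    # A new 18-byte file gets the same cluster and overwrites only its start.
    disk.write_file("list.txt", 1, b"grocery list: milk")

    image = bitstream_copy(disk)
    copied = simple_copy(disk)
    return {
        "slack": disk.slack_of("list.txt"),
        "slack_in_image": b"account 7781" in image,
        "slack_in_simple_copy": any(b"account 7781" in d for d in copied.values()),
    }


if __name__ == "__main__":
    result = demo()
    print("slack bytes:", result["slack"])
    print("residual data survives bitstream copy:", result["slack_in_image"])
    print("residual data survives simple copy:   ", result["slack_in_simple_copy"])
```

The point the example makes is the one the article makes: the deleted note is never "erased", it is merely no longer claimed by a directory entry, and a copy that walks the directory cannot see it. Only a copy of the raw clusters carries the residual bytes into the evidence image.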

Slack space may reveal

  1. Evidence of pornography.
  2. Records of criminal activity or transactions.
  3. Deleted email used for illegal purposes.
  4. Files used in scams and to commit frauds.
  5. Stolen proprietary files and databases.
  6. Downloads from the Internet and the Web.
  7. Stolen or pirated software.

Digital Evidence and Computer Crime by Eoghan Casey also has a good overview of slack space on hard disks and how bitstreaming preserves the evidence.

Cryptography

Cryptography is a vast subject, and it can be as abstract as quantum physics. The average computer sleuth, though, does not have to know the inner workings of designing cryptographic algorithms. But he or she does need to know the difference between simple and complex cryptography.

Simple cryptography is much like the decoder rings found in cereal boxes when you were a kid. The classic cipher along this vein is Caesar's Cipher, which rotated the alphabet three letters to the right. In other words, in the ciphertext the letter H substitutes for the letter E in the plaintext. A modern version of this substitution cipher is ROT13, where the shift is thirteen (13) letters.

Another simple technique is to XOR (apply an exclusive OR with a key to) the plaintext. For a more sophisticated method, using a Vigenere Square (an alphabet matrix: http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html) produces a more difficult substitution cipher. Unfortunately, these methods are way too easy for computers to break and result in very weak ciphers and encrypted passwords.

The fact that certain letters in English have a higher frequency than others ("e" being the most common) makes these ciphers vulnerable. Yet, some software packages continue to use them for cryptographic protection. Such software may claim to have a secret, proprietary algorithm for encryption. A computer sleuth can check the strength of a package's cryptography by having it encrypt some known text. If repetitions in letter patterns and frequencies are apparent (you can guess where the letters A or E are), then the encryption is weak. Breaking it using the resources found in the URLs below should be straightforward.
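The three paragraphs above name the classic ciphers (Caesar, ROT13, XOR, Vigenere) and then describe the test a sleuth can apply to a package's "proprietary" encryption: encrypt known text and look at the letter frequencies. The following is an added example, not code from the article, that implements both halves. The letter-frequency table is the standard approximate English distribution; the index-of-coincidence threshold (0.055) and the known plaintext sentence are this example's own choices.

```python
# Added example (not from the article): the classic ciphers it names and the
# "encrypt known text, then look at letter frequencies" check it recommends.
# ENGLISH_FREQ holds standard approximate English letter frequencies (percent);
# the 0.055 threshold and KNOWN_TEXT are this example's own choices.
import string
from collections import Counter

ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}
ALPHA = string.ascii_uppercase


def caesar(text, shift):
    """Rotate every letter `shift` places (Caesar: 3, ROT13: 13); non-letters pass through."""
    return "".join(chr((ord(c) - 65 + shift) % 26 + 65) if c in ALPHA else c
                   for c in text.upper())


def vigenere(text, key):
    """Vigenere square: the i-th letter is Caesar-shifted by the i-th key letter (key repeats)."""
    shifts = [ord(k) - 65 for k in key.upper()]
    out, i = [], 0
    for c in text.upper():
        if c in ALPHA:
            out.append(chr((ord(c) - 65 + shifts[i % len(shifts)]) % 26 + 65))
            i += 1
        else:
            out.append(c)
    return "".join(out)


def xor_cipher(data, key):
    """Repeating-key XOR (exclusive OR); applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def letters_only(text):
    return [c for c in text.upper() if c in ALPHA]


def index_of_coincidence(text):
    """Probability that two letters drawn at random match: about 0.066 for
    English, 0.038 for uniformly random letters. A monoalphabetic substitution
    such as Caesar or ROT13 only relabels letters, so the value is unchanged."""
    letters = letters_only(text)
    n = len(letters)
    if n < 2:
        return 0.0
    counts = Counter(letters)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def best_caesar_shift(ciphertext):
    """Try all 26 shifts; pick the one whose letter counts best fit English (chi-squared)."""
    letters = "".join(letters_only(ciphertext))
    n = len(letters)
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(caesar(letters, -shift))
        score = 0.0
        for letter in ALPHA:
            expected = n * ENGLISH_FREQ[letter] / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift


def assess(ciphertext, threshold=0.055):
    """The article's test in code: if the index of coincidence is still at the
    English level, the letter statistics survived encryption and the scheme is
    a simple substitution, whatever the vendor calls it."""
    ioc = index_of_coincidence(ciphertext)
    return {
        "index_of_coincidence": round(ioc, 3),
        "simple_substitution": ioc > threshold,
        "best_caesar_shift": best_caesar_shift(ciphertext) if ioc > threshold else None,
    }


# Constructed known plaintext for the check.
KNOWN_TEXT = ("Investigators should image the drive before examining it, because "
              "that first copy is the only copy that still holds every byte of the "
              "original evidence, including the slack space at the end of each cluster.")

if __name__ == "__main__":
    for name, ct in [("Caesar", caesar(KNOWN_TEXT, 3)),
                     ("ROT13", caesar(KNOWN_TEXT, 13)),
                     ("Vigenere", vigenere(KNOWN_TEXT, "SLEUTH"))]:
        print(name, assess(ct))
```

Run against Caesar or ROT13 output, the index of coincidence is identical to that of the plaintext, which is exactly the "repetitions in letter patterns and frequencies" the article says to look for. A repeating-key Vigenere flattens the statistic somewhat, which is why the article calls it more difficult, but a short key still leaves it well above the random-text level.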

Strong, complex cryptography, suitable for the computer age, takes the form of PGP, Triple DES, Blowfish, RSA, Twofish, and other publicly documented strong algorithms. Tested in the public arena by experts, they will stand up to cryptanalysis for reasonable periods of time, provided they are implemented properly. And, they are only as good as the security precautions used to protect them. If a user is careless about safeguarding the keys used in the cipher, no matter how good the algorithm, the message will be compromised. So checking a computer and the floppies nearby for unencrypted files containing keys is a standard investigative step. If the user has employed complex cryptography to protect a file or password and you can't find the keys, bring in a qualified computer forensics expert to develop a strategy for accessing the data.
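The paragraph above says that with strong ciphers the investigative step is to look for unprotected key material on the computer and nearby media. The following is an added example, not code from the article: it scans a raw disk image (the kind a bitstream copy produces) for the ASCII-armour header lines that mark exportable private keys, and reports the byte offset and sector of each hit. The header strings are the real PGP and PEM markers; the four-sector image is constructed for the demo.

```python
# Added example (not from the article): scan a raw disk image for the
# ASCII-armour headers that mark exportable private keys. The image below is
# constructed; the header strings are the real PGP and PEM markers.
import re

KEY_MARKERS = [
    rb"-----BEGIN PGP PRIVATE KEY BLOCK-----",
    rb"-----BEGIN RSA PRIVATE KEY-----",
    rb"-----BEGIN OPENSSH PRIVATE KEY-----",
    rb"-----BEGIN PRIVATE KEY-----",
]
PATTERN = re.compile(b"|".join(re.escape(m) for m in KEY_MARKERS))


def find_key_material(image: bytes, sector: int = 512) -> list:
    """Return (offset, sector_number, marker) for every hit. Because the scan
    runs over the raw image rather than the live files, it also finds headers
    sitting in unallocated space or slack, which a file-level copy would drop."""
    return [(m.start(), m.start() // sector, m.group().decode())
            for m in PATTERN.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed 4-sector image: a harmless text file in sector 0, and the
    armour header of a deleted key file surviving in sector 2 (unallocated)."""
    img = bytearray(512 * 4)
    img[0:20] = b"shopping list: milk\n"
    leftover = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: (constructed sample)\n"
    start = 2 * 512 + 100  # deliberately not sector-aligned
    img[start:start + len(leftover)] = leftover
    return bytes(img)


if __name__ == "__main__":
    for offset, sector, marker in find_key_material(build_sample_image()):
        print(f"offset {offset} (sector {sector}): {marker}")
```

A hit only tells the examiner where to look; whether the block is an intact key, a passphrase-protected one, or a fragment is for the qualified examiner the article recommends to decide. The useful property is that the search is run on the image, never on the original media.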


Print Sources

Casey, Eoghan, Digital Evidence and Computer Crime, Academic Press, 2000.

Sharrar, Kristopher A., and Granado, Jose, "Confessions of a Hard Drive," Security Management, March 1997.

Singh, Simon, The Code Book, Doubleday, 1999.

Smith, Richard E., Internet Cryptography, Addison-Wesley, 1997.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Tiwana, Amrit, Web Security, Digital Press, 1999.


Web Sources

Slack Files


"The Third Step - Preserve the Electronic Crime Scene" by Michael R. Anderson.
http://www.forensics-intl.com/art7.html

"Forensic Procedures for Computers"

"An Examiner's qualifications"
http://www.keycomputer.net/equest.htm

Vigenere Square and Cryptography

"The Vigenere Cipher"
http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html

"Index of /pub/security/cryptography/cryptanalysis" (Has C program, vigsolve.c, for cracking Vigenere ciphers.)
http://sunsite.bilkent.edu.tr/pub/security/cryptography/cryptanalysis/?S=A

"A course on classic cryptography," Lesson One covers letter frequencies and distributions in English.
http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm

"A brief introduction to cryptology"
http://www.ridex.co.uk/cryptology/#_Toc439908877


This article was originally published on Thursday Feb 15th 2001