NCJ Number
203358
Journal
Law and Order Volume: 51 Issue: 11 Dated: November 2003 Pages: 45,48,50,52,54
Date Published
November 2003
Length
6 pages
Annotation
This article describes the recovery of digitally stored computer evidence hidden by cybercriminals.
Abstract
Describing the various places that cybercriminals may store data that would prove useful to criminal investigators, the article cites locations such as cache files, swap page files, temporary files, and leftover data occupying “unallocated” space on computer hard drives. Many computer users, including cybercriminals, believe that when they delete a file it is erased from the hard drive. However, deleting a file merely removes the pointer to that file from the file allocation table, master file table, or other scheme that the operating system uses to pinpoint the location of a particular file on the disk. Following a discussion of the format characters embedded in a “clean” disk, the article describes a number of software packages, such as the GetFree tool and New Technologies Inc.’s Filter I, that may be used to recover files in unallocated space. After describing the ways in which cryptanalysts break the relatively straightforward encryption algorithms used by cybercriminals, the article discusses using a disk editor in order to locate data hidden by cybercriminals. Following a discussion of steganography software that hides files within other computer files, the article describes the development of anti-steganographic software in order to detect such hidden files. After describing ways in which to hide files within a computer system, such as setting hidden attributes and hiding files and directories, the article details the ways in which cybercriminals “hide” files in plain view by naming files so that they appear to contain information that is of no interest to criminal investigators.