PLUGGED IN: Gumshoes must tread carefully, but wealth of clues can be found
Computer forensics is a relatively new and little-known branch of computer security. Like other kinds of forensics, computer forensics is a set of techniques for collecting and explaining evidence - especially evidence that might be gathered during a criminal investigation. What makes it different is that instead of examining fingerprints or DNA, a computer forensics specialist focuses on data left inside a computer system.
The inside of a computer, it turns out, is a surprisingly difficult place from which to collect evidence. One reason is that computers have a lot of places where evidence can hide. My desktop machine has 128 megabytes of RAM and more than 20 gigabytes of hard disk space, roughly the equivalent of 3.5 million pages of typewritten text. It can take a trained investigator days or even weeks to search that much space effectively.
A second issue complicating the task: It is easy to damage or destroy evidence in the process of looking for it.
Finally, there is the problem of willful destruction: to keep themselves from getting caught, many computer criminals will delete files, modify programs, and otherwise alter a computer system after they have broken into it. To be successful, a computer forensics specialist needs to be able to step around this damage and still find what he or she is looking for.
Last week, a pair of flamboyant computer security experts, Dan Farmer and Wietse Venema, taught a one-day course on computer forensics at IBM's Yorktown Heights research laboratory. Called ''Murder on the Internet Express,'' the course discussed techniques for analyzing a computer system to find telltale signs left behind by someone using a computer. They discussed common tactics computer criminals use to destroy evidence, and why these approaches frequently fail. And finally, the pair previewed some new forensics tools they plan to release tomorrow.
There are three primary ways in which computer users leave tracks in a computer system. The first kind of track is in the log files - records most computers keep that detail the machine's activities. Log files are most common when you use services on the Internet. When you call up the Internet from a home PC, a record of your phone call is kept in a log file. Likewise, whenever you send electronic mail or view a Web page, that information is also recorded. If an investigator can get access to the log files, they can be used to paint a comprehensive picture of what the person has been doing on line.
A second way is to look at files on the computer itself. Both the UNIX and the Windows operating systems keep very detailed records of when each file was created, last modified, and last read. By examining these times for every file on the computer, an investigator can create a very detailed picture of what a person did.
A third way is to bypass the computer's files entirely, and instead just examine the hard drive. That's because information written to the hard disk stays there until it is overwritten. Because computer users almost never fill their hard drives all the way, it's common to find information on the disk that was deleted long ago.
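The second method, reading the creation, modification and access times of every file and sorting them into one chronology, is the kind of job The Coroner's Toolkit was built to automate. The Python below is an added illustration of that idea and is not code from the column or from the toolkit itself; the file name and timestamps it uses are constructed, and the flag columns (m, a, c) imitate the timeline format a forensics analyst would expect.

```python
import os
import tempfile

# Added example (not from the column or The Coroner's Toolkit): a minimal
# MAC-time timeline.  Every regular file contributes up to three events,
# flagged m (content modified), a (last read) and c (inode/metadata
# changed), printed in that column order.

def collect_mac_times(root):
    """Walk root and return one record per file with its three timestamps.
    lstat() reads the metadata without opening the file, so the access
    time being recorded is not itself disturbed by the collection."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records.append({"path": os.path.relpath(path, root),
                            "mtime": st.st_mtime,
                            "atime": st.st_atime,
                            "ctime": st.st_ctime})
    return records

def build_timeline(records):
    """Flatten records into (timestamp, flags, path) events, oldest first.
    Flags use fixed columns, e.g. 'm.c' = modified and changed in that
    second, '.a.' = only read.  Timestamps are truncated to whole seconds
    so events from the same second on the same file merge into one row."""
    hits = {}
    for r in records:
        for kind in ("mtime", "atime", "ctime"):
            hits.setdefault((int(r[kind]), r["path"]), set()).add(kind[0])
    return sorted((ts, "".join(f if f in flags else "." for f in "mac"), path)
                  for (ts, path), flags in hits.items())

def demo():
    """Build a scratch tree with constructed timestamps and return its timeline."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "notes.txt")  # constructed sample file
    with open(path, "w") as fh:
        fh.write("constructed sample content\n")
    # Constructed times: last read at 1_000_300, last modified at 1_000_000.
    # ctime cannot be set from user space and will reflect the current clock.
    os.utime(path, (1_000_300, 1_000_000))
    return build_timeline(collect_mac_times(root))

if __name__ == "__main__":
    for ts, flags, path in demo():
        print(ts, flags, path)
```

In a real examination the tree to walk is a read-only mounted copy of the seized disk, because any tool that opens the original files overwrites the very access times it is trying to record.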
One of the main uses of computer forensics today is figuring out what has happened after someone has broken into a computer system. With good tools, an analyst can determine when the break-in happened, how the intruder obtained access, and which files were examined or modified. Forensics tools can also be used to inspect the system to see whether any traps were left behind. For example, the attacker might have left a ''tripwire'' or ''timebomb'' that would automatically wipe out the system. Alternatively, the attacker might have created a ''back door'' so he or she could gain covert access at a later time.
Forensics also can be used by police to analyze computers seized during a criminal investigation. Earlier this summer I learned that the FBI has been using disk recovery tools such as Power Quest's Lost and Found to assist in child pornography investigations.
In one case they were able to see how a suspect had installed a copy of America Online, downloaded some questionable images, and then apparently deleted both the images and the AOL program. A few months later, he allegedly did the same thing again - installing AOL, downloading images, and deleting it all again. Lost and Found let the investigators almost literally look into the past, because parts of the AOL program and the downloaded images were still on the suspect's hard disk, even though they had been technically ''deleted.''
Programs like Lost and Found and Norton Utilities, which combine forensics with data recovery, have been available for the Windows platform for years. The big news at IBM last week was that Farmer and Venema are releasing a series of forensics programs for the UNIX and Linux operating systems. Called ''The Coroner's Toolkit,'' the tools make it much easier to conduct a detailed examination of a UNIX system. That's important, since UNIX is the dominant operating system among Internet servers and, thanks to Linux, is becoming more common on desktop machines as well.
Of course, computer forensics tools can also be used to spy on employees and other legitimate computer users. Indeed, says Farmer, ''Spying and abuse are now easier than ever. It is pretty trivial to find out what people using computers are up to.''
Those are strong words, especially considering their source. Three years ago Farmer and Venema released a security auditing program called ''SATAN'' on the Internet, to the dismay of many computer specialists. SATAN generated hostile responses because it could be used by system administrators to secure computers and by attackers to break into systems. It remains to be seen whether or not The Coroner's Toolkit will generate a similar response.
The Coroner's Toolkit is scheduled to be released tomorrow. Look for it on line at www.fish.com/security/forensics.html
Technology writer Simson L. Garfinkel can be reached at plugged-in@simson.net
This story ran on page C4 of the Boston Globe on 08/12/99.