New York Times
March 9, 2000

Computer Forensics Teams Learn to Follow Digital Footprints

By DENNIS BLANK

John Leeson smiles as he straightens out a paper clip and inserts it in the back of a portable Zip disk drive of a personal computer that he has put into standby mode.

The disk, which contains an unknown password that allows access to the computer’s hard drive, pops out and Dr. Leeson inserts another disk. When prompted by an on-screen message he chooses "remove protection" and enters a new password that will give him access to valuable information on the hard drive that had previously been blocked.

That is just part of a bag of tricks - some easily available on the Internet - that Dr. Leeson uses to teach his class of police officers and lawyers ways to retrieve information from computers.

Dr. Leeson, 55, an associate professor at the School of Computer Science at the University of Central Florida in Orlando, is a teacher and practitioner of what is known as computer forensics. In addition to teaching, he also helps the campus police department and the local sheriff’s office with computer-related investigations.

"John is one of a couple of pioneers in this area," said Mark Politt, unit chief of the computer forensics laboratory at the Federal Bureau of Investigation in Washington. "The need for computer forensics is growing exponentially, and we need more people trained in the basic fundamentals.

"The use of computers both as tools and storage devices for crimes is growing. Investigators need to build up teams because things have become so complex, one person doesn’t have all the knowledge."

There is a great demand for more law enforcement investigators trained in digital crime-solving techniques, said Carrie Whitcomb, director of the National Center for Forensics at the University of Central Florida, and the university is developing a graduate certificate program. Dr. Leeson’s course, which is offered in the summer, is part of the program.

Digital evidence can come from many sources in addition to PC’s, Dr. Leeson said. Investigators can also find evidence in Palm devices, fax machines, cell phones and other equipment that keeps or produces data or a record of users’ activities.

"How do you catch a criminal?" Dr. Leeson said. "You try to follow the digital trail, just like the gumshoe would follow the trail of evidence."

In a criminal case, if a computer can be seized by law enforcement authorities, then time is on the side of the investigators as they peel off the necessary information: e-mail and Web site records and hard drive data. If a computer cannot be confiscated, tracking a suspect becomes more difficult.

"Digital is like footprints in the sand," Dr. Leeson said, "and it will disappear rather quickly over time because information is being overwritten constantly. If you overwrite in the digital world, it is virtually impossible to recover it."

Standard detective work may be all that is necessary to recover things like Web site passwords.

"People leave information lying around," Dr. Leeson said. Often, a sticky note with a password might be in an obvious place, like on the PC monitor or underneath the keyboard. Pictures of a pet, grandparents or a friend, if they can be identified, may all be clues to a password.

A typical investigation might involve tracing the electronic path of someone suspected of downloading child pornography. If certain images are hidden or encrypted, Dr. Leeson said, "it adds another layer to the hunt." If a suspect has used a "very good encryption program, it goes from difficult to virtually impossible to unscramble," he said.

One of the hypothetical cases he discusses with his students is that of someone who receives a pipe bomb in the mail. In this case, an estranged wife is suspected. After the authorities get a search warrant, the hard disk of her computer reveals that she has been surfing the Internet and visiting sites that explain how to make the kind of bomb used in the crime. That kind of evidence, though circumstantial, can help link a person to a crime.

There are other, tougher cases, Dr. Leeson said, particularly those involving hackers who have used others’ computer systems to do their damage. In those cases, he said, the investigator has to backtrack to determine how the hacker got into other people’s computers.

Often that entry is through the Internet. "The World Wide Web was not designed with security in mind but was designed to share research," Dr. Leeson said.

But the Web also has features that can aid a forensic computer scientist. Once a user is online, search engines are logging "the fact that you are there and where you are coming from, and those log records can be used to track their way back," Dr. Leeson said. Cookies, tiny data files automatically placed by some sites on a computer’s hard drive with a unique tracking number, are another way that a user’s Web surfing habits are tracked.
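The kind of backtracking described above can be shown concretely. The following is an added example, not code from the article or from Dr. Leeson’s course: it parses Web server access logs in the Apache "combined" format, with an extra trailing cookie field assumed for illustration, and rebuilds a visitor’s trail from the referer (where they came from) and the requested path (where they went). It also shows how a tracking cookie can tie together requests from different addresses, which an address-only search would miss. The log lines are constructed for the example and are not real traffic; the host name example.test and the cookie name "tid" are assumptions.

```python
"""Reconstruct a visitor's trail from Web server access logs.

Added example, not from the original article. Assumes Apache/NCSA "combined"
log format followed by one extra quoted cookie field. The sample lines are
constructed for illustration and are not real server logs.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "agent",
# plus an assumed final quoted cookie field (absent on plain combined-format logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation/test addresses only). The last line shows the
# same tracking cookie arriving from a different address an hour later.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2000:10:02:11 -0500] "GET /search?q=pipe+bomb HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (Win98; I)" "tid=abc123"
203.0.113.7 - - [09/Mar/2000:10:02:40 -0500] "GET /howto/index.html HTTP/1.0" 200 2048 "http://example.test/search?q=pipe+bomb" "Mozilla/4.7 [en] (Win98; I)" "tid=abc123"
198.51.100.4 - - [09/Mar/2000:10:03:01 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 5.0)" "tid=zzz999"
203.0.113.7 - - [09/Mar/2000:10:05:59 -0500] "GET /howto/parts.html HTTP/1.0" 200 4096 "http://example.test/howto/index.html" "Mozilla/4.7 [en] (Win98; I)" "tid=abc123"
192.0.2.9 - - [09/Mar/2000:11:15:00 -0500] "GET /howto/parts.html HTTP/1.0" 200 4096 "-" "Mozilla/4.7 [en] (Win98; I)" "tid=abc123"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.fullmatch(line)
        if m is None:
            continue  # malformed line: do not guess its fields
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], TIME_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def trail_for(entries, cookie=None, ip=None):
    """Return a visitor's requests in time order, filtered by cookie and/or address.

    Each hop is (time, referer, path): the referer is where the visitor came from,
    the path is where they went next.
    """
    hops = [e for e in entries
            if (cookie is None or e["cookie"] == cookie)
            and (ip is None or e["ip"] == ip)]
    hops.sort(key=lambda e: e["time"])
    return [(e["time"].isoformat(), e["referer"], e["path"]) for e in hops]


def addresses_by_cookie(entries):
    """Map each tracking cookie to the set of source addresses that presented it."""
    seen = defaultdict(set)
    for e in entries:
        if e["cookie"]:
            seen[e["cookie"]].add(e["ip"])
    return dict(seen)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for hop in trail_for(log, cookie="tid=abc123"):
        print(hop)
    print(addresses_by_cookie(log))
```

Run against the sample, the cookie "tid=abc123" yields a four-hop trail: a search, the page reached from that search, a second page reached from the first, and a later visit from a second address. Following the article’s own caveat that tracks can be falsified, treat a referer, address or cookie as a lead to corroborate against other evidence, not as proof of who was at the keyboard.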

"It is possible to falsify your tracks, and that makes the job of finding you much more difficult," he said.

Dr. Leeson acknowledges that some of what he taught in his first introductory graduate course on computer forensics may be old hat when he teaches the popular class again this summer.

For one thing, Windows 2000 may pose some new security issues, while new state laws may have been enacted that will have an impact on the course.

"Any crime that you can conceive of," Dr. Leeson said, "a computer can be an instrument of that crime."

Dr. Leeson is serving as the lead consultant on the Seminole County Clerk’s web site project.