Computer Forensics

Posted by administrator, January 3rd, 2005

Computer Forensics [1]
by Jhonelle S. Estrada


The National Bureau of Investigation and Computer Forensics

The National Bureau of Investigation (NBI) is the government agency that handles computer crime cases. In 1996, its Anti-Fraud and Action Division was renamed the Anti-Fraud and Computer Crimes Division. The division's original mandate was to investigate fraud cases; with the change of name, it now also handles the investigation of computer crime cases.

In 2003, the United States State Department gave several trainings on the examination of computer-related evidence. Bureau personnel were taught to use software such as EnCase [2] and Forensic Toolkit (FTK). [3] FTK is the software used by the NBI, although EnCase is the one generally acknowledged as the software used by law enforcement agencies. After several trainings sponsored by the US State Department, and in order to put the knowledge learned to use, the Bureau needed its own examination equipment; otherwise what was learned through seminars and trainings would have been forgotten and rendered useless. To acquire its own equipment, the Bureau solicited donations in November 2003. Six forensic workstations were delivered to the Bureau by the US State Department in January 2004, and these are now used for examining computer-related evidence. The software donated with the equipment was FTK, but there are plans to include EnCase soon.

Before the donation of this state-of-the-art equipment, the NBI did not usually examine computer-related evidence. When there was a real need to do so, the evidence was examined by its EDP unit; otherwise the Bureau asked its counterparts in private industry to conduct the examination. Bureau personnel even had to fly to Hong Kong to have evidence examined by the experts there.

Computer forensics, defined

Computer forensics is the analysis of data processing equipment to determine whether the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose. [4] It is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. The subject matter includes (a) the secure collection of computer data, (b) the examination of suspect data to determine details such as origin and content, (c) the presentation of computer-based information to courts of law, and (d) the application of a country's laws to computer practice. [5]

Gathering electronic evidence

When a search warrant is needed, the Bureau's agents first apply for one. If the judge grants the application, the warrant is implemented and the establishment used as the staging point for the computer crime, as in a hacking case, [6] is raided. If the computer used is identified during the raid, it is confiscated and taken to the forensics laboratory. The search warrant is then returned to the issuing court with a prayer to allow the Bureau to conduct a forensic examination. Evidence gathered is not examined immediately, since court approval is necessary to avoid questions or issues of evidence tampering. If the court allows the examination, it requires the complainant and representatives of the respondent to witness it, and the examination is then scheduled.

In other cases, where there is a private offended party, such as a company, that requests the Bureau's assistance, NBI agents prepare an image copy of the hard disk of the computer alleged to have been used in the computer crime or anomalous transaction. The image copy is brought to the Bureau, and a mirror copy of it is examined. The purpose is to determine how the offense was committed and whether relevant files still exist.

Once the evidence is secured, the persons most knowledgeable about the crime, or the person who discovered the offense, are interviewed. In the process, the agents look for the owner of the computer and the officers supposedly responsible for it. When running the computer itself, the agents may also use its logbooks and directories. Sometimes the traces left behind give the NBI agents an idea of who used the computer before the crime was discovered.
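The imaging step above (an image of the hard disk is acquired, and a copy of that image is examined) is where the integrity record of the evidence is created; the EnCase description in footnote 2 records an MD5 of the original media and a CRC for each 64K block of the evidence file. The following Python script is an added illustration of that scheme, not code from the NBI or from either vendor; SAMPLE_MEDIA is constructed data standing in for a raw read of a device, and the function names are the author's own.

```python
import hashlib
import zlib

BLOCK_SIZE = 64 * 1024  # 64K blocks, as in the EnCase evidence-file description


def acquire_image(source: bytes) -> dict:
    """Produce a bit-for-bit image of `source` plus the integrity data recorded
    at acquisition time: an MD5 of the whole source and a CRC32 per 64K block."""
    image = bytes(source)  # byte-for-byte duplicate; in practice a raw read of the device
    block_crcs = [zlib.crc32(image[i:i + BLOCK_SIZE])
                  for i in range(0, len(image), BLOCK_SIZE)]
    return {
        "image": image,
        "md5": hashlib.md5(source).hexdigest(),  # hash of the original media
        "block_crcs": block_crcs,
    }


def verify_image(evidence: dict) -> list:
    """Re-check the image against the recorded MD5 and per-block CRCs.
    Returns a list of findings; an empty list means the copy still matches."""
    image = evidence["image"]
    findings = []
    for n, expected in enumerate(evidence["block_crcs"]):
        block = image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        if zlib.crc32(block) != expected:
            findings.append(f"block {n} CRC mismatch")  # localizes the damage
    if hashlib.md5(image).hexdigest() != evidence["md5"]:
        findings.append("MD5 of image differs from MD5 of original media")
    return findings


def working_copy(evidence: dict) -> bytearray:
    """The mirror copy the examiner actually works on; the acquired image is left untouched."""
    return bytearray(evidence["image"])


# Constructed sample "media": two empty 64K blocks followed by one block holding a file fragment.
SAMPLE_MEDIA = b"\x00" * (BLOCK_SIZE * 2) + b"customer list: ...".ljust(BLOCK_SIZE, b"\xff")

if __name__ == "__main__":
    ev = acquire_image(SAMPLE_MEDIA)
    print("acquired MD5:", ev["md5"], "blocks:", len(ev["block_crcs"]))
    print("verify:", verify_image(ev) or "OK")
    # Flip one byte in block 1 of the image and show both checks catching it.
    tampered = dict(ev, image=ev["image"][:BLOCK_SIZE] + b"X" + ev["image"][BLOCK_SIZE + 1:])
    print("after tampering:", verify_image(tampered))
```

Because the examiner works on the bytearray from working_copy, the acquired image and its recorded hashes stay unchanged and can be re-verified when the evidence is presented.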

Electronic evidence

Electronic evidence has to qualify under the Rules on Electronic Evidence. [7] As far as documentation is concerned, the Bureau's agents must mention in their report the actions they took in order to reach their findings. The software, hardware, and techniques used should also be noted there. The preparation of the report is the same as for documentary evidence; it is in its presentation that the variation comes in.

Developments in the Philippines

In the Philippines, computer forensics is still new. Bureau agents cannot really be called experts in the field yet, although they are exerting all efforts to gain expertise. They attend trainings in forensics, computer crime investigations, and incidents in smugs. Attending seminars and trainings does not by itself make anyone an expert; expertise is gained through experience, as new computer-related cases are assigned to the agents. Their growing investigative experience will help them with the more complex cases assigned to them in the future. Furthermore, the US State Department has committed to upgrading the knowledge of the Bureau's agents involved in computer forensics.

Since the equipment was donated, at least 20 cases have been examined. The tools have been effective and efficient in all cases in which a computer was used, allowing evidence from formatted hard disks and from systems with deleted files and changed operating systems to be secured and used in the investigation. In one case involving malicious electronic mail (e-mail), the e-mail was traced through a domain check [8] and trace scouting. Once the origin was traced, the Bureau applied for a search warrant and recovered the computer used. In another case, involving drug trafficking, a raid on a syndicate's premises allowed the recovery of a computer on which records of its customers and suppliers were kept.


  1. Based on an interview with Agent Palmer Mallari, Executive Officer of the Anti-Fraud and Computer Crime Division (AFCCD) of the NBI.
  2. EnCase is a product of Guidance Software. The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process. EnScript, a powerful macro-programming language and API included within EnCase, allows investigators to build customized and reusable forensic scripts. EnCase (1) supports the acquisition of virtually all media that can be attached to a system: hard drives, Zip disks, USB devices, flash cards, Palm Pilots, etc.; (2) performs media acquisitions by producing an exact binary duplicate of the data on the original media, generating MD5 hash values of both the original media and all data contained within the resulting evidence file, and assigning a CRC value to each 64K block of the evidence file; (3) has an optimized search engine whose latest algorithm gives multiple-term keyword searches near-identical throughput to single-term keyword searches; (4) can read PST files, the file format associated with Outlook, whether under compressible encryption or full encryption, and extract e-mail for plain-text analysis; (5) features multiple case management, allowing investigators to run multiple cases on multiple media targets simultaneously; (6) fully supports Unicode, and thus displays the characters of various languages correctly; (7) fully supports Dynamic Disk configurations, i.e. hard drives that have been upgraded to Dynamic Disks by Microsoft Windows 2000 or XP using the Disk Manager; (8) comes with both a parallel-port lap-link cable for parallel-port cable acquisitions and a crossover network cable for crossover network cable acquisitions; (9) stores evidence files on shared media for either data retention or examination at a later date; (10) maintains complete records of all keyword searches conducted, including the time of the search, the scope of media examined, the keyword and GREP expression and the number of search results, with bookmarks easily displayed and incorporated into the final EnCase report; (11) automatically generates a customized report detailing the contents of the case, including relevant evidence, investigator comments, bookmarks, recovered images, search criteria, search results and search information such as when the search was executed, the length of the search and more; (12) provides powerful search and analysis tools that allow investigators to view many different types of files in plain-text format, including registry files, e-mail files, and more; (13) attempts to interpret file structures and show a representation of all files and folders, thus supporting FAT12 (floppy), FAT16, FAT32, NTFS, HFS, HFS+, UFS, Sun Solaris, EXT2, Reiser, Palm, CDFS, Joliet, UDF and ISO 9660; and (14) offers different views that quickly and easily allow the investigator to find specific investigation/case information: (a) Table view, where files can be sorted by name, extension, file created date, logical file size and other criteria in a spreadsheet-style format; (b) Gallery view, which displays BMP, JPG, GIF and TIFF images; (c) Timeline view, which shows a calendar-style graphic of all file activity, illustrating file attributes such as when files were created, last written or deleted; and (d) Report view, in which reports can be generated on any file, folder, volume, physical disk or the entire case, typically including reference information regarding the acquisition, drive geometry, folder structures, bookmarked files and bookmarked images. EnCase also has (1) an EnCase Encrypting File System (EFS) Module, which provides EFS folder and file decryption capabilities for locally authenticated users; (2) an EnCase Virtual File System (VFS) Module, which enables examiners to mount computer evidence as a read-only off-line network drive, allowing further examination of the evidence using Windows Explorer and third-party tools; and (3) a Network Authentication Server (NAS) Module, which provides complete flexibility in EnCase software licensing. NAS enables EnCase software licenses to be utilized in three ways: locally on the examiner computer, remotely with Terminal Services, and across the network using the License Manager. See http://www.guidancesoftware.com/
  3. Forensic Toolkit (FTK) is a product of AccessData. FTK allows one to view over 270 different file formats with Stellent's Outside In Viewer Technology. Its FTK Explorer allows one to quickly navigate through acquired images. It can generate audit logs and case reports. Its features include (1) advanced searching: (a) full-text indexing powered by dtSearch® yields instant text search results, (b) advanced searches for JPEG images and Internet text, (c) locating binary patterns using Live Search, (d) automatic recovery of deleted files and partitions, and (e) targeting key files quickly by creating custom file filters; (2) e-mail and zip file analysis: (a) support for Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN e-mail, (b) viewing, searching, printing, and exporting e-mail messages and attachments, (c) recovery of deleted and partially deleted e-mail, and (d) automatic extraction of data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files; (3) Known File Filter™ (KFF™), which (a) identifies and flags standard operating system and program files, (b) identifies and flags known child pornography and other potential evidence files, and (c) includes hash datasets from NIST and Hashkeeper; and (4) Registry Viewer™, which (a) accesses and decrypts protected storage data, (b) views independent registry files, (c) generates reports, and (d) integrates with AccessData's forensic tools. Supported file systems include NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 and ext3. Supported image formats include EnCase, SMART, SnapBack, SafeBack (up to but not including v.3), and Linux DD. See http://www.accessdata.com/
  4. Computer Forensics. Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Computer_forensics
  5. Computer Forensics. DIBS USA Inc. http://www.dibsusa.com/methodology/methodology.html
  6. Hacking is taken herein in its general and legal, and not technical, meaning.
  7. The Rules of Electronic Evidence, A. M. No. 01-7-01-SC, approved by the Supreme Court En Banc on 20 July 2001. For an outline of the Rules, see Volume 1, Issue 1, page 7 of the Philippine Quarterly IT Law Journal.
  8. An example online tool is available at Anti-fraud.com. See http://www.antifraud.com/ipcheck.htm
