
Police computer forensics interview

There is an article on page 122 of this week's UK PC User (26 July - 22
August) by the head of the technical support unit for Essex Police.
Here are a few choice cuts from the article:


Now, what we do is go out on raids, or at least instruct officers on
how to seize computers and bring them back to the computer evidence
lab.  The first thing we do with a computer is to make an exact copy
of the hard disk and any floppies that come with it.  It is essential
that we have an exact image, rather than just a file copy, so we get
everything, like the remaining bits of deleted files.  We can
interrogate the free space and slack space where there could be
important evidence.

To do this we've developed our own imaging system.  This is basically
a bit copier:  it just copies every single bit of a hard disk onto
either an optical drive or a hard drive, and saves it as a long file.
We reconstruct the disk on our own computer, a Vale machine with a
90MHz Pentium processor, and then we can perform the investigation.


What we look for depends on the case: if it's a fraudster's machine,
we'll be looking for sets of accounts, if we're dealing with a
paedophile, we're looking at graphic images.  We basically start by
looking for erased material, which is always the most interesting, and
the slack space.


One of our biggest problems is getting around passwords and
encryption.  Not the base passwords -- they're easy to get around --
but the passwords on the applications themselves, and encryption can
be very difficult to crack.

We do have special programs to get around them, but you need
individual ones for each application.  The programs can crack most
Microsoft applications in minutes, but some, Paradox for example, are
a lot harder.

The biggest headaches are the pocket organisers from Psion or Sharp.
On a PC you have password protection, but you can always get in
through the motherboard; with a Psion you can't get in without the
manufacturer's assistance.

Interviewer:  Ken Luxford
Interviewee:  Andrew Johnson
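As an added illustration (not from the article, the poster, or Essex Police), here is a toy in-memory block device in Python showing why the bit-level image described above preserves deleted-file remnants in free space and the tail of a reused block (slack) that a plain file copy discards. The 64-byte block size, file names and contents are constructed for the example, not taken from any real filesystem.

```python
BLOCK = 64  # constructed block size for the toy; real disks use 512-byte sectors

class ToyDisk:
    """Directory plus data blocks; deleting only drops the entry, not the bytes."""
    def __init__(self, nblocks=8):
        self.raw = bytearray(BLOCK * nblocks)   # what a bit copier would capture
        self.free = list(range(nblocks))        # unallocated block numbers
        self.dir = {}                           # name -> (block list, byte length)

    def write(self, name, content):
        need = -(-len(content) // BLOCK)        # ceil division: blocks required
        blocks, self.free = self.free[:need], self.free[need:]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk  # tail of last block = slack
        self.dir[name] = (blocks, len(content))

    def delete(self, name):
        blocks, _ = self.dir.pop(name)
        self.free = sorted(self.free + blocks)  # blocks reusable, contents not wiped

    def read(self, name):
        blocks, length = self.dir[name]
        return bytes(b"".join(self.raw[b * BLOCK:(b + 1) * BLOCK] for b in blocks)[:length])

def file_copy(disk):
    """What a plain file copy yields: live files only, truncated to their length."""
    return {name: disk.read(name) for name in disk.dir}

def bit_image(disk):
    """What the article's bit copier yields: every byte of the device."""
    return bytes(disk.raw)

def slack_space(disk, name):
    """Bytes after a live file's end inside its last allocated block."""
    blocks, length = disk.dir[name]
    last, used = blocks[-1], length % BLOCK
    return bytes(disk.raw[last * BLOCK + used:(last + 1) * BLOCK]) if used else b""

def free_space(disk):
    """Bytes of all unallocated blocks, where deleted files linger."""
    return b"".join(bytes(disk.raw[b * BLOCK:(b + 1) * BLOCK]) for b in disk.free)

def demo():
    """Constructed scenario: delete a 114-byte ledger, then a 5-byte note reuses block 0."""
    disk = ToyDisk()
    disk.write("ledger.txt", b"SECRET ACCOUNT 123 " * 6)   # spans blocks 0 and 1
    disk.delete("ledger.txt")
    disk.write("note.txt", b"hello")                         # lands in block 0
    return file_copy(disk), bit_image(disk), slack_space(disk, "note.txt"), free_space(disk)
```

Running `demo()` shows the file copy holding only `b"hello"`, while the image still carries the ledger text in block 1 (free space) and in the 59 bytes of block 0 after the note (slack).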