Computer Forensics Files: The Case of the Little Dame That Wouldn't
Real CSI Cases from Burgess Forensics #14
The stories are true; the names and places have been changed to protect the potentially guilty.
A dame, a rich guy, and an email account: what more do you need for a story?
I was in my office one fine spring day in Marin studying the benefits of Eastern philosophy, engaged in my special snoring meditation, when the buzzing of the telephone dragged me back to the present. It was Sam & Dave - not the Soul Men, but the lawyers in the Valley. They had a situation. A computer expert was heading over to their offices to make a copy of their client's computer - the dame's laptop - to try to prove that she sent endearing emails to a scorned male - the rich guy...Mr. Silicon Valley.
See, rich guy had not been so rich until some computer hardware of his design had been snapped up by a big player in the computer world for a hefty sum. Newly rich Mr. Silicon decided to try his hand at picture books - picture books of natural looking young ladies in their native birthday attire. The hook was that they would be all natural - no silicone for Mr. Silicon.
One day, Mr. S was driving through the Rockies when he espied a liberated young lady. Liberated in the sense that she was 17, but living on her own. S offered to liberate her from a dead-end waitress job if she would come live in his Valley mansion. It would all be very Platonic - they'd each have their own end of the mansion - and she would work with the picture book office staff.
But as our young lady reached adulthood, Mr. S became enamored enough to make our lovely waif a bit uncomfortable. She thought he was acting like a creep. She wanted out - out of the office and out of the mansion. The word "harassment" strikes fear into the heart of many an employer, and Sam & Dave were looking for a settlement to enrich all involved. But Mr. S was not to give up so easily. He maintained that the lovely Miss had been sending him endearing love letters from her America OnLine account. Sure enough, her account had sent those letters - but had she been the one to send them? AOL has a setting that allows a user to sign in automatically - that is, to sign in without having to type in a password. This setting is nearly always a mistake, unless no one else is ever near your computer. I always recommend to my clients that they take the extra 5 seconds out of their busy schedules to type an actual password. You might have guessed that her AOL was set to automatically log in.
But the letters had been sent after she had already left the office. That meant that if she had sent them, she must have drafted them on her laptop from home. A deal was made. Mr. S hired a computer expert to do some digital discovery. He'd make an identical copy of the hard disk from her laptop, while sitting in Sam & Dave's conference room. This is where I entered the picture. S & D wanted me to make sure that the hired thugs ... er, experts ... would not pull any funny stuff. I went to observe on the day of the copying.
Just a short half hour or so after their scheduled arrival, the other experts arrived. They were decked out in full company regalia. Their bright jackets, hats, and business cards announced their offices in New York, Tokyo, London, Hong Kong, and Los Angeles. These guys were apparently internationally jetting big shots. As it turned out, only one was the big shot - the other guy was the gofer. Bigshot sat in a chair and bragged about his exploits while Gofer unloaded their equipment. A large, high-powered desktop computer, with external drives hooked up through an Adaptec SCSI host adapter, appeared on the tabletop. A briefcase full of secret computer forensic software was opened to reveal its treasures. The golden floppy disk was removed from the briefcase. Bigshot examined the laptop, and announced, "We can't do this copy - there's no floppy drive."
I was a little dumbfounded. Surely these guys had all of the computer forensic equipment known to mankind. "I have EnCase and ByteBack," he said, "but I need to boot from a floppy drive to make a copy." This was at least half accurate. Whenever a drive is operated in a Windows environment, Windows writes bits and pieces of data to the drive. Under such circumstances, the data is changed and is not a true identical, "bit-for-bit" copy. It's not a forensic image. But when the system is booted from a DOS diskette, nothing gets written to the hard disks. This is what the fellow was looking to do.
I suggested he remove the hard disk from the laptop, and hook it up through a write-blocker to his desktop computer. "What's a write-blocker?" he asked. "Gofer, do we have any write blockers?" Gofer's look of befuddlement answered for him. I explained to Bigshot International that a write blocker is a device that can be hooked up between the hard disk and the cable it is attached to, or between an external enclosure holding the hard disk and the USB cable leading to the computer. The MyKey NoWrite FPU is one of my favorites. The Tableau works well. The Disk Jockey Forensic wasn't around then. The DriveDock & others would have been fine. But he didn't have any by anyone.
Still, removing the hard disk, attaching it to his system and booting the system from his floppy diskette should have been fine. I suggested as much. "How do you take out the hard disk?" he asked. Apparently laptops are different in London and Hong Kong and those other places he had offices.
I asked S & D's secretary for a little Phillips screwdriver, and removed the hard disk for Our Man. "It doesn't hook up to my IDE cable," he said. You see, laptop IDE hard disks and desktop IDE hard disks are different sizes. Most in laptops are 2.5" and most in desktops are 3.5" and never the twain shall meet - at least, not on the same cable. The 40-pin connector on the laptop is, unsurprisingly, smaller in size. "How about an adapter?" I said. "Have you a 2.5" to 3.5" adapter?"
"Have we got one, Gofer?" Befuddlement answered wordlessly again. I suggested a quick run to the local computer store. I even volunteered to go, for the Mensa-level technical skill was getting to me a little at that point.
Twenty minutes later, we had an adapter from a local Mom & Pop computer shop. Some adapters for laptop drives hook up the opposite way from what is intuitive. Once I warned against hooking the laptop drive up backwards, Bigshot got everything set up right, the computer booted, and a good copy seemed like it was only minutes away. That is, until I heard, "My target disk drive isn't big enough." Well, I didn't want him to have to go all the way to Tokyo or New York for another. I suggested hooking up additional drives from his special briefcase to the SCSI bus, then changing the image size. Many computer forensic programs allow one to acquire a large drive as several or many contiguous images of a smaller size. By changing his configuration, Mr. B could make many successive CD-sized images of about 650 MB each, instead of one giant one that wouldn't fit in the available space in any one of his hard drives.
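The segmented acquisition described above, sketched as an added example (it is not from the original article, nor from EnCase, ByteBack or any other tool named here). It reads a source read-only, writes fixed-size segments, and checks that the segments read back in order hash to the same value as the source; the function names, the `image.001` naming and the toy 1000-byte segment size are assumptions, where a real acquisition would use roughly 650 MB segments and a drive behind a write blocker.

```python
import hashlib
import os
import tempfile

def acquire_split(source_path, out_dir, segment_size, chunk=1 << 20):
    """Image source into numbered segments; return (sha256 of source, paths)."""
    whole, segments = hashlib.sha256(), []
    with open(source_path, "rb") as src:  # evidence is opened read-only
        while True:
            data = src.read(min(chunk, segment_size))
            if not data:
                break  # source exhausted, no empty trailing segment
            path = os.path.join(out_dir, f"image.{len(segments) + 1:03d}")
            segments.append(path)
            with open(path, "wb") as out:
                written = 0
                while data:
                    out.write(data)
                    whole.update(data)  # hash exactly the bytes written
                    written += len(data)
                    if written >= segment_size:
                        break  # segment full, start the next one
                    data = src.read(min(chunk, segment_size - written))
    return whole.hexdigest(), segments

def verify_segments(segments, expected_sha256, chunk=1 << 20):
    """Re-read the segments in order and compare against the source hash."""
    h = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest() == expected_sha256

def demo():
    """Constructed 2564-byte 'disk', 1000-byte segments (assumed toy sizes)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 10 + b"tail")
        digest, segs = acquire_split(src, d, segment_size=1000, chunk=300)
        sizes = [os.path.getsize(p) for p in segs]
        intact = verify_segments(segs, digest)
        with open(segs[1], "r+b") as f:
            f.write(b"\xff")  # alter one byte of the copy
        return sizes, intact, verify_segments(segs, digest)

if __name__ == "__main__":
    print(demo())
```

The second verification fails because a single changed byte in any segment changes the hash of the reassembled image, which is what makes the set of segments usable as one bit-for-bit copy.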
With the copy proceeding apace, I asked S&D what I should do next. We saw the estimated time of completion was about five hours away! I wondered if sitting waiting for electrons to move was the best use of my time and their money, and they seemed to think it was not. I explained what to look out for - any cables being unplugged, any keyboards being typed on, any utterances of "oops" or "oh no!" from the Dynamic Duo making the copies. The job should be mostly babysitting until the copy was completed. I headed back to the airport, and to my offices at Burgess Forensics to finish my interrupted meditation.
How did it all turn out? There were no loving emails drafted on the laptop. The computer she had used at the office was being used to send bogus emails from her auto logon AOL account. Mr. S was ready to settle... after just one more meeting.
As part of the settlement, Mr. S & our lovely Miss had one last lunch together. They met at an outdoor café. It might have been romantic, but Miss sat well out of reach, her lawyer sat just out of earshot a couple of tables to the West. The attorney for S sat just out of earshot a couple of tables to the North. Everybody ate lunch. S paid the bill - three bills, actually - one for lunches, one for the lawyers, and one settlement for the lovely lady. She then walked away and never looked back.
While I never met the lady, I was alerted to look for her on a fashion show. There she was, on the TV, looking like the waif models are apparently supposed to resemble. I couldn't tell if she looked any richer, but I hoped she would spend some of the settlement on a few more lunches - she could have filled out a little and looked a bit more...natural. But that's outside my area of expertise. A nutritionist I'm not - I do computers.
This is just one of the many "CSI (Computer Scene Investigation) - Computer Forensics Files: Real Cases from Burgess Forensics" cases in the file. Stay tuned for more stories of deceit uncovered by science.
by Steve Burgess