{\rtf1\ansi\ansicpg1252\uc1 \deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;} {\f16\froman\fcharset238\fprq2 Times New Roman CE;}{\f17\froman\fcharset204\fprq2 Times New Roman Cyr;}{\f19\froman\fcharset161\fprq2 Times New Roman Greek;}{\f20\froman\fcharset162\fprq2 Times New Roman Tur;} {\f21\froman\fcharset186\fprq2 Times New Roman Baltic;}{\f22\fswiss\fcharset238\fprq2 Arial CE;}{\f23\fswiss\fcharset204\fprq2 Arial Cyr;}{\f25\fswiss\fcharset161\fprq2 Arial Greek;}{\f26\fswiss\fcharset162\fprq2 Arial Tur;} {\f27\fswiss\fcharset186\fprq2 Arial Baltic;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128; \red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\widctlpar\adjustright \fs20\cgrid \snext0 Normal;}{\*\cs10 \additive Default Paragraph Font;}}{\info{\title Folks, }{\author JDG}{\operator JD Glaser}{\creatim\yr2000\mo3\dy31\hr1\min7}{\revtim\yr2000\mo3\dy31\hr1\min7}{\version2}{\edmins0}{\nofpages12}{\nofwords4538}{\nofchars25868}{\*\company NT OBJECTives, Inc.} {\nofcharsws31767}{\vern113}}\widowctrl\ftnbj\aenddoc\hyphcaps0\formshade\viewkind4\viewscale100\pgbrdrhead\pgbrdrfoot \fet0\sectd \linex0\sectdefaultcl {\*\pnseclvl1\pnucrm\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl2 \pnucltr\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang{\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl6 \pnlcltr\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl7\pnlcrm\pnstart1\pnindent720\pnhang{\pntxtb 
(}{\pntxta )}}{\*\pnseclvl8\pnlcltr\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl9\pnlcrm\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}\pard\plain \widctlpar\adjustright \fs20\cgrid {\f1\cgrid0 \par Seizing and Searching Computers and Computer Data \par \par With the explosion of computers and technology, investigators of all types \par are more often faced with analyzing computer-generated and/or maintained \par information relevant to their cases. The U.S. Department of Justice has \par issued as guidance to prosecutors and agents "Federal Guidelines for \par Searching and Seizing Computers". These guidelines are the product of the \par Computer Search and Seizure Working Group, whose members were drawn from the \par FBI, Secret Service, IRS, DEA, ATF, DOJ, Customs, the Air Force, and US \par Attorneys' offices. \par \par The guidelines include general principles of search warrants, consent \par searches, chain of custody, and other legal aspects as well as addressing \par the technological aspects of searching and seizing computers. In this \par summary, the focus will be on the technological aspects, but the guidelines \par provide a good primer on operating in the legal environment of prosecutors \par and law enforcement. \par \par Before any search or seizure begins, a determination must be made of the \par computer's role in the offense. This determination drives decisions such as \par whether to seize the hardware, software, data, or all components and whether \par the search can be conducted on-site or the computer should be taken to a \par field office or laboratory. Fourth Amendment rights apply to computer \par searches as well as traditional ones, and can affect the admissibility of \par any evidence subsequently found. 
\par \par HARDWARE \par Without going into the specific legal detail here, generally seizure of \par computer hardware can be justified on one of three theories: (1) the \par hardware is contraband; (2) the hardware was an instrumentality of the \par offense; or (3) the hardware constitutes evidence of an offense. In many \par cases, more than one theory may apply. For example, when a hacker uses his \par computer to spread viruses, the computer may be both an instrumentality of \par and evidence of an offense. When hardware is seized, it is important to be \par sure that all required components are taken. \par \par In some cases, the computer workstation may be just a dumb terminal and the \par desired evidence (data) resides on a server. At the same time, the \par investigators must take care to seize only the required components, to the extent \par it is possible to make that determination. For example, in a networked \par environment the data could reside on any of multiple machines. However, to \par protect the legality and admissibility of the evidence, the investigator \par should be able to articulate a reason for each component that is taken. \par \par The computer must be transported from the scene properly to avoid damage to \par the evidence. This may require researching the related operating manuals on \par how to secure the equipment, or may require having a technical expert assist \par in the seizure. Before disconnecting cables, it is helpful to videotape or \par photograph the site and prepare a wiring schematic. This will document the \par condition of the equipment at the scene and ensure the system can be \par reconfigured for later analysis. Once this is done, the equipment should be \par disassembled, tagged and inventoried prior to the move. Any disks, drives, \par or other magnetic media should also be secured to prevent damage, such as \par avoiding strong magnetic fields, temperature extremes, or buildup of static \par electricity. 
\par \par SOFTWARE AND DATA \par Searches and seizures of data and software are more complex, and fall into \par two distinct groups: (1) instances where the data is stored on a computer at \par the search site, and (2) those where the information is stored off-site and \par the computer at the search scene is used to access the off-site location. \par In some cases, the difference is insignificant. On the other hand, there \par are certain unique issues that arise only in a networked environment. A \par search warrant is required to be issued by a court in the district where the \par property is located. Thus, if a network is involved, the data may reside on \par a computer in a different jurisdiction/district and a second search warrant \par may be required. \par \par Furthermore, some computers may contain privileged information, such as that \par of doctors, lawyers, or clergy, and require extra care in being accessed. \par For these confidential fiduciaries, the computer data is very likely to \par include confidential information about persons not connected to the \par investigation. In 42 USC 2000aa-11(1)(3), Congress has recognized a \par "special concern for privacy interests in cases in which a search or seizure \par for ... documents would intrude upon a known confidential relationship such \par as that which may exist between clergyman and parishioner; lawyer and \par client; or doctor and patient." A search warrant can be used if using less \par intrusive means would substantially jeopardize the availability or \par usefulness of the materials sought; access to the documents appears to be of \par substantial importance to the investigation; and the application for warrant \par has been recommended by the US Attorney and approved by the appropriate \par Deputy Assistant Attorney General. Congress has also expressed a concern \par for publishers and journalists in the Privacy Protection Act, 42 USC 2000aa. 
\par Generally speaking, agents may not search for or seize any "work product \par materials" (defined by statute) from someone "reasonably believed to have a \par purpose to disseminate to the public a newspaper, book, broadcast, or \par similar form of public communication." In some cases, a court may appoint a \par special master to search a computer containing privileged information and \par identify that which is pertinent to the case. The guidelines caution \par investigators to ensure the master is a neutral computer expert with no \par connections to the investigated parties. Understandably, if the person who \par holds the documents is a target rather than a disinterested party, the rules \par are different. In those cases, the investigator may get a warrant to search \par the files, but the warrant should be narrowly written to include only \par information that is pertinent to the investigation. \par \par As with hardware, computer data can be contraband, an instrumentality, or \par evidence of an offense. In addition to the computer data files, computer \par printouts or manuals with handwritten notes may be significant to the case. \par Data may also be contained in laser printers (before they are moved), hard \par disk print buffers of some laser printers, some specialized keyboards, hard \par cards, or fax machines. These devices, and others, sometimes contain memory \par of varying sizes that holds data until it is overwritten or the machine is \par turned off. Backup systems provide another source for obtaining data, \par depending on how regularly and frequently data backups have been made. \par \par In networked systems, investigators could end up with nothing more than \par hardware if they have not gathered information, whether from sources or \par surveillance, on how the system is operated. 
The file server which stores \par the programs and data files for the network can be in a separate physical \par location from the networked computers, perhaps in a different judicial \par district. Electronic mail might be stored on a server until the addressee \par retrieves the messages. Even deleted messages may be accessible from the \par network server if mail was backed up before the messages were deleted. Voice \par mail systems are computer systems that can provide necessary evidence \par (data). Again, messages may be accessible from the backup system even if \par they have been deleted. \par \par Another quirk of seizing data from a networked system is the need to control \par access to the files during the seizure. When seizing paper files, the \par perimeter can be secured to prevent unauthorized access. Electronic records \par on a network are more susceptible to alteration or destruction even while \par the seizure is underway. Therefore, it is important to prohibit access to \par the data, either by software commands or by disconnecting the network cables \par to the computer. This should only be performed by an expert to avoid \par damaging the data or system. \par \par In deciding whether to search computer data at the scene or seize it to \par review at an off-site location, many factors should be considered. Concerns \par for "best evidence" must be weighed against the civil liability created by \par closing a business down. Providing an exact image on a replacement drive to \par the business can satisfy your need for "best evidence" and limit any civil \par liability. \par \par The search warrant should be written as specifically as possible by focusing \par on the content of the records. Then, as a separate logical step, \par investigators should address the practical aspects of whether the data can \par be searched on-site. 
The volume of data may take days to search for \par relevant information, thus taking available data off-site becomes \par reasonable. While data seized should be limited where possible, a search \par does not become invalid merely because some items not covered by the search \par warrant are seized. As long as the investigators do not demonstrate \par flagrant disregard for the search warrant's limitations, the items covered \par by the warrant will be admissible. Sometimes documents are so intermingled \par that it is not feasible to sort them on-site. Another factor to consider is \par the location of the data. When a search is conducted at a home, courts seem \par more understanding of the choice to seize the data and search it at an \par off-site location later. As cited in United States v. Santarelli, 778 F.2d \par 609 (11th Cir. 1985), "To require an on-premises examination ... would \par significantly aggravate the intrusiveness of the search by prolonging the \par time the police would be required to remain in the home." \par \par Once the data has been obtained, analysts with specialized skills are often \par required to ensure the data is properly processed to maintain its integrity. \par These analysts use specially designed software utility programs to search \par for specific names, dates, file extensions, etc. They can also recover \par deleted data, search for and expose hidden files, and recover encrypted or \par password-protected data. The analyst can assist in searching the data by \par using keyword searches and by printing file directories for the investigator's \par review. Typically, the computer expert will prepare a mirror image of the \par computer's files to allow the analysis to be conducted without harming the \par original data. A well-intentioned investigator with amateur skills could \par inadvertently, but irretrievably, damage the data or admissibility of the \par evidence. 
Computer experts have to track their procedures so they can \par recreate their steps in court if necessary. Also, computer-literate \par suspects may install commands to destroy the computer's data if a required \par password is not entered at periodic intervals, or some other hidden trap. \par To ensure the proper expertise is available, information such as the \par operating system, the software being used, and the hardware configuration \par should be gathered. Computer forensic experts can help prosecute cases with \par advice about how to present computer-related evidence in court. Further, \par many are experienced expert witnesses and can help anticipate and rebut \par defense claims. \par \par The full text of these federal guidelines can be found on your Expert \par Witness CD. \par \par WIN95 DATE/TIME STAMPS \par \par The Win95/98 operating systems maintain three different dates. When viewed \par with EXPERT WITNESS these dates are labelled Last Accessed, Last Written, and File \par Created. Norton Diskedit and the DOS DIR /V /S command list the dates as (1) \par Date/Time, (2) Creation/Time, and (3) Access. Norton Navigator refers to \par these dates as (1) Last Modified, (2) Created On, (3) Last Accessed. \par \par The logical conclusion for the first date would be that it corresponds to \par the date the file was modified, but as we have now determined, there are \par other circumstances that change this date. \par \par The logical conclusion for the second date seems to correspond to a date \par when a file is created in the current folder. But again, we found there are \par situations when this date does not represent the date it was placed into \par the current folder, but rather a date it was placed into a different folder \par at an earlier date. \par \par The third date would seem to be self-explanatory and simply means the last \par time the file was accessed. Of course, the question arises: what does \par access mean? 
Our research has determined that access means to modify a \par file, to open a file but make no changes, copy a file to another location, \par and rename a file. Doing a "DIR" listing of a folder does not change the \par access date. \par \par The question of which operating system uses all three dates can provide \par insight into which OS wrote files to a disk. \par \par DOS 6.22 and earlier and Win 3.x do not use the three dates, only the first \par date mentioned above. \par \par In the Windows 95 operating system, all three dates are displayed when \par using Norton Diskedit, Norton Navigator, or the DOS "DIR /S /V" command. \par When using Norton Diskedit to look at files created with DOS 6.22 or Win \par 3.x, the date 0/00/80 is displayed in the creation and access date fields. \par When using Norton Navigator to look at files created with DOS 6.22 or Win \par 3.x, the date 1/01/01 is displayed in the creation and access date fields. \par \par Using DOS 6.22 or Win95 MS-DOS mode commands on a file created in the Win95 \par GUI also presents some date issues. A file created in the Win95 GUI gets \par all three dates, but when using the DOS mode commands to modify or copy the \par file, the creation and access dates will change to 0/0/80. \par \par After doing testing, it appears that making black or white conclusions based \par on the three dates can be risky business. \par \par \par Following are results of the testing that has been done. As mentioned \par earlier, input is welcome. If you have come across other situations that \par need to be added or discussed, let us know. \par \par Modification date/time is updated to system date when: \par \par - Create a new folder. \par - Create a new file. \par - Make changes to a file. \par - Copy file to new location where file name does not exist. \par - Copy folder with files, to a new location; folder and all files updated. 
\par - Download a file from the Internet (including ZIP file) \par - Use the "Save As" command to save a file \par \par Modification date/time is changed to something other than current system \par date: \par \par - Unzip a file. The date will be what was listed at the time the file was \par zipped. \par \par Modification date/time is not changed when: \par - Rename a folder. \par - Rename a file. \par - Doesn't matter if MSDOS mode or Win95 was used to rename the file. \par - Doesn't matter if the original file was created in MSDOS mode or Win95. \par - Copy a file to hard disk from a floppy. \par - Copy a file (source file) to new location where same file name exists and \par overwrites a file in the target folder. \par - The modification date and time of the source file is maintained. \par - Move a file to a new location. \par - Move a folder, with or without files, to a new location. \par - If there are files in the folder, none of the file's modification date and \par time is changed. \par - Delete a file; Send file to recycle bin. \par \par \par Creation date/time is updated to system date when: \par - Use Win95 to create a new folder. \par - Use Win95 to create a new file. \par - Use Win95 to copy a file to new location. \par - Use Win95 to copy a file from floppy diskette. \par - Use Win95 to download a file from the Internet. \par - Use Win95 to download a ZIP file from the Internet. \par - In the Win95 GUI, Unzip files in a ZIP file. \par - Use the "Save As" command to save a file. \par - Use Win95 to copy a file created with MS-DOS mode to new location \par - Replaces the 0-0-80 with current system date. \par \par Creation date/time is changed to 0-0-80 when: \par - Use MS-DOS to copy a file to new location. Doesn't matter if the file was \par created in MSDOS mode or Win95, Date will be changed to 0-0-80 (shown as \par 1-1-01 with Norton Navigator). \par - Use MS-DOS to create a file. Date will be 0-0-80 (shown as 1-1-01 with \par Norton Navigator). 
\par \par Creation date/time is not changed when: \par - Rename a folder. \par - Modify existing file. Doesn't matter if MSDOS mode or Win95 used to modify \par file. \par - Rename a file. Doesn't matter if MSDOS mode or Win95 used to rename file. \par Doesn't matter if the file was created in MSDOS mode or Win95. \par - Delete a file; Send file to recycle bin. \par - Move a file with Win95, or a folder with files, to a new location. \par \par \par Creation date of target file is maintained when: \par - Copy a file to new location where the same file name exists and overwrite \par the file in the target folder. The date listed by the target file is \par maintained. \par \par Access date is updated to system date when: \par - Use Win95 to create a new folder. \par - Use Win95 to create a new file. \par - Use Win95 to modify file. \par - Use Win95 to copy a file to new location. \par - Copy a file to new location where same file name exists and overwrite the \par file in the target folder. \par - Use Win95 to rename a file. \par - Use Win95 to copy a file from floppy diskette. \par - Open a zipped file. \par - Use Win95 to download a file from the Internet. \par - Use Win95 to download a ZIP file from the Internet. \par - Use the "Save As" command. \par - Use MS-DOS to create new file. \par - Use MS-DOS to copy a file to new location. \par - Use Win95 to copy a file created with MSDOS mode to new location; replaces \par the 0-0-80 with current system date. \par \par Access date is not changed when: \par - Rename a folder. \par - Use MSDOS mode to modify existing file created with Win95. \par - Use MSDOS mode to rename a file. \par - Doesn't matter if the file was created with DOS or Win95. \par - Delete a file; Send file to recycle bin. \par - Move a file with Win95, or a folder with files, to a new location. 
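\par \par The 0/00/80 and 0-0-80 values in the lists above are what a zeroed FAT directory date field decodes to (year 1980, month 0, day 0). The following decoder is an added example, not part of these notes; it assumes the standard 32-byte FAT directory entry layout stated in its comments, and the two entries it decodes are constructed. \par

```python
import struct
from typing import Dict, Optional, Tuple

# Assumed 32-byte FAT directory entry layout (standard FAT/VFAT fields, not taken
# from these notes): 0-10 8.3 name, 11 attributes, 13 creation tenths of a second,
# 14-15 creation time, 16-17 creation date, 18-19 last-access date (no time field),
# 22-23 last-write time, 24-25 last-write date.
DIR_ENTRY_SIZE = 32

Date = Tuple[int, int, int]                   # (year, month, day)
Stamp = Tuple[int, int, int, int, int, int]   # (year, month, day, hour, minute, second)


def decode_fat_date(raw: int) -> Date:
    """16-bit FAT date: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day.

    A zeroed field decodes to (1980, 0, 0), which Norton Diskedit shows as 0/00/80.
    """
    return (1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def decode_fat_time(raw: int, tenths: int = 0) -> Tuple[int, int, int]:
    """16-bit FAT time: bits 15-11 hour, bits 10-5 minute, bits 4-0 two-second units."""
    return (raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2 + tenths // 100)


def encode_fat_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day


def encode_fat_time(hour: int, minute: int, second: int) -> int:
    return (hour << 11) | (minute << 5) | (second // 2)


def format_diskedit(date: Date) -> str:
    """Render a date the way the notes quote Diskedit output, e.g. 0/00/80 or 3/31/00."""
    year, month, day = date
    return f"{month}/{day:02d}/{year % 100:02d}"


def build_dir_entry(name83: str, written: Stamp,
                    created: Optional[Stamp] = None,
                    accessed: Optional[Date] = None) -> bytes:
    """Build a constructed entry; None leaves the creation/access fields zero, which
    is how DOS 6.22, Win 3.x and Win95 MS-DOS mode tools write them."""
    entry = bytearray(DIR_ENTRY_SIZE)
    entry[0:11] = name83.encode("ascii").ljust(11)
    entry[11] = 0x20  # archive attribute
    if created is not None:
        y, mo, d, h, mi, s = created
        struct.pack_into("<HH", entry, 14, encode_fat_time(h, mi, s), encode_fat_date(y, mo, d))
    if accessed is not None:
        struct.pack_into("<H", entry, 18, encode_fat_date(*accessed))
    y, mo, d, h, mi, s = written
    struct.pack_into("<HH", entry, 22, encode_fat_time(h, mi, s), encode_fat_date(y, mo, d))
    return bytes(entry)


def decode_dir_entry_times(entry: bytes) -> Dict[str, object]:
    """Return the three Win95 stamps and whether the entry looks DOS-written."""
    if len(entry) != DIR_ENTRY_SIZE:
        raise ValueError("FAT directory entry must be 32 bytes")
    tenths = entry[13]
    ctime, cdate, adate = struct.unpack_from("<HHH", entry, 14)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return {
        "written": decode_fat_date(wdate) + decode_fat_time(wtime),
        "created": decode_fat_date(cdate) + decode_fat_time(ctime, tenths),
        "accessed": decode_fat_date(adate),
        "created_display": format_diskedit(decode_fat_date(cdate)),
        # Only the first (last-write) date populated: the pattern the notes use to
        # infer that DOS or MS-DOS mode, rather than the Win95 GUI, wrote the file.
        "dos_written": ctime == 0 and cdate == 0 and adate == 0,
    }


# Constructed sample entries (not taken from any real disk).
GUI_ENTRY = build_dir_entry("REPORT  DOC", written=(2000, 3, 30, 23, 59, 58),
                            created=(1999, 11, 5, 14, 30, 10), accessed=(2000, 3, 31))
DOS_ENTRY = build_dir_entry("NOTES   TXT", written=(1998, 7, 4, 8, 0, 0))

if __name__ == "__main__":
    for label, entry in (("Win95 GUI", GUI_ENTRY), ("DOS 6.22", DOS_ENTRY)):
        print(label, decode_dir_entry_times(entry))
```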
\par \par WIN98 CHANGES TO DATE/TIME STAMPS \par Right Click Drag and Drop \par - MOVE HERE will now change the access date to the system date. File \par Creation and Last Written dates remain the same. \par \par - LEFT CLICK-DRAG'N DROP (same as right click CUT and PASTE) makes no \par changes to the date/time stamps. \par \par WINDOWS 95/98 RECYCLE BIN \par \par This section is designed to provide an understanding of the functionality of \par the RECYCLE BIN feature and using the program-generated files to document \par forensic issues within Windows 95/98. \par \par Windows stores deleted files in a hidden directory (folder) \\RECYCLED, which \par has an icon located on the desktop. Files can be deleted to the Recycle \par Bin by using the drag and drop feature or by selecting a file in the Explorer \par or other window and pressing the delete button. Viewing the Recycle Bin \par within the GUI (Graphical User Interface) presents to the computer operator \par a listing of the deleted files remaining within the Recycle Bin. \par \par There is a RECYCLED folder located on each logical partition on a hard \par drive, unless the drive is set as removable media in the SYSTEMS folder. An \par examined drive should always be set to removable to prevent the writing of a \par \\RECYCLED directory to the examined drive. This directory will be created \par on DOS volumes if it does not already exist. Only files deleted from a \par particular logical partition are maintained in the \\RECYCLED directory \par (folder) located on that partition. The Windows Recycle Bin icon on the \par Windows desktop lists all files deleted from all logical partitions. On \par logical drive C: the filenames will begin with "DC." For logical drive D: \par the file names will begin with "DD," and so on. \par \par Systems by default have a hidden file named INFO in the \\RECYCLED directory \par (folder). 
On systems with Internet Explorer 4.0 installed with the active \par desktop option, the file is named INFO2. If Internet Explorer 4 is installed \par and the active desktop option was not selected, then the INFO file will be \par present. The INFO and INFO2 files are similar in function; however, there \par are some significant differences between the two. \par \par These files have no distinct header information and are a table of deleted \par files. The first 20 bytes of each entry are a binary embedding of the file \par date/time information. The following procedure discusses how to interpret \par the information contained in the INFO or INFO2 files (we will provide the \par binary translation as we translate it): \par \par USING EXPERT WITNESS TO VIEW THE INFO FILE: \par \par \tab \tab a.\tab Right click on the INFO(2) file entry and select \par default view. \par \tab \tab b.\tab Right click within the data area and change the line \par length from 70 to 280. \par \par This will place all the entries into a column that will make reading the \par PATH and FILE name easier. Note: the path will not have the logical volume \par letter in front of the :\\. That is incorporated within the deleted file \par entry within the Recycled folder, i.e., DC0.JPG. \par \par DISCUSSION: \par \par When a file is deleted and moved to the Recycle Bin, none of the three dates \par (modified, created and last accessed) are changed. The deleted hex E5 \par file in the original folder and the corresponding Recycle Bin "DC" file have \par the same starting cluster and file size information. File recovery should \par begin within the original folder locations and not the Recycle Bin \par (otherwise the file in the original location will be found to be in use by \par another file). File deletion occurrence can be dated by the INFO file \par created/modified date/time. 
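\par \par As an added example (not the binary translation promised above, which these notes do not supply), the following parser decodes a Win98-style INFO2 table record by record, giving a per-file deletion time rather than only the INFO file's own date. The header and record layout in its comments are assumed from the INFO2 format as generally documented, not taken from this page, and the sample table is constructed in the block. \par

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed Win98 INFO2 layout (the INFO2 format as generally documented, not a
# translation from these notes): a 20-byte header whose uint32 at offset 12 is the
# record size, followed by fixed-size records:
#   0-259   original path, ASCII, NUL padded    260-263 DC index (uint32)
#   264-267 drive number (uint32, 0 = A:)       268-275 deletion time (FILETIME)
#   276-279 file size (uint32)
HEADER_SIZE = 20
RECORD_SIZE_OFFSET = 12
DEFAULT_RECORD_SIZE = 280
PATH_LEN = 260
NUL = bytes(1)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def recycled_name(drive: int, index: int, original_path: str) -> str:
    """Name of the copy in the RECYCLED folder: 'D' + drive letter + index + the
    original extension, e.g. DC0.JPG as in the notes."""
    return "D" + chr(ord("A") + drive) + str(index) + ntpath.splitext(original_path)[1]


def parse_info2(data: bytes) -> List[Dict[str, object]]:
    """Walk every record in an INFO2 table and decode it."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to hold an INFO2 header")
    record_size = struct.unpack_from("<I", data, RECORD_SIZE_OFFSET)[0] or DEFAULT_RECORD_SIZE
    records = []
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        raw_path = rec[:PATH_LEN]
        # A restored file keeps its slot but the first path byte is zeroed, which is
        # the "drive letter removed" effect described in the notes.
        restored = raw_path[0] == 0
        if restored:
            raw_path = raw_path[1:]
        path = raw_path.split(NUL, 1)[0].decode("ascii", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, PATH_LEN)
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter + ":",
            "original_path": path,
            # Put the letter back from the drive number when the restore wiped it.
            "resolved_path": letter + path if restored and path.startswith(":") else path,
            "recycled_name": recycled_name(drive, index, path),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "restored": restored,
        })
    return records


def build_record(index: int, drive: int, path: str, deleted_at: datetime,
                 size: int, restored: bool = False) -> bytes:
    """Constructed record for the sample below (same layout as parse_info2 reads)."""
    raw = path.encode("ascii")
    raw = raw + bytes(PATH_LEN - len(raw))
    if restored:
        raw = NUL + raw[1:]
    return raw + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)


# Constructed sample table: one live deletion on C: and one restored entry on D:.
# The header's version field (4) is a constructed value and is not interpreted.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 4, 0, 0, DEFAULT_RECORD_SIZE, 0)
    + build_record(0, 2, r"C:\DOCS\PIC.JPG",
                   datetime(2000, 3, 30, 22, 15, tzinfo=timezone.utc), 48213)
    + build_record(1, 3, r"D:\MAIL\INBOX.DBX",
                   datetime(2000, 3, 31, 1, 7, tzinfo=timezone.utc), 1024, restored=True)
)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = " (restored)" if r["restored"] else ""
        print(r["recycled_name"], r["deleted_at"].isoformat(), r["resolved_path"], r["size"], flag)
```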
\par \par The INFO file: Restoring files from the Recycle Bin causes the first \par character of a DC file to be replaced with the hex E5 character. After a \par restore, the INFO file is rewritten to list all remaining DC files in the \par Recycle Bin. Fortunately, the file is rewritten at a different starting \par cluster, leaving the previous file in unallocated area. Unfortunately, the \par INFO file has no distinct header to search for, only the 20/280 offset \par pattern of file entries. \par \par A file that is later deleted and sent to the Recycle Bin is assigned the \par next highest DC number, taking into account all of the DC files, INCLUDING \par those with the hex E5 character. Files that are subsequently sent to the \par Recycle Bin cause an update of the INFO file in such a manner that the \par first listed file in the INFO file corresponds to the lowest numbered "DC" \par file. This is different from what happens with the INFO2 file; see below. \par Any files that have been restored, and their associated DC file, point to \par the same starting cluster and are in allocated space. \par \par The INFO2 file: Restoring files from the Recycle Bin causes the first \par character of a restored DC file to be replaced with the hex E5 character (a \par deleted file entry). The INFO2 file is rewritten and still lists the \par restored file with the associated DC file name directly following; however, \par the drive letter is removed from the full path and file name entry. A file \par that is later deleted and sent to the Recycle Bin causes an update of the \par INFO2 file in such a manner that the full path and file names are listed \par in order for all DC files. This includes those files that have been \par dumped from the Recycle Bin and whose "D" has been replaced with the hex E5 \par character. \par \par Emptying the Recycle Bin causes all files to be deleted and the first \par character replaced with the hex E5 character. 
These files are no longer \par recoverable with Windows 95 Recycle Bin features. They are recoverable as \par normal hex E5 deleted files. At the next file deletion, a new INFO2 file is \par written (at a different starting cluster) and a DC0.* is written over a \par directory entry of a deleted DC file. The remaining deleted DC files can \par still be viewed as hex E5 files (with Diskedit) and the previous INFO2 file \par will be located in unallocated area (NO DIRECTORY ENTRY). \par \par For clarification, the DC file count will not be reset to begin with zero \par until the "Empty Recycle Bin" command has been run from the pull down menu. \par Files deleted from DOS or a DOS window are not placed in the Recycle \par folder. \par \par RUNNING ANY DEFRAGMENTATION PROGRAM WILL REMOVE ALL DIRECTORY ENTRIES OF \par DELETED FILE NAMES. THE DATA IS STILL RECOVERABLE IN UNALLOCATED AREAS \par UNLESS OVERWRITTEN. \par \par NOTES: \par \par \par \par SEARCH ENGINE SYNTAX \par Use of the Internet would be near impossible without Search Engines. \par Because of that, we are provided with a forensic path into the computer \par operator's intent. The following are the complete search syntax for each of the \par major search databases currently in use. The principle used here can be \par applied to any function that requires an entry. \par \par USAGE: Import the ten keyword segments of the search engines into Expert \par Witness's Search Feature. Examine each return to identify the complete search \par syntax. Bookmark the hit as it is proof of intent. Copy the complete \par syntax and paste it into a logged-on browser's URL line. The return will be \par the exact screen seen by the computer operator. However, if time has passed \par since the search was originally run, the return may not be the same. The \par return then becomes Demonstrative Evidence. 
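\par \par The USAGE steps above come down to locating the complete search URL and reading the typed term back out of it. The following added example (not part of these notes) does that over a blob of recovered text using the keyword segments these notes list for each engine; the sample blob and its URLs are constructed for the example. \par

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The keyword segments listed in these notes, paired with the query parameter that
# carries the typed search term and the engine the notes attribute the segment to.
# "&logon=" (Hotmail) and "collections=" from the same list identify traffic but
# carry no search term, so they are left out of term extraction.
SEARCH_FRAGMENTS = [
    ("search.gw?s=", "s", "Excite"),
    ("XX&q=", "q", "AltaVista"),
    ("MC&MT=", "MT", "HotBot"),
    ("Titles?qt=", "qt", "InfoSeek"),
    ("?query=", "query", "Lycos / DejaNews / Search.Com"),
    ("&key=", "key", "LookSmart"),
    ("?searchText=", "searchText", "WebCrawler"),
    ("search?p=", "p", "Yahoo"),
    ("?search=", "search", "AOL NetFind"),
    ("?QRY=", "QRY", "DejaNews"),
]
URL_RE = re.compile(r'https?://[^\s"<>]+')


def search_term(url: str) -> Optional[Dict[str, str]]:
    """Return engine, parameter and decoded term for a URL containing one of the
    segments, or None. Matching is case-insensitive, so Search.Com's ?QUERY= is
    caught by the ?query= segment."""
    lowered = url.lower()
    for fragment, param, engine in SEARCH_FRAGMENTS:
        if fragment.lower() in lowered:
            query = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
            values = query.get(param.lower(), [""])
            return {"engine": engine, "param": param, "term": values[0], "url": url}
    return None


def extract_searches(blob: str) -> List[Dict[str, str]]:
    """Scan recovered text (browser cache, history, unallocated space) for search URLs."""
    hits = []
    for url in URL_RE.findall(blob):
        hit = search_term(url.rstrip(".,;)"))
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample of recovered text; none of these URLs come from a real system.
SAMPLE_BLOB = """
GET http://search.yahoo.com/search?p=disk+imaging+tools HTTP/1.0
Referer: http://www.example.com/index.html?id=7
http://altavista.digital.com/cgi-bin/query?pg=q&what=web&kl=XX&q=chain+of+custody
http://www.search.com/Infoseek/1,135,0,0200.html?QUERY=swap%20file&COLL=WW
http://www.search.hotbot.com/hResult.html/?SM=MC&MT=fat+date+stamps&DV=7&RG=.com
"""

if __name__ == "__main__":
    for hit in extract_searches(SAMPLE_BLOB):
        print(f'{hit["engine"]:<30} {hit["param"]:<6} {hit["term"]!r}')
```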
\par Search Engine Syntax: \par }{\f1\ul\cf2\cgrid0 http://www.excite.com/search.gw?s=porn&lk=excite_netscape_us&c=web}{\f1\cgrid0 (Excite) \par }{\f1\ul\cf2\cgrid0 http://altavista.digital.com/cgi-bin/query?pg=q&what=web&kl=XX&q=Porn}{\f1\cgrid0 (Alta \par Vista) \par }{\f1\ul\cf2\cgrid0 http://www.search.hotbot.com/hResult.html/?SM=MC&MT=porn&DV=7&RG=.com&DC=10&DE=2&search.x=14&search.y=14}{\f1\cgrid0 (HotBot) \par }{\f1\ul\cf2\cgrid0 http://www.infoseek.com/Titles?qt=porn&col=WW&sv=N4&lk=noframes&nh=10}{\f1\cgrid0 \par (InfoSeek -- WEB) \par }{\f1\ul\cf2\cgrid0 http://www.infoseek.com/Titles?qt=porn&col=NX%2Crf_i500sRD%2Ckt_N%2Cak_news1486&sv=N4&lk=noframes&nh=10}{\f1\cgrid0 (InfoSeek - NEWS) \par }{\f1\ul\cf2\cgrid0 http://search.dejanews.com/dnquery.xp?query=porn&site=infoseek}{\f1\cgrid0 (InfoSeek - \par USENET) \par }{\f1\ul\cf2\cgrid0 http://www.lycos.com/cgi-bin/pursuit?query=Porn&matchmode=and&cat=lycos&x=15&y=7}{\f1\cgrid0 (Lycos) \par }{\f1\ul\cf2\cgrid0 http://www.looksmart.com/r?look=3p&pin=1c7206da28890390a93&key=porn&search=1}{\f1\cgrid0 \par (LookSmart) \par }{\f1\ul\cf2\cgrid0 http://webcrawler.com/cgi-bin/WebQuery?searchText=porn}{\f1\cgrid0 (WebCrawler) \par }{\f1\ul\cf2\cgrid0 http://www.search.com/Infoseek/1,135,0,0200.html?QUERY=porn&COLL=WW}{\f1\cgrid0 \par (Search.Com) \par }{\f1\ul\cf2\cgrid0 http://search.yahoo.com/search?p=porn}{\f1\cgrid0 (Yahoo) \par }{\f1\ul\cf2\cgrid0 http://netfind.aol.com/search.gw?search=porn&lk=excite_netfind_us}{\f1\cgrid0 (AOL \par NetFind) \par }{\f1\ul\cf2\cgrid0 http://x4.dejanews.com/dnquery.xp?QRY=porn&defaultOp=AND&svcclass=dncurrent&maxhits=20&ST=QS&format=terse&DBS=2}{\f1\cgrid0 (DEJANEWS) \par &logon= (Hotmail.com) \par \par Testing has been done to make the following keywords large enough to limit \par the hits to valid returns, yet small enough to maintain speed during the \par search. 
Use the following keyword list to return all search engine queries \par with the EXPERT WITNESS search feature: \par search.gw?s= \par XX&q= \par MC&MT= \par Titles?qt= \par ?query= \par &key= \par ?searchText= \par search?p= \par ?search= \par ?QRY= \par &logon= \par collections= \par \par DETERMINE O/S VERSION, O/S REGISTERED OWNER \par Issue:\tab Determine the OS Version, OS Registered Owner, and Email Address (if \par any), Without Starting the OS. \par \par OS:\tab Windows 3x \par \tab \tab a.\tab The information is maintained in the file \par "\\Windows\\System\\User.exe." \par \tab \tab b.\tab Using Expert Witness, copy the file to a known \par location. \par \tab \tab c.\tab Use the DOS Edit program to open the file and search for \par the character string "BOULAMITE". The registered user information directly \par follows, as well as the version of the OS. \par \par O/S:\tab Windows 95/98 \par \par The OS version and registered owner information is stored in the file named \par "System.dat" that is located in the \\Windows folder. \par \par Email account information is stored in the file named "User.dat" that is \par located in the \\Windows folder. \par \par Use Expert Witness to copy both files to a known location and use the DOS \par Edit program to open them to conduct the following searches. \par \par 1.\tab Search the System.dat file for the character string \par "VersionWindows". Once found, you should see '95' following this character \par string to confirm Windows 95. \par \par 2.\tab Search the System.dat file for the character string "VersionNumber", \par which is directly followed with something similar to "4.00.1111". (4.00.1111 \par represents SR2). \par \par 3.\tab Search the System.dat file for the character string \par "RegisteredOwner". Following directly thereafter is the registered owner \par information. \par \par 4.\tab Search the System.dat file for the character string \par "RegisteredOrganization". 
Following directly thereafter is the registered organization information. \par \par 5.\tab Search the User.dat file for the character string "SMTP Email Address". Following directly thereafter is the email address of an account that is set up. If the character string is not found, no email account is set up in the Microsoft mail client (these values belong to the Internet Account Manager used by Internet Mail and Outlook Express); other mail programs keep their account settings elsewhere, so their absence here does not rule out email use. \par \par 6.\tab Search the User.dat file for the character string "SMTP Display Name". If it exists, following it is the return name that appears on outgoing email messages. \par \par 7.\tab Search the User.dat file for the character string "Address Book". When found, it is part of the full path name of the address book file, if one exists. \par \par 8.\tab Once the user name is found, search the User.dat file for it to find other information, such as the Internet service provider. \par \par NOTES: \par THE SWAP FILE \par \par WIN95 - DYNAMIC SWAP FILE (DEFAULT): \par Condition: A known swap file (size and starting cluster recorded) with the default setting that lets Windows manage the swap file size. A normal shutdown was completed. \par \par Result: The WIN386.SWP directory entry in C:\\WINDOWS\\ is not deleted; its file size and starting cluster are each set to 0. The FAT is not zeroed out. The OS simply retains the directory entry, for whatever purpose, with the size and starting cluster zeroed. After rebooting to the GUI, the OS allocates a new starting cluster for the swap file only once a process runs, and the cluster it chooses appears to be random. The clusters that held the old swap data are not wiped by the shutdown, so their contents remain on disk for examination; a fresh swap file may begin overwriting them once the system is booted, which is one more reason not to start the OS. \par \par Pulling the power plug leaves the swap file's directory entry intact (size and starting cluster retained). \par \par WIN95 FIXED SIZE SWAP FILE: \par Result: The WIN386.SWP directory entry is moved to the root of C:\\. 
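\par The System.dat and User.dat searches in the section above (items 1 to 8), as an added example that is not part of the original guide and not code from Expert Witness: the Python script below runs the same character-string searches over raw copies of the two registry files and returns the value that follows each marker, recovering the address book path whole because that marker sits in the middle of its data. The two hive fragments, the names in them and the small table of VersionNumber builds (4.00.950 original Windows 95, 4.00.1111 OSR2, 4.10.1998 Windows 98, 4.10.2222 Windows 98 Second Edition) are constructed or assumed for this example. \par

```python
# Added example, not code from the original guide or from Expert Witness: run the
# character-string searches described above over raw copies of the Windows 95/98
# registry files (System.dat = HKEY_LOCAL_MACHINE, User.dat = HKEY_CURRENT_USER)
# without booting the system.  The Windows 9x registry stores a value's data right
# after its name, so the marker string is followed by the data we want.  The two
# hive fragments at the bottom are constructed for this example.
NUL = bytes([0])


def strings_after(data, marker):
    """Every NUL-terminated string that directly follows `marker` in `data`."""
    needle = marker.encode("latin-1")
    results = []
    pos = data.find(needle)
    while pos >= 0:
        begin = pos + len(needle)
        end = data.find(NUL, begin)
        if end < 0:
            end = len(data)
        results.append(data[begin:end].decode("latin-1").strip())
        pos = data.find(needle, end)
    return results


def _drop_binary_prefix(chunk):
    """Hive records put small binary type/length fields before a value name;
    drop anything that is not printable ASCII from the front of the run."""
    i = 0
    while i < len(chunk) and not 32 <= chunk[i] <= 126:
        i += 1
    return chunk[i:]


def strings_containing(data, marker):
    """Every NUL-delimited string that contains `marker` (for a full path such as
    the address book location, where the marker is in the middle of the data)."""
    needle = marker.encode("latin-1")
    results = []
    pos = data.find(needle)
    while pos >= 0:
        begin = data.rfind(NUL, 0, pos) + 1    # rfind gives -1 when no NUL precedes
        end = data.find(NUL, pos)
        if end < 0:
            end = len(data)
        results.append(_drop_binary_prefix(data[begin:end]).decode("latin-1"))
        pos = data.find(needle, end)
    return results


# VersionNumber builds this example knows (assumed table, not from the guide)
KNOWN_VERSIONS = [
    ("4.00.950", "Windows 95"),
    ("4.00.1111", "Windows 95 OSR2"),
    ("4.10.1998", "Windows 98"),
    ("4.10.2222", "Windows 98 Second Edition"),
]


def describe_version(version_number):
    for build, name in KNOWN_VERSIONS:
        if version_number.startswith(build):
            return name
    return "unrecognised build " + version_number


def examine_hives(system_dat, user_dat):
    """Searches 1-8 from the text, as (label, list of strings found) pairs.
    An empty list means the marker was not present, e.g. no mail account."""
    return [
        ("Version", strings_after(system_dat, "VersionWindows")),
        ("VersionNumber", strings_after(system_dat, "VersionNumber")),
        ("RegisteredOwner", strings_after(system_dat, "RegisteredOwner")),
        ("RegisteredOrganization", strings_after(system_dat, "RegisteredOrganization")),
        ("SMTP Email Address", strings_after(user_dat, "SMTP Email Address")),
        ("SMTP Display Name", strings_after(user_dat, "SMTP Display Name")),
        ("Address Book", strings_containing(user_dat, "Address Book")),
    ]


# Constructed hive fragments: value names run straight into their data, with a
# few binary header bytes between records, as in the real on-disk format.
SAMPLE_SYSTEM_DAT = (
    b"RGDB" + bytes([0, 3, 1]) + b"VersionWindows 95" + NUL
    + bytes([1, 0]) + b"VersionNumber4.00.1111" + NUL
    + bytes([7]) + b"RegisteredOwnerJ. Doe" + NUL
    + bytes([255, 2]) + b"RegisteredOrganizationExample Corp" + NUL
)
SAMPLE_USER_DAT = (
    b"RGDB" + NUL + b"SMTP Email Addressjdoe@example.net" + NUL
    + bytes([5, 0]) + b"SMTP Display NameJohn Doe" + NUL
    + bytes([9]) + b"C:\\WINDOWS\\Application Data\\Microsoft\\Address Book\\jdoe.wab" + NUL
)

if __name__ == "__main__":
    for label, values in examine_hives(SAMPLE_SYSTEM_DAT, SAMPLE_USER_DAT):
        print("%-22s %s" % (label, values if values else "(not found)"))
    build = strings_after(SAMPLE_SYSTEM_DAT, "VersionNumber")[0]
    print("%-22s %s" % ("Interpreted as", describe_version(build)))
```

\par Each search returns a list rather than a single string because a marker can occur more than once in a real hive (old copies of a value survive in the file), and the examiner should see every hit rather than the first one. \par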
\par The swap file size and starting cluster are not affected by a normal shutdown and remain static. \par \par WIN98 DYNAMIC SWAP FILE: \par Change: WIN98 no longer zeroes the file size and starting cluster during a normal shutdown. \par \par WIN98 FIXED SIZE SWAP FILE: \par No Change: The swap file is moved to C:\\ as in WIN95. \par \par \par Microsoft Word: Fast Save Feature \par There is a 'feature' in Microsoft Word which has forensic implications, and which can lead to a serious loss of confidentiality if you ever send Word files electronically to anybody else. \par \par Word has a setting ('Allow fast saves') which reduces the time taken to save changes to a document. It has two less desirable side effects. The first is that the file keeps growing, even if the contents of the document are quite short. This is because, rather than writing out just the current version of the document, a fast save appends a record of the changes you have made to the previously saved version, so the old text stays in the file. If (as many people do) you reuse a file by editing it (e.g. revise an existing letter to one client into a similar letter to a different client), then the original version is stored in the file as well as the 'new' version. If the file stays on your computer, there is no real problem. If it gets sent to someone else, there may be a serious one. \par \par The second side effect follows from the first. To continue the example, if you were to send the Word file containing your 'new' letter to the second client, they may well be able to see your original letter to the other client, trivially and even accidentally (for instance, by opening the file in a plain text editor rather than in Word). For the examiner the same behaviour is useful: a fast-saved document can contain earlier drafts and deleted text that the current version no longer shows. \par \par Go to Options on the Tools menu, select the Save tab, and make sure there is no cross (Windows 3.1 and Windows 3.11) or tick (Windows 95) next to Allow fast saves. 
If you are about to send a Word file to someone else, particularly to someone outside your organization, open the file in Word with Allow fast saves turned off, make some trivial editing changes to it (e.g. add some blank lines and spaces at the end of the file), and then re-save it before sending it; using Save As to a new file name also forces a full save. A full save writes the document out afresh, which should ensure that there are no 'old bits' left in your file. Simply re-saving with fast saves still enabled does not help, because that only appends another change record. \par \par \par }{ \par }}