Computer Crime Investigator's Toolkit: Part II
Windows tricks for the computer crime investigator, as well as handy techniques involving browsers and passwords.
In examining a computer using Windows, important information may be under your very nose. Don't forget to check the Recycle Bin for deleted files long forgotten by the user. If you have a specific file name that you are looking for, don't overlook using the Windows Find utility to search the hard drive. Also, checking for temp files created by the word processing program may uncover evidence the user thought was safe from prying eyes just because he never intentionally saved it from RAM to disk. Users forget that many programs like MS Wordâ automatically save work-in-progress (WIP) as temp files.
In Windows 3.1, remember that you can use Undelete and Unformat to recover information. And yes, as indicated before, these dinosaurs are out there. Expect old versions of word processors too, so maintaining a library of "obsolete" manuals and software has great investigative value.
Unerase and Unformat are available through Norton Utilities. You can use them from the Norton Utilities Emergency/Data Recovery Disk. Both options are available from the disk's command menu. Unformat, however, will not work with DOS 5.0 or earlier. When unformatting, pay attention to the list of files and directories Norton identifies that may be lost when executing the process.
Finding cache and "cookie" files tell where a user has been on the Internet. Whether anyone likes it or not, these small text files create a "paper trail." They become a silent electronic witness.
In Win 3.1 you use the File Manager to find the Netscape folder and then the subfolder marked Cache. The Cache folder contains the history of where the user's been on the Web including graphics, URLs, and even email information. Netscape Navigatorâ has the cookies stored in "cookies.txt" that Notepad reads easily.
In Win 95 Disk Detective recommends pulling up File Manager from Winfile in Windows Explorer and locating the respective folder for the browsers used on the computer. (Just enter "winfile" at the RUN box from the Startup Menu.)
In Win 98 use Windows Explorer to get to \windows\cookies and \windows\temporary Internet files.
Internet Explorer's History function is incredibly easy to use and most users aren't even aware that it is tracking their every move in cyberspace. You can access it in the IE browser whether it is in the online or offline mode. Just go to the Toolbar in the browser and click on History, and you get to see the computer's recent URL activity.
NSClean and IEClean are commercial utilities for Netscape and Internet Explorer that enable one to see and to wipe clean virtually all historical record in the respective browsers. These are powerful tools to peek at every thing the browser has done. The URLs for these tools are:
The screensaver password is often the easiest to defeat. Usually to bypass it in Windows 95 and 98, one simply has to reset the computer and then immediately right-click on the Desktop. Then go to Properties and then Screensaver, and change the password before the screensaver has a chance to cut in again.
The Network Password may be bypassed with clicking on Cancel in the password box. Windows will let you into the local machine. However, the personal settings of the user may not be visible on the Desktop because Windows doesn't know who is coming in.
Industrial Strength Passwords prevent a lot of security problems for users. Fortunately for computer investigators, most users do not use them. The striking quality of strong passwords is that they are statistically random, a product of a Random Password Generator. They are very difficult to crack. (If you are interested in obtaining a generator, simply enter "Random Password Generator" as a search on Google, and you'll get pages full of download sites. Protect Your Privacy on the Internet has a whole chapter on the subject. You will realize passwords considered strong by the user are illusions. People do not generate statistically random passwords.)
Password cracking is usually child's play for investigators armed with cracking tools available off the Internet. But before you start using a cracker, learn some theory first. An excellent place to do this is to read "Password Cracking Using Focused Dictionaries" found at http://www.sans.org/infosecFAQ/cracking.htm. In this article you will learn how most users make mistakes in selecting passwords, how the use of regular expressions and a search matrix makes cracking apparently "strong" passwords simple, and how dictionary attacks work.
Password Recovery is often a matter of some simple research. Cryptologia, a journal dedicated to cryptography (indexed at http://www.math.utah.edu:8080/ftp/pub/tex/bib/toc/cryptologia.html#) has articles from time to time on the weaknesses of certain password protections on various software packages. Assume always that the password protection for off-the-shelf software will be weak, so crackers learn of the flaws quite readily. These flaws become public knowledge on the Internet. As a part of the research for this article, I ran "Password Recovery," "MS Word Passwords, " "WordPerfect Passwords," and "Windows Passwords" on Google. Each search produced pages of resources about recovery utilities or advice on how to do the recoveries.
Pfaffenberger, Bryan, Protect Your Privacy on the Internet, John Wiley, 1997.
Rathbone, Andy, Windows 95 for Dummies 2nd Edition, IDG Books, 1997.
Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.
Zaenglein, Norbert, Disk Detective, Paladin Press, 1998.
"Microsoft Windows Page"
"CNET Topic: Browsers" (A good overview of browsers including those that are not IE or Netscape.)
"Password Cracking Using Focused Dictionaries" (An interesting article on the philosophy of cracking passwords.)
"Password Crackers: Downloads"
"index to Cryptologia"
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)