Nowadays it's easier to commit a crime with a computer than with a gun. That's why today's criminal investigators need both software and hardware tools that will help them analyze the content of seized computers, hard drives, CDs, and DVDs.
Once you take custody of a suspect's computer and any storage discs and external hard drives, the job falls to a computer forensics specialist who must catalog every file on the system. Fortunately for the good guys, computer crooks, despite their facility with high-tech equipment, programming code, and the nooks and crannies of the Internet, tend to behave like all crooks.
For example, they like to keep trophies. Searches of their computers and their work areas often turn up all kinds of evidence of their "triumphs," including stolen codes, credit card numbers, viruses that they have written, and illegal pornography files.
Many computer crooks keep trophies the way many proud fishing enthusiasts or hunters do; they "mount" them. But instead of taking them to the local taxidermist and having them affixed to a plaque, the computer crook's form of mounting involves burning the "trophy" files to optical media (CDs or DVDs) that he can pop in his computer any time, show his friends, or just enjoy behind closed doors.
There are several reasons why hackers and assorted other computer bad guys like to keep their trophies on CDs and DVDs. For one, optical media are pretty permanent. Cared for properly, a CD or DVD can accurately store data for decades. Also, it's a way of organizing data that you may not want to keep on your hard drive. As one suspect once told me, "I wouldn't want all that 'stuff' clogging up my hard drive and slowing it down."
But there's another reason why bad guys like to store their trophies on optical media. Unless an investigator has the right expertise and the right tools to find hidden, deleted, and renamed files, a CD or DVD can be a safe place to store a trophy.
Fortunately, forensic computer experts are becoming more skilled and their software is getting better at finding these suspicious files. For example, one excellent tool for ferreting out evidence of a cyber criminal's misdeeds that may be stored on optical media is InfinaDyne's new version of CD/DVD Inspector.
Grayslake, Ill.-based InfinaDyne (formerly Arrowkey) has been writing software applications for reading and burning data to optical media discs for the past seven years. On the law enforcement side, the company's clients include the FBI and numerous local agencies nationwide.
Inspector's newest version (2.1) comes with a simple-to-use graphical user interface that allows intensive analysis and extraction of data. When I say "intensive," that's exactly what I mean. Inspector often can read a disc that other software has labeled "unreadable." My advice is, don't believe a disc is unreadable until you let Inspector loose on it.
Inspector is so thorough because it knows what to look for and how to find it. It can gather information from the source material in all major CD/DVD file systems, including ISO-9660, Joliet, UDF, HFS and HFS+, and it is compatible with multiple operating systems and with discs burned on both Macintosh and Windows systems.
The easy-to-understand displays describe the contents of the disc by folder, application icon, file name, and detail information, with or without an MD5 hash (an electronic "fingerprint" of the disc or of each file). What this means is that when a suspect goes to the trouble of using multiple file systems to attempt to conceal incriminating data, Inspector uncovers that fact and reveals all the details. In addition, by right-clicking on any object that Inspector finds, you can copy the file contents, see its properties, and display the sector contents, just in case someone is trying to pull a fast one on you by renaming the file or hiding data in the slack space.
One of Inspector's best features is its ability to make a ZIP image of an entire CD. This "true copy" captures everything that ever was burned onto the subject disc, including files that are not listed in the directory, damaged files, and deleted files. That's bad news for crooks who think they can hide their nefarious activities merely by erasing the files.
Inspector also offers you some great shortcut features. A warrant to search a cyber criminal's office might yield hundreds of CDs and you may be seeking one specific piece of information, for example, an e-mail address. Inspector can search all files on the disc and all sectors on the disc for that e-mail address.
Also, with Inspector, you can scan a disc, even one labeled "inaccessible," for files by their content rather than by their names. This is a great feature for any officer investigating a child pornography case because it lets you identify files containing graphic content regardless of their file extension. In other words, your local pervert can't hide his porn collection merely by removing the BMP, GIF, JPG, or TIF extensions, because Inspector will tag them as image files regardless of their extension.
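The two techniques behind the last two paragraphs, searching every sector of a disc for a string and identifying image files by their content rather than their names, are simple enough to show in a few dozen lines. The script below is an added illustration written for this article; it is not InfinaDyne's code and does not reproduce how Inspector works internally. The raw disc image and the file set it works on are constructed in the script (the names, addresses and sector layout are made up for the demonstration), and the signature table covers the four image formats the paragraph names plus PNG.

```python
import re
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 2048  # user-data bytes per CD-ROM Mode 1 / DVD sector

# (type name, offset within file, magic bytes). The two-byte "BM" signature is
# weak on its own; a production scanner would also check the BMP header fields.
IMAGE_SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("BMP", 0, b"BM"),
    ("GIF", 0, b"GIF87a"),
    ("GIF", 0, b"GIF89a"),
    ("JPEG", 0, b"\xff\xd8\xff"),
    ("TIFF", 0, b"II*\x00"),          # little-endian TIFF
    ("TIFF", 0, b"MM\x00*"),          # big-endian TIFF
    ("PNG", 0, b"\x89PNG\r\n\x1a\n"),
]


def identify_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's leading bytes, or None."""
    for name, offset, magic in IMAGE_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def find_renamed_images(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map file name -> detected image type for every file whose content is an
    image, no matter what the extension (or the lack of one) claims."""
    found: Dict[str, str] = {}
    for name, data in files.items():
        kind = identify_image(data)
        if kind is not None:
            found[name] = kind
    return found


# Deliberately simple e-mail pattern; good enough for a first sweep of a disc.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def search_sectors(image: bytes, pattern: "re.Pattern[bytes]" = EMAIL_RE) -> List[Tuple[int, bytes]]:
    """Search a raw disc image, every sector whether the directory lists it or
    not, for the pattern. The image is searched as one buffer rather than one
    sector at a time so a hit that straddles a sector boundary is still found
    whole; the sector reported is the one in which the hit starts."""
    return [(m.start() // SECTOR_SIZE, m.group(0)) for m in pattern.finditer(image)]


# --- constructed sample data (not taken from the article) -------------------
def build_sample_image() -> bytes:
    """Five sectors: a harmless listed file, an address in an unlisted sector,
    and an address split across the boundary between sectors 3 and 4."""
    sectors = [bytearray(SECTOR_SIZE) for _ in range(5)]
    note0 = b"README: nothing to see here.\n"
    sectors[0][:len(note0)] = note0
    note1 = b"contact: trophy.keeper@example.net\n"      # "deleted" text, no directory entry
    sectors[1][:len(note1)] = note1
    tail = b"mail me at hunt"                           # ends exactly at the sector edge
    sectors[3][SECTOR_SIZE - len(tail):] = tail
    head = b"er@example.org for codes"                  # continues in the next sector
    sectors[4][:len(head)] = head
    return b"".join(bytes(s) for s in sectors)


SAMPLE_FILES: Dict[str, bytes] = {
    "readme.txt": b"Nothing to see here.\n",
    "vacation.dat": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,  # JPEG, bogus extension
    "notes": b"GIF89a" + b"\x00" * 16,                                    # GIF, no extension
    "photo.jpg": b"not really a picture",                                 # extension lies the other way
    "scan.bin": b"II*\x00\x08\x00\x00\x00",                               # little-endian TIFF
}

if __name__ == "__main__":
    for sector, hit in search_sectors(build_sample_image()):
        print(f"sector {sector}: {hit.decode()}")
    for name, kind in find_renamed_images(SAMPLE_FILES).items():
        print(f"{name}: {kind} (extension says otherwise)")
```

Two points worth noticing. The sector search runs over the whole image rather than sector by sector, which is why the address split across sectors 3 and 4 comes back intact instead of as a fragment; a sweep that treats each sector in isolation would miss it. And photo.jpg is not reported as an image, because the test is on content, not on name, which is exactly the property that defeats a suspect who strips or swaps extensions.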
Inspector also features built-in tools, found under its drop-down menus, that run extensive analysis routines and provide vital information for forensic analysis. Unfortunately, InfinaDyne chose to display this information in an undersized dialog box that forces the user to work the horizontal and vertical scroll bars to read it. But this dialog box has its good points as well. You can use the "Copy Text" button to copy the contents of the dialog box to the clipboard, which allows you to paste it into any other appropriate application, such as a word processor, for writing your report.
As a cop who actually has some hands-on forensic experience with computers, I give CD/DVD Inspector Version 2.1 a solid thumbs up for both its ease of use and its versatile analysis tools.
A 25-year police veteran, Bob Davis currently runs the San Diego Police Department's computer lab.