The History of Computer Forensics
by Janet Smith
Computer forensics is still relatively new to experienced investigators and seasoned legal professionals alike. While it is becoming a more common investigative practice among professionals, it is being forced upon the veterans of various disciplines. In the past, retrieving items from computers was considered too expensive and too difficult to validate, especially in court. This is because electronic evidence is very volatile: it can be easily changed, and often these changes leave little or no audit trail. So if you found the “smoking gun” for your investigation, how could you prove that you did not create it? Even if you wanted to use computer forensics or data recovery in your investigation, who would you call? It seems as if every day I run into someone who claims to be doing computer forensics. When I ask them what classes they have attended, they proudly list two or three and pronounce “I’m an expert.” The other end of the spectrum is the traditional computer security professional who has hung his or her shingle out as a forensic examiner. They mistakenly believe their computer security training makes them a forensic examiner. While there is a small amount of overlapping knowledge when it comes to log files and IP addresses, computer forensics is very different from computer security. A network security person does not need to be able to explain what the Master File Table is or what it is used for. However, that knowledge is critical for a forensic examination of an NTFS-formatted hard drive.
Another critical element is evidence handling; a lack of experience in evidence handling can prove to be fatal to a case. In many cases it seems to be treated as a glib afterthought. For a good example, just ask one of these self-proclaimed forensics experts for a copy of their evidence sheet. When you see the blank look on their face, you know that you are dealing with a forensic hobbyist. A forensic hobbyist is akin to a script kiddie in the computer security community. This might come as quite a shock to many people; however, it is nevertheless true. They might be able to talk the talk, but they can’t walk the walk. This is why experienced law enforcement officers have been retiring or otherwise leaving their respective agencies to fill the upper ranks of the private sector computer forensics community.
Computer forensics has finally emerged as a completely separate discipline in its own right. It has developed its own language and terminology. Classes on computer forensics are taught around the world. In fact Guidance Software, the industry leader, boasts over 14,000 clients worldwide. In order to fully understand where its roots lie, it is helpful to take a walk down memory lane from the personal computer perspective.
Intel released the first commercial microprocessor on November 15, 1971. In 1975, Bill Gates and Paul Allen founded a small company called Microsoft. The second generation of microcomputers was sold as the home or personal computer. In 1979, while working at Apple Computer, Jef Raskin started a project called Macintosh. During this time, the fight over who would dominate the personal computing market was on: IBM was backing the Intel-based PC, and Apple was pushing the Macintosh. As these personal computers began to play a larger role in daily life, the California Department of Justice recognized that criminals could capitalize on computer technology. In response, it created a computer security training program.
Conception of Computer Forensics (1980s)
By 1981 Microsoft released the Disk Operating System (DOS) for the personal computer. DOS was a command line or shell interface for an individual user to control their computer. DOS was a vast departure from the Terminal Emulation programs of that era. The user was no longer constrained by the administrators of the mainframe computers in the back room. When a user typed in “c:>delete *.*” by mistake or on purpose, it deleted everything on their hard drive. This also meant that any user could wipe out critical business data. Understanding the possible damage a user could do, Peter Norton released a program called “The Norton Utilities.” One of its programs was an unerase utility. Many users considered this a miracle tool. Along with unerase, other programs soon followed to help increase a computer system’s performance.
In 1983, Apple released its first computer with a Graphical User Interface (GUI), called Lisa. The GUI was a departure from the good old days of typing commands at a command prompt and ushered in the age of point-and-click. The purpose of the operating system was to provide an easy-to-use environment for the user. This same year Microsoft released its first Windows based operating system (OS), which could be purchased for approximately $100. Windows is likewise considered a GUI. In its early days, the focus of the Windows operating system was end-user functionality. This was just the beginning of the age of personal computers.
Keep in mind that up until this time computer records existed on mainframe computers. The personal computer began a shift in office records management. Many records that were kept on mainframes or in paper form could now be stored electronically on the personal computer. When a police officer believed that someone was conducting fraud, they would get a search warrant, go into the business and look at its records. In most cases, they would try to identify the pertinent ones and have those records copied. Many times the originals were retained and the duplicate records were placed back into the business so it could continue to operate. However, as they entered more and more businesses, these financial investigators and auditors began to encounter personal computers. This posed a problem: they needed the records to prove their case. They were the very first profession to really need computer forensics.
As an organization, one of the first to seek training in this area was the Association of Certified Fraud Examiners. During their fraud audits, more and more of the records they needed were kept on computer media. In order for this information to be accepted in court, a methodology needed to be developed. But computers were not limited to businesses. Now anyone could have a personal computer right in their home. Although most people didn’t realize it, a new profession called computer forensics was being conceived.
In the mid 1980s, it is rumored that Don Ingram of the Alameda County District Attorney’s Office wrote and obtained the first search warrant for computer data. This case involved two competing mainframe computer companies. It was alleged that one computer company had taken information and data from the other. Mr. Ingram obtained a search warrant for the digital evidence. During its execution, the owner of the computer company was very uncooperative until one of the deputies took a crowbar, placed it on top of one of the mainframe computers and asked Mr. Ingram if the data that he needed to search for was located inside. The computer owner quickly realized that it was in his best interest to assist the police with their “search,” and the incriminating information was located.
In 1984, computer forensics was conceived because of two separate driving forces. As businesses began to be impacted by crimes, it became clear there was a gap in knowledge between the law enforcement community and the private sector. In order to combat this, Leo Himmelsbach, from the Santa Clara District Attorney’s Office, met with the Industrial Security Managers Group. Himmelsbach obtained a grant from the Office of Criminal Justice Planning Project for $238,216.00. On August 31, 1984, Bill 1078 was passed by the California Legislature. It provided for the creation of the District Attorney’s Technology Theft Association (DATTA). This same year, another small consulting company was created which would end up playing a huge role in computer forensics. It is called ASR Data, which stands for Andrew S. Rosen Data; Andy Rosen founded the company, which focused on custom computer software.
In the late 1980s, a group of professionals including Fred Cotton and Bill Spernow from the SEARCH Group, as well as Chuck Rehling, Michael Anderson and Andrew Fried of IRS/CID at the Federal Law Enforcement Training Center, Howard Schmidt of the Chandler, AZ Police Department, and Gail Thackery from the Maricopa County DA’s Office, began teaching “high tech” classes in the state of California and at FLETC in Glynco, GA. At this time there was little or no other training available. As a result, these dedicated professionals had to improvise most of the classes they taught. Generally, these trainers were law enforcement officers who happened to enjoy working with computers. Some of the tools they relied on were home-grown, made by the examiner as they did their investigations. At that time, many computers did not have a hard drive, but had a 5 ¼ inch floppy disk drive or, if they were really cutting edge, a 3 ½ inch floppy disk drive. Those would leave the investigator with dozens, or possibly hundreds, of floppy disks to review. Each floppy would take some time to process depending on how much information it contained, and some exams could take months to complete. At this time, the forensic examiner used these tools to work on the original media, typing the needed commands in on the command line (that is, the ‘C:>’ prompt). The exam of a 10 – 20 megabyte hard drive could take weeks of tedious work. As a rule of thumb, eight hours of analysis time was required per megabyte of data.
Investigators would use Norton’s file recovery tools and other command line tools to recover intact deleted files on the computer storage media. After this, they would examine the media manually with a sector editor such as Norton’s Disk Editor. Using Disk Editor, investigators could now view the data in a form very close to the way it was stored on the physical media. This view of the data is still used in almost every major computer forensics product, and it is taught in most introductory computer forensic courses. By using this view, a computer forensics professional can locate partial files in the unallocated areas of the floppy or hard disk and partial files in the file slack area on the disk. In these early years this process required long hours at a computer and lots of caffeine as the examiner reviewed each chunk of data, often recovering the deleted files one at a time by hand. Considering the difficulty of conducting an exam, the time it consumed, the lack of any previous case law, the expense, and the small number of people actually experienced in doing this type of work, it is no wonder that computer forensics was not even a consideration in an investigation, much less in a legal proceeding.
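To make the sector-editor view, file slack and unallocated space described above concrete, here is an added example that is not from the article or any of the tools it names: it builds a constructed toy volume (1024-byte clusters, a one-byte-per-cluster allocation map and a single directory entry, all assumptions of the example) in which a deleted file was partly overwritten by a shorter one, then shows where the old file's remnants survive and how a hex view exposes them.

```python
# Added example (not the article's code): a constructed toy volume showing where
# file slack and unallocated space come from and how remnants are found in them.
CLUSTER, CLUSTERS = 1024, 8          # assumed geometry for the toy image

def build_image():
    """Old file filled clusters 1-3 and was deleted; a shorter new file was
    then written over clusters 1-2. Returns (image, alloc map, dir entry)."""
    img, alloc = bytearray(CLUSTERS * CLUSTER), bytearray(CLUSTERS)
    alloc[0] = 1                                  # cluster 0: toy metadata
    old = (b"OLD MEMO: wire 50000 to account 7731 before audit. " * 61)[:3 * CLUSTER]
    img[CLUSTER:4 * CLUSTER] = old                # old file data, clusters 1..3
    new = b"NEW MEMO: all payments are in order.\n" * 35    # 1295 bytes
    img[CLUSTER:CLUSTER + len(new)] = new         # deletion left the rest intact
    alloc[1:3] = b"\x01\x01"                      # only clusters 1..2 are allocated now
    return bytes(img), bytes(alloc), {"name": "MEMO.TXT", "start": 1, "size": len(new)}

def slack_span(entry):
    """[start, end) of file slack: allocated cluster bytes past end-of-file."""
    nclusters = -(-entry["size"] // CLUSTER)      # ceiling division
    return entry["start"] * CLUSTER + entry["size"], (entry["start"] + nclusters) * CLUSTER

def unallocated_spans(alloc):
    """Byte ranges of every cluster the allocation map marks free."""
    return [(c * CLUSTER, (c + 1) * CLUSTER) for c, used in enumerate(alloc) if not used]

def carve(img, spans, needle):
    """Absolute offsets of a signature lying wholly inside the given ranges."""
    hits = []
    for start, end in spans:
        pos = img.find(needle, start, end)
        while pos != -1:
            hits.append(pos)
            pos = img.find(needle, pos + 1, end)
    return hits

def hexdump(img, offset, length=64):
    """Sector-editor style rows: offset, hex bytes, printable ASCII."""
    rows = []
    for o in range(offset, offset + length, 16):
        chunk = img[o:o + 16]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{o:08x}  {chunk.hex(' '):<47}  {asc}")
    return rows

if __name__ == "__main__":
    img, alloc, entry = build_image()
    start, end = slack_span(entry)
    print(f"{entry['name']}: {end - start} bytes of slack at 0x{start:x}")
    print("\n".join(hexdump(img, start)))
    print("remnants in slack:", carve(img, [(start, end)], b"OLD MEMO")[:3])
    print("remnants in free clusters:", carve(img, unallocated_spans(alloc), b"OLD MEMO")[:3])
```

The live file's logical content stops at byte 1295, yet the rest of cluster 2 and all of freed cluster 3 still carry the earlier memo, which is exactly what an examiner paging through a sector editor would spot.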