Ryan Purita of Totally Connected Security
is one of the leading computer forensic experts in private practice in Canada, holding one of the
most advanced security qualifications in the world.
Working for both the prosecution and the defence in legal cases, Purita has also taught computer security to
law enforcement agencies, probation officers and social workers, and is currently developing programs for the
Justice Institute of British Columbia. Much of his daily work
is an extension of a system administrator's activities. A good part of it involves the advanced use of open
source tools, including several standard system tools. His work methods offer fresh perspectives on
security, privacy issues and the relative merits of Windows and GNU/Linux -- to say nothing of a niche industry where
open source is more than holding its own.
"Computer forensics" is a term that is usually applied to an investigation after a system has been
cracked. And, in fact, Purita's work does sometimes fall under this definition. However, the term is
also used more narrowly to define investigations that find evidence for legal purposes. Illegal
possession of trade secrets, intellectual property or child pornography, the dismissal of employees,
divorce, insurance fraud, insider trading, counterfeiting, criminal or sexual harassment -- any of these could
require a forensic investigation of a hard drive, removable media, or network.
Although open source tools are not the only ones available for computer forensics, they are among
the most widely used. A GNU/Linux enthusiast, Purita often prefers the open source tools. However, he frequently
uses proprietary ones as well. The proprietary tools, he explains, are "pretty," with better developed GUIs that are
easier for clients to understand. Moreover, the precedent for accepting their evidence in court is well established, although,
increasingly, their open source equivalents are not far behind.
According to Purita, the most widely used piece of forensic software is
EnCase, a proprietary
Windows program. Purita describes EnCase as "the most court-validated software on earth,"
noting that evidence produced by EnCase has been used over 2700 times in court. A close
second is The Coroner's Toolkit (TCT),
an open source project from Dan Farmer and Wietse Venema, the co-developers of
Satan. Another widely
used program is SMART, a proprietary GNU/Linux program.
All these programs have roughly similar functionality.
Securing the File System
In order for results to hold up in court, the file system under investigation must remain unaltered.
If a single file has a time stamp later than the date and time that the file system was surrendered
as evidence, an opposing lawyer can call the entire investigation into question. "You screw one
little thing up," Purita explains, "and everything else is gone" in the case.
For this reason, Purita's first efforts are to ensure the integrity of the original medium. Physically,
that can mean working in a locked room if a case is sensitive, such as an allegation of possession of
child pornography. When working with a hard drive, it means attaching a Write-Blocker such as
Firefly before attaching the
drive to a computer. The Write-Blocker has the added benefit of keeping any logic bombs in
a disc-wiping program from being activated when the system is turned off.
As an added precaution, Purita may access a file system via GNU/Linux. "Windows," he notes, "will
always try to interfere with everything," adding a recycling bin and other features. By contrast,
on a GNU/Linux system, he can control when and how the file system is mounted, providing
an additional safeguard against writing to the drive.
Finally, Purita copies a disk image of a file system to CDs or DVDs. If the forensic software he is using
does not have an imaging tool, he uses
dd instead. The original drive is then placed in a company safe
until the case is over or it is surrendered to a search warrant. Purita then works from the copy,
accessing the original only if an additional copy is needed.
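The imaging step described above, as an added shell example that is not from the article: copy the source with dd, record the original's md5, and prove the working copy still matches before it is mounted read-only. Paths are placeholders, and a write blocker is assumed to sit between the evidence drive and this host.

```shell
#!/bin/sh
# Added example: image a source with dd, then verify the copy by hash.
set -u

# Hash a file; md5 is used because it is the algorithm the article mentions.
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# Copy SRC to DEST sector by sector. bs=512 matches the classic sector size,
# so conv=noerror,sync zero-fills only an unreadable sector and does not
# change the image length (a larger bs would pad the tail of the image).
acquire_image() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    hash_file "$src" > "$dest.md5"   # hash of the original, kept beside the image
}

# Return 0 only if the image still hashes to the recorded hash of the original.
verify_image() {
    [ "$(hash_file "$1")" = "$(cat "$1.md5")" ]
}

# Once verified, work only from the copy, mounted read-only so that nothing
# (not even access times) can change. Needs root; shown for reference only.
mount_image_ro() {
    mount -o ro,noatime,noexec,loop "$1" "$2"
}

# Constructed demo: a 4 KiB file stands in for the evidence drive.
demo() {
    work=$(mktemp -d)
    head -c 4096 /dev/urandom > "$work/evidence.raw"
    acquire_image "$work/evidence.raw" "$work/evidence.img" || return 1
    verify_image "$work/evidence.img" && echo "image verified: $(cat "$work/evidence.img.md5")"
    rm -rf "$work"
}
```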
Conducting an Investigation
No matter what forensic software is used, an investigation comes down to a series of searches through the
files and wiped space for evidence. Sometimes Purita is given clues in the form of key words and
names, a date, or a type of file. At other times, he may have only a general sense of what he is looking
for and the type of file in which it might be found -- an email or office program file, for example.
Some forensic programs, such as EnCase, come with a wide variety of file-type searches already defined
by extensions. They include extensions used by many open source formats, including OpenOffice.org.
However, Purita cannot always rely on these pre-defined search scripts. Changing a Windows file extension
is a common way to hide files, and extensions are not used on UNIX-like systems
to the same extent as they are on Windows.
Instead, Purita may search for file headers and footers using
grep tools and a full range of
regular expressions. In general, these searches are far more reliable than ones based on file extensions. Even
EnCase relies on a Windows version of grep, providing a functional GUI for adding regular expressions.
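A header and footer search of the kind described above, as an added shell example that is not from the article: grep locates JPEG start and end markers by their bytes, so a renamed image is found whatever its extension. It assumes GNU grep (for -o and -b); the sample files are constructed.

```shell
#!/bin/sh
# Added example: find files by magic bytes rather than by extension.

# Print the byte offset of every JPEG start-of-image marker (FF D8 FF) in FILE.
# LC_ALL=C keeps grep byte-oriented; -a treats binary data as text.
jpeg_header_offsets() {
    LC_ALL=C grep -obUaF "$(printf '\377\330\377')" "$1" | cut -d: -f1
}

# Print the byte offset of every JPEG end-of-image marker (FF D9) in FILE.
jpeg_footer_offsets() {
    LC_ALL=C grep -obUaF "$(printf '\377\331')" "$1" | cut -d: -f1
}

# List files under DIR that begin with a JPEG header but are not named
# .jpg/.jpeg: the extension-renaming trick the article describes.
renamed_jpegs() {
    find "$1" -type f ! -name '*.jpg' ! -name '*.jpeg' | while IFS= read -r f; do
        first=$(jpeg_header_offsets "$f" | head -n 1)
        [ "$first" = "0" ] && printf '%s\n' "$f"
    done
}

# Constructed demo: "notes.txt" is really a small JPEG-like blob.
demo() {
    work=$(mktemp -d)
    printf '\377\330\377\340\000\020JFIF\377\331' > "$work/notes.txt"
    printf 'plain text only\n' > "$work/readme.txt"
    echo "renamed images:"; renamed_jpegs "$work"
    rm -rf "$work"
}
```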
An even more reliable search item is digital signatures retrieved using
md5. According to
Purita, databases of md5 signatures are maintained by the
National Institute of Standards and Technology "for everything from
child porn to hacking tools to counterfeiting software." By comparing the results of the investigation against these
databases, Purita can quickly narrow the focus of his search. This comparison is especially easy with TCT,
which can write a complete log of all the digital signatures on a file system.
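The signature log and comparison described above, as an added shell example that is not from the article: md5 every file on a mounted image, then split the files into known hits and unknowns against a hash list. The "known" list is a constructed stand-in, not NIST data; a real hash set is distributed separately and is far larger.

```shell
#!/bin/sh
# Added example: log every file's md5 and compare it with a known-hash list.

# One line per file, "<md5>  <path>", sorted by hash. Paths containing
# spaces would need NUL handling; kept simple here.
signature_log() {
    find "$1" -type f -exec md5sum {} + | sort
}

# Files whose md5 appears in KNOWN (one md5 per line, any case):
# the hits to look at first.
known_hits() {
    log=$1; known=$2
    awk 'NR==FNR { k[tolower($1)]=1; next } ($1 in k) { print $2 }' "$known" "$log"
}

# Files whose md5 is not in KNOWN: everything still needing a manual look.
unknown_files() {
    log=$1; known=$2
    awk 'NR==FNR { k[tolower($1)]=1; next } !($1 in k) { print $2 }' "$known" "$log"
}

# Constructed demo: two files, one of them on the "known" list.
demo() {
    work=$(mktemp -d); mkdir "$work/img"
    printf 'hello\n' > "$work/img/a.dat"            # md5 b1946ac92492d2347c6235b4d2611184
    printf 'something else\n' > "$work/img/b.dat"
    printf 'B1946AC92492D2347C6235B4D2611184\n' > "$work/known.txt"
    signature_log "$work/img" > "$work/sigs.log"
    echo "known:";   known_hits   "$work/sigs.log" "$work/known.txt"
    echo "unknown:"; unknown_files "$work/sigs.log" "$work/known.txt"
    rm -rf "$work"
}
```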
Context can also play a role in an investigation. For example, Purita may know from preliminary
statements that a particular witness claims she only uses her home computer to work on spreadsheets. If
he finds that an e-mail in which her company's trade secrets are given away was sent a couple of minutes
after a spreadsheet was closed, then he has established the possibility that the witness might have sent the email. The
connection is tenuous, but further questioning from a law enforcement officer or cross-examination from a
lawyer may produce additional proof or even a confession.
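The timestamp correlation in the spreadsheet scenario above, as an added shell example that is not from the article: list the files on an image whose modification time falls in a window just before a given event, such as the minutes before a disputed e-mail was sent. Only POSIX touch -t and find -newer are used; the times are constructed.

```shell
#!/bin/sh
# Added example: which files changed in the window just before an event?

# files_modified_between DIR START END
# START and END use touch -t format ([[CC]YY]MMDDhhmm[.SS], local time).
# Two reference files carry the window, so find needs nothing GNU-specific.
files_modified_between() {
    dir=$1; start=$2; end=$3
    ref=$(mktemp -d)
    touch -t "$start" "$ref/start"
    touch -t "$end"   "$ref/end"
    # -newer start: modified strictly after START; ! -newer end: not after END
    find "$dir" -type f -newer "$ref/start" ! -newer "$ref/end" | sort
    rm -rf "$ref"
}

# Constructed demo: an e-mail was sent at 10:04; what was touched just before?
demo() {
    work=$(mktemp -d)
    touch -t 200401011000 "$work/report.xls"
    touch -t 200401011002 "$work/budget.xls"
    touch -t 200401011030 "$work/later.doc"
    files_modified_between "$work" 200401010959 200401011004
    rm -rf "$work"
}
```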
To establish such context-based evidence, Purita relies on ordinary file information and logs, as well as meta-tags used by
HTML and office program files and even keys in the Windows registry. Purita points out that both Windows and MS
Office record far more information about users' activities than most people realize. Unless a firewall is in place,
Windows XP even records and transmits information
about the searches conducted and help files accessed. While Purita wonders why this information is collected, he
concedes that it makes forensic investigations far easier on Windows than on GNU/Linux.
Unsurprisingly, the time for an investigation varies wildly. The size of the file system, the scope of the investigation, and
the clues provided are the main variables. Some of Purita's investigations have taken less than an hour. Others have
taken over 500 hours. On networks, the required time is kept reasonable by searching only key computers or usernames
rather than the entire system. In most cases, Purita will only expand network searches if this preliminary approach
fails to give results.
Purita identifies several common problems with forensic investigations. First, security is so lax on some
systems that many witnesses convincingly claim that damning files were downloaded after the system was compromised by Internet-borne malware.
Such claims are particularly common in pornography cases. In response, Purita has developed the habit of searching for
viruses and trojans at the start of each investigation. If none are found, then the claim is immediately disproved. If one is found,
Purita then checks whether it can behave as the witness claims.
Second, similar claims are made about pop-ups that download files automatically without the computer user's knowledge. With pop-ups, Purita checks the time that
the files were accessed. If those files were not accessed, or were accessed at a time when the person being investigated was not at the computer, he or she may be telling the truth about the files.
A third problem for an investigation is the password policy on a system. This is especially a problem on home
machines running Windows. Unless passwords are unique to each user and a secure password policy is enforced, proving
that a particular user has done something is difficult. Usually, more information from users is
required. In this respect, most UNIX-like systems and networks that require each user to have a unique login are easier to investigate than Windows systems, especially those used at home.
Increasingly, cryptographic and disk-wiping tools are also a problem. Used properly, either can defeat Purita's investigation.
Sometimes, however, witnesses will disclose cryptographic keys. As for wiping tools, many of those on Windows are less
effective than advertised. Purita also notes that the mere presence of such tools does not indicate criminal or dishonest
intent. Having used such tools himself, Purita recognizes that privacy advocates and people working with sensitive material
may have legitimate reasons for possessing these tools -- a point that he sometimes has to make to law enforcement officers.
Purita's expertise stands in marked contrast to that of most law enforcement officers. Although Purita believes that
computer and security awareness is higher among law enforcement personnel than it was five years ago, their general level
of knowledge remains low. Law enforcers who become forensic computer experts often jump to private industry, where
their knowledge receives greater financial rewards. Meanwhile, the policies of such agencies as the Canadian RCMP
result in over nine-tenths of computer forensics investigations being conducted internally by overworked and undertrained employees.
Although his services are in high demand, Purita continues to research his chosen field on his own time. Increasingly, this research
involves open source technology. One of his concerns is that, just as open source development provides new tools
for computer forensics, it can also arm those whom he investigates. In this respect, he admits, open source is a "two-edged
sword" that "could make my life a nightmare." Thinking about the situation, he takes comfort from the belief that, if an act
cannot be committed via computer, it will simply be done another way. If a man cannot remove data from a hard drive, for
instance, he will simply break and enter to steal the whole computer.
All the same, Purita seems to view the spread of GNU/Linux, whose architecture is more secure than that of Windows, with a mixture of private
delight and professional dismay. From Purita's professional perspective, "The great thing about Windows is that even though [people]
think they have covered their tracks, they haven't."