mopdf.com

Setting up anOnline Investigative Computer:Hardware, Connectivity and SoftwareRecommendationsKeith I. DanielsSEARCH Training ServicesJune 2004SEARCHThe National Consortium for Justice Information and Statistics7311 Greenhaven Drive, Suite 145 Sacramento, California 95831Phone: (916) 392-2550 Fax: (916) 392-8440 Internet: www.search.org

IntroductionThere are many considerations a justice agency should address in setting up anundercover investigative computer. This computer will, after all, contain sensitivedocumentation that at some point will become real evidence to be used in courtproceedings. Continuity and preservation of evidence will come into play every timedefense counsel feels there has been a breach. With this in mind, agencies also mustcreate a machine that is not only legally secure but also operationally protected fromhackers. It is also imperative that investigators have as many of the tools they mayneed to conduct the wide array of investigations they will be called upon to perform.As with the rapidly changing face of technology and the criminals who use it, theconfiguration of a computer such as the one described here will also change withtime. This list is by no means exhaustive and will be updated at regular intervals asrequired. For online updates, see SEARCH’s Training Resource Links page(www.search.org/training/resources.asp), which also offers a wide range of usefulinvestigative and forensic links.The Undercover Computer: General Guidelines The computer must be standalone and must not be networked with anothercomputer in any way. In and of itself, this network issue can raise considerablediscussion among investigators. However, the fewer people who have contactwith the potential evidence on the undercover hard drive, the better. This leavesfewer “smoke and mirror” arguments from defense attorneys. The computer should have removable drive-trays. This permits theinvestigator to remove and lock up a particular drive when it is not in use. Thisalso permits other investigators to utilize the computer using their own drives. Online investigators should work in an office that is not open to pedestriantraffic from coworkers or visitors. This type of work can be very demanding,requiring concentration and minimal distractions. With respect to the computer configuration, there are many schools ofthought, but no “hard and fast” rules. Consider the following guidelines somesuggest in setting up a computer for investigative purposes:Use the largest, fastest computer availableUse the largest-size drive availableUse the maximum amount of RAMUse an internal CD burnerUse an external Firewire or USB2 DVD burnerConsider a video card with as much onboard RAM as possibleConsider dual flat-panel monitors with the largest screen size possible (thispermits more usable space for investigative tools and is easier on the eyes)Use a laptop that permits 802.11b or g wireless access (g is preferred)Note: Using a laptop computer as the main investigative unit is notrecommended, for a variety of usability and expense issues.Setting Up an Online Investigative Computer SEARCH Group, Inc. 20041

Connectivity RecommendationsThe following are our minimum recommendations for providing Internet connectivityto the undercover computer: 1 high-speed connection not shared with the department 1 dialup 1 America Online (AOL) account 1 cold phone lineMultiple connections permit the investigator to attack a suspect from several angles.There are occasions in which one connection is just not enough. It is possible that theinvestigator may want to pretend to be two different people when communicatingonline with a suspect.Software RecommendationsWhile software programs are as varied as online investigations, there are somestandard programs that we recommend—some that offer general functions, and somemore specific to online investigations.General Microsoft Office Suite (http://office.microsoft.com/home/default.aspx), whichoffers desktop business applications, specifically: Microsoft WordOutlookPowerPointExcel— Access— Live Meeting— Front PageWindows XP Professional (www.microsoft.com/windowsxp/pro/default.asp).With Microsoft being the de facto standard operating system for both home andoffice usage, Windows XP Professional is preferred over the Home edition.Online investigators are considered “power users” who may wish to takeadvantage of the added features of XP Professional, such as:EFS (Encrypting File System)System restore, which is more robust and offers more options in the event of asystem crashWeb Browsers Internet Explorer (www.microsoft.com/windows/ie/default.mspx). Mozilla offers some interesting alternatives in Web browsing and can greatlyassist in a hacker investigation (www.mozilla.org/). Netscape Navigator .jsp).Setting Up an Online Investigative Computer SEARCH Group, Inc. 20042

Image Viewers/Enhancers and Log Viewers PowerDesk Pro is like Windows Explorer, but on steroids. It aids in viewinglogs and images very quickly. There is a free version but it does not offer theviewer. The viewer for this software makes it possible to scroll rapidly throughimages, moving files and text documents, and can save considerable time in thelog/image review process (www.v-com.com). Photoshop 7 or CS is desktop digital imaging software that enables investigatorsto enhance images, even at a basic level. While expensive, this tool canmanipulate images in ways that other programs cannot. This permits investigatorsto view parts of an image that ordinarily cannot be seen using regular viewers.The ability to do this can open up other avenues in the investigation by providingadditional evidence (www.adobe.com/products/photoshop/main.html). Irfanview is a free graphic viewer program (www.irfanview.com). Quick View Plus provides added features for a viewer, such as print, copy, paste,compile and archive functions (www.avantstar.com/).System ProtectionSystem protection is extremely important and often overlooked as an unnecessaryexpense. It is not until a virus strikes or a system attack is launched that theseprograms pay for themselves. Norton SystemWorks Suite (www.symantec.com). McAfee Internet Security Suite(http://us.mcafee.com/root/package.asp?pkgid 144).FirewallsA good firewall can be invaluable in protecting the online computer and can functionas an investigative tool (such as by capturing IP addresses). Tiny Personal Firewall is freeware (www.tinysoftware.com). ZoneAlarm Pro (www.zonelabs.com). Sygate personal firewall (www.sygate.com).Spyware UtilitiesWith the ever-increasing problem of computers being bombarded with spyware, it isimperative that online investigators download one or more of these utilities and keepit up-to-date at all times. Ad-Aware, a spyware removal program, is free to agencies, organizations andindividuals, but is not free to corporations (www.lavasoftusa.com). Spybot-Search & Destroy is a free spyware removal program (www.safernetworking.org). Spy Hunter (www.enigmasoftwaregroup.com/).Setting Up an Online Investigative Computer SEARCH Group, Inc. 20043

Screen/Image/Webpage Captures and TrackersDuring the online investigation, the ability to capture images, moving files and entireWeb pages can enhance the evidence capture, continuity and court preparation. Camtasia Studio is an outstanding screen capture utility that can also makemoving image captures in “real time” of images like Webcam sessions. It is alsopossible to record a complete online session and create an audio voiceover toaccompany it. Bear in mind that Camtasia does not capture all moving files froma Web page—this has to be done using other methods (www.techsmith.com/). Photo Studio is a small utility program that permits investigators to read the Exifheaders of digital photographs, thus providing a myriad of information about thecamera, its settings, and the date and time that the image was taken. In the eventthat there is a partial download of an image, a complete thumbnail of thoseimages arrives first and is embedded into the EXIF header. This is a free program(www.stuffware.co.uk). Cogitum Co-Citer is a tool used to create collections of texts from the Internet. Itcaptures the selected text, its Internet address, its title and the date it was added tothe collection (www.cogitum.com). Cogitum Image Co-tracker 2.0 is a tool used to create a database of imagesfrom the Internet. It captures the image itself, its Internet address, the Internetaddress where it refers to, its name and the date it was added to the database. Thisis a free program (www.cogitum.com). Adobe Acrobat 6.0 enables Web page captures and converts documents to .PDFformat for evidence disclosure ml). Web capture utilities. A number of shareware or freeware Web capture utilitiesare available; these tend to vary in ease of use and cost. (Review potentialdownloads at www.tucows.com/.)Chat/Instant Messenger Utilities Peer-to-Peer file-sharing programs, such as Kazaa(www.kazaa.com/us/index.htm) MIRC, a shareware chat script, which provides a user-friendly interface forInternet Relay Chat (www.mirc.com). Instant Messengers:— Yahoo! Instant Messenger, a free service (http://messenger.yahoo.com/).— America Online Instant Messenger (AIM), a free service(www.aim.com/get aim/win/latest win.adp?aolp ).— I.M. Frame, an AIM Instant Messenger logger (www.bpsssoft.com). PowerTools Professional, which logs AOL chat sessions and manageschatrooms. For example, while attempting to enter rooms that are full, it willactually continue to “knock on the door” until someone leaves; at that point, theuser is automatically entered into the room (www.bpssoft.com/IMFrame/). Dead AIM, an AIM chat log capture utility (www.jdennis.net).Setting Up an Online Investigative Computer SEARCH Group, Inc. 20044