LAW, INVESTIGATIONS, AND ETHICS
SEPTEMBER/OCTOBER 2001
Your Computer Forensic Toolkit

Kelly J. (KJ) Kuchta

KELLY J. KUCHTA is the National Director for the METASeS DefenseONE Computer Forensic and Litigation Support Services, based in Phoenix, Arizona. He is an active member of the High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), Computer Security Institute (CSI), International Association of Financial Crime Investigators Association (IAFCI), and the American Society of Industrial Security (ASIS). He currently serves as the Chair of the ASIS Standing Council of Information Technology Security.

The last article was Part 1 of the series and was about building a computer forensics laboratory and what it should include. That article briefly discussed forensics tools that you might need. This article takes a more detailed look at the type of tools that are used in computer forensics. In Part 1, forensic software was categorized into seven different categories: (1) imaging, (2) analysis, (3) conversion, (4) viewing, (5) monitoring, (6) security utilities, and (7) over-the-counter software. These categories will be used to define tools in this article.

The forensic software to be reviewed here is probably used by a vast majority of computer forensic professionals, and it is the most common in the field. The latest information on Linux-based forensic tools will be provided. Most businesses use Microsoft Windows products, so the tools that are going to be reviewed will provide good results for this environment. There are also other products which are useful, but will not be reviewed here because of the focus of the article and the space allotted for this topic. The areas covered will be product functionality, limitations, level of expertise required, price, and miscellaneous information needed to use the application.

New forensics software is being introduced on a weekly basis. Consequently, this article should not be considered to contain an all-inclusive list of forensics software products. I write about tools that I am familiar with. The biggest concern in using these tools should be that the user is comfortable with the results and how the product works. The current debate among the forensic community is with "point and click" tools. Purists argue that in order to really know what is going on with tools, users must understand exactly what they are doing. The purists further argue that most users really do not know what is going on when they "point and click" their way around a computer forensic examination. Additionally, the professional is not encouraged to validate the results, instead relying on the output of the application. To their point, what application is bug free? These individuals tend to prefer utilities, DOS applications, or working with applications that require a great deal of understanding about the process.

Neophytes argue that this line of thinking is out of date, pragmatic, and limiting. They argue that using "point and click" tools provides a shorter learning curve and helps bring a greater number of professionals into the field more quickly. There is also the feeling that the old guard is reluctant to change, which invites claims of hypocrisy. Whatever the stance, the points that most everyone agrees on are: validate and understand results, be able to explain how the tool works, and never violate the "basic principles" of computer forensics. An individual who works in this area for any amount of time must be prepared to sit down in front of a client, boss, judge, or jury and explain what the tools do.

BASIC PRINCIPLES

Everything that a computer forensics professional does should be grounded in certain principles. They are:

• Never work on original evidence.
• Use tools that have been tested and are capable of replicating findings.
• Take copious notes or have tracking capabilities of all efforts.
• Strictly follow established procedures for evidence preservation.
• Maintain chain of custody.
• Use the highest standards of conduct to obtain results.

This article will focus on two of these principles. The others will be covered in subsequent articles. The principles covered here are the use of tested tools to replicate findings and preserve evidence.

I have yet to find one tool that does everything I need it to do. Some tools have multiple functions and will be mentioned throughout the article. Just as tradesmen have many tools in their toolboxes, so should users anticipate their needs and bring along familiar tools. Let's dig into the toolbox!

IMAGING

An important part of computer forensics is the acquisition and preservation of evidence. To complete this process, an application is needed that makes an exact copy of the data, or lack of data, in each sector of the targeted hard drive, whether or not that sector belongs to a live file. This must be accomplished without changing any of the data. This process is called "making an image" or producing a "mirror image." The image can then be searched for items of interest or it can be restored to another hard drive or media. Because an exact image of the suspect hard drive has been made, the restored image can be used in place of the original drive and searched without the concern of altering the original data. Some common imaging applications will be described:

SafeBack www.forensics-intl.com

SafeBack was originally created in 1990 and marketed by Sydex, Inc. In March 2000, New Technology, Inc. (NTI) purchased the SafeBack product and currently markets it with the rest of their products, which will be mentioned here.

INFORMATION SYSTEMS SECURITY


Functionality

SafeBack is an MS-DOS-based program which makes an exact bitstream image of media such as a hard drive without altering the data. As of this article, the latest version available is 2.18. What makes SafeBack so powerful is that it is not file oriented. Therefore it will make an image of just about any hard drive that can be read by a computer, regardless of the target system's operating system.

SafeBack has a robust audit feature that gives the user the ability to compare the original data to the copied data. The application uses both a 16-bit CRC checksum for each block of data and a 32-bit CRC checksum for the file itself to create a fingerprint of the original evidence and the copy. Both values are compared to determine that the original and the copy are exactly the same. The chance of two different blocks accidentally sharing a CRC is small (about one in 2^32 for a 32-bit CRC), which is adequate for catching copy errors; note, however, that a CRC is not a cryptographic hash, and an image that has been deliberately altered can be adjusted to keep its CRC, so many examiners also record an MD5 or similar hash of the image alongside the CRC audit. This information can be saved to a file and used to verify that the data is in fact "authentic." This process can be replicated numerous times to determine the accuracy of the data so long as the information has not been changed. Note: Data is easily modified. This fact will be addressed in the article on computer forensic methodology.
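To make the audit idea concrete, here is an added example written for this article; it is not SafeBack, EnCase or any vendor's code. It images a source device or file block by block, records a CRC32 for every block plus an MD5 and SHA-256 of the whole stream as the audit record, then re-reads the image and checks every block against that record. The function names, the 512-byte block size and the sample "drive" are assumptions chosen for the illustration.

```python
"""Bitstream imaging with a block-level audit record (added example).

Not SafeBack or EnCase code. Names, the 512-byte block and the sample
'drive' are assumptions made for this illustration.
"""
import hashlib
import json
import os
import tempfile
import zlib

BLOCK = 512  # one sector; real imagers read larger chunks, the audit idea is the same


def image_device(src_path, img_path, block=BLOCK):
    """Copy src_path to img_path byte for byte, in fixed-size blocks.

    Returns the audit record: a CRC32 per block plus MD5 and SHA-256 over
    the whole stream. The source is opened read-only; nothing is ever
    written back to it (principle: never work on the original).
    """
    crcs = []
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            crcs.append(zlib.crc32(chunk))
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {"bytes": total, "block": block, "crc32": crcs,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(img_path, audit):
    """Re-read img_path and compare it with the audit record.

    Returns (True, None) when every block CRC and both hashes match,
    (False, n) with n = index of the first block whose CRC differs, or
    (False, -1) when the CRCs match but a whole-image hash does not.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(img_path, "rb") as img:
        for i, want in enumerate(audit["crc32"]):
            chunk = img.read(audit["block"])
            if zlib.crc32(chunk) != want:
                return False, i
            md5.update(chunk)
            sha.update(chunk)
        if img.read(1):  # image is longer than the record says
            return False, len(audit["crc32"])
    ok = md5.hexdigest() == audit["md5"] and sha.hexdigest() == audit["sha256"]
    return (True, None) if ok else (False, -1)


def demo():
    """Image a constructed 'drive', verify, flip one byte, verify again."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "drive.bin")
    img = os.path.join(work, "drive.img")
    log = os.path.join(work, "audit.json")
    with open(drive, "wb") as f:  # constructed sample: 4 full sectors + a partial one
        f.write(os.urandom(4 * BLOCK + 100))
    audit = image_device(drive, img)
    with open(log, "w") as f:  # the audit record travels with the evidence
        json.dump(audit, f)
    clean = verify_image(img, audit)  # expected (True, None)
    with open(img, "r+b") as f:  # simulate a single flipped byte in sector 2
        f.seek(2 * BLOCK + 7)
        orig = f.read(1)
        f.seek(2 * BLOCK + 7)
        f.write(bytes([orig[0] ^ 0xFF]))
    tampered = verify_image(img, audit)  # expected (False, 2)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The per-block CRC tells the examiner which sector went bad, which a single whole-image hash cannot do; the whole-image hashes are what get quoted in the report, because a CRC alone is not evidence against deliberate alteration. The audit file is the "copious notes" of the principles list and should be stored with the image, not on the evidence drive.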

Limitations

SafeBack is a non-GUI MS-DOS application.

Level of Expertise Required

While SafeBack is not hard to use, it does require the user to have at the very least a basic understanding of MS-DOS.

Price

At the time of this article, the price for this single product could not be determined. Contact NTI to determine if SafeBack can be purchased separately or if it is included in their other forensics tool suites.

Miscellaneous Information

Sydex stood behind its product and its functionality. If necessary it sent a representative to the court to substantiate the product's functionality. It is unclear whether the new owner NTI will continue this practice. However, NTI's track record of technology support is equally impressive. SafeBack is an application that is well established and has been battle tested in court. Users should feel reasonable confidence in using this product.

EnCase www.guidancesoftware.com

Functionality

EnCase's latest version, 2.16a, has a number of different features that make it useful. It is a Windows-based application with a GUI that gives it a polished look and feel. Forensic professionals should take advantage of its unique evidence acquisition features.

The newest Professional versions can be used to acquire evidence from various file systems such as FAT12, FAT16, FAT32, NTFS, EXT2, CD-ROM, and Macintosh. While not having the track record of SafeBack, EnCase is a solid imaging tool. It provides an audit feature to verify and authenticate evidence. It will automatically record details about the evidence acquisition process and place them into a report format. This type of information might include drive specifics, dates and times, hash values, etc. It allows the forensic professional to create and organize the evidence file to individual preferences. A sample of the report view in EnCase version 2.14 is illustrated in Exhibit 1.

Limitations

It has been reported that EnCase has some difficulty in imaging large evidence files. This limitation can be overcome by using certain techniques, and the newest version is thought to address this issue.

Level of Expertise Required

EnCase does not take a great deal of training to master the basic functionality. Persons who attend a training class and can use their newfound skills on a regular basis can quickly contribute to your practice. Guidance Software also provides a better than average user manual.

Price

EnCase has two versions: Standard and Professional. A single-user license for Standard is $995 and the Professional version is $1,650.

Miscellaneous Information

Guidance Software provides both technical support and an EnCase user group to answer questions. Guidance was scheduled to release a new version of EnCase, 3.0, sometime in the second quarter of 2001.

ForensiX http://all.net

For Linux gurus, the "dd" command makes a forensics-quality image of the media to be copied. Unlike SafeBack, dd produces no audit record of its own, so the examiner must hash the source and the image separately and keep the results with the case notes. I know of only one Linux forensic utility. It's developed and sold by Fred Cohen & Associates.

Functionality

The preferred operating system for ForensiX version 1.0 is RedHat Linux, although other versions of UNIX will partially support it. It is capable of imaging Mac, DOS, Windows, UNIX, and other disks and files. It can also image PCMCIA cards, IDE, SCSI, parallel, serial, etc. Other important features are that it automatically produces chain-of-evidence information, does not modify the original evidence, accommodates large amounts of data (reported to be 16 terabytes), and will replay the analysis with automatic analysis integrity verification.

EXHIBIT 1: Report View in EnCase v2.14


Limitations

None noted.

Level of Expertise Required

It is strongly suggested that users be familiar with RedHat Linux because many of the features require the use of UNIX-like commands.

Price

At the time this article was written a single copy of ForensiX was offered for $899.

Miscellaneous Information

Dr. Fred Cohen is very well respected in the computer forensic area and has an excellent reputation for being accurate and knowledgeable. From all accounts, this tool is a good one.

There are other imaging tools that I have not mentioned such as Snapback, Drive Image Pro, Byte Back, and, of course, Linux. Snapback and Byte Back are utilities that are favored by the law enforcement community; however, they are only offered to the law enforcement community.

ANALYSIS

In Part 1, "analysis" tools were defined as: "conducting document, application or word searches, file comparisons, matching data from a known document to an unknown document, reviewing deleted data or comparing source code." I will outline a few of the more popular tools below and mention several that may warrant further research.

EnCase www.guidancesoftware.com

Functionality

EnCase provides the ability to search for text using GREP (regular expression), case sensitive, and Unicode options. The Unicode option matters more than it sounds: Windows stores many strings on disk as two-byte Unicode (UTF-16), which an ASCII-only keyword search will miss entirely. It also provides the examiner with the ability to view thumbnails of graphic files. It can bookmark files of interest into the case folder for future reference and place them into reports. It allows for multiple views of files in Hex, Text, or a report summary. It also allows information to be exported to other formats or files. Exhibit 2 illustrates the typical view seen with EnCase.

EXHIBIT 2: Typical View with EnCase


Limitations

EnCase appears to have difficulty in viewing Linux file structures and is not as powerful on Linux as it is on Windows products.

Level of Expertise Required

EnCase does not require a great deal of training to master the basic functionality. Persons who attend a training class and can use their newfound skills on a regular basis can quickly contribute to your practice. Most of the analysis functionality is fairly intuitive. Guidance Software also provides a better-than-average user manual.

Price

EnCase has two versions: Standard and Professional. A single-user license for Standard is $995 and the Professional version is $1,650.

Miscellaneous Information

EnCase is probably one of the most popular forensic analysis tools used in the computer forensics community, providing the user with a good support group of other professionals who are familiar with the product.

NTI Forensic Utilities www.forensics-intl.com

Functionality

NTI has been in the business of providing forensic tools since 1996 and is the owner of "SafeBack." NTI's tools are actually a collection of utilities designed to do specific tasks such as capturing file slack, deleted files, or chaining fragmented files. The utilities are designed to accommodate DOS, FAT, and NTFS file structures of Windows operating systems. NTI has a robust suite of tools for just about every forensic need.

Limitations

A user looking for a fully integrated GUI product to shorten the learning curve is looking in the wrong place. Plan on allowing plenty of time to master these tools and the results will be pleasing.

Level of Expertise Required

The user must be comfortable and familiar with MS-DOS and DOS-based products such as Disk Edit and System Commander. If a user cannot master a majority of the DOS commands it will be difficult to use this tool to its fullest potential. The required time to master these tools can be much longer, but once accomplished the examiner will generally know the ins and outs of computer forensic examinations.

Price

These utilities can be purchased in a package or "Suite" or they may be purchased individually. Contact NTI for price information.

Miscellaneous Information

The price for NTI tools includes a training class on how to use them. Each utility is licensed to the user to help establish ownership of the tools and validate their use. Most NTI tools cannot be purchased without attending their training classes.

Access Data’s Forensic Toolkit or “FTK” www.accessdata.com

Functionality

FTK provides full text indexing, advanced searching, known file filtering, graphical file viewing, hash verification, and interoperability with Access Data's password recovery kit (sold separately). It can accommodate all FAT variants, NTFS, EXT2, and CDFS.

Limitations

None.

Level of Expertise Required

As with most forensics tools, some training is suggested to maximize effective use. Access Data provides training with the purchase of their software, although the product may be purchased separately.

Price

A single licensed copy is $995.

Miscellaneous Information

A new version of FTK was scheduled for release in the second quarter of 2001.

ForensiX http://all.net

Most have heard a commentary about how powerful and flexible Linux can be. ForensiX provides these features and more.

Functionality

Its biggest virtues are that ForensiX can quickly search through large volumes of data, examine deleted files, swap space, and other key areas of interest. It has the ability to view graphics files from disks at the rate of one every second and provides programmable and customizable analysis capabilities along with a Web-based user manual and audio training built into the application.

Limitations

None noted.

Level of Expertise Required

It is strongly suggested that users be familiar with RedHat Linux because many of the features require the use of UNIX-like commands.

Price

At the time this article was written a single copy of ForensiX was offered for $899.

Miscellaneous Information

Nothing noted.

Other tools that are often used in the forensic community are ILook and Drive Spy. ILook is only offered to the law enforcement community so unless you are a law enforcement officer, you are out of luck — especially since it is free.

CONVERSION

To get data into a format that can be viewed, searched, or even recognized, conversion tools are sometimes necessary. Today more tools allow for both importing and exporting of data from and to other applications. Most text files can be converted to similar applications, therefore, I will not belabor the point. However, e-mail presents a much different issue. For e-mail, I strongly suggest using UniAccess.

UniAccess www.comaxis.com

Functionality

UniAccess supports the conversion of e-mail between the following e-mail applications: Exchange, Outlook, Notes, GroupWise, Netscape, Eudora, IMAP4, Pegasus Mail, ExpressIT, cc:Mail, daVinci, Notework, CompuServe, Calypso, and HTML. It is also powerful if users need to view a large number of e-mails on an e-mail application that is unfamiliar: e-mail can be exported to a familiar application.

Limitations

None noted.

Level of Expertise Required

Because UniAccess is not a mainstream product, a good dose of patience is needed. As with most data conversion processes, things do not always work as planned. Conversion rewrites the messages into a new format, so hash and preserve the original mailbox files first and run the conversion only against a copy. Do not put a junior person on this process until a process or methodology has been developed.

Price

UniAccess is $295 and allows up to 50 licensed users.

Miscellaneous Information

UniAccess cannot be purchased directly from Com/Axis Technology. However, their Web site provides authorized dealers by area. Exhibit 3 illustrates the initial step of the conversion process with UniAccess.

VIEWING

Many times a forensic professional will be asked to find certain graphics files or to determine their contents. The law enforcement community deals with this issue frequently in the area of child pornography. Some technologically savvy individuals with illegal, immoral, and unethical intent attempt to hide the presence of contraband in these files by changing the file header to disguise its contents. To really know what is in the files, they must be viewed. A viewer that identifies a file type from its signature bytes rather than from its name will catch a file whose extension has been changed; a file whose leading bytes have actually been overwritten will not render until the header is repaired, so an unrecognizable header is itself a reason to look closer. A viewing application is instrumental to view not only graphics files, but also other types of files. Viewing applications present the forensic examiner with a thumbnail picture of the file contents or an image of the document.

EnCase and FTK have built-in file viewers, which allow the forensic examiner to view several pages of thumbnail pictures at one time and then concentrate on a particular file to determine key information about the file such as creation date, size, etc. An example of the thumbnail view in EnCase is illustrated in Exhibit 4.
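As an added example of the triage that precedes viewing (written for this article, not EnCase, FTK or Quickview code), the script below compares each file's extension with what its first bytes say, so that renamed pictures and files with damaged headers land on the list for manual viewing. The signature table is a small illustrative subset, and the file names and header bytes are constructed for the example.

```python
"""File-signature triage for a viewer's worklist (added example).

Not EnCase, FTK or Quickview code. The signature table is a small
illustrative subset; the sample files are constructed.
"""

# extension -> magic byte prefixes (only a handful; real tables are large)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",), "docx": (b"PK\x03\x04",),
}


def identify(header):
    """Extensions whose magic bytes match the start of header."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}


def classify(name, header):
    """Compare the name's extension with what the bytes say.

    Returns 'consistent', 'mismatch:<types>', 'damaged-jpeg-header' (no
    magic, but a JFIF/Exif marker survives in the first 64 bytes, i.e. a
    JPEG whose leading bytes were overwritten) or 'unknown-signature'.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = identify(header)
    if not found:
        if b"JFIF" in header[:64] or b"Exif" in header[:64]:
            return "damaged-jpeg-header"
        return "unknown-signature"
    if ext in found:
        return "consistent"
    return "mismatch:" + "/".join(sorted(found))


def triage(samples):
    """Map each (name, first bytes) pair to its classification; anything
    other than 'consistent' goes on the list for manual viewing."""
    return {name: classify(name, head) for name, head in samples}


JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"

SAMPLES = [  # constructed headers, not real files
    ("vacation.jpg", JPEG_HEAD),
    ("budget.doc", JPEG_HEAD),                 # picture hiding under a document name
    ("readme.txt", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("photo.jpg", b"\x00\x00\x00\xe0\x00\x10JFIF\x00\x01\x01"),  # leading bytes overwritten
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("data.bin", b"\x01\x02\x03\x04"),
]


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:14s} {result}")
```

Run against the constructed samples, "budget.doc" is reported as a JPEG under a document name, "readme.txt" as a PDF, and "photo.jpg" as a JPEG whose header has been overwritten; the examiner would open those three in a viewer first. The check reads only the first few dozen bytes, so it runs over a large image quickly and, like any signature check, it is a triage aid rather than proof of content.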

There are a number of stand-alone viewers to consider. Specifics about each of them follow.

Quickview Plus v 6.0 http://www.jasc.com

Functionality

Quickview Plus has the ability to view over 200 different file formats. This makes it a good all-around product to view many different files without having to purchase and open the different types of applications encountered. It supports Win 95, Win 98, WinNT, and Windows 2000.

Limitations

None noted.

Level of Expertise Required

Quickview is very easy to use and requires only a basic amount of knowledge to use the application properly.

Price

The price for Quickview Plus varies from the low $40 range to as high as $59.

Miscellaneous Information

None noted.

EXHIBIT 3: Step 1 of Conversion Using UniAccess


Thumbs Plus v 4.10 http://www.cerious.com

Functionality

Thumbs Plus provides a full page of thumbnail graphic files allowing a quick visual review of the contents to look for things of interest. It is compatible with Win 95, Win 98, WinNT, and 2000. It allows the user the ability to adjust the image quality of the picture and preview movie clips (including the audio portion) and offers a conversion feature for converting multiple files.

Limitations

None noted.

Level of Expertise Required

This application is very easy to use and requires only a basic amount of knowledge to use the application properly.

Price

New users of Thumbs Plus should expect to spend $79.95 for a licensed copy.

Miscellaneous Information

This is a robust application that Cerious Software, Inc. has made a commitment to improve. A number of enhancements are planned between now and 2009. I have heard nothing but good things about technical support issues.

MONITORING

In Part 1, I mentioned that occasionally the events that the user is trying to investigate are ongoing. After the electronic evidence is preserved, the event may be monitored on a near- or real-time basis. There are plenty of different types of applications available. However, for this article, I will focus on two: keystroke capture programs and sniffers.

Keystroke capture programs can be instrumental in obtaining a confession from the instigator — especially when it is in their own words as captured on the keyboard. The premise is that all of the activity on the keyboard is recorded and preserved. Two programs that might warrant attention are Investigator and Silent Watch.

EXHIBIT 4: Thumbnail View in EnCase


Investigator www.winwhatwhere.com

Functionality

This application has many interesting features that make it appealing in investigating IT events. The company Web site describes it as follows: "WinWhatWhere Investigator provides a highly detailed audit trail of all computer activity. This includes date, time, elapsed time, window titles, URLs, and keystrokes — providing an accurate picture of usage on the monitored computer."

A forensic professional must have access to the target computer's hard drive. Investigator allows the application to be loaded onto the target computer, making it invisible to the user. The forensic professional chooses where the application is placed in the target computer's directory. Then the program is only visible by using a certain combination of keystrokes, which is how the forensic professional will need to access the application in the future. The data must then be retrieved through direct access to the computer or through its "Stealth Email" feature. This feature will allow the forensic professional to compress the captured data and e-mail it to an account of their choice, unknown to the user. The frequency and time of the e-mails are customizable to permit updates as often as necessary.

Limitations

None noted.

Level of Expertise Required

Investigator is fairly easy to use, but I highly recommend testing and using the product first before using it in the field. If not set up correctly, your efforts can be compromised.

Price

A single copy of WinWhatWhere Investigator may be purchased for $99.

Miscellaneous Information

As with all of the monitoring software I discuss, there are privacy issues that must be addressed. Please understand which issues are pertinent to the situation before deploying these tools or any other tools of this nature. Keep in mind that a keystroke log captures passwords and personal data unrelated to the matter under investigation, so it needs the same chain-of-custody handling as any other evidence.

Silent Watch www.adavi.com

Functionality

The company Web site describes Silent Watch as follows: "ADAVI Silent Watch allows you to control misuse of your computers and restrict objectionable content that may harm or distract others on your computer network. ADAVI Silent Watch will also track computer idle time, record keystrokes, URL logs, monitor incoming and outgoing e-mail and monitor an unlimited number of computers on your network." The single user or "at home" application is called "Silent Guard."

Limitations

None noted.

Level of Expertise Required

Silent Watch has evolved into a network-based product. Because of the complexity of network issues, it requires the forensic professional to have network skills. It is highly advisable to test and use the product prior to using it in the field. Silent Guard, its stand-alone product, is much more user friendly.

Price

A single copy of Silent Watch including four seats may be purchased for $199.95. Additional seats can be purchased in incremental blocks. A single license of Silent Guard is $49.95.

Miscellaneous Information

Many in the news media prominently mention Silent Watch and WinWhatWhere Investigator. The news media seems to indicate that these products are being used by a fair number of individuals. Most of the examples given by these accounts were of private citizens monitoring children, spouses, or significant others. However, it is also mentioned that businesses use the products with some success. Just remember that the bad guys can also use software against you. So be careful.

Sniffers come in many shapes and sizes. Use the one that provides the highest level of comfort and confidence for its purpose. One consideration is that sniffers can collect huge amounts of data. When zeroing in on a target, it is essential to have the ability to control the device's collection activity, for example by filtering the capture to the hosts and protocols of interest. These logs must be preserved for future reference.

The diversity of sniffers that are available to forensics professionals is not covered in this article; however, there are two that I would like to mention. I have had very good experiences with Session Wall 3 and Network Flight Recorder.

SECURITY UTILITIES

If given a chance, look at an experienced computer forensics professional's toolkit. It will contain a potpourri of utilities that have been collected over the years. The list will likely include

1. Password crackers — Cain, L0pht Crack, John the Ripper, etc.
2. Encryption software — PGP
3. Erase utilities — Wipe Info, Secure Clean, etc.
4. Comparison utilities — Araxis Merge 2001 Professional
5. Hash utilities — MD5, etc.
6. DOS utilities and operating systems — Disk Edit, etc.
7. Search and indexing utilities — DT Search, etc.
8. Back-up software — Backup Exec, ARCserve, etc.

The type of work the computer forensics professional is involved with determines the software tools they carry. If their skill sets are used primarily in an incident response mode, the toolkit may be more heavily weighted to password cracking, encryption, and the hash utilities. Computer forensics professionals who spend much of their time in the litigation support area will likely consider a search or indexing software such as "DT Search" to be their best friend. The software must index the data and then allow the user to search by keywords, finding every instance of the keyword. The most time-consuming part is the indexing piece; however, after the indexing is completed, search time is minuscule.

OVER-THE-COUNTER SOFTWARE AND HARDWARE

At this time, things are changing frequently and without warning. I strongly recommend that organizations save at least one copy of every version of operating systems they have used as well as e-mail applications and proprietary software. The best way to accomplish this is by approaching the person in the IT group who is in charge of the "Bone Yard." Every organization has a "Bone Yard." It's the place where old and used equipment and software go after their purpose has been served. Before any item is tossed, ask this IT person to contact you to determine your interest. You can start a nice little library of old software. Who knows, one day it might be worth something. Better yet, it will make the job much easier when you are trying to recreate data from the "age of Noah."

The same can be said for hardware. Ask for the same privileges as for software. Reconstructing records and data from 5 or even 10 years ago may be accomplished only by having access to old equipment. Think of the old "8-track" tapes or "vinyl" records. Their use is very limited without the right hardware.

WRAP UP

Now that you have had some exposure to some of the tools that a forensic professional might use, you need to get some training. The next article in this series will cover what kind of training programs are available, what to look for in the curriculum, the number of hands-on exercises that you should receive, where to find these training courses, and finally some pitfalls to avoid.
