Computer Crime Investigator's Toolkit: Part I

Tuesday Feb 13th 2001 by Enterprise Networking Planet Staff

DOS and Unix tricks that every computer crime investigator should know.

Computer crime investigators come from differing backgrounds. In the private sector a wide range of certifications exist: CISSP, MCSE, Internet Security Specialist, Computer Forensics Specialist, and the like. Developing a common body of knowledge is often a response to the particular examination program one wishes to pass through. Yet, professional practice often dictates the areas of an investigator's expertise. Those with an emphasis on forensic issues (such as police investigators) may concentrate on techniques pertaining to "black" or illegal email, illegal pornography, and common-law crimes committed using a computer. Those with an emphasis on security issues may deal with technologies related to combating hacking, denial of service (DoS), intrusion, and business espionage.

What I've tried to do is devise a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. I hope to get you into the spirit of the hunt. Learning to think how a criminal looks at twisting, altering, hiding, and diverting information will definitely make the game more interesting. This is a pathfinder, a starting point to discovering other resources.

Part One will cover:

  1. DOS Tricks
  2. Unix Tricks

Part Two continues with:

  1. Windows Tricks
  2. Browsers
  3. Passwords

Part Three will discuss:

  1. Perl Scripting
  2. Networking Fundamentals
  3. Tracing Email

Part Four concludes with:

  1. Understanding Slack Files
  2. Understanding Cryptography Basics

Not So Dead DOS

For those who grew up in the IT field with MS-DOS, they found Unix and scripting not all that cryptic. Knowing command line instructions gives one a backstage pass to what's happening behind the GUI. Understanding how to examine a computer using MS-DOS with Windows 95 and 98 gives an investigator a firm foundation for other tricks of the trade. When users get cute with trying to hide information, MS-DOS can uncover the hidden structure. So, forget any notion that MS-DOS is dead; it will be a valuable forensic tool for some time to come.

Before we go into the specifics of DOS tricks, keep in mind that any time you examine a computer you run the risk of changing the evidence. These articles will not give you enough knowledge to make you a certified computer forensics expert. Accordingly, in a sensitive, crucial case a bitstream backup copy of the hard drive and possibly a memory dump of the RAM need to be done by a qualified specialist prior to examination. Copies of floppies need to done with DOS Diskcopy (version 6.22) with the /v switch turned on. The rule needs to be "preserve and then examine." Chain of custody issues also become a problem if the copy is not properly hashed and then digitally signed.

Users may try to hide files by using extended ASCII characters in the file name. "Find" searches for "Joes_2000_files" may not pull up "Joe£_2000_files." The Alt key depressed while entering the character number on the numeric pad generates these characters. For example, Alt + 241 is "±." Alt + 156 is "£." Having an ASCII chart is vital to figuring out which key sequence will produce nonstandard characters not found on the keyboard. Most MS-DOS manuals and Dan Gookin's DOS Secrets will have the chart. On the Web you can find a chart at for the extended set. For a general discussion of ASCII try To locate these files, make sure your "Find" utility has good parsing capability (finding "Joe" no matter the adjacent characters). Or, consider searching using a specialized "regular expression" engine described in (see "Passwords").

Another way to hide files is by using the DOS command "Attrib." Attrib +h hides a file from directory listings produced by the "Dir" command. However, the command dir /a:h will list all the hidden files in a directory. Remember, the Dir command can be an effective tool to view what's in a hard drive's file structure even if running Windows. Just go to the DOS prompt.

DEBUG has a lot of dust on it, something almost forgotten. Yet it is a tool still found in MS-DOS in Windows 95 and 98. It lets you view in hexadecimal and ASCII format what's in a file, on a floppy, or on a hard drive. A poor man's hex editor, it can fill in when a more sophisticated viewer is not at hand. It is useful for dumps of data and for writing assembly language programs. (Hex editors are nifty tools to have too. For more information on keeping one in your toolkit, see the Resources section below.)

Also, don't forget the Undelete and Unformat tools available in MS-DOS. They can move the picture of a hard drive one step back, if needed, in examining a computer, but they do require caution in execution. Their use may result in unforeseen data loss. They cannot be used with Windows 98, or NT. Windows 95 can do Undelete with a bit of sleight of hand, as we shall see later in the Windows section. But if you're checking an old machine, a dinosaur, running Windows 3.1 or MS-DOS 5.0-6.22, the commands may come in handy. For syntax specifics see and And, don't forget there are a lot of dinosaurs out there, so keep those old MS-DOS reference books.

Wild, Wild Unix

Unix serves as a wonderful training ground for computer security specialists. It teaches about access permissions for objects; learning about those rwx's in directory listings gives one an appreciation for granular security. It builds on MS-DOS knowledge: hidden files are "dot files" in Unix. They become visible by the "ls-al" command (very similar to dir /a:h). Unix expands on MS-DOS' piping and redirection capabilities. Searching or manipulating files and directories using FIND and SORT, an investigator, for example, can search a directory for inactive files (by date) and pipe the results into a report file.

Using Unix's scripting capabilities (similar to DOS batch files), an investigator may create combinations of commands into specialized programs to conduct security audits and to do file checking as a part of an inquiry. The GREP command searches files or directories that contain a particular character string. This capability provides for granular searching.

For example, /usr/bin/grep 'ron' trade > ronlist searches for all occurrences of "ron" in the file "trade" and prints them into "ronlist."

Unix also has the capability to list processes actively running on the machine by executing the command ps -ef. Processes may be deleted using the Kill command. The Top, Head, and Tail commands allow examination of portions of logs or process lists. Here are some examples of each:

root 0 0 0 Sep 07 ? 0:04 sched
root 1 0 0 Sep 07 ? 242:49 /etc/init -
root 2 0 0 Sep 07 ? 0:39 pageout

ps -ef | head
root 0 0 0 Sep 07 ? 0:04 sched
root 1 0 0 Sep 07 ? 242:49 /etc/init -
root 2 0 0 Sep 07 ? 0:39 pageout

ps -ef | tail
johnjones 29805 29696 0 Nov 23 pts/26 0:00 -bash
happy 10732 10731 0 0:01 <defunct>
root 3450 12314 0 Nov 22 ? 0:04 /usr/local/sbin/sshd


last pid: 11027; load averages: 4.31, 4.70, 4.99 01:20:40
272 processes: 198 sleeping, 65 zombie, 6 stopped, 3 on cpu
CPU states: 0.5% idle, 15.9% user, 15.3% kernel, 68.3% iowait, 0.0% swap
Memory: 8192M real, 914M free, 876M swap in use, 1172M swap free

7596 peter 132 0 0 60M 60M cpu4 378:00 5.45% smd
22049 john 139 10 0 48M 48M cpu8 214:29 3.91% smd
3130 carl 136 58 0 45M 44M sleep 169:59 2.69% smd

Unix also serves to introduce regular expressions, a powerful means to search for strings. And, later we'll see that regular expressions can serve as the basis for cracking passwords. Used in conjunction with Unix commands and scripts, AWK is a program language especially suited for regular expression searching. AWK searches for patterns and manipulates them when needed.

In the statement awk '$1 < $2 {print $0, $1/$2}' file1 > file2, a file called "file1" with two columns of numbers pipes into a new file called "file2" with columns 1 and 2 as previously, but also adds a third column which is the ratio of the numbers in columns 1 and 2. The ">" shows the piping into "file2," and the "<" shows that the program takes the input from "file1." AWK has the ability to search for specific transactions in logs and generate reports for the investigator.


Print Sources

Dougherty, Dale and Arnold Robbins, Sed & Awk, O'Reilly, 1997.

Gookin, Dan, DOS Secrets, Computer Publishing Enterprises, 1990.

Lasser, Jon, Think Unix, Que, 2000.

Microsoft, MS-DOS Version 5.0, Microsoft, 1991.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Zaenglein, Norbert, Disk Detective, Paladin Press, 1998.



Hex Editors

"Free 'Hex' Editors",htm



Ronald L. Mendell's article on Hex Editors

"About DEBUG"


"A Listing and an Explanation of Commands"


"The Unix Reference Desk"

"Solaris Man Pages"

"About AWK"

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
Th e Focal Point for Security on the Net (tm)

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved