Do you ever wonder what your spouse is doing online? Are you fearful of what the kids might be downloading? Want to know what your employees are doing on the internet?
Find out today with SPY!
CONTENTS

1 – Introduction
2 – How to use SPY
3 – Interrogating the web browser
   – Introduction
   – Cookies
   – History
   – Temporary Internet Files
   – Passwords and Form Data
4 – Forensically examining your hard drive
   – Introduction
   – Deleted Files
   – Common Files
   – Is Anything Really Deleted?
5 – Filesharing
   – Introduction
   – Finding filesharing software
   – Locating shared files
6 – What next?
7 – Copyright & disclaimer information
Chapter 1 – Introduction

A very quick point – the copyright for SPY belongs to the author, feel free to share this document but please do not pass it off as your own! Any queries may be directed to the author at [email protected].

Okay, let's get on with it, shall we? Virtually everyone in the developed world has access to the internet, whether it be through their home internet connection, a library terminal, their office workstation, or even their mobile telephone. It is arguably the greatest and most far-reaching technological development of our lifetime, and its uses are uncountable. However, what we are here to investigate is not use of the internet, but misuse of it.

If you operate a small business, big enough to have employees but not big enough to have an I.T. department, how can you know whether your staff are misusing the workplace internet connection? As a boss you will know that if somebody can get away with something, then they very probably will! Are you paying your employees wages to sit and browse eBay or watch videos on YouTube for eight hours a day?

It's not just cheeky employees that can be misusing the internet, though. Perhaps your teenage kids have access to the 'net at home – after all, it's a great research tool for homework, and they can keep in touch with friends at the same time. But what else might they be doing? It doesn't matter how sweet and angelic you think they are, because teenagers are teenagers are teenagers. Do you really think they've never typed 'sex' or 'porn' into Google?

Just as worrying is the trend for illegally downloading music and movies. Piracy costs the entertainment industry a lot of money, which means that they are willing to spend a lot of money to stop it. Over the last five years, the industry has initiated early-morning search warrants, arrests, and prosecutions of people for downloading pirated songs and films. Did you think that the culprits were all 'knock-off Nigels', those guys who go around the pubs selling DVDs from a holdall? Wrong. By far the biggest group of people who illegally download is teenagers. Ask yours if they have ever heard of Limewire, for example. They have? Uh-oh... better fast-forward to Chapter 5 (Filesharing) to find out what they're up to, before the police come knocking at 6am!

The good news for you, whether you are a parent, an employer, or even a suspicious spouse, is that it is quite easy to find out how your internet is being used. Computers constantly make records of what they are being used for. Sometimes the records are open, easy to find, read, and delete. Often, they are not. Even somebody who is trying to cover all trace of their internet use, for whatever reason, will find it very hard indeed to get rid of all the evidence.

SPY will take you, step-by-step, through a forensic examination of your computer. It will show you where to look, and how to interpret what you find. You don't need to be a computer expert to use SPY – you just need to be able to switch on the computer and use the mouse. Everything else is explained in the book as simply as possible. Best of all, all of the techniques that are used in a SPY examination are entirely free. Some of the more sophisticated methods might require the use of some free software, and most of them can be completed with nothing more than what you already have in front of you – the computer, a monitor, a mouse and a keyboard.

So, good luck in your detective work! If you have any comments about SPY, please feel free to email me at the address at the start of this introduction – and of course, a positive feedback on eBay is always welcome! ML
2 – How to use SPY
As I have mentioned, SPY is designed for everyone – including people who have very little knowledge of computers. As such, some of the explanations may seem as though they are teaching you to suck eggs – feel free to skip the parts that you already understand!

At present, SPY is written for PC and laptop users, but not Mac users. Apple Macs are fundamentally different to PCs, and SPY techniques may not be suitable for them. SPY is written for use with the Windows operating system, whether it be Windows XP or Windows Vista. Most of the techniques will also work with older versions of Windows, however.

All of the techniques in SPY work on the assumption that you have access to the computer you are examining, under the same username as the person you are investigating. You may find that Windows asks you to select a user when you switch on the computer, and it may be set up with a separate user account for each member of the household. If you want to know what 'John' has been using the internet for, you'll need to select 'John' in order to access the relevant files: the Internet Explorer menus described in Chapter 3 only show the records of the account you are logged in as. (If John's account has a password you don't know, an administrator account can still open his files directly – they live under C:\Documents and Settings\John on Windows XP and C:\Users\John on Windows Vista – but the step-by-step instructions in this book assume you are logged in as John.)

As a small aside – you should have authority to access any areas of the computer that you examine. If you own the computer, then it's very likely that you have such authority! Likewise if it is a family-owned computer and you are part of the family – but be aware of the legal implications of accessing somebody else's computer without their permission.
3 – Interrogating the web browser
Introduction

A major element of the internet is the 'world wide web'. A lot of people think that the world wide web is the internet, which is not far from the truth. When you hear about websites, and web pages, they are things that are found on the world wide web – or 'www' for short. This is also why so many web addresses start with 'www': it is the traditional name for the computer that serves a site's web pages, though it is only a convention and plenty of addresses work without it.

The 'web browser' is the program that your computer uses to look at things on the world wide web. The vast majority of computers use the web browser called Microsoft Internet Explorer ('IE' for short) – there are alternatives, but very few computers are supplied with anything other than IE installed, and people who use alternatives are usually experienced computer users who download them from the internet. SPY is written with IE in mind.

IE starts as soon as you open the internet on your computer. This is usually done by clicking the IE icon, which appears as a blue letter 'e' somewhere on the desktop. If you open any web page, you should see at the very top of the window the name of that web page, followed by the words 'Microsoft Internet Explorer' (or 'Windows Internet Explorer' in IE7) – congratulations, you are using IE.

While someone is using IE to look at the internet, the program is making records – thousands of records – of what they are doing. Technically, every time that person looks at a web page, IE actually makes a copy of that web page and stores it on the hard drive, so that the page loads faster next time. Although it is quite simple to access and delete these records, there are a lot of people who don't know how to do so. What's more, even if somebody does know how to do so, they probably won't bother unless they think somebody else might go looking for them. This chapter will take you through finding and opening these records, and interpreting what you find.
Cookies
Nope, not the choc chip kind. We're talking about computer cookies. Lots of people have heard of them, not many people know what they are, and there is a common misconception that they are fundamentally bad. So what is a cookie? A cookie is not a program at all – it is a small piece of text that a website asks your browser to keep. IE stores it in a little file on your hard drive, and every time you go back to that website, IE sends the text back to it, which is how the site 'remembers' what happened last time. For example – if you go onto the BBC website, you can tell the website your current location so that it displays local news and local weather. If you then go back onto the BBC website a week later, it already knows where you are – and displays that local information automatically. How? A cookie! The site stored your choice in a cookie the first time you went there, and IE handed it back when you returned, so the site knew your location without asking.

Cookies are one type of record that are kept when someone is using IE to view the internet, and if you know where to find them and what they look like, you can get a glimpse of how IE has been used. Here's how:
– Open IE – however you usually do this, to access the internet.
– At the top of the screen, there is a 'Tools' menu. It may be in the menu bar near to the top-centre of the screen, or it may be over in the top-right corner, depending on which version of IE you have. Click 'Tools' once.
– This will open a drop-down menu, and at the bottom of this menu is 'Internet Options'. Select this.
– You should now have a small window on the screen, entitled 'Internet Options'. Around halfway down this window is a section named 'Browsing history', within which there are two buttons: 'Delete...' and 'Settings'. Click on 'Settings'. (In the older IE6 the section is called 'Temporary Internet files' instead, but it has the same 'Settings' button.)
– Another small window should open, entitled 'Temporary Internet Files and History Settings'. Within this window there are several buttons – one is named 'View files'. Click this.
At this point, a further window will open. This window is called an 'explorer' window, and it allows you to view all of the files on a computer's hard drive. This window has opened on the 'Temporary Internet Files' section, and you should see a long list of files within it. Those files which are cookies always stay at the top of that list, and you should see them now – cunningly, they all start with the word 'cookie:'!

Now that you have found the cookies, what do they all mean? Well, all cookies are named in a particular way: they start with 'cookie:' followed by the name of a user (eg. John), an '@' symbol, and the name of a website. So the following cookie...

cookie:john@bbc.co.uk

...indicates that John has used IE to view the BBC website. Get it? Without getting really technical, there isn't a great deal you can find out from cookies other than the names of the websites that set them and – if you switch the window to the 'Details' view described later in this chapter – when they were last used. Scroll down the list of cookies (it may be very long!) and see what sort of websites have been viewed on your computer. Be aware that sometimes, cookies can be stored simply by viewing an advert for a particular website, and so by themselves they aren't strong evidence of internet misuse. If you view an innocent website that has on it an advert for a casino, for example, you might find a cookie called...

cookie:john@thecasino.com

...and it doesn't necessarily mean that John has been gambling away the mortgage money! Look at the list as a whole. Expect to see a few 'dodgy-looking' cookies scattered around, that's normal. If you find that half the list is made up of cookies from one kind of site – casinos, dating sites, porn – then it might be an indication that a lot of these sites have been visited.

A final note on cookies – if you follow the above instructions and find NO cookies, this suggests that the user may have deleted them after they last used the internet. They could do this to cover their tracks, or for legitimate reasons such as general computer maintenance. All is not lost, however... we're just getting started!

History

Unlike cookies, 'history' is fairly self-explanatory. IE keeps an index of all previously-visited websites – pretty useful, huh? There are a few different methods of finding out what's in this history, depending on which versions of Windows and IE you are running. The most straightforward method is to see a list of recently visited addresses. Here's how:
– Open IE.
– At the top is a long white bar, where the address of the current web page is displayed. This is called the 'Address Bar', and it should contain a web address – probably www.msn.com or www.google.com, for example. Found it?
– To the right of the address bar is an arrow that, when clicked, opens a drop-down box. Try it.

This drop-down box contains the web addresses most recently typed into the address bar by that user (Windows keeps up to 25 of them, in the registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs). Note that it will only display addresses that have actually been typed in – it won't include addresses that have been visited by the user clicking on links to get there. Although the contents of the drop-down box are limited in this way, it does mean that whatever you see in here has actually been typed into the address bar, manually, on the keyboard. So 'www.thecasino.com' showing up in this list isn't just the result of an advert or a misplaced click – somebody has physically entered that address into the browser. But what about the other sites – the ones that have been visited without the user actually typing the address in? Now, here's a nifty trick to find that information:
– Open IE
– Click in the address bar, so that you can type into it directly
– Type 'www.' followed by any letter of the alphabet.

You should see the drop-down box appear again, this time containing a number of web addresses that are in the IE history beginning with the letter you chose. If none appear, try a different letter. For example – typing 'www.g' into the address bar might open the drop-down box, with suggestions such as 'www.gasboard.co.uk' and 'www.google.com' because they match with what you have typed so far. If a website appears in this manner, it means that the web address has been visited at some point. Try using every letter of the alphabet, one after another, and see what sites pop up in the window. You might find some interesting results!

Searches

Whilst you are using this method to see the history of visited websites, you might even be able to find what the user has been searching for on the internet. If you find a web address for a searching site in the history (almost certainly 'Google', but there are others) you might see lots of web addresses all starting with 'www.google.com/' followed by lots of nonsense and gobbledegook. For example...

http://www.google.co.uk/search?q=casino&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7

...does that look familiar? Most of that is an instruction to the Google website on how to go about searching, but can you see the word 'casino' in the middle of it all? Bingo – that's the search term: it is whatever follows 'q=' up to the next '&'. If the search was more than one word, the spaces show up as '+' signs or as '%20', so 'q=online+casino' means the user searched for 'online casino'. (The 'IE-SearchBox' and 'sourceid=ie7' parts tell you that the search was typed into the search box built into IE7, rather than on the Google page itself.) If the user visits Google and searches for 'casino', this is the address that will be generated. Have a look through all those technical Google addresses in the history, and try to pick out the search terms. They will be in the same part as the word 'casino' in the above example. Identifying which search terms have been entered in this way can be very damning for the user, because it indicates a deliberate act to try and find something on the internet.
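Working through the history one letter at a time is slow, and the search terms are buried inside long addresses. The Python script below is an added example for this edition, not part of the original SPY text: given a list of history addresses it counts visits per website, so that a list 'half made up of one kind of site' stands out, and it pulls the search term out of Google, Bing and Yahoo addresses, undoing the '+' and '%20' encoding. The HISTORY list in it is constructed for the example; the table of search engines is an assumption and can be extended with any others you find in the history.

```python
"""Summarise a list of browser history addresses: visits per site, and the
search terms hidden inside search-engine addresses.
Added example for SPY; the HISTORY list below is constructed, not real data."""
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Search engines and the name of the address part that carries the search
# term. Google and Bing use 'q', Yahoo uses 'p'. (Assumption: these cover the
# engines in the history; add others as you come across them.)
SEARCH_ENGINES = [
    ("google.com", "q"),
    ("google.co.uk", "q"),
    ("bing.com", "q"),
    ("search.yahoo.com", "p"),
]

def site_of(url):
    """Lower-case host name minus a leading 'www.', so that www.bbc.co.uk and
    bbc.co.uk count as the same site."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def search_term(url):
    """(engine, term) if the address is a search on a known engine, else None.
    parse_qs undoes the encoding: 'online+poker' and 'online%20poker' both
    come back as 'online poker'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for engine, param in SEARCH_ENGINES:
        if host == engine or host.endswith("." + engine):
            terms = parse_qs(parts.query).get(param)
            if terms and terms[0].strip():
                return site_of(url), terms[0]
    return None

def summarise(urls):
    """Return (Counter of visits per site, list of (engine, term) in history order)."""
    sites = Counter(site_of(u) for u in urls)
    searches = [hit for hit in map(search_term, urls) if hit]
    return sites, searches

# Constructed sample: the sort of list the address-bar trick produces.
HISTORY = [
    "http://www.bbc.co.uk/news/",
    "http://www.google.co.uk/search?q=casino&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7",
    "http://www.thecasino.com/",
    "http://www.thecasino.com/lobby.aspx",
    "http://www.google.co.uk/search?hl=en&q=online+poker+no+deposit&btnG=Search",
    "http://uk.search.yahoo.com/search?p=free%20poker%20download&fr=yfp-t",
    "http://www.bbc.co.uk/weather/",
    "http://www.google.co.uk/",          # just the home page: no search term
]

if __name__ == "__main__":
    sites, searches = summarise(HISTORY)
    for site, n in sites.most_common():
        print("%3d  %s" % (n, site))
    for engine, term in searches:
        print("search on %s: %r" % (engine, term))
```

Run it as a script and it lists the sites most visited first, followed by the three searches in the sample. Paste real addresses into HISTORY, one per line, to do the same for your own machine.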
Temporary Internet Files
By now you should be into the swing of interrogating IE. Remember earlier, when I said that when a webpage is viewed, IE makes a copy of the page and stores it? The Temporary Internet Files area is where it is kept. As with all things computerised, it's not entirely straightforward! A webpage will in fact be made up of a number of individual files. Every little image that appears – even including the logo at the top, and the things that look like buttons for users to click on – will be stored as a separate 'image' file. This means that viewing a single webpage will generate lots of files in the 'Temporary Internet Files' area. You won't be able to just hit a 'playback' button to see what pages are in there, but as with the cookies you can get a feel for the type of sites that have been visited.

One warning before you start: this area has a fixed size, and the oldest files are thrown out as new pages are viewed, so it only ever covers the most recent stretch of browsing. Your own browsing under that account adds files and changes the times you are about to look at, so do your examination before you use the internet yourself. Here's how:
– Open IE – however you usually do this, to access the internet.
– At the top of the screen, there is a 'Tools' menu. It may be in the menu bar near to the top-centre of the screen, or it may be over in the top-right corner, depending on which version of IE you have. Click 'Tools' once.
– This will open a drop-down menu, and at the bottom of this menu is 'Internet Options'. Select this.
– You should now have a small window on the screen, entitled 'Internet Options'. Around halfway down this window is a section named 'Browsing history', within which there are two buttons: 'Delete...' and 'Settings'. Click on 'Settings'.
– Another small window should open, entitled 'Temporary Internet Files and History Settings'. Within this window there are several buttons – one is named 'View files'. Click this.
If you recall, this is the same method you used to find the cookies. The Temporary Internet Files are stored with the cookies, they are just further down the list. You should be looking at a window with a list of files in it. The top ones will mostly be cookies (remember how to spot them? The clue is in the filename!) but further down are the temporary files. There are probably hundreds, and the names of them will be virtually meaningless. Fear not. You need to make sure you are viewing the files in the correct manner, so before you go any further follow these instructions:
Windows Vista: Click the 'Views' button that is near to the top-left of the window. Select 'Details' in the list that appears.
Windows XP: Click the 'View' menu, that should be located in the menu bar at the top of the window. Select 'Details' in the list that appears.

You will now have a list of the temporary internet files, which is divided into several columns. Each row relates to one individual file, with each column displaying different information about that file. Still with me? Good.

The first column will be headed 'Name' – obviously, this is the name of each file. This will tell you very little, as they will have names like '078f5' or 'button2.gif' for example. The second column is headed 'Internet address' – this is a more interesting one, because it tells you the website that generated each individual file. Like cookies, there will be some rogue ones that have snuck in from adverts and the like – however, a dozen or so files originating at 'www.thecasino.com' strongly suggests that the actual website has been visited using IE. Finally, look across the columns until you find one headed 'Last accessed'. Found it? Okay – now this column will display the exact date and time that an individual file was last used by IE. So if you find all those image files that came from www.thecasino.com and you want to know when the site was visited, read along to the 'Last accessed' column and you will find out. This can be vital for finding out exactly who the culprit is! Two words of caution on these times, though. They come from the computer's own clock, so check that it is set correctly before you rely on them. And they record the last use, not the first: visiting the same site again moves the time forward, which is one more reason to do your examination before anyone – including you – uses IE under that account again.

Many of the files can be opened to see what they are, by double-clicking the filename. Doing so generates a system message on your screen, that "Running a system command on this item might be unsafe. Do you wish to continue?". The choice is yours. In 15 years of internet use I have never seen a problem arising from clicking 'Yes' here, but that's not to say it won't ever cause a crash. If you decide to go for it, the computer should open an IE window and show you exactly what the file is. Don't be surprised to find that most of them are tiny logo or button images, though! Bear in mind that the cache holds more than pictures, however: a cached web page opened this way is loaded into IE complete with any script it contains, and a cached program file (.exe) would simply be run. If a file looks like anything other than an image or a page, leave it alone and rely on the 'Internet address' and 'Last accessed' columns instead.

Passwords and Form Data
Before we move on from IE, I must mention 'passwords' and 'form data'. I need to put a very brief disclaimer-type thing here, too: this section of SPY might lead to you having an opportunity to log into a website by using the saved login details of the user you are investigating. Be aware that in doing so, you will almost certainly be breaking the law – you might have full authority to look wherever you like on your computer, but logging into a website is essentially entering someone else's computer. It is not my intention that you do this, and in fact I ask that you do not. SPY will provide you with plenty of ways to investigate how your internet connection is used without getting into trouble. Okay, that's the serious stuff out of the way!

As you probably know, many websites require users to register, and then log in each time they visit. eBay is one example of this type of site – you register an 'account' with a 'username', and then each time you visit the site will ask for your 'username' and 'password' before allowing you access to the members' part of the site. Sound familiar? Because IE is such a helpful old thing, it can be set to remember things like usernames and passwords (this is its 'AutoComplete' feature), to save users having to type them in each time they visit a website. You can use IE to get a peek at some of this information. Here's how:
– Open IE
– Use a search engine (such as Google) to find a number of sites of the type you are interested in checking – try searching for gambling or dating, for example.
– From the search results, click on each of the sites in turn. The top ten results are usually the most popular and widely used examples.
– When you get to the front page of each site, look for a way to log in. Some will have a button that is actually called 'Log in' or 'Sign in', and some will actually have two boxes already there to type in a username and a password. If these boxes aren't there, try clicking the 'Log in' button, and it will probably take you to some boxes like this.
– Look if there is anything in the 'username' box already. If it has been filled in already – bingo! That means that IE has some 'form data' stored, and you are looking at the registered username of whoever has used your computer to log into that site. (On some sites IE instead offers the stored username in a small drop-down list when you click in the empty box, so try clicking in it before moving on.)
I must stress here that you now have all the information you should be getting. You might see that the 'password' box is also filled in automatically, allowing you to log into the site. Please don't. The fact is, you have enough information to show that somebody has been logging into the site from your computer. If you need to try and narrow down the culprit, why not try looking back at the Temporary Internet Files again, to see if there are any time/date details for files originating from that site?

Two caveats. IE only remembers form data if AutoComplete is switched on and the user answered 'Yes' when IE offered to remember the details, so an empty box does not prove that nobody has logged in. You can see whether the feature is even active under Tools > Internet Options > Content tab > AutoComplete > Settings: if 'User names and passwords on forms' is unticked, this method will find nothing, however much the site has been used. And if several people share the same Windows account, a remembered username tells you which account was used, not who was sitting at the keyboard.
That's the end of Chapter 3: Interrogating the Web Browser. I hope it has been useful – however, there is a lot more to your computer than just IE. It is a very simple task to delete all of the data that I have shown you how to access. If somebody IS up to no good, they might think that by deleting this stuff they cannot be caught out... Whether or not you have come across anything unusual so far, I recommend that you read on and try out the rest of the techniques in SPY.
4 – Forensically Examining Your Hard Drive
Introduction

I'll try to explain this part of SPY in a way that anyone can understand. There are a couple of pages of boring 'how-to' kinda stuff. Please stick with it, I promise that the detective work will begin again after that!

I will start by answering the question "What is a hard drive?". The hard drive is a piece of equipment inside your computer on which everything is stored. Also referred to as the 'hard disk' or the 'HDD', it contains absolutely everything that is on your computer. Your pictures, your music, your emails, your homework, all the programs, even Windows itself – they are all on the hard drive. Everything on the hard drive is stored in the form of files. A file can be an image, a song, a video, a program, a document – there are countless different types of files. All files are stored in folders. A folder can also contain other folders, which themselves might contain files. This might sound as though it is getting complicated – just remember: all data is in the form of files, and all files are stored in folders. Imagine the hard drive as being one big folder. Within it there will be a number of other folders, each of which will also contain folders... a bit like Russian dolls, if you like.

Imagine a file – a photograph of you, for example. The file is called 'photo_of_me'. It might be stored in a folder called 'Me'. The 'Me' folder might be stored in a folder called 'Pictures', and the 'Pictures' folder might be stored in a folder called 'Media'. The 'Media' folder might be stored in the main hard drive, usually called 'C:'. If I were to type a line of text to indicate where you find the picture, I would put...

C:\Media\Pictures\Me\photo_of_me

... and this is the standard way for file locations to be written: each backslash means 'inside'.
In order to follow the guides in this chapter, you'll need to be able to 'navigate' around the folders on your hard drive. On your desktop there might be an icon called 'Computer' or 'My Computer'. If it isn't on the desktop, it might be in the Start menu. Find it and double-click it. What you should have on the screen is an explorer window – the same as when you went to look at cookies, remember? Now the layout of explorer windows differs from one computer to the next, but the principles are all the same. Somewhere in that window will be an icon that has the label 'C:' with it. There may be other text in the label, or in some rare cases it might be a different letter – but this is the icon for your main hard drive. Just imagine that it is one big folder.

In an explorer window, you can go 'in' to a folder by double-clicking it, and you can come 'out' of the folder by either clicking the 'back' button at the top left of the screen, or clicking the 'level up' icon around the top middle. This looks like a curly green arrow. Try double-clicking the 'C:' icon. It should take you 'in' to the 'C:' folder, where there will be a number of other folders. The icon for a folder is a yellow rectangular document file. Any other icons indicate a file and not a folder. Now try double-clicking one of these folders, to go 'in' to it. Done? Now try coming back 'out', with the 'back' button or the 'level up' button. You should now be looking again at the list of folders within 'C:'. Practise going into and out of different folders until you get your head around the way they are structured. You might find empty folders, you might find folders that just contain one or two files, or you might find folders that contain a string of other folders as you go further and further in. You can't break the computer by going in and out of folders, so keep playing.
Okay, you should now have a basic idea of how to navigate the file system of your hard drive. If you're new to computers that probably sounds rather nerdy... before you read this book would you have expected to be 'navigating file systems' after a few pages?! Well that's exactly what you've been doing. So now that you're a whizz, let's start the examination!

Deleted Files

Let's begin by having a look at what items have been deleted by the user. In order to prevent accidental loss of data, Windows operates a 'Recycle Bin' system. This means that when a file is deleted, it is not actually wiped from the hard drive but moved into a special folder called the Recycle Bin. Only after it has been subsequently deleted from the Recycle Bin does the file actually disappear from view. (Even this does not render the file lost forever, though – see the section on File Deletion Software below for more information.)

Be aware that not every deletion goes through the Recycle Bin. A file deleted with the Shift key held down, deleted by a program rather than by the user in an explorer window, deleted from a memory stick or a network drive, or too big for the space set aside for the bin, is removed from view straight away. The Recycle Bin also keeps a separate set of contents for each user account, so you will only see what was deleted under the account you are logged in as.

So, want to know what's in the Recycle Bin? Here's how:
– Look on the desktop for the Recycle Bin icon. It looks cunningly like a waste paper bin... double-click to open it.
– If you cannot see the icon, it may have been moved or hidden. Open the 'My Computer' icon, as described in the introduction to this chapter. This window should have a column of folders and files over to the left-hand side. Scroll down this column until you find the Recycle Bin, and open it.
– Once you have opened the Recycle Bin, you will be presented with a window showing you the contents. It may well be empty, but if not you'll want to change the view.
  Windows Vista: Click the 'Views' button that is near to the top-left of the window. Select 'Details' in the list that appears.
  Windows XP: Click the 'View' menu, that should be located in the menu bar at the top of the window. Select 'Details' in the list that appears.

What you now have is a view of all the files that have been deleted, but not yet removed from the Recycle Bin. The first column will tell you the name of the file, the second column will tell you the location from where it was deleted – remember how to interpret this location, in terms of which folders it was in? There should also be a column to tell you the date and time that the file was deleted. See anything interesting? Here's how to take a closer look:

– Take a written note of the original location – the list of folders in which it came from – and of the date it was deleted.
– Double-click the filename
– You should see a small grey window pop up, containing some information about that file. There is a button marked 'Restore'. Click this.
– The file will vanish from the Recycle Bin, and be placed back in its original location. Because you noted this location before restoring it, you can now navigate to the file using the methods you have learnt. When you find the file, you can double-click it to open it, and see exactly what it is. Remember – if you do this, you should delete the file again afterwards. If you leave it where you put it, the user may realise that it has been restored! Deleting it again gives it a fresh 'date deleted' (which is why you noted the original), and opening a file can update its own timestamps, so somebody looking closely could still tell it has been touched. Often the name, original location and deletion date shown in that small grey window tell you enough without restoring the file at all.
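Restoring a file just to look at it leaves traces of its own. On Windows Vista you can read the Recycle Bin's records directly instead: each deleted file is kept in the hidden folder C:\$Recycle.Bin\<a long identifier for the user> as a pair of files, $I... (a small 544-byte record holding the original path, the original size and the time of deletion) and $R... (the contents, which you can copy elsewhere and open without restoring anything). The Python script below is an added example for this edition, not part of the original SPY text. It decodes a $I record; the record it decodes is constructed in the script so it runs anywhere, and list_recycle_bin() applies the same decoding to a real folder (you will need to be logged in as an administrator and to type the path, since the folder is hidden). It assumes the Vista/Windows 7 record layout; Windows XP keeps a different 'INFO2' file, which this script does not read.

```python
"""Decode Windows Vista Recycle Bin ($I) records without restoring anything.
Added example for SPY. Assumes the Vista/7 record layout: 8-byte version (1),
8-byte original size, 8-byte FILETIME of deletion, then the original path as
UTF-16 in a 520-byte field. The sample record is constructed here."""
import os
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100 ns ticks from here
PATH_BYTES = 520                                             # 260 UTF-16 code units
RECORD_SIZE = 24 + PATH_BYTES                                # 544 bytes

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds
    return micros * 10

def parse_i_record(data):
    """One $I file -> dict of original path, original size, deletion time (UTC)."""
    if len(data) < RECORD_SIZE:
        raise ValueError("record too short: %d bytes" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unexpected $I version %d (Vista and 7 use 1)" % version)
    path = data[24:24 + PATH_BYTES].decode("utf-16-le").split("\x00", 1)[0]
    return {"path": path, "size": size, "deleted": filetime_to_datetime(ft)}

def make_i_record(path, size, deleted):
    """Build a $I record; used here only to construct sample data for the demo."""
    encoded = path.encode("utf-16-le").ljust(PATH_BYTES, b"\x00")[:PATH_BYTES]
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + encoded

def list_recycle_bin(folder):
    """Read every $I record in a C:\\$Recycle.Bin\\<SID> folder on a real machine;
    each result also names the $R file that holds the deleted file's contents."""
    found = []
    for name in sorted(os.listdir(folder)):
        if name.startswith("$I"):
            with open(os.path.join(folder, name), "rb") as fh:
                record = parse_i_record(fh.read())
            record["contents_file"] = os.path.join(folder, "$R" + name[2:])
            found.append(record)
    return found

# Constructed sample record (hypothetical path and time, not real data).
SAMPLE_DELETED = datetime(2008, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = make_i_record(r"C:\Users\John\Downloads\poker_setup.exe", 2457600, SAMPLE_DELETED)

if __name__ == "__main__":
    rec = parse_i_record(SAMPLE_RECORD)
    print("%s  %d bytes  deleted %s" % (rec["path"], rec["size"], rec["deleted"]))
```

The deletion time comes out in UTC; Windows shows it in the computer's local time zone, so allow for the difference when comparing with what the Recycle Bin window displays.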
As mentioned above, there is a lot more to deleted files than just the Recycle Bin. I will explain in more detail later in this chapter.

Common Files

If you like, you can navigate around your hard drive all day long, looking in folder after folder to see what you can find. However, you will realise that there are thousands and thousands of files, most of which will have no interest for you whatsoever. Instead, I will show you how to use Windows to search through the entire hard drive and show you particular types of files. For this section, you need to understand that there are many different types of files – for example, there are picture files, music files, video files, text files – the list goes on. In terms of what you are actually searching for on your hard drive, you're likely to be interested in just a few of these.
A file tells the computer what type of file it is by the letters at the end of its name, after a full stop – usually three of them, sometimes four. This is called the file's 'extension'. For example, the picture file we talked about called 'photo_of_me' – remember? – will actually be called something like 'photo_of_me.jpg', where the '.jpg' is a code to tell the computer what kind of file it is. Windows normally hides these codes from you: if you see 'photo_of_me' rather than 'photo_of_me.jpg' in an explorer window, open 'Folder Options' (under the 'Tools' menu in Windows XP, or under the 'Organize' button in Windows Vista), go to the 'View' tab and untick 'Hide extensions for known file types'. It might be worth re-reading that paragraph until you understand, or you might get lost!

Okay – what you are going to do next is use these codes to search through all of the files on your hard drive. Here's how:

Windows Vista:
– Open My Computer
– In the top-right hand corner of the window, you will see a box with the word 'Search' in grey letters in it. Click in this box, and type '*.jpg' (without the inverted commas). You should see the contents of the main window change, and what you are left with after a few seconds is a list of every 'jpg' type file on the hard drive. A 'jpg' is a type of file associated with pictures – this might be a good search to try if you suspect somebody has been downloading pictures of a sort that they shouldn't!
– Try changing the 'View' of the files (View button or View menu) to 'Thumbnails' or 'Large Icons'. This will allow you to see what every picture is actually of, so you can scroll through quickly to identify any rogue images.

Windows XP:
– Click 'Start'
– Select 'Search'
– In the window that appears, click on the words 'All files and folders'
– You should be presented with some text boxes to type searches in. In the top box, labelled 'All or part of the file name', type '*.jpg' (without the inverted commas), and click 'Search'. You should see the contents of the main window change, and what you are left with after a few seconds is a list of every 'jpg' type file on the hard drive. A 'jpg' is a type of file associated with pictures – this might be a good search to try if you suspect somebody has been downloading pictures of a sort that they shouldn't!
– Try changing the 'View' of the files (View button or View menu) to 'Thumbnails' or 'Large Icons'. This will allow you to see what every picture is actually of, so you can scroll through quickly to identify any rogue images.
Okay, you have just successfully interrogated the hard drive to find all of the jpg files that are on it. There are lots of different types of files to look for, however – try substituting the characters 'jpg' in the above instructions with some of the codes below, to find the relevant type of file:
– bmp = picture files
– gif = picture files
– mp3 = sound / music files
– ogg = sound / music files
– wav = sound / music files
– mov = movie files
– mp4 = movie files
– mpg = movie files
– doc = text documents
– txt = text documents
– exe = program files (casino and poker games need one of these)
There are many, many more file types, but these are some common ones that might ring alarm bells for you. Just a note on finding files on a hard drive – there are programs available that will literally 'lock away' files, keeping them hidden until a certain action is taken and a password entered. Try clicking 'Start' and looking at the names of any programs that feature in that menu. Look out for ones with names like 'File Vault', 'Data Safe', 'Folder Locker' etc. – such programs are likely to be designed to hide and secure files. Without hacking and stealing passwords, you won't be able to bypass these – but the very fact that these programs exist might be cause for concern, and reason to confront the user.
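Here is an added Python example (it is not part of SPY, and not code from the author) that does the same job as the '*.jpg' search above for several of the codes at once, and adds a check the chapter does not mention: the code at the end of the name is only a label, and anyone can rename 'game.exe' to 'holiday.jpg'. So the script also reads the first few bytes of each file, which genuine files of each type always begin with, and reports any file whose contents do not match its code. The folder it scans is a constructed sample built in a temporary directory; the function and file names (inventory, build_sample_tree, 'wallpaper.jpg' and so on) are my own choices for the example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Magic-number signatures (first bytes) for some of the types the chapter lists.
# The extension in the name is only a label and can be changed freely; these
# bytes are what a forensic tool actually checks to decide what a file is.
# (mp3 is shown with the ID3 tag header; untagged MP3s start differently.)
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
    "mp3": b"ID3",
    "exe": b"MZ",
}


def detect_type(header: bytes) -> Optional[str]:
    """Return the type implied by a file's first bytes, or None if not in the table."""
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def inventory(root, extensions=("jpg", "png", "gif", "bmp", "mp3", "exe")):
    """Walk `root` like the '*.jpg' search in the text, but for several codes
    at once. Returns (counts per extension, mismatches); a mismatch is a file
    whose first bytes do not match the type its extension claims."""
    counts = Counter()
    mismatches = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower().lstrip(".")
        if ext not in extensions:
            continue
        counts[ext] += 1
        with open(path, "rb") as fh:
            header = fh.read(16)
        actual = detect_type(header)
        if actual != ext:
            mismatches.append((str(path.relative_to(root)), ext, actual))
    return counts, mismatches


def build_sample_tree() -> str:
    """Constructed sample folder (not real data): two files with genuine JPEG
    headers, one program renamed to look like a picture, and a text file
    that the search ignores."""
    root = tempfile.mkdtemp(prefix="spy_demo_")
    pics = Path(root, "pics")
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(SIGNATURES["jpg"] + b"\x00" * 32)
    (pics / "photo_of_me.jpg").write_bytes(SIGNATURES["jpg"] + b"\x00" * 32)
    (pics / "wallpaper.jpg").write_bytes(SIGNATURES["exe"] + b"\x90" * 64)
    Path(root, "notes.txt").write_bytes(b"homework")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    counts, bad = inventory(sample)
    print(dict(counts))                       # {'jpg': 3}
    for rel, ext, actual in bad:
        print(f"{rel}: named .{ext} but contents look like {actual}")
```

Point inventory() at a real folder such as the user's profile to run it for real. The signature table only covers a handful of types, so a file matching none of them is reported with None rather than guessed at; treat that as 'look closer', not as proof of anything.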
Is Anything Really Deleted?
To help you fully understand this section of SPY, I'll have to explain a little bit more about what happens when a file is deleted. Imagine your hard drive as a room full of little boxes. When the hard drive is blank, all of the boxes are empty. As files are written to the hard drive, they are placed in these little boxes – and whenever a file is placed in a box, a label is stuck to the lid to tell you what is inside. The label also tells the computer that the box is in use, and so if it needs somewhere to put another file then it must go and find another box. When you look at the contents of the hard drive using Windows, you aren't actually looking in all the boxes – you are just looking at all the labels, to see how much of your hard drive has stuff on it. Still with me? Now, when a file is deleted, you'd be forgiven for thinking that the file is removed from the box and thrown away. Wrong! All that happens when you use Windows to delete a file is that the label is removed from the box. (Even when the file is emptied from the Recycle Bin so that there is no visible trace of it.) The file itself stays in the box, with no label attached. It will stay there until the computer comes along with a new file and decides to re-use that box – only then will the old file be thrown away. What's more, if the new file fits in the box on top of the old file with room to spare, then the part of the old file it didn't cover will still remain in there! The computer doesn't know it's there because the label makes no mention of it, and you don't know it's there because when you scan all the labels you get a negative result. Now you should understand why people say that it's impossible to delete things from computers! It isn't actually impossible at all, but if the user only uses the Windows delete command to get rid of files then the chances are that they aren't getting rid of anything.
When you think that there are millions of boxes on your hard drive, many of them empty, there is a good chance that even when you tear the label off a box by pressing 'delete', the contents of that box will remain intact for a long, long time. What does this mean for you? Well, it means you have to know about two types of program that are available – File Deletion Software, and File Recovery Software.
File Deletion Software:
Does what it says on the tin. These programs are available on the internet to download. Some are free, some are not, some work better than others. Basically, what a good file deletion program will do is, instead of just tearing the label off those boxes, actually open each one, throw away what was inside, and then fill the box right to the top with rubbish. This of course means that whatever was in the box when you deleted it is well and truly gone. Most file deletion programs also include a function to 'wipe free hard drive space'. That's right, I bet you've worked it out already – that function will search through all those unlabelled boxes, empty them, and fill them with rubbish. This will eradicate leftover bits of files that may have been lingering in those unlabelled boxes for years. The only interest you should have in file deletion software is to see if the computer has any installed. If it does, you might want to know why. If it is a work computer that stores important, valuable or sensitive data then the presence of file deletion software is to be expected. If, however, this is your teenage son's laptop that he uses for homework then he might have a question or two to answer! So, find out if there are any of these programs installed. Here's how:
– Open My Computer
– Navigate to a folder containing files; any old file will do.
– Right-click any file, to bring up a small grey menu box.
That menu will include a number of selections, such as 'Open', 'Open with', 'Rename' and so on. It will also have a 'Delete'. Look carefully to see if there is any unusual 'Delete' selection, such as 'Delete with Megawipe' or 'Erase with Nukefile' or some such thing. Most file deletion programs build an option like this into those little menus, to allow a user to delete a file with that program quickly and easily. If you see an option like this, you've found some file deletion software.
File Recovery Software:
I'm pretty sure you're ahead of me on this one... again, file recovery programs are available to download online. Most of them are not free, although lots will offer some sort of trial period. What these guys do is search through all of the boxes without labels, just to see what's inside. They'll tell you the details of what they found, and then if you ask them to they will go and stick a label back on the boxes you were interested in, so that your computer can go inside and retrieve the file for you. Most of the programs I have tried allow you to search the deleted boxes for free, and they will tell you what's in there – but then they will want you to pay for a licence to actually recover the files for you. They work in a similar way to the Windows search tool that you used earlier (remember searching for '*.jpg'?) but as well as listing the files that Windows finds on your hard drive, they list the ones that have been left lying around in those unlabelled boxes. If you're a confident user, try a Google search for 'free file recovery program', and experiment with a couple of those that are available. If you don't want to pay for their use, you could still take advantage of the free part of the program that will at least tell you what has been deleted.
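To make the 'boxes and labels' explanation concrete, here is an added Python model (not from SPY or its author, and far simpler than a real Windows file system) with sixteen-byte boxes and a directory of labels. It walks through the scenario described above: a plain delete leaves the contents recoverable by scanning the unlabelled boxes, a smaller new file written into the same box leaves the tail of the old one behind, wiping free space destroys the leftovers, and a secure delete overwrites before removing the label. The class name, box size, box count and the 'bank details' file contents are all constructed values for the example.

```python
import os

BLOCK_SIZE = 16  # bytes per 'box' (real disks use 512-byte sectors or 4 KiB clusters)


class ToyDisk:
    """Simplified model of the chapter's 'boxes and labels': fixed-size blocks hold
    data, and a directory (the labels) maps file names to block numbers."""

    def __init__(self, n_blocks: int):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}  # file name -> list of block numbers

    def _free_blocks(self):
        """Boxes with no label on them, lowest number first."""
        in_use = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in in_use]

    def write(self, name: str, data: bytes):
        """Store data in as many free boxes as needed and label them."""
        self.directory.pop(name, None)
        free = self._free_blocks()
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(free):
            raise OSError("disk full")
        used = []
        for chunk, blk in zip(chunks, free):
            # Only the bytes actually written are replaced; whatever an old file
            # left in the rest of the box survives (the 'fits on top' case).
            self.blocks[blk][:len(chunk)] = chunk
            used.append(blk)
        self.directory[name] = used

    def read(self, name: str) -> bytes:
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name])

    def delete(self, name: str):
        """What a plain Windows delete does: remove the label, keep the contents."""
        del self.directory[name]

    def secure_delete(self, name: str):
        """What file deletion software does: fill the boxes with rubbish, then unlabel."""
        for blk in self.directory[name]:
            self.blocks[blk][:] = os.urandom(BLOCK_SIZE)
        del self.directory[name]

    def wipe_free_space(self):
        """The 'wipe free hard drive space' function: fill every unlabelled box."""
        for blk in self._free_blocks():
            self.blocks[blk][:] = os.urandom(BLOCK_SIZE)

    def carve(self, needle: bytes):
        """What file recovery software does: look inside unlabelled boxes for content."""
        return [blk for blk in self._free_blocks() if needle in bytes(self.blocks[blk])]


def demo() -> dict:
    """Run the chapter's scenario and report what is recoverable at each step."""
    disk = ToyDisk(8)
    disk.write("secret.txt", b"PRIVATE: bank details 1234")  # constructed content, 2 boxes
    disk.delete("secret.txt")
    results = {"recoverable_after_delete": disk.carve(b"PRIVATE") == [0]}
    disk.write("note.txt", b"hi")  # a 2-byte file re-uses box 0 but overwrites only 2 bytes
    results["old_bytes_survive_under_new_file"] = b"bank de" in bytes(disk.blocks[0])
    results["second_box_still_readable"] = disk.carve(b"1234") == [1]
    disk.wipe_free_space()
    results["recoverable_after_free_space_wipe"] = disk.carve(b"1234") != []
    disk.secure_delete("note.txt")
    results["anything_left"] = any(
        b"PRIVATE" in bytes(b) or b"bank" in bytes(b) or b"1234" in bytes(b)
        for b in disk.blocks
    )
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The model deliberately mirrors the text's three tools: carve() is the free part of a recovery program, secure_delete() is the 'Delete with Megawipe' style menu option, and wipe_free_space() is the function that cleans up boxes whose labels were torn off long ago.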
And so we come to the end of Chapter 4: Forensically Examining Your Hard Drive. Everything that is on your computer is stored on the hard drive, and with the information you now have you should technically be able to find everything. As you will have seen, however, the file system on a normal Windows machine can be an absolute labyrinth of folders, subfolders and shortcuts. Take the time to explore a little – you won't break anything by simply looking at it!
Chapter 5 – Filesharing
Introduction
Filesharing is very aptly named. People have files on their hard drives, and they want to share them with other users. Everybody connects to the same filesharing network, and looks around to see what files other people have to share. If a user sees one they want, they download a copy of it. Simple. There are, of course, problems! Firstly, most files that people want to share have some copyright attached. The latest U2 album, a new Hollywood movie – it's illegal to copy them, it's illegal to share them. As with most things on the internet though, illegality doesn't stop anyone! Secondly, because of the anonymous nature of filesharing, it is the method of choice for people who want to distribute illegal material – and sadly, it doesn't stop at pirated music. Paedophiles use filesharing as a means of obtaining and distributing child pornography, and because the whole domain isn't policed in any way, this stuff is very easy to stumble across. If your teenage son uses a filesharing program to search the network for a movie, he is very likely to be confronted with a list of search results that include the worst kind of material imaginable. Even if he ignores the horrific files that are available and just downloads a file that claims to be a Hollywood blockbuster, there is nothing to say that it won't be pornography in disguise. Remember, the pirated blockbuster is illegal in the first place, so nobody is going to complain to Watchdog that their rip-off version of Toy Story happened to be an hour-long video of child abuse, are they? Even if the download doesn't include porn, there's a very good chance it will contain viruses – and lots of them. I recently cleaned up a friend's computer that kept freezing up. I discovered that his teenage son had been using a filesharing program to get pirated music. There was a little bit of porn, but most astonishing was a virus I discovered. It had taken control of the network connection, had downloaded 3,500 (yes, that's three thousand five hundred) DVD films onto his hard drive, and was acting as a hub for thousands of users all over the world to download the films. If anyone ever looks at the activity, it will appear to them that my friend has been distributing pirated movies on a massive scale, 24 hours a day. All because his son – who didn't even realise he was taking a risk – wanted to get some Blink 182 tracks for free! These are the dangers of filesharing – be aware of them. Filesharing – also known as 'P2P' or 'peer to peer' networking – does have some legitimate uses. Having said that, the people who have those legitimate uses for it are invariably experienced and knowledgeable computer professionals. It is your call, but I urge you not to allow your kids or your employees to use this software!
Finding filesharing software
Okay, the first thing to do is to find out if the computer even has a filesharing program on it. There's no simple way to search for such a program, but with your skills at navigating the hard drive (remember Chapter 4?) we'll suss it out in no time. There are lots of different programs that allow access to P2P networks. Some that I can think of right now include 'Limewire', 'Frostwire', and 'Bearshare'. It's a little clumsy, but here is the most straightforward way to find them on your PC:
– Conduct a Google search for 'P2P filesharing program client'
– Scroll through the results, and make notes of any words you see that seem to be the name of a program. I have just done this now and come across 'WinMX', 'SoulSeek', and 'Shareaza' as well as the three I have already named.
– Open My Computer
– Search the hard drive for each of the words you have noted. (If you can't remember how to search, refer back to the 'Common Files' section of Chapter 4.)
If your search results include any folders with the same name as one of those filesharing programs, then you can be pretty sure that the program is installed on your computer. Make a note of the location of these folders – they will probably be in the 'Program Files' folder on your C:\ hard drive.
Locating Shared Files
Okay, so it's bad news – you've found a P2P program on the computer. Don't panic just yet – remember, there are some legitimate uses for the software. Let's have a look at what files are being shared by this program, and then we will find out if there is any danger.
– Open My Computer
– Navigate to the filesharing program's folder – the one you should have noted above.
– Within that folder, look for another folder called 'Shared', 'Saved', 'Stored', 'Incomplete' etc. If you see any of these, open them and see what is inside.
These folders are where the P2P program will save its downloads by default. It can be set up to save them elsewhere, and if you want to go digging around then feel free – but 99% of the time the files will be here. You can also try:
– In the 'Start' menu, find and open 'My Documents'.
– Within the My Documents folder, there may be a folder which includes the name of the P2P program.
– Explore within this folder if present, as some P2P programs store their downloads here instead.
If you find any downloaded files in any of these folders that appear to be music, movies, or computer programs then you should worry a little. Files that are downloaded from P2P are often virus laden, and inexperienced users will not be able to see the danger signs. My advice is to confront the person using the software to see what they know about what they are downloading – and perhaps get them to shell out for some good antivirus software!
Chapter 6 – What Next?
Right, you've done your detective work and you've found evidence of computer misuse... what should you do next? Well obviously that depends on what you've found, the circumstances, the culprits etc. I hope that you haven't come across anything too disturbing. Firstly, remember that what you have found is evidence that the computer has been involved in internet misuse, and maybe some evidence of exactly when it was involved – you'll have to do some digging of your own to find out who was responsible. Don't assume anything! I would suggest that before taking any drastic action (sacking staff, divorcing your husband, having the kids arrested, etc.) you take the computer to a local computer expert and have your suspicions confirmed. SPY is a good guide, but there is a chance you have misinterpreted what you have found. And if you want to stop anybody else using these SPY techniques on your computer in the future – maybe after you sell it, or throw it away – there is a very simple procedure that will stop them in their tracks. It is a security measure that even SPY cannot get around, and guarantees your privacy. Here's how:
– Fit a 6mm heavy-duty drill bit to a Black & Decker hammer drill
– Drill 12 holes directly through the hard drive
– Throw the remains onto a blazing fire
– Bury the ashes.
Copyright & Disclaimer Information
Okay, here's the boring bit that you probably won't even read: SPY is a work by Mark Laing. The copyright for SPY belongs to Mark Laing. By purchasing SPY you have the right to keep the one copy with which you have been supplied. You have the right to make a physical printout of the book for your own use. You do not have the right to copy the book. You do not have the right to resell the book. You do not have the right to distribute the book. You do not have the right to make the book, or any part of the book, available for public viewing – this includes the internet. The methods and instructions in SPY are based on the author's own knowledge and experience. The author accepts no responsibility for damage caused by the use of these techniques. Your own country will have laws governing the use and access of data and computers. It is your responsibility to abide by these laws. The author accepts no responsibility for any breach of law that arises from the following of SPY techniques.