PC Forensics

Welcome to the Website of

Ferry van Eeuwen





Computer Forensics

Although this subject has nothing to do with malicious attacks from the bad, bad outside world on our computer(s) it might be of interest also to you as even a stand alone machine can be looked upon as a source of  security risks in itself. Security risks in the sense that Windows uses a large portion of the computer's hard disk as a 'scratch pad' for all kind of (sensitive) data. A scratch pad of often enormous size. Sensitive data could be credit card and telephone/fax numbers, data base entries, certain word processing documents and files, internet browsing activities and other material which could be marked as 'for your eyes only'. Another source for prying eyes could be the file slack in most files which still may contain remnants of old data. Also the way in which files are deleted on hard disks gives outsiders nice opportunities to read data in the same 'deleted' files. If you have ever unerased files you probably have noted that the first character is replaced by a question mark, indicating that the file's name has been removed from the FAT. Replacing the question mark by the original character the FAT will show the file as nothing has happened. As the question mark 'frees' the file's data it could be that all data or parts of it has been used by newly entered data, programs etc. The conclusion is that a really vast amount of old and not so old data is embedded somewhere on your hard disk, ready to be explored by the knowing. So adding all things up it might be worthwhile to have a closer looks at things.


Windows Swap Files

Microsoft Windows-based computer operating systems utilize a special file as a 'scratch pad' to write data when additional random access memory is needed. In Windows, Windows 95 and Windows 98, these are called Windows Swap Files. In Windows NT and Windows 2000 and Windows XP they are called Windows Page Files but they have essentially the same characteristics as Windows Swap Files. Swap files are potentially huge and most computer users are unaware of their existence. The size of these files can range from 20 million bytes to over 200 million bytes and the potential exists for these huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity, database entries and almost any other work that may have occurred during past Windows work sessions. My present swap file named Win386.swp for instance is over 180 million bytes in size! The file resides in my Windows root directory. Have a look for yourself. This situation may create a significant security problem because the potential exists for data to be transparently stored within the Windows Swap File without the knowledge of the computer user. This can occur even if the work product was stored on a computer network server. The result is a significant computer security weakness that can be of benefit to the computer forensics specialist. Windows Swap Files can actually provide the computer forensics specialist with investigative leads that might not otherwise be discovered.

Windows Swap Files are relied upon by Windows, Windows 95, and Windows 98 to create "virtual memory"; i.e., using a portion of the hard disk drive for memory operations. The storage area is important to the computer forensics specialist for the same reason that file slack and unallocated space are important, i.e., large volumes of data exist for which the computer user likely has no knowledge. Windows Swap Files can be temporary or permanent, depending on the version of Windows involved and settings selected by the computer user. Permanent swap files are of more interest to a computer forensics specialist because they normally store larger amounts of information for much longer periods of time.

Windows Swap Files may contain data from which it is easy to identify credit card numbers, phone numbers, passwords and fragments of English language grammar stored in Windows Swap Files and other ambient data storage areas.

The permanent swap file in Windows 3.1 and some later versions is called 386SPART.PAR and it typically has a system attribute which makes it invisible to standard DOS or Windows programs. The file usually can be found in the root directory of the drive designated in the Virtual Memory dialog box. Another place to look is in the Windows subdirectory or the Windows\System subdirectory.

The permanent swap file in Windows 95 and Windows 98 is called WIN386.SWP. It is also usually located in the root directory of the drive designated in the Virtual Memory dialog box. A permanent swap file will not be found on most computers running Windows 95 or Windows 98. In Windows 95 and Windows 98, the default is usually set for the swap file to be dynamic and it shrinks and expands as necessary. When a dynamic swap file is involved, its file size is reduced to zero and the file's content is released to unallocated space. Thus, the contents of the dynamic swap file must be analysed along with the other data stored in this space. This requires the use of specialized computer forensics software tools  to capture the data stored in the unallocated space which is normally associated with previously 'deleted' files. 

Permanent swap files can be viewed like any other file with software utilities like Norton Commander and/or DiskEdit. The problem is that swap files can be very large - 10 to 200MB - and they contain mostly binary information which is not readable. Looking for leads in the swap file by viewing it with normal utilities can be tedious and most likely unfruitful because the volume of data involved. Therefore, more productive specialized tools are used nowadays in order to unravel the contents of the swap files. Such tools can save significant amounts of time in identifying  all sorts of leads from the contents of the Windows Swap File. Also, strings of text stored in the Windows Swap File can be located more easily.


File Slack Defined

Files are created in varying lengths depending on their contents. DOS, Windows and Windows NT-based computers store files in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack". Cluster sizes vary in length depending on the operating system involved and, in the case of Windows 95, the size of the logical partition involved. Larger cluster sizes mean more file slack and also the waste of storage space when Windows 95 systems are involved. However, this computer security weakness creates benefits for the computer forensics investigator because file slack is a significant source of evidence and leads.

File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512 byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM Slack because it comes from the memory of the computer. RAM Slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. It is called drive slack and it is stored in the remaining sectors which might be needed by the operating system to derive the size needed to create the last cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is padded with what was stored on the storage device before. Such data could contain remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. Let's say that a file is created by writing the word "Hello" to a file. Assuming that this is the only data written in the file and assuming a two sector cluster size for the file, the data stored to disk and written in file slack could be represented as following:


RAM Slack is indicated by "+"

Drive Slack is indicated by "-"

File Slack is created at the time a file is saved to disk. When a file is deleted under DOS, Windows, Windows 95, Windows 98 and Windows NT, the data associated with RAM slack and drive slack remains in the cluster that was previously assigned to the end of the 'deleted' file. The clusters which made up the 'deleted' file are released by the operating system and they remain on the disk in the form of unallocated storage space until the space is overwritten with data from a new file.

On large hard disk drives, file slack can involve as much as 700 megabytes of data! Fragments of prior E-Mail messages and word processing documents can be found in file slack. From a computer forensic standpoint, file slack is very important as both a source of computer evidence and security risks.


Unallocated File Space

When files are 'deleted' in DOS, Windows, Windows 95 and Windows 98, the data associated with the file is not actually eliminated. It is simply reassigned to unallocated storage space where it may eventually be overwritten by the creation of new files over time. Such data can provide the computer forensics investigator with valuable leads and evidence. However, the same data can create a significant security risk when sensitive data has been erased using DOS, Windows, Windows 95 and Windows 98 file deletion procedures and commands.

Unallocated file space as outlined, potentially contains intact files, remnants of files and subdirectories and temporary files which were transparently created and deleted by computer applications and also the operating system. All of such files and data fragments can be sources of computer evidence and also security leakage of sensitive data and information. 

Forensic software is used to capture all of the unallocated file space on DOS, Windows, Windows 95 and Windows 98 based computer systems. Such programs can be used to identify leads and evidence. Filters can be tuned to certain specific needs such as locating credit card numbers, telephone numbers, e-mail addresses and so on. 


Text Search

Text Search Software is  widely used by classified government agencies and corporations that support these agencies. The software is also used by hundreds of law enforcement agencies throughout the world in computer crime investigations. Text Search  Software is used to quickly search hard disk drives, zip disks and floppy diskettes for key words or specific patterns of text, often run in a pure DOS environment for maximum speed.  It can search for words or strings of text in data stored in files, slack and unallocated file space.  It will usually operate at either a logical or physical level at the option of the user. Text Search Software is also used by private companies for security risk assessments.