
The University of South Australia School of Computer & Information Science Mawson Lakes

Forensic Analysis for Unix-Based Operating Systems Research Component Individual Software Engineering Honours Project

Written by James Maybank Email: mayjm002@students.unisa.edu.au Student ID: 100004788 Supervisor: Jill Slay Due date: Late October 2005

Abstract
As the use of Unix-based operating systems grows, so does the need for forensic investigators to broaden their knowledge and understanding of the users of these systems and the processes they use. Increasingly, users are discovering ways to hide, manipulate and remove incriminating data from their systems without leaving traces for forensic examiners. The aim of this paper is to expose potential weaknesses in current forensic practice and to provide direction for future research. It outlines the technology available and the ways in which users are presently applying it.

Introduction
Forensic Computing is a developing science that focuses on the recovery and analysis of electronic data from computers in the hope of determining who, what, where, when and how a certain event transpired. While analysing the very technical methods used to hide and delete data, care must be taken to keep investigations forensically sound for the courts (McKemmish 1999). Manzano and Yasinsac (2001) suggested that forensic experts should be able to investigate like a detective, have the legal knowledge of a lawyer and the computer skills of a hacker. Because computer forensics is a young field, anyone can call themselves a computer forensics expert simply by being able to operate forensic tools, without any knowledge of how the underlying processes work (Meyers & Rogers 2004).

Types of users found using some of the techniques mentioned throughout this paper include paedophiles (making contact, sharing illegal pictures), terrorists (planning attacks), criminals (espionage and money laundering), black-market traders (mainly drug dealers), and employees (gaining access to classified or illegal information, sending inappropriate emails). Although these groups range from extremely serious to relatively minor, all of the forensic techniques mentioned in this paper may help investigators when dealing with a Unix-based operating system.

Computer users choose Unix over Windows and Macintosh for a number of reasons. The Unix community prides itself on open source software, which is free and whose code is open to review by experts across the world. It also offers more control over functionality. Disadvantages include software compatibility with the more popular Windows operating systems, and a reputation for being less user friendly than other operating systems, which means its users are mostly advanced. This is unfortunate for the forensic analysis of a Unix machine: the investigator generally needs more technical understanding, and harder data hiding, manipulation and deletion techniques can be expected, potentially increasing the length of the investigation dramatically.

This paper covers a number of areas specifically related to forensic computing on Unix-based operating systems, mainly: the sequence of events leading up to and during the seizure of a system, and hiding, manipulating and removing incriminating evidence on Unix systems. Each section goes into greater detail and covers some of the finer aspects of the techniques used.

Sequence of Events
Approaching a Suspicious Computer
The general procedure for seizing a computer is as follows. Analyse the surroundings: notes next to or on the computer, the programs currently running and so on can help with the later analysis, for example in determining passwords. Remove the power source and all network connections simultaneously, to avoid triggering programs that delete, hide or manipulate data. Depending on the situation, the computer is usually taken back to the lab for forensic analysis, or the following process is performed on site (for example if the system is used for business purposes). Image the hard drive(s), so the original can be kept in an unmodified condition; multiple copies may be required depending on the type of analysis. Mount and then analyse the image. Software such as EnCase, Forensic Toolkit, Autopsy/The Sleuth Kit and The Coroner's Toolkit is mentioned constantly by renowned investigators. These programs are commonly used because most investigators do not write their own software, and they are the most respected forensic tools available. Each has flaws, since none catches 100% of criminals: if a suspect understands what the tools look for, it is easy to work around them and avoid being caught (Casey 2002a). Procedures generally do not vary between operating systems, but it is interesting to note that Unix operating systems pride themselves on crashing less often than other operating systems.

Unfortunately, Unix application and kernel processes are less prepared for a sudden crash than those of Windows and Macintosh, so there is a higher risk of file corruption and data loss (buffered writes that have not yet been synced to the hard disk) (Allen 2001). Even so, the majority of forensic investigators recommend removing the computer's power supply as the best way to stop operations, as opposed to performing a proper shutdown (Casey 2002a). Proper shutdowns are avoided because of shutdown routines: if the system is on and the investigators want to take the computer away for analysis, switching it off at the power point prevents any attempt to remove secret or incriminating evidence from the hard disk during shutdown. These routines are triggered by procedures before or during the shutdown process, known only to the user. Boot-ups can be just as detrimental. Mounting the hard disk on another system avoids triggering these routines and minimises the risk of losing important data (Allen 2001).

Internet
Analysing internet communications is a major component of a forensic analysis. Web browsers, electronic mail, peer-to-peer file transfer programs and chat programs are all commonly used. After examining programs of this nature it is possible to determine what the computer is involved in and what interests each of its users have.

Peer-to-peer file transfer software is used on all operating systems connected to the internet. Emule, Limewire and Shareaza are some of the more common peer-to-peer clients available for Unix systems. They provide free access to files on hard drives all over the world whose owners have allowed the software to publish them for the general public to download: open source software, music, pictures and illegal items, amongst many other things. Logs are kept of items downloaded and searched for, and these are harder to remove because the software usually does not assist in their removal.

Web browsers are used to access the World Wide Web, more commonly known as the Internet. Many web browsers are offered free for Unix operating systems; some of the most popular are Mozilla Firefox, Netscape and Opera. Browser settings, downloaded files, cookies (personal details), search-engine keywords and URLs visited can potentially tell you more about a person than anything else on a computer. Unfortunately, web browser evidence is extremely easy to remove through options available in most browsers.

Chat programs such as Gaim, X-Chat, Kopete, AMSN (an MSN Messenger clone), Licq and Psi are commonly used by Unix users, and are often useful for determining friends and understanding who the user is through chat logs. These logs are again easy to remove, but contact lists are harder to delete and offer leads for further searches.

Email accounts are usually hosted on an external server, leaving the user the option of viewing mail through a web browser or running a mail client on the operating system. Of the two, the mail client will certainly leave more evidence in the form of stored emails and logs, as opposed to the browser evidence discussed previously. It has become very apparent to anti-forensic enthusiasts that internet software is an obvious weakness. To confront the problem, free scrubbing tools for internet software have been developed, once again showing how much work remains to be done in the forensic world (Turner 2004).

Command Line History
Unix operating systems are generally command driven even though a graphical desktop is available. Usually the last 500 commands entered (the number varies with the shell configuration) are retrievable from history files, and these certainly show recent activity on the computer, providing leads to other suspect programs, logs and so on (Liu 2005).

Manipulating evidence
Logs and MACtimes are obvious targets for alteration. They are reasonably easy to access (they live in well-known directories), easy to understand (logs are plain text files), and well known to be a target of forensic investigators.

Logs
Logs are records created by the operating system or its applications to keep track of events occurring on the computer. Anything from system and application logs to chat logs can be found across the file system, and they are useful for a variety of purposes, including establishing user activity. Unfortunately, if a user wants to hide past events, logs are traditionally the primary target for alteration. This is well known among the courts and the legal system, and has led to a common belief that log file integrity is doubtful. Deleted log files, however, are rarely given any thought by the average user, which makes them a target for investigators (Farmer & Venema 2005). Adding to the courts' scepticism, log entries carry date and time stamps, yet these are rarely reliable: clocks drift, and the clock is easy to alter (Ceresini 2001).

MACtimes
An inode is the data structure Unix uses to hold a file's metadata, including its MACtimes (Modified, Accessed and Changed times). These attributes are valuable when reconstructing the whereabouts and actions of users. They are:
- Last Modification time (mtime): the last time the file's contents were written;
- Last Access time (atime): the last time the file was read, or a directory was searched;
- Last Status Change time (ctime): the last change to the inode itself (owner, permissions, link count). When a file is deleted, its ctime is set to the time of deletion (Farmer & Venema 2005; Mitra 1998).

Unlike mtime and atime, which any owner of a file can set to an arbitrary value with the utime system call (the touch command), ctime cannot be set through a normal interface: setting the other two timestamps is itself a status change that moves ctime to the current clock, so a file whose mtime lies after its ctime has been tampered with or has seen a clock change.

Everything in Unix is a file, so in theory every process on the computer should leave evidence of its occurrence. One class of file system in common use is the journaling file system (for example JFS), which works well in conjunction with MACtimes. A journaling file system first records an operation in a journal on the hard disk, then applies it. Although this creates extra work, it provides useful information for recovery in the event of a system crash, and in a forensic investigation the file history recorded in the journal would certainly assist in finding incriminating evidence (Farmer & Venema 2005; Eckstein & Jahnke 2005).

When a suspicious file is found, MACtimes can be used as a search mechanism instead of keywords: finding files used at a similar time to a suspicious event may give more clues as to what really happened. Timestomp is one of a number of popular MACtime modifiers, although it was written for NTFS and works on only a limited set of file systems. It offers options such as -z to set all timestamps and -b to blank them out, for which forensic toolkits like EnCase, Forensic Toolkit and Autopsy/The Sleuth Kit have no countermeasure. Modifying MACtimes can either hide evidence or create a false lead for investigators (Metasploit 2005).
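The following script is an added example, not part of the original paper or of any tool it cites. It shows the three timestamps on a Unix file, what a timestomping tool can and cannot do through utime(2) (mtime and atime are set freely, ctime is stamped with the current clock by the call itself), a check for the one combination that ordinary file operations cannot produce, and a mactime-style timeline. It is standard-library Python, builds its own sample file in a temporary directory, and assumes an ordinary Unix file system that records all three timestamps.

```python
import os
import tempfile
import time


def mactimes(path: str) -> dict:
    """The three inode timestamps the paper calls MACtimes, as Unix epoch seconds."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}


def backdate(path: str, when: float) -> None:
    """Set mtime and atime with utime(2), as a timestomping tool does. There is no
    interface for ctime: the kernel treats the utime() call itself as a status change
    and stamps ctime with the current clock."""
    os.utime(path, (when, when))


def ctime_contradicts(path: str, slack: float = 2.0) -> bool:
    """mtime or atime later than ctime cannot come from ordinary file operations, since
    every content write or metadata change also bumps ctime; it indicates a clock
    change or timestamp manipulation. The reverse (mtime older than ctime) is normal
    after chmod, chown, rename or cp -p, so its absence proves nothing."""
    t = mactimes(path)
    return t["mtime"] > t["ctime"] + slack or t["atime"] > t["ctime"] + slack


def timeline(paths):
    """mactime-style body: one (timestamp, kind, path) event per MACtime, oldest first,
    so files touched around a suspicious event can be found by time rather than keyword."""
    return sorted((ts, kind, p) for p in paths for kind, ts in mactimes(p).items())


def demo() -> dict:
    """Constructed scenario: write a file, backdate it to 2001, then push it into the future."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "Extortion.txt")
    with open(path, "w") as fh:
        fh.write("constructed sample content\n")
    written = time.time()
    past = 978307200.0                       # 2001-01-01T00:00:00Z
    backdate(path, past)
    after = mactimes(path)
    flagged_past = ctime_contradicts(path)   # mtime in the past: nothing impossible yet
    earliest = timeline([path])[0]
    backdate(path, written + 7 * 86400)      # a week ahead of the clock
    flagged_future = ctime_contradicts(path)
    return {
        "written": written,
        "mtime_after_backdate": after["mtime"],
        "ctime_after_backdate": after["ctime"],
        "flagged_after_backdate": flagged_past,
        "earliest_event": earliest,
        "flagged_after_future": flagged_future,
    }
```

After the backdate, mtime reads 2001 but ctime still records when the utime call happened, which is the lead an investigator follows; only the clock change or a raw write to the inode on disk can hide it.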

Data Hiding
Data hiding is becoming increasingly technical and branching out in all directions as the science of computer forensics matures. When evidence of data hiding is found on a computer, it generally implies either that the computer contains something worth searching for, or that someone is trying to plant false evidence in an investigation (Chuvakin 2002). A number of data hiding techniques found on Unix-based operating systems follow.

File Names and Extensions


The average computer user is capable of this method of data hiding. It involves renaming a file or its extension to disguise the file's true nature; for example, a text file (Extortion.txt) renamed as an image with a less suspicious name (Guitar_amp.gif). When looking for evidence, a picture of a guitar amp will not stand out as a file needing further investigation. One way to find such files is to compare the extension against the file's header (the signature bytes at the start of the file): a mismatch indicates either corruption or a deliberately renamed file, and justifies suspicion. More advanced users are mindful of file headers and adjust them as well to cover their tracks. It is also worth noting that a full stop at the start of a file name (.Extortion.txt) hides it from a plain ls (list); a full listing, ls -al (list all), exposes such simple attempts (Grundy 2001).
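An added example (not from the original paper) of the header-versus-extension check described above, together with the dot-file check. The signature table is a small constructed one covering a few formats; a production scanner would defer to libmagic (the file command). The sample tree it scans is constructed inside a temporary directory: the renamed text file, a genuine GIF header, a dot-file and an ordinary text file.

```python
import os
import tempfile

# Magic-byte signatures for a few common formats. This table is constructed for the
# example; a production scanner would use libmagic (the `file` command) instead.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gz"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
]
KNOWN = {name for _, name in SIGNATURES}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "tgz": "gz"}


def sniff(head: bytes):
    """Format whose signature matches the first bytes of the file, or None."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return None


def claimed_type(name: str) -> str:
    """Format the file name's extension claims, normalised (.jpeg -> jpg)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return EXT_ALIASES.get(ext, ext)


def header_mismatch(name: str, head: bytes) -> bool:
    """True when the extension claims a format in the table and the header disagrees.
    Extensions without a fixed signature (.txt, .log) are never flagged."""
    claimed = claimed_type(name)
    return claimed in KNOWN and sniff(head) != claimed


def scan(directory: str):
    """Walk a tree and report files renamed to a misleading extension and dot-files
    that a plain `ls` would not show. Returns (path, reason) pairs."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if fname.startswith("."):
                findings.append((path, "hidden by leading dot"))
            if header_mismatch(fname, head):
                findings.append((path, "extension says %s, header says %s"
                                 % (claimed_type(fname), sniff(head))))
    return findings


def demo():
    """Constructed sample tree: a text file renamed to .gif, a genuine GIF header,
    a dot-file and an ordinary text file."""
    d = tempfile.mkdtemp()
    samples = {
        "Guitar_amp.gif": b"Pay 5000 by Friday or else.\n",
        "real_amp.gif": b"GIF89a" + bytes(32),
        ".Extortion.txt": b"Pay 5000 by Friday or else.\n",
        "notes.txt": b"plain text, nothing to compare against\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): why for p, why in scan(d)}
```

The check only flags extensions that have a known signature, so it produces no noise for plain-text formats; the advanced user who also forges the header, as the paragraph notes, defeats it, which is why a mismatch is a lead rather than proof.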

Deleted Data
File systems are designed to avoid fragmentation, which increases the average lifetime of a deleted file. When a file is removed, its directory entry disappears and the file system is free to overwrite the blocks it occupied; there is no guarantee how long the deleted data will survive, which makes deletion only a moderately reliable way to hide data (Farmer & Venema 2005). Making more deleted copies of a file theoretically increases the probability of recovering it. Large files have a shorter life expectancy because they cover more disk blocks, making it more likely that some part will be written over (Chuvakin 2002).

Slack Space
File systems hardly ever use all of the disk space made available to them. One example of this is slack space, which is often exploited by users attempting to hide data. A file whose size is not an exact multiple of the block size uses as many blocks as it needs, leaving a wasted region at the end of the final block.

The example below shows a text file occupying 4 blocks of 1,024 bytes (block size varies between file systems, typically 1 to 4 KB). A 3,600-byte file fills three blocks and 528 bytes of the fourth, leaving 496 bytes of slack. Data written into that slack is not returned by a normal read of the file. If Extortion.txt is deleted with rm rather than wiped, the contents of all four blocks, slack included, remain on the disk.
[Figure: Extortion.txt (3,600 bytes) laid out across four blocks; the unused tail of the last block is slack space.]
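An added example (not from the original paper) that models the two behaviours described in the last two sections with a toy block device: rm frees the pointers to a file's blocks but not the bytes, and the unused tail of a file's last block (slack) is neither returned by a normal read nor cleared when the file is deleted or the block is reused by a smaller file. The ToyDisk class, its first-free-block allocator and the 3,600-byte sample file are constructed for this example; real file systems differ in detail but show the same behaviour.

```python
BLOCK = 1024


class ToyDisk:
    """A block device modelled as a bytearray plus a free-list and a directory.
    Constructed for this example: real file systems differ in detail, but the
    behaviour shown (rm frees pointers, not bytes; slack is never cleared) is the same."""

    def __init__(self, blocks: int):
        self.raw = bytearray(blocks * BLOCK)
        self.free = list(range(blocks))   # lowest free block is allocated first
        self.files = {}                   # name -> (block list, byte length)

    def write(self, name: str, data: bytes):
        needed = -(-len(data) // BLOCK)   # ceiling division
        if needed > len(self.free):
            raise OSError("no space left on device")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only len(chunk) bytes are written; the tail of the last block (slack)
            # keeps whatever it held before.
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.files[name] = (blocks, len(data))
        return blocks

    def read(self, name: str) -> bytes:
        blocks, size = self.files[name]
        data = b"".join(self.block(b) for b in blocks)
        return data[:size]                # a normal read stops at EOF, never shows slack

    def unlink(self, name: str):
        """What rm does: remove the directory entry and return the blocks to the free list."""
        blocks, _ = self.files.pop(name)
        self.free = sorted(self.free + blocks)

    def block(self, b: int) -> bytes:
        """Raw view of one block, as a disk editor or dd on the device would show it."""
        return bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])

    def hide_in_slack(self, name: str, payload: bytes):
        """Stash payload in the unused tail of a live file's last block."""
        blocks, size = self.files[name]
        if len(payload) > slack(size):
            raise ValueError("payload larger than the file's slack")
        start = blocks[-1] * BLOCK + size % BLOCK
        self.raw[start:start + len(payload)] = payload


def slack(size: int, block: int = BLOCK) -> int:
    """Unused bytes in the last block of a file of `size` bytes (0 if it fills it exactly)."""
    rem = size % block
    return 0 if rem == 0 else block - rem


def demo():
    disk = ToyDisk(16)
    secret = (b"EXTORTION: pay 5000 by Friday.\n" * 200)[:3600]   # constructed 3,600-byte file
    blocks = disk.write("Extortion.txt", secret)                  # 4 blocks, 528 bytes in the last
    disk.hide_in_slack("Extortion.txt", b"account 12345678")       # lives beyond EOF
    visible = disk.read("Extortion.txt")                          # identical to what was written
    disk.unlink("Extortion.txt")                                  # rm
    survives = disk.block(blocks[0]).startswith(b"EXTORTION")
    hidden_survives = disk.block(blocks[-1])[528:544] == b"account 12345678"
    # A later, smaller file takes the lowest free block and overwrites only its first 606 bytes.
    disk.write("Guitar_amp.gif", b"GIF89a" + bytes(600))
    reused = disk.block(blocks[0])
    return {
        "blocks_used": len(blocks),
        "slack_bytes": slack(len(secret)),
        "read_unchanged": visible == secret,
        "survives_unlink": survives,
        "hidden_payload_survives": hidden_survives,
        "reused_block_starts_with_gif": reused.startswith(b"GIF89a"),
        "old_tail_still_in_reused_block": reused[606:] == secret[606:BLOCK],
    }
```

The last result is the one that matters for recovery: once the block has been reused, the new file's own slack still carries the tail of the old one, which is why carving tools read blocks rather than files.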

Steganography

When a secret communication of some description is hidden within another communication, concealing all evidence of its existence, it is called steganography. This is becoming increasingly popular with the new internet generation of computer user. Images (bitmap, gif, png, jpeg and many more), audio files (wav, mp3, wma), compressed files, software and other message-related files are constantly transferred over the internet, mainly through web sites, electronic mail and peer-to-peer software, making them the most likely media for steganography. The type of hidden message differs with the type of user: terrorist groups, criminals (for example paedophiles and murderers) and organised crime (for example the illegal black market). There are also many legal groups, such as commercial businesses and researchers, who aim to conceal valuable information (for example to avoid sabotage, theft or simple unauthorised access), as well as personal uses such as protecting one's own work or pornography.

A number of commonly used steganography tools are available on the Internet:
- Blindside is a command line program for Unix that hides information inside bitmap files (*.bmp).
- Gzip-steg is a patch for GNU zip that hides information within a compressed (*.gz) file. It is only available for Unix-based operating systems.
- Mp3stego hides information in MP3 files during the compression process, and works on both Unix and Windows.

Unfortunately, steganography detection is still in its youth, with only a small number of useful detection tools available on the internet, such as Stegdetect, Xsteg, Stego Watch and Gargoyle, to name a few. Nearly all are automated tools that search for the traces of a particular steganographic method in a specific transport medium (Westphal 2005).
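The following is an added example, not code from the original paper or from any of the tools listed above, showing the least-significant-bit method that most simple image and audio steganography tools use: each 8-bit sample gives up its lowest bit to carry one bit of payload, so no sample changes by more than 1 and the carrier keeps its size. It also computes the LSB ones-ratio, the crudest statistic a detector can look at. The 4,096-sample cover is a constructed ramp with every LSB clear, chosen so the effect of embedding is visible in the statistic.

```python
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover: bytes) -> int:
    """Payload bytes a cover of len(cover) 8-bit samples can carry at one bit per
    sample, after the 4-byte length header."""
    return max(0, len(cover) // 8 - 4)


def embed(cover: bytes, message: bytes) -> bytes:
    """Replace the least-significant bit of each sample with the next payload bit.
    The payload is prefixed with its big-endian 32-bit length so extract() knows
    where to stop. Each sample changes by at most 1, which the eye or ear cannot detect."""
    if len(message) > capacity(cover):
        raise ValueError("message does not fit in cover")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the LSBs back: first the 32-bit length, then that many bytes."""
    lsbs = [s & 1 for s in stego]

    def take(offset: int, nbits: int) -> int:
        value = 0
        for bit in lsbs[offset:offset + nbits]:
            value = (value << 1) | bit
        return value

    length = take(0, 32)
    if length > capacity(stego):
        raise ValueError("no valid payload header")
    return bytes(take(32 + 8 * k, 8) for k in range(length))


def max_sample_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_ratio(samples: bytes) -> float:
    """Fraction of samples whose LSB is 1. A compressed or encrypted payload pushes this
    toward 0.5 over the embedded region, while smooth natural data need not be balanced;
    on its own it is a weak indicator, which is why the detection tools above use
    format-specific statistics."""
    return sum(s & 1 for s in samples) / len(samples)


def demo():
    """Constructed cover: 4,096 8-bit samples of a smooth ramp with every LSB clear."""
    cover = bytes((x // 16) & 0xFE for x in range(4096))
    message = b"meet at the usual place, 0300"
    stego = embed(cover, message)
    return {
        "capacity": capacity(cover),
        "recovered": extract(stego),
        "max_change": max_sample_change(cover, stego),
        "same_length": len(stego) == len(cover),
        "cover_ratio": lsb_ones_ratio(cover),
        "stego_ratio": lsb_ones_ratio(stego),
        "empty_cover_extracts": extract(cover),
    }
```

Real tools apply the same idea to decoded pixel or PCM samples rather than raw bytes, and the better ones spread the payload with a key-seeded permutation and encrypt it first, which is what leaves the statistical footprint that Stegdetect-style tools search for.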

Encryption
Encryption is a technique that makes the content of a message or file indecipherable, so that if it is intercepted by a third party it cannot be read. In a forensic context it is usually used to conceal evidence, and strong encryption can take hundreds of years to break by brute force, which is why many forensic experts across the world have declared brute force useless. Fortunately, there are practical alternatives for retrieving encrypted data. Finding information related to an encrypted file is a good place to begin. Most users do not consider all the operations that occur during the life of a file: copying, moving, printing, emailing and so on. All of these leave traces in logs and produce fragments or whole copies of deleted files, which may reveal the plaintext of the encrypted data. Find Protected, by AKS Labs, is one of a number of applications capable of finding all encrypted files on a selected hard disk. There are also encryption programs that remove all proof of a file's existence immediately after encrypting it, but no matter how much trouble is taken, the processes mentioned above always create uncertainty for the user. Other common approaches involve obtaining the password from other frequently used passwords on the system, for example email or internet accounts, or guessing based on information already known about the user. It is predicted that as recovery of encrypted data improves, stronger encryption will be adopted (Casey 2002b & Belgers 1993).

Hidden Devices
Unix allows the appearance of the file system to be manipulated with the mount and umount commands: mounting another file system on a directory hides whatever that directory held.

Example 1: Mount a phoney file system in place of the original.
1. Make a directory named temp:
mkdir /temp
2. Under /temp, create the files and directories needed to mirror the part of the file system it will replace.
3. Mount /temp over the original location:
mount /temp /
On Linux, mounting one directory over another requires the bind option (mount --bind /temp <target>), and the target is normally a directory below the root rather than / itself.

The files beneath the mount point are no longer visible and cannot be read or written until the phoney file system is unmounted, at which point access is regained.

Detection of this method is not difficult. If a file system is supposedly 10 GB in size, 2 GB is accounted for by the files that can be seen, yet only 4 GB is free, the unaccounted-for space shows that files may be hidden beneath a mount point (Rogers 2004 & Grundy 2001). The mount table (the mount command, or /proc/mounts on Linux) also lists every mount point, including any in unusual places.

Example 2: Although this example is not as clever, it can still trick the untrained eye. Any device, whether a hard drive (single or partitioned), a USB device, a floppy disk or a CD-ROM/DVD, can be hidden simply by unmounting it (umount). It is, however, easy to find in the /dev/ directory, which is populated at boot by scanning for the internal and external devices connected to the computer (Farmer & Venema 2005). To restore a device, simply mount it back into the file system (Grundy 2001).
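An added example, not from the original paper, of the two detection routes just described: reading the mount table for file systems mounted deep inside a user's tree (on Linux a bind mount appears in /proc/mounts with the parent's device and type, so a device that shows up at more than one mount point is the sign to look for), and comparing the file system's df-style used space with a du -x style walk. It assumes Linux /proc/mounts syntax; the SAMPLE_MOUNTS content, device names and paths are constructed for the example.

```python
import os
import re
import tempfile

# File system types the kernel synthesises; a mount of one of these hides nothing of interest.
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup", "cgroup2", "securityfs",
             "debugfs", "pstore", "mqueue", "hugetlbfs", "binfmt_misc", "configfs", "fusectl",
             "tracefs", "bpf", "autofs", "efivarfs"}

# Constructed /proc/mounts content for the demo: a normal layout plus one directory
# bind-mounted under the user's home and one extra disk mounted inside a dot-directory.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda2 /home/user/Guitar\\040Amps ext4 rw,relatime 0 0
/dev/sdb1 /home/user/.cache/pix ext4 rw,noatime 0 0
"""


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal escapes (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str):
    """Parse /proc/mounts (or /etc/mtab) into dicts with source, target, fstype, options."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({"source": _unescape(parts[0]), "target": _unescape(parts[1]),
                        "fstype": parts[2], "options": parts[3].split(",")})
    return entries


def suspicious_mounts(entries):
    """Real file systems mounted below the top level of the tree, where user data lives.
    Each shadows whatever the directory beneath it held before the mount."""
    return [e for e in entries
            if e["fstype"] not in PSEUDO_FS
            and e["target"] != "/"
            and e["target"].count("/") >= 2]


def bind_like(entries):
    """One block device appearing at several mount points: on Linux a bind mount shows the
    parent's device and type in /proc/mounts, so this is how such mounts are spotted."""
    by_source = {}
    for e in entries:
        if e["fstype"] not in PSEUDO_FS:
            by_source.setdefault(e["source"], []).append(e["target"])
    return {s: t for s, t in by_source.items() if len(t) > 1}


def usage_discrepancy(path: str):
    """Compare df-style used space of the file system holding `path` with a du -x style
    walk from `path`. Used space the walk cannot account for is a lead: data beneath a
    mount point, unlinked-but-open files, or reserved/metadata blocks (so not proof)."""
    vfs = os.statvfs(path)
    df_used = (vfs.f_blocks - vfs.f_bfree) * vfs.f_frsize
    dev = os.lstat(path).st_dev
    du_used = 0
    for root, dirs, files in os.walk(path):
        kept = []
        for d in dirs:
            try:
                if os.lstat(os.path.join(root, d)).st_dev == dev:
                    kept.append(d)
            except OSError:
                pass
        dirs[:] = kept                    # do not cross into other file systems
        for name in files + dirs:
            try:
                du_used += os.lstat(os.path.join(root, name)).st_blocks * 512
            except OSError:
                pass
    return {"df_used": df_used, "du_used": du_used, "unaccounted": df_used - du_used}


def demo_usage():
    """Run the comparison on a constructed directory holding one small file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "sample.bin"), "wb") as fh:
        fh.write(bytes(8192))
        fh.flush()
        os.fsync(fh.fileno())
    return usage_discrepancy(d)
```

On a live system the usage comparison is run from the mount point itself (usage_discrepancy("/home")), and the mount parsing on the contents of /proc/mounts; the walk deliberately stays on one device, as du -x does, so space under a nested mount shows up as unaccounted rather than being counted twice.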

Deleted files
On most Unix-based operating systems the remove command, rm (/bin/rm), has never had an undo function like the Recycle Bin concept of Windows and Macintosh. This is unfortunate for the user, though because of the way file systems are designed, retrieval of removed data has always been difficult but not impossible. When rm is used, the operating system simply removes the directory entry and the inode's references to the data blocks; the data itself is not removed until the system needs those blocks again. With this comes another problem: the real difficulty of completely removing a file and all proof of its existence (Gutmann 2001). It is possible to remove a file from a hard disk so that it is completely irretrievable. This process is known as wiping (Chuvakin 2002).

Overlooked Deleted Files


There are many instances where a system creates temporary copies of files for its own use, and these often leave evidence on the hard drive. Deleted files of this nature are considered more trustworthy because most users are unaware of their existence, so their integrity (MACtimes and content) is intact. When a file is deleted, the only MACtime attribute modified is the status change time (ctime), which is set to the time of deletion (Farmer & Venema 2005, p. 149). Because rm is used, the data remains on the hard drive until the allocated disk space is used again. Examples of such system processes are:

Example 1: Spooling. To print a file, a copy is first saved to a temporary location on the hard drive, then printed; once printing is complete the copy is deleted.

Example 2: Quick formatting. Quick-formatting a disk simply clears the file table without altering the data on the disk. To the user it appears new and empty, and most are unaware that the data is still recoverable.

Example 3: System crashes, power failures and running out of disk space. When copying to a hard disk it is not uncommon to run into problems (a system crash, or simply running out of available disk space). When this occurs the copy is cancelled instantly, leaving all data transferred to that point on the disk without a directory entry pointing to it, so the user cannot see the partial file, and potentially causing integrity problems.

Example 4: Installing one operating system over another. Farmer and Venema (2005) analysed a machine that started out as a Windows PC, then became a Solaris firewall, then ran Linux. Even though each operating system had obviously been deleted and a new one installed, deleted Solaris firewall configuration files were still present many years later.

File Recovery
To recover a file, all of its blocks must first be found. Autopsy/The Sleuth Kit, Forensic Toolkit, EnCase and The Coroner's Toolkit are the toolkits primarily used for recovering deleted files. As The Coroner's Toolkit (TCT) was developed specifically for Unix-based operating systems, it is the most effective for this task. It comprises a number of forensic tools, two of which, unrm and lazarus, recover deleted data from a hard disk. When TCT recovers a deleted file it displays all of its MACtimes without altering them in any way. Skilled computer users are, however, able to modify MACtimes and hide their tracks within the file system. Farmer and Venema (2005) state that old magnetic patterns of 0s and 1s can possibly survive being written over multiple times, opening the possibility of retrieving data previously considered totally removed from the hard disk.

Wiping files
As defined earlier, wiping a file removes it completely from the hard drive. This is slightly more difficult than deleting, but certainly achievable from the command line. The sequence below is considered standard practice among experienced Unix users. It reads from the dummy device /dev/zero, which supplies an endless stream of zero bytes, and uses dd, which copies its input to its output block by block. Note what the sequence actually does: because no count is given, dd keeps writing zeros into /home/bigfile until the disk is full, so every unallocated block, including the blocks of previously deleted files, is overwritten; removing the filler file then returns that space. It does not overwrite any particular live file, nor the slack space of live files. To overwrite an existing file in place, dd must be run against that file with conv=notrunc and a count matching its size (or a tool such as shred used). The dummy device /dev/null discards whatever is written to it, so it can serve only as a destination; the sometimes-suggested 'mv file.txt /dev/null' merely renames the file (and, run as root, replaces the device node), overwriting nothing, unlike the dd sequence. sync makes the operating system flush all buffered writes to the disk, so that each step has really reached the platter before the next.
1. dd if=/dev/zero of=/home/bigfile
2. sync
3. rm /home/bigfile
4. sync

Peter Gutmann (2001) suggests overwriting the file's location a number of times to further complicate magnetic recovery, should it be attempted. It is also worth noting that some storage devices (mainly flash drives) have an internal mapping layer (wear levelling) that avoids reusing the same physical blocks immediately, spreading writes evenly so that no block wears out too soon; an overwrite may therefore land on a different physical block, leaving the original data in place.
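An added example, not from the original paper, that separates the two operations the dd sequence above tends to blur: overwriting a live file in place (the conv=notrunc case, followed by unlink and an fsync of the directory) versus filling free space to scrub already-deleted data. It is written in Python rather than as dd commands so that both variants run and check themselves on a constructed file in a temporary directory. It assumes a conventional in-place file system: on copy-on-write file systems (btrfs, ZFS) and on wear-levelled flash, an overwrite may be placed on different blocks, so the original data can survive exactly as the preceding paragraph warns.

```python
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB write size


def overwrite_in_place(path: str, passes: int = 1, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of the file where it sits on disk, without truncating (the
    dd conv=notrunc behaviour), and fsync so the data leaves the page cache. Slack beyond
    EOF and any earlier copies (editor backups, spool files) are untouched. Returns the size."""
    with open(path, "r+b") as fh:
        size = os.fstat(fh.fileno()).st_size
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write((pattern * (n // len(pattern) + 1))[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe(path: str, passes: int = 1) -> int:
    """Overwrite, unlink, then fsync the directory so the removed entry reaches the disk."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    dir_fd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)
    return size


def fill_free_space(directory: str, limit_bytes: int) -> int:
    """What the dd sequence above actually does: write zeros into a filler file until the
    disk is full (capped at limit_bytes here so the example can run), sync, then remove the
    filler. This scrubs unallocated blocks, i.e. already-deleted files, not live files or
    their slack. Returns the number of bytes written."""
    filler = os.path.join(directory, "bigfile")
    written = 0
    with open(filler, "wb") as fh:
        try:
            while written < limit_bytes:
                n = min(CHUNK, limit_bytes - written)
                fh.write(bytes(n))
                written += n
        except OSError:          # ENOSPC: the disk is now full, which is the goal
            pass
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(filler)
    return written


def demo():
    """Constructed scenario: a 'secret' file is overwritten in place, then wiped, then the
    free space of its directory is scrubbed (capped at a few MiB)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "Extortion.txt")
    secret = b"Pay 5000 by Friday or the photos go public.\n" * 100
    with open(path, "wb") as fh:
        fh.write(secret)
    size = overwrite_in_place(path)
    with open(path, "rb") as fh:
        after = fh.read()
    gone_size = wipe(path)
    filled = fill_free_space(d, 3 * CHUNK + 123)
    return {
        "secret_len": len(secret),
        "size": size,
        "length_kept": len(after) == len(secret),
        "all_zero": after == bytes(len(secret)),
        "wiped_size": gone_size,
        "gone": not os.path.exists(path),
        "filled": filled,
    }
```

For a real free-space scrub the cap is removed and the loop runs until the write fails with ENO SPC; leaving the filler in place until after the sync is what guarantees the zeros were committed before the blocks are released again.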

Conclusion
Unix is becoming more widely used, which is a growing concern for forensic investigators. Unix operating systems come in many branches, Linux and the BSDs being the main ones. Because there are so many variants, and because they are less user friendly, Unix is becoming a more popular tool for people who want to hide data from investigators, whether police or system administrators analysing user activity on their networks.

Although it has been stated that more than 99% of users who have committed a crime with their computer lack the knowledge and capability to completely hide or wipe the incriminating evidence, the average Unix user is much more computer literate than the average Windows user. This is for several reasons, including that Windows is more commonly used and is a user-friendly operating system. It is safe to assume that a Unix user has a much better chance of being able to implement some of the more complex data hiding and deletion techniques discussed above.

Fortunately for forensic analysts, most offenders do not even consider the risk, leaving all incriminating evidence untouched. Another method suggested by several hacking websites is to destroy all the hard disks used by the system. Although this will convince investigators that there was something to hide, it is probably the best method of destroying data for someone with no computer skills. Removing or hiding data with the methods discussed earlier would only be attempted by an advanced user; an average user with minimal or no computer skills would be wasting their time.

One opportunity to improve forensic techniques is to find a method of collecting the contents of Random Access Memory (RAM) and closing the system down without risking file corruption. Another area of debate is whether forensic tools should be open or closed source. Slack space is so well understood by investigators that data inserted there is nearly guaranteed to be found, and software to do so is hard to find. Although forensic computing is still young and has a lot of maturing to do, it is beginning to drive users into corners, making it more and more difficult to use a computer as a device for hiding incriminating evidence.

References
AKS Labs n.d., Find Protected, viewed 25 October 2005, <http://www.findprotected.com/>.
Allen, G 2001, Booting and shutting down, Computer Science 302: Unix System Administration, Washington State University, viewed 28 October 2005, <http://www.eecs.wsu.edu/~/cs302/notes/booting.html>.
AusCERT 2005, 2005 Australian Computer Crime and Security Survey.
Belgers, W 1993, UNIX Password Security, viewed 10 August 2005, <http://www.cs.vu.nl/~crispo/teaching/atcs/Password/belgers93unix.pdf>.
Bui, S, Enyeart, M & Luong, J 2003, Issues in Computer Forensics, Santa Clara University Computer Engineering, USA, viewed 19 September 2005, <http://www.cse.scu.edu/~jholliday/COEN150sp03/projects/Forensic%20Investigation.pdf>.
Carrier, B 2005, File System Forensic Analysis, Addison-Wesley, USA.
Casey, E 2002a, Handbook of Computer Crime Investigation: Forensic Tools and Technology, Academic Press, London.
Casey, E 2002b, Practical Approaches to Recovering Encrypted Digital Evidence, International Journal of Digital Evidence, viewed 21 October 2005, <http://www.ijde.org/docs/02_fall_art4.pdf>.
Ceresini, T 2001, Maintaining the Forensic Viability of Logfiles, SANS Institute, viewed 13 August 2005, <http://www.giac.org/practical/gsec/Tom_Ceresini_GSEC.pdf>.
Cuff, A 2004, Anti-Forensic Tools, Computer Network Defence, Wiltshire, UK, viewed 28 October 2005, <http://www.networkintrusion.co.uk/foranti.htm>.
Eckstein, K & Jahnke, M 2005, Data Hiding in Journaling File Systems, 2005 Digital Forensic Research Workshop, New Orleans, USA.
Farmer, D & Venema, W 2005, Forensic Discovery, 1st edn, Addison-Wesley Professional Computing Series, New Jersey, USA.
Grundy, B 2001, The Law Enforcement Introduction to Linux: A Beginner's Guide, Computer Crime Division, NASA Office, USA, viewed 2 September 2005, <http://ohiohtcia.org/linuxintro-1.8.1.pdf>.
Kateeb, B & Altimus, T 2005, Computer Forensics, slides, USA, viewed 28 October 2005, <http://www.sis.pitt.edu/~jjoshi/TELCOM2813/Spring2005/FinaleKateebAltimus.ppt>.
Kessler, G 2004, An Overview of Steganography for the Computer Forensics Examiner, Computer & Digital Forensics Program, Champlain College, Burlington, Vermont, viewed 20 October 2005, <http://www.garykessler.net/library/fsc_stego.html>.
Kruse, W G II & Heiser, J G 2002, Computer Forensics: Incident Response Essentials, Chapter 9: Introduction to Unix for Forensic Examiners, 1st edn, Addison-Wesley, Boston, USA.
Landman, J 2002, Forensic Computing: An Introduction to the Principles and the Practical Applications, The University of Western Sydney, Australia, viewed 30 September 2005, <http://www.cit.uws.edu.au/compsci/computerforensics/Online%20Materials/FC.pdf>.
Liu, V & Foster, J 2005, Catch me, if you can, Metasploit, viewed 28 October 2005, <http://www.metasploit.com/projects/antiforensics/BH2005Catch_Me_If_You_Can.ppt>.
Manzano, Y & Yasinsac, A 2001, Policies to Enhance Computer and Network Forensics, Florida State University, Florida, USA.
Matloff, N 1998, File Systems in Unix, University of California at Davis, USA.
McKemmish, R 1999, What is Forensic Computing?, Australian Institute of Criminology, Canberra, Australia.
Metasploit 2005, Anti-Forensic Software, viewed 28 October 2005, <http://www.metasploit.com/projects/antiforensics/>.
Meyers, M & Rogers, M 2004, Computer Forensics: The Need for Standardization and Certification, International Journal of Digital Evidence, vol. 3, no. 2, <http://www.ijde.org>.
Mitra, R 1998, Unix Security, viewed 18 September 2005, <http://www.spy.net/~jeeb/unix.html>.
Nutt, G 2004, Operating Systems, 3rd edn, Addison-Wesley, USA.
Peron, C & Legary, M 2002, Digital Anti-Forensics: Emerging Trends in Data Transformation Techniques, Seccuris Labs, <http://www.seccuris.com/documents/papers/SeccurisAntiforensics.pdf>.
Rogers, M 2004, Computer Forensics: Basics, Lecture 8: Advanced Media Analysis, California State University, viewed 23 October 2005, <http://gaia.ecs.csus.edu/~ghansahi/classes/notes/296p/notes/lec8_AdvMedia%20Analysis.ppt>.
Turner, P & Broucek, V 2003, Intrusion Detection: Forensic Computing Insights Arising from a Case Study, EICAR 2003 Conference CD-ROM: Best Paper Proceedings, Denmark.
Turner, P & Broucek, V 2004, Computer Incident Investigation: e-Forensic Insights on Evidence Acquisition, EICAR 2004 Conference CD-ROM: Best Paper Proceedings, Denmark.
Weil, M 2002, Dynamic Time & Date Stamp Analysis, International Journal of Digital Evidence, USA.
Westphal, K 2005, Steganography Revealed, SecurityFocus, viewed 25 October 2005.
