1998-09-12 - Investigating the Suspect Computer

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@cyberpass.net
Message Hash: 0bd5e64d4b109f4e54de41ca0aef15938822c57ef7e9062eb4b894c1638add18
Message ID: <199809121910.PAA03207@camel14.mindspring.com>
Reply To: N/A
UTC Datetime: 1998-09-12 06:10:00 UTC
Raw Date: Sat, 12 Sep 1998 14:10:00 +0800

Raw message

From: John Young <jya@pipeline.com>
Date: Sat, 12 Sep 1998 14:10:00 +0800
To: cypherpunks@cyberpass.net
Subject: Investigating the Suspect Computer
Message-ID: <199809121910.PAA03207@camel14.mindspring.com>
MIME-Version: 1.0
Content-Type: text/plain



Is there a PKZip-encryption cracker online for the 
following program which claims to offer a link to a 
couple of dozen shareware password crackers of
popular programs?  The exe-file is easily downloaded. 
There's a copy for testing for privacy protection:

   http://jya.com/pci-pack.exe (20K)


Investigating the Suspect Computer
PC Data Recovery for the Criminal Investigator
Law Enforcement Use Only

   http://www.forensicdynamics.com/pccrime.htm

WHAT, EXACTLY, DOES THE SOFTWARE DO?

The software is designed to almost completely automate
the formidable task of extracting forensic data from
today's modern personal computers with large or multiple
hard drives. The program automatically examines startup
files for "booby traps", and searches the entire machine
for "bomb" programs which, if triggered, could destroy
valuable evidence on the machine. PC-Investigator runs
exclusively from diskette, at the DOS level, and does
NOT perform any write operations to the hard drive. This
ensures that fragile data, or files that may be evidence,
which have been deleted or are resident in "slack
space", are not inadvertently overwritten.

A unique feature of the software is the ability to construct
custom-tailored reports. The catalog function extracts
and organizes all the files on the hard drive, and sorts
them into order by type, date and time, according to
directory. During this process, all the readable (text) files
are extracted into a separate list, and are organized by
type in the report. Also available is an extracted report
listing of graphic (picture) files, and files that are
typically used on the Internet, along with an extracted list
of word processor files, backup files, ASCII text, and files
that are recovered by CHKDSK or SCANDISK, which are
commonly overlooked as a source of forensic evidence.

PC-Investigator has unique features that duplicate the
manual functions normally performed during such
forensic investigations. The most valuable feature is the
ability to search all the files on the disk for the presence
of up to 600 words or phrases called HotWords, that you
supply in an editable file. This function is the equivalent
of the manual process of "Find Files and Folders" / "Files
Containing" under Windows 95, which typically takes
30 seconds to 3 minutes to do manually for each word or
phrase you are looking for. The function is performed
using words and phrases from the HotWord list,
hundreds of times per second.

A typical 2 Gigabyte hard drive may contain over 500
readable text files. A manual search for the occurrence of
a single word or phrase occurring in those files typically
takes 90 seconds. If you had to search for those 200
words manually, the time required would be 5 hours at
the keyboard. The HotWord search feature of PC-Investigator
performs this function on a 486/50 machine
in just under 45 minutes. If the number of files to be
searched is substantially higher, such as on today's large
hard drives (typically 2 to 4 Gigabytes, with 12 Gigabyte
drives available on top-end systems) the time required to
perform an exhaustive search would be proportionately
higher (500 to 1,000 man-hours). PC-Investigator
completely searches a 2 Gigabyte drive on a 486/120
machine in just under 24 hours. The faster the processor
and hard disk controller, the faster the program will run to
completion.

The best part is that each file containing any of the words
or phrases in your list is cataloged in the report, along
with the number of "hits" or HotWords found in the file.
After the program is started, and the desired options are
selected, the program will run un-attended, doing the
work that would normally not be done in such cases
because of the tremendous amount of time and effort
involved. Of course, files which do not contain "clear
text", or are DES or BLOWFISH / PGP encrypted will not
be flagged by the program. However, we have software
which addresses the problem of APPLICATION
encryption - that is - files which are encrypted by the
application which created them. For example, LOTUS
123, Quick Books, PFS Professional, and WordPerfect
are among the few programs which offer in-application
encryption of files. 

The program does NOT extract or examine the data from
"slack space". However, running the program is easy,
and can be done by almost anyone with a bit of computer
skills. The software is designed as a preliminary
investigative tool, to determine if a machine should be
examined by a professional. If this program indicates a
"HOT" machine, you can be certain that a more
extensive investigation is warranted. 

             -----

PCI-PACK.EXE 

Includes PC-Investigator software, manual and
Investigating The Suspect Computer 

THIS PACKAGE IS DISTRIBUTED TO LAW ENFORCEMENT AND 
PRIVATE INVESTIGATORS ONLY!!  THE ARCHIVE FILE IS [PKZip] 
ENCRYPTED, AND YOU WILL NEED A PASSWORD TO EXTRACT
THE ARCHIVE.  IF YOU ARE NOT WORKING IN LAW ENFORCEMENT, 
DON'T BOTHER TO DOWNLOAD THE FILE, WE WILL NOT DISTRIBUTE 
THE PASSWORD UNLESS WE CAN VERIFY YOUR CREDENTIALS. 

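The HotWord search the description sells is a keyword count over every file on the drive. The Python below is an added example, not PC-Investigator's code and not from the post: it opens each file read-only, matches every word or phrase from the list in both UTF-8/ASCII and UTF-16LE (so that plain text and many Windows documents both hit) and reports hit counts per file, most "HOT" first. The hotword list, file names and file contents are constructed for the demonstration.

```python
"""HotWord scan: count occurrences of listed words or phrases in every file
under a directory, reading only.

Added example, not PC-Investigator's code. Run it against a read-only mounted
image or behind a write blocker: even opening files on a live, writable
filesystem can update access times, which the 1998 tool avoided by running
from a DOS diskette.
"""
import os
import re
import tempfile

# Constructed HotWord list: one word or phrase per line, '#' for comments.
HOTWORD_FILE = """# constructed sample list
wire transfer
offshore
Cayman
bearer bonds
"""


def load_hotwords(text):
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def compile_hotwords(hotwords):
    """One case-insensitive bytes pattern per hotword that matches the phrase
    encoded as UTF-8/ASCII or as UTF-16LE. Bytes patterns with IGNORECASE fold
    ASCII letters only, which is exactly what the 16-bit encoding needs here."""
    pats = {}
    for w in hotwords:
        alts = b"|".join(re.escape(w.encode(enc)) for enc in ("utf-8", "utf-16-le"))
        pats[w] = re.compile(alts, re.IGNORECASE)
    return pats


def hotword_scan(root, hotwords):
    """Return {relative_path: {hotword: count}} for every file with a hit.
    Encrypted or compressed files contain no clear text and will not hit."""
    pats = compile_hotwords(hotwords)
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:  # "rb": the file is never opened for writing
                data = f.read()
            hits = {w: len(p.findall(data)) for w, p in pats.items()}
            hits = {w: n for w, n in hits.items() if n}
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = hits
    return report


def format_report(report):
    """Files ordered by total hits, most 'HOT' first."""
    lines = []
    for rel, hits in sorted(report.items(), key=lambda kv: -sum(kv[1].values())):
        detail = ", ".join(f"{w}={n}" for w, n in hits.items())
        lines.append(f"{sum(hits.values()):4d}  {rel}  ({detail})")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed evidence tree in a temp dir: plain text, a UTF-16 document,
    a CHKDSK-style recovered fragment and an innocuous file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    files = {
        "letters/memo.txt": b"Arrange the wire transfer to the Cayman account.\n"
                            b"Second wire transfer on Friday.\n",
        "docs/plan.doc": "Move the OFFSHORE funds into bearer bonds.".encode("utf-16-le"),
        "FILE0001.CHK": b"\x00\x00recovered fragment: offshore holdings\x00\x00",
        "readme.txt": b"Nothing to see here.\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(format_report(hotword_scan(root, load_hotwords(HOTWORD_FILE))))
```

Each hotword is counted independently, so a list containing both "wire" and "wire transfer" reports both; a triage report wants the count, not a first-match-wins alternation. Counting on raw bytes rather than decoded text is what lets the same pass cover text files, binary documents and recovered fragments with embedded NUL bytes, as in the .CHK sample.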