ASG Advanced Surveillance Group, Inc.

Computer Forensic Definitions

Computer Definitions

INTERNET PROTOCOL ADDRESS (IP)

The Internet Protocol (IP) Address is a unique address issued to a computer by the Internet service provider for the period that the computer is connected to the Internet. No two computers can have the same address at the same time. The IP address is made up of 4 groups of numbers, or octets, and each octet can be from 0 to 255. An example is 255.255.255.255. Again, this IP address is as unique as a house address. No two houses can have the same address. To paint a picture, I will explain how the process works. When your computer attempts to connect to the Internet, either manually by dial up, or automatically via cable or DSL, the computer actually starts to communicate with your Internet service provider (ISP). This is the company you purchase your monthly access from, such as AOL, Earthlink, Comcast Cable, etc. For the purpose of explanation, I will use Comcast Cable Communications (CCC) as the ISP for my example. When you attempt to go online, your computer will communicate with a “SERVER” computer at CCC. Your computer will ask for an IP address so that it can access the Internet. CCC verifies your computer’s right to that access, and will then issue the IP address, thereby connecting you to the Internet. Once you turn your computer off, the IP address is relinquished. It is possible to get the same IP address on different occasions, although it is not very likely. In the case of ISPs that provide service via cable, such as CCC, it is possible to hold the same IP address indefinitely, depending on your type of account and connection. Each ISP either purchases or leases a range of IP addresses to issue to its customers based on rules and guidelines mandated by an organization called ICANN.

This IP address is attached to every email that is sent from a computer. When an email is sent, it passes through a minimum of 2 computers, and more usually at least 4. Each of these computers tags the email with its IP address, allowing a qualified expert to trace the exact path of the email. In some instances, the expert can then utilize Internet Profiling techniques to further identify the sender. When this profiling does not work, or as a basis for more conclusive proof, a subpoena can be issued to the ISP compelling them to provide subscriber information for the computer connected to the IP address at the date and time specified.
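The tagging described above is done with "Received" headers: each server that relays the message adds one at the top, so the chain reads newest first. The following is an added example, not part of the original report, that reads those headers back in delivery order. The message, host names and IP addresses are constructed (documentation address ranges), and the function names are assumptions.

```python
# Added example, not part of the original report: reading the path an email took
# from its Received headers, which each relaying server prepends. The message,
# hosts and IP addresses below are constructed (documentation address ranges),
# and the function names are assumptions.
import email
import re
from ipaddress import ip_address

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # the address a server recorded, in brackets
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)     # host that handed the mail over
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)        # server that accepted it

SAMPLE_EMAIL = """Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.25])
\tby inbound.example.org with ESMTP id AB12CD;
\tMon, 5 Jan 2004 10:15:03 -0500
Received: from smtp.example-isp.net (smtp.example-isp.net [198.51.100.7])
\tby mx.example-isp.net with ESMTP;
\tMon, 5 Jan 2004 10:14:58 -0500
Received: from user-pc (c-203-0-113-44.example-isp.net [203.0.113.44])
\tby smtp.example-isp.net with SMTP;
\tMon, 5 Jan 2004 10:14:50 -0500
From: sender@example-isp.net
To: recipient@example.org
Subject: test

hello
"""


def parse_received_chain(raw_message):
    """Return the hops in delivery order (origin first) as dicts with keys from, ip, by."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server adds its header at the top, so the list reads newest first;
    # walk it backwards to get the chronological path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                  # join folded continuation lines
        ip_match = IP_RE.search(flat)
        from_match = FROM_RE.search(flat)
        by_match = BY_RE.search(flat)
        ip = ip_match.group(1) if ip_match else None
        if ip is not None:
            try:
                ip_address(ip)                          # reject things like 999.1.1.1
            except ValueError:
                ip = None
        hops.append({"from": from_match.group(1) if from_match else None,
                     "ip": ip,
                     "by": by_match.group(1) if by_match else None})
    return hops


def originating_ip(raw_message):
    """The address recorded by the first server the sender's machine talked to."""
    hops = parse_received_chain(raw_message)
    return hops[0]["ip"] if hops else None
```

Only the headers added by servers the examiner can vouch for (the recipient's own mail server, and those it trusts) are reliable; a sender can type in fake "Received" lines below them. That is why the ISP's own connection records, obtained as the report describes, are the conclusive source rather than the headers alone.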

DATA

A computer uses machine language at its lowest level. This is the zeros and ones in a computer. The zeros and ones are utilized in such a way that they represent recognizable characters. Each zero and each one is known as a BIT. In order to create a letter, number, or other recognizable character, it takes 8 bits. In other words, to create the letter A, the computer uses a combination of 8 zeros and ones. 8 BITS are equal to one BYTE. Therefore, I can state that a typed character that you see on the screen is 8 BITS or 1 BYTE. In the example of the word “DEFINITION”, it would be a total of 10 bytes in length. 1024 bytes equals 1 KILOBYTE. This is important to understanding how data occupies space, and monumental in understanding how data gets somewhere on a computer, stays there after deletion, or is wiped from there.

HARD DRIVE STRUCTURE

A hard drive cannot just be an unorganized open space containing bits and bytes. It must be structured in such a way that data can be found efficiently. To this end, a hard drive is divided up into small spaces that can then be referenced by the Operating System to more efficiently find data and bring it to the user. The smallest space created on a hard drive is called a SECTOR. A sector is always 512 bytes in size. Another way to say this is that there can be 512 letters or other characters in one sector, but no more.

To give an idea of how big this is, let us look at the following paragraph:

Here lived once upon a time a wicked prince whose heart and mind were set upon conquering all the countries of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage.

The above paragraph contains exactly 512 characters and therefore, is 512 bytes or 1 sector in size. As a comparison, the subject hard drive contains 156,280,257 sectors.

The next division that exists on a hard drive is a CLUSTER. A cluster is a collection of SECTORS. The exact number of sectors in a cluster can vary depending on the size of the hard drive, the operating system used, and the user’s preference. A very common cluster size is 4 Kilobytes. In that case, the cluster would hold 8 sectors. In the case of the subject hard drive, the cluster size was 4 KB, meaning there were 8 sectors inside each cluster. As mentioned before, clusters are a collection of sectors. The smaller the cluster (fewer sectors), the more efficient the use of hard drive space; the larger the cluster (more sectors), the easier it is to catalogue and retrieve data. Put another way, a Sector would be like a desk drawer, and a Cluster would be like the entire desk. Clusters are usually what we talk about when we talk about hard drive space, and so from this point on, I will be referring to clusters; in the case of the subject hard drive, the cluster size is 4 KB.

Given the explanation above, let us look at the paragraph below.

Here lived once upon a time a wicked prince whose heart and mind were set upon conquering all the countries of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage; but also there the soldiers followed her, and when they found her, she served as new nourishment to their diabolical enjoyments; demons could not possibly have done worse things than these soldiers!

This paragraph contains 711 characters, or bytes. In the case of the subject hard drive, the red at the left below would represent a proportional amount of the above text as it would occupy a cluster. The blue in our example below indicates SLACK SPACE which we will explain later in this report.

In the case of photographs, they take up much more space than a set of text. A relatively small picture as may be found on the Internet could be in the range of 5-40 KB. The photo below is actually 24 KB in its native form on the Internet.

At 25 KB, in my example below, it would occupy the space indicated in red in the cluster.

SLACK SPACE

As stated before, the red indicates the above picture on a hard drive. You can see that it doesn’t cover the entire 7th cluster. When Windows stores a file, it fills as many clusters as needed, but except in the rare instance of a perfect fit, a portion of the final storage cluster will be left unfilled with new data, as indicated by the blue. The space between the end of the file and the end of the cluster is called SLACK SPACE or FILE SLACK as indicated in blue.

Using another explanation, suppose your office uses 500-page notebooks to write out all documents. It is your office policy that no two documents will share a notebook. One document, one notebook. If your document is only 10 pages long, you must dedicate an entire notebook to the task. Once in use, you can add another 490 pages, until the notebook won't hold another sheet. For the 501st page and beyond, you have to use a second notebook. The difference between the last word of the document and the end of the notebook is its slack space. Smaller notebooks would mean less slack, but you'd have to keep track of many more volumes.

It is important to understand that the slack space I am talking about is viewed by the computer as used space, even though it may be empty. In some cases, this can mean that even though a hard drive is deemed to be full, it actually has as much as 40% of empty space.

For the purposes of my explanations, I will refer to data in two ways: Resident Data, which is data that currently exists on the hard drive in its normal form, and Deleted Data, which is data that has been deleted.

DATA DELETION

DELETED files and data refer to files and data that a user has deleted by normal means. In other words, files and data that the user has sent to the Recycle Bin on the desktop. It further refers to any of the data that would then be emptied from the Recycle Bin. At this point, most people would believe the data is truly gone forever. In actual fact, it becomes relegated to a portion of the hard drive called UNALLOCATED SPACE. This space is the space of the hard drive that a user cannot see. If you have a 20 GB hard drive, but you have only stored 5 GB of data on it, the other 15 GB is called UNALLOCATED SPACE.

MASTER FILE TABLE

When deletion of a file occurs, the file doesn’t actually disappear. As I explained earlier, the clusters hold specific files. Given that hard drives have millions of clusters, the computer needs a way to find a specific one. The way it does this in the case of the subject drive is through the use of a MASTER FILE TABLE or MFT for short. This MFT is basically a table of contents that points to individual clusters. If a user creates the file in my example above, and calls it The Little Prince, it will be saved to a space covering one cluster. We will say for the sake of explanation that it saved the document to cluster number 3,000,000. An entry will now be made in the MFT so the next time I double click on the icon to open the document, the computer will be told by the MFT where to go to find it. If I then delete the document or reformat the drive, it will still exist on cluster 3,000,000, but the entry in the MFT is what actually gets removed. Once the MFT has had the document reference removed, the computer no longer knows where to go and look for it. As well, the computer is told that it is perfectly OK to place a new document on cluster 3,000,000. BUT, until it actually does, the old data is still there. With my expertise and specialized software, I am able to access the Unallocated Space and find the document based on various parameters. I can also use that software and expertise to actually restore the once deleted file to usable status again.

Let us take this explanation one step further. Let us suggest that I had deleted the file mentioned above, or reformatted the entire drive. At some point, I then created a new document as below.

Mary had a little lamb, its fleece was white as snow. Everywhere that Mary went, the lamb was sure to go.

When I saved it, through the normal allocation of space by the computer, it got saved to cluster 3,000,000. It is actually only 105 characters, or bytes in size. However, based on the explanation outlined above, the entire cluster is set aside for the document. When this occurs, the first 105 bytes of the cluster have now been overwritten by the new data, but the rest of old data in the Slack Space is still present. As well, because the cluster now houses a new document of 105 bytes, the rest of the cluster will never be overwritten by anything else, meaning that the old data will always be there to find, at least until the new document is deleted. To give a further graphic representation of what I have just explained, I will show the cluster allocation again below.

As you can see, my new document (in green) has covered up some of the old document that used to exist there. From the above picture, the cluster indicated now cannot be written to by anything else. I can still then recover the old information that exists in what is now the new Slack Space. Below is a depiction of how the document would look in my forensic program. This will make things easier to understand. The only data placed below is the data that exists on the one cluster.

Mary had a little lamb, its fleece was white as snow. Everywhere that Mary went, the lamb was sure to go.es of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage.

As you can see, even though I deleted a document and wrote another document on top of it, I can still see most of the old document.
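To make the sequence above concrete (cluster allocation, the table entry that is all deletion removes, and the old text surviving in the slack of the new file), the following is an added example and not part of the original report. It is a toy model: sizes follow the report (512-byte sectors, 8 sectors per 4 KB cluster), but ToyVolume and its methods are assumptions, fresh clusters are taken to be all zero, and the two sample texts are the report's own with straight quotes so that each character is one byte.

```python
# Added example, not part of the original report: a toy model of the cluster,
# table-of-contents and slack-space behaviour explained above (assumed design).
SECTOR_SIZE = 512
CLUSTER_SIZE = 8 * SECTOR_SIZE          # 4096 bytes, as on the subject drive


def clusters_needed(size):
    """Whole clusters set aside for a file of `size` bytes (a 1-byte file still takes one)."""
    return max(1, -(-size // CLUSTER_SIZE))


def slack_bytes(size):
    """Bytes at the end of the last cluster that the file's own data does not fill."""
    return clusters_needed(size) * CLUSTER_SIZE - size


class ToyVolume:
    """A byte array of clusters plus a table (standing in for the MFT) that maps
    each file name to the first cluster it occupies and its length in bytes."""

    def __init__(self, cluster_count):
        self.disk = bytearray(cluster_count * CLUSTER_SIZE)   # constructed: all zero to start
        self.table = {}                                       # name -> (first cluster, length)

    def _busy(self):
        busy = set()
        for first, size in self.table.values():
            busy.update(range(first, first + clusters_needed(size)))
        return busy

    def save(self, name, data):
        """Write into the first free run of clusters. Only len(data) bytes are written;
        whatever already sat in the rest of the last cluster stays there."""
        need, busy = clusters_needed(len(data)), self._busy()
        total = len(self.disk) // CLUSTER_SIZE
        first = next(c for c in range(total - need + 1)
                     if not any(c + i in busy for i in range(need)))
        start = first * CLUSTER_SIZE
        self.disk[start:start + len(data)] = data
        self.table[name] = (first, len(data))
        return first

    def delete(self, name):
        """Deletion removes the table entry only; the cluster bytes are untouched."""
        del self.table[name]

    def read(self, name):
        """What the user sees: exactly the bytes the table says belong to the file."""
        first, size = self.table[name]
        return bytes(self.disk[first * CLUSTER_SIZE:first * CLUSTER_SIZE + size])

    def slack(self, name):
        """File slack: from the end of the file's data to the end of its last cluster."""
        first, size = self.table[name]
        end = first * CLUSTER_SIZE + size
        return bytes(self.disk[end:(first + clusters_needed(size)) * CLUSTER_SIZE])

    def cluster_raw(self, cluster):
        """What a forensic viewer shows for one cluster, with or without a table entry."""
        return bytes(self.disk[cluster * CLUSTER_SIZE:(cluster + 1) * CLUSTER_SIZE])

    def search_unallocated(self, needle):
        """(cluster, offset) of `needle` in clusters that no table entry claims."""
        busy, hits = self._busy(), []
        for c in range(len(self.disk) // CLUSTER_SIZE):
            if c in busy:
                continue
            off = self.cluster_raw(c).find(needle)
            if off != -1:
                hits.append((c, off))
        return hits


# The report's two sample documents, with straight quotes so each character is one byte.
PRINCE = (
    "Here lived once upon a time a wicked prince whose heart and mind were set upon "
    "conquering all the countries of the world, and on frightening the people; he "
    "devastated their countries with fire and sword, and his soldiers trod down the "
    "crops in the fields and destroyed the peasants' huts by fire, so that the flames "
    "licked the green leaves off the branches, and the fruit hung dried up on the "
    "singed black trees. Many a poor mother fled, her naked baby in her arms, behind "
    "the still smoking walls of her cottage; but also there the soldiers followed her, "
    "and when they found her, she served as new nourishment to their diabolical "
    "enjoyments; demons could not possibly have done worse things than these soldiers!"
).encode("ascii")
LAMB = ("Mary had a little lamb, its fleece was white as snow. "
        "Everywhere that Mary went, the lamb was sure to go.").encode("ascii")


def demo():
    """Save, delete, then overwrite with a shorter file, as in the report's walkthrough."""
    vol = ToyVolume(cluster_count=16)
    prince_cluster = vol.save("The Little Prince", PRINCE)
    vol.delete("The Little Prince")
    deleted_hits = vol.search_unallocated(b"wicked prince")   # findable with no table entry
    lamb_cluster = vol.save("Mary had a little lamb", LAMB)    # lands on the freed cluster
    return {
        "prince_cluster": prince_cluster,
        "deleted_hits": deleted_hits,
        "lamb_cluster": lamb_cluster,
        "visible_file": vol.read("Mary had a little lamb"),
        "slack_after": vol.slack("Mary had a little lamb"),    # the old text begins here
        "raw_cluster": vol.cluster_raw(lamb_cluster),
    }
```

Running demo() reproduces the report's picture: read() returns only the 105-byte lamb text, while cluster_raw() of the same cluster shows that text followed by the old paragraph from "es of the world" onward, and slack() returns exactly that tail. The same arithmetic gives the 25 KB picture 7 clusters with 3,072 bytes of slack in the last one, which is why it does not fill the 7th cluster in the report's figure.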

The Windows system is designed to be blind to all information in the slack space. Searching is accomplished using a forensically sound copy of the drive and specialized examination software.

File slack is, by its very nature, fragmented, and the information identifying file type is often the first data to be obscured.

The search for plain-text information is typically the most fruitful avenue in file slack examination and an exercise often measured not in hours, but in days or weeks of review.

DATA ALLOCATION

In most cases, as a user uses a computer, the data they create, generate, download, or, in the case of the Internet, merely view gets stored on the hard drive, sometimes in more than one place. As an example, if you were to visit the webpage located at http://www.computerpi.com, you would be viewing the writer’s home page. Without doing ANYTHING else, a record has been created on your computer that you visited this page. This creation includes:

  1. Copy of the page automatically downloaded to your hard drive;
  2. Each individual picture or image on that page separately downloaded to your hard drive;
  3. The URL, or page name saved to a number of different locations on your hard drive;
  4. A reference to the page inside a file called index.dat;
  5. Dates and times of activity relative to this page.

ALL OF THIS INFORMATION IS RECOVERABLE if it has not yet been overwritten.

In the case of a document or file that you might create, for example, MyLetter.doc, not only is the original document saved to your computer when you create it, but every time you open it, make changes to it, and save it, a newer copy is basically created, although the computer only references the latest one. It is extremely common to search for a document forensically through a text string and come up with a number of various instances of it. Besides this, an entry is made in a number of different places, such as a folder called Recent Documents that shows the file was recently accessed.

RECOVERED FOLDERS

RECOVERED FOLDERS are folders that contain data that was recovered using a forensic data recovery program. In order for a file to be recovered by the program in the fashion used in this case, it must NOT be overwritten by any other data at all.

FILE WIPING

WIPING files and data is different from deleting them. A wiping program endeavours to remove any and all traces of a file from the computer in any of the areas that it may exist. In my examples above, I indicated that saving new data to an old cluster will overwrite only as much as it needs, leaving any old data still visible to the trained eye. A FILE WIPING PROGRAM will actually go to that cluster and overwrite all of the old data so as to destroy it. The file wiping program actually overwrites the file it is deleting with other data, such as zeros, or in many cases, whatever the user wants to overwrite with. A Wiping Program can contain numerous configuration options such as changing MetaData, changing or obfuscating folder and file names, and generating false names and amounts of files. There are certain places that a Wiping Program cannot access. Essentially, a file cannot be changed, deleted, etc. by an outside program if it is open and in use. This includes file wiping programs. They wipe a great many files, but they can’t do anything to any files that are currently in use, such as the Registry files and other Windows operating system files that are opened upon boot up of the computer. To further explain file wiping, below is an example of raw data from unallocated file space that has been undisturbed.

This is a chunk of deleted data that has been deleted normally, with no effort to actually wipe it:

ÿØÿà JFIF ÿÛ C #%$""!&+7/&)4)!" 0A149;>>>%.DIC<H7=>;ÿÛC ("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;; ÿÀ e ÷ " ÿÄ ÿĵ} !1A Qa"q 2?‘¡#B ±Á RÑð$3br‚ %&'() *456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…† ‡ˆŠ’“”•˜™š¢£ ¤¥¦§¨©ª²³´µ•¸¹ ºÂÃÄÅÆÇÈÉÊÒÓ ÔÕÖרÙÚáâãäå æçèéêñòóôõö÷ øùúÿÄ ÿĵw!1AQaq "2? B‘¡ #3Rð brÑ $4á%ñ   &'()*56789: CDEFGHIJSTUVWXYZcdefghijstuvwxyz‚ƒ„…†‡ˆ‰Š’“”•˜™š¢ £¤¥¦§¨©ª²³´µ•¸¹ ºÂÃÄÅÆÇÈÉÊÒÓÔ ÕÖרÙÚâãäåæçèé êòóôõö÷øùúÿÚ ?öj(¢€(¢ €(¢€ÅñW‰m¼¤}hžye•`?Ó6v®ã$ôõ8j¸ÏŠ Eö©áÛ9lÞåôýB •‚%$ˆ»?;•ÍœqÀ?Jµ¤x› P?Åð‹kðÛAÖî ‹=ÞL«Ñk T† OÌ ~^ A«øÎ{OZ ë Ù<<ï} ‘ $ÂL±òØ0 ÈÈ99(ùŽ}‘ÿ„‡âä:ö™›?* ×HòMâŒÄò cµ[¡8È탚Âñ\sÜ\jº£5ÅŸ‰ï Äz à“qn…Z0±€D?˜–cÎ p ÚõÚ̆úúçÄ7 ±Û "éÖ‘ –w$;ÎÛX*›UKw.

I know by looking at this, that it is the beginning of a picture that was deleted. If it had been wiped, the same space would look more like the following:

yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

In other words, a wipe utility works off the premise that you must overwrite every bit of information that was previously there in order to obliterate it. Wipe programs use patterns such as the above to ensure they cover everything. Patterns like this are visible. In the case of the subject hard drives, we observed no obvious instances of the above patterning.
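The check the report describes (looking for the tell-tale fill pattern in unallocated space) can be mechanised. The following is an added example, not part of the original report, that labels each cluster by whether it is mostly one byte value and lists long single-byte runs; the function names, thresholds and the sample clusters are assumptions.

```python
# Added example, not part of the original report: telling a pattern-wiped region
# from ordinary deleted data by looking for long single-byte fills, like the
# report's 'y' pattern. Names, thresholds and the sample clusters are assumptions.
from collections import Counter

CLUSTER_SIZE = 4096


def find_fill_runs(data, min_run=256):
    """Runs of one repeated byte of at least min_run bytes: (offset, length, byte value)."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i, data[i]))
        i = j
    return runs


def classify_cluster(cluster, fill_share=0.9):
    """Label one cluster by how much of it is a single byte value."""
    if not cluster:
        return "empty"
    byte, count = Counter(cluster).most_common(1)[0]
    if count / len(cluster) < fill_share:
        return "residual-data"          # mixed bytes: deleted file content still present
    if byte == 0:
        # All zeros is ambiguous: never written, or deliberately zero-filled.
        return "never-written-or-zero-wiped"
    return "pattern-wiped"              # a non-zero fill such as the 'y' pattern


def survey(unallocated, cluster_size=CLUSTER_SIZE):
    """Walk unallocated space cluster by cluster and label each one."""
    labels = []
    for idx in range(0, len(unallocated), cluster_size):
        chunk = unallocated[idx:idx + cluster_size]
        labels.append((idx // cluster_size, classify_cluster(chunk)))
    return labels


# Constructed sample clusters (not taken from the subject drives).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
DELETED_CLUSTER = (JPEG_HEAD + bytes(range(256)) * 16)[:CLUSTER_SIZE]   # deleted, unwiped picture data
WIPED_CLUSTER = b"y" * CLUSTER_SIZE                                     # overwritten with one pattern
ZERO_CLUSTER = bytes(CLUSTER_SIZE)                                      # all zeros: ambiguous
# A 53-byte file saved onto a wiped cluster: the fill survives as that file's slack.
PARTIAL_CLUSTER = (b"Mary had a little lamb, its fleece was white as snow." + b"y" * CLUSTER_SIZE)[:CLUSTER_SIZE]
SAMPLE_UNALLOCATED = DELETED_CLUSTER + WIPED_CLUSTER + ZERO_CLUSTER
```

The zero case is the caveat worth keeping in mind: a cluster of zeros looks the same whether it was never written or was wiped with zeros, so the absence of a visible pattern such as the 'y' fill is evidence against a patterned wipe, not proof that nothing was ever wiped.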

METADATA

When files are created in Windows, a number of things occur ‘behind the scenes’ that the average user is generally unaware of. One of these ‘occurrences’ is the creation of what is known as METADATA. METADATA is data added to a file that can include information such as the author’s name, program used, and most importantly for our purpose, the date and time stamps of when a file was CREATED, MODIFIED, and ACCESSED.

  • CREATED meta refers to the date and time that the file was created on a system.
  • MODIFIED meta refers to the date and time that the file was modified in some way.
  • ACCESSED meta refers to the date and time that the file was opened.

HTML – HyperText Markup Language

HTML can best be described as the programming language that creates web pages. It is programming that, when written, creates a set of sequential instructions that, when the computer reads them, displays a webpage on your screen. This does not happen all at once. The programming is read from top to bottom, and this can best be seen with a slow dial up Internet connection, when you can watch the page load from top to bottom. If the writer inserts some extra programming within the HTML, called JAVASCRIPT, he or she can cause an automatic action to occur. If the action is to open up a new window with an advertisement in it, this is what will happen once the HTML code is read to the point that the JAVASCRIPT starts.

POPUP

A POPUP is a page or window - usually small - that pops up either when a link or linked item is clicked, or by some automatic or other stimulus. POPUPS are (in many cases) JAVASCRIPT codes and there are many different varieties.

You can have a POPUP that will load when you first visit a page, or when you exit a page and ones that are timed (to popup in xx seconds after the page is loaded). As opposed to the usual POPUPS (that you see), there are also "POPUNDERS" that you won't see until you close the pages, because they open behind all the pages (and they can also be creating other POPUPS behind the scenes). A single HTML page can have numerous POPUP codes in it, so when visiting one page, you can suddenly find a dozen POPUPS on your screen, and even more when you exit the page. This is not yet counting any POPUP code that may be inserted in the new pages that have popped up.

POPUPS are really only HTML pages that are configured to open at a specific height and width, so the POPUPS themselves can have a JAVASCRIPT to create even more POPUPS. That's why you can find yourself visiting a site, and be utterly hammered with them. Those POPUPS can also have exit POPUPS, such that when you close them, another POPUP appears, then another, then another, and so on, until your browser may even eventually crash due to the data volume.

JAVASCRIPT

JAVASCRIPT is a programming language that can cause automated functions to occur, most usually as it is read through the loading of a web page. In the example of many web page pop ups, and especially in the cases of pornographic websites, as a webpage is loaded, it will start reading its code from top to bottom. When it reaches the JAVASCRIPT part of the programming, a pop up will occur. In many cases, there can be JAVASCRIPT programming in the new page that pops up. This will cause yet another pop up. With this method, you can see how entering one page can cause numerous other pages to load automatically. As previously indicated in this report, everything that is displayed on your computer screen is subsequently downloaded to your computer without your intervention or specific action. Numerous continuous popups appearing one after another in rapid, automatic fashion are called a POPUP ATTACK.
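Because the page copy is cached on the hard drive (see DATA ALLOCATION), an examiner can read the saved source and count how many windows it would have opened on its own versus on a click. The following is an added example, not part of the original report, that does that count by trigger; the class and function names, the regular expressions and the sample page are assumptions, and the timer detection is a simple heuristic rather than a JavaScript parser.

```python
# Added example, not part of the original report: an audit of saved page source
# that counts window.open() calls by what triggers them. Names, regexes and the
# sample page are assumptions; the timer check is a heuristic, not a JS parser.
import re
from html.parser import HTMLParser

OPEN_RE = re.compile(r"\bwindow\.open\s*\(")
TIMED_OPEN_RE = re.compile(r"\bset(?:Timeout|Interval)\s*\([^;]*?window\.open\s*\(")
EXIT_EVENTS = {"onunload", "onbeforeunload"}
USER_EVENTS = {"onclick", "onmousedown", "onmouseup", "onkeydown", "onkeypress", "onsubmit"}


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and on*="..." attributes from page source."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []     # code of each inline <script>
        self.handlers = []    # (tag, event attribute, code)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        for name, value in attrs:
            if name.startswith("on") and value:
                self.handlers.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def audit_popups(html):
    """Count window.open() calls by trigger: at load, on a timer, on exit, on user action."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {"load": 0, "timed": 0, "exit": 0, "user": 0, "other": 0}
    for code in collector.scripts:
        opens = len(OPEN_RE.findall(code))
        timed = len(TIMED_OPEN_RE.findall(code))   # heuristic: open() inside a timer call
        report["timed"] += timed
        report["load"] += opens - timed             # the rest run as the page is read
    for _tag, event, code in collector.handlers:
        opens = len(OPEN_RE.findall(code))
        if not opens:
            continue
        if event in EXIT_EVENTS:
            report["exit"] += opens
        elif event == "onload":
            report["load"] += opens
        elif event in USER_EVENTS:
            report["user"] += opens
        else:
            report["other"] += opens
    report["automatic"] = report["load"] + report["timed"] + report["exit"] + report["other"]
    return report


# Constructed page source for the demonstration (not a real site).
SAMPLE_PAGE = """<html><head><title>gallery</title>
<script>
window.open("ad1.html", "a", "width=200,height=100");
setTimeout(function () { window.open("ad2.html", "b", "width=200,height=100"); }, 5000);
</script>
</head>
<body onunload="window.open('exit.html', 'c')">
<a href="full.html" onclick="window.open('full.html', 'd'); return false;">thumbnail</a>
</body></html>
"""
```

For the sample page the audit reports three automatic windows (one at load, one timed, one on exit) and one that needs a click, which is the distinction that matters when explaining how content arrived on a drive without the user asking for it.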

NORTON UTILITIES

NORTON UTILITIES is a suite of programs created by Symantec Corporation. The suite of programs is generally used for things such as Anti Virus protection, computer problem correction, disaster recovery, etc. The following is a list of the programs residing in the particular suite of software used by the subject.

  • CleanSweep - Used for the safe and clean installation and uninstallation of programs.
  • Norton Image - Used to make duplicate copies and backups of hard drives.
  • Disk Doctor - Monitors computer workings to warn about pending problems and fix them.
  • File Compare - Used to compare two files to determine changes between them.
  • Optimization Wizard - Used to make changes to your computer to optimize performance.
  • Registry Editor - Allows user to change parameters of registry. (Central Nervous System of Computer)
  • Registry Tracker - Allows user to track changes to registry calls.
  • System Checker - Checks system for problems and conflicts.
  • System Doctor - Gives user ability to change and repair problems.
  • Utilities - Program that manages all of the sub programs of the Norton Suite.
  • WipeInfo - Used to permanently remove data.
  • Rescue Disk - Used to create boot disks to restore a computer that has stopped working.
  • Speed Disk - Used to optimize the disk through boot sequence, defragmentation, etc.

FILE EXTENSION

In relation to computer files, a FILE EXTENSION is an addition to the file name in the form ".xxx" where "xxx" represents a limited number of alphanumeric characters depending on the program that created them. The FILE EXTENSION allows a file's type or format to be described as part of its name so that users can quickly understand the type of file it is without having to open or try to use it. The FILE EXTENSION also helps an application program recognize whether a file is a type that it can work with. For example, picture.jpg would be a picture file, as indicated by the extension .jpg. Picture.txt would be a text document as indicated by the extension .txt. In other words, these extensions at the end of a filename refer to the type of file it is. This information is used by your operating system to launch an appropriate program when you click on the filename.

.JPG EXTENSION

The .JPG file extension stands for Joint Photographic Experts Group and can be expressed in an extension as both .JPG and .JPEG. It is a standardized image compression mechanism designed for compressing photographic images, often for use on the Web. JPG is "lossy," meaning that the decompressed image is not quite of the same quality as the original image. There are many viewing programs that will display .JPG images, including Internet Explorer. Put simply, a .JPG file will be a picture of something.

.BMP EXTENSION

The .BMP file extension stands for BitMap, and was designed by Microsoft. It is an inefficient way of displaying images on the Internet because it does not compress the images, thereby making them usually quite large. They will be used for small images on the Internet or are sometimes used to display THUMBNAILS. Put simply, a .BMP file will be a picture or created graphic image of something.

.GIF EXTENSION

The .GIF file extension stands for Graphic Interchange Format and is a common format for image files, especially suitable for images containing large areas of the same colour. .GIF format files of simple images are often smaller than the same file would be if stored in .JPG format, but GIF format does not store photographic images as well as .JPG. .GIF images are widely used as the format of choice for Internet icons and buttons. Put simply, a .GIF file will be a created graphic image of something.

.DLL EXTENSION

Short for Dynamic Link Library, a .DLL file is a file that contains executable functions or data that can be used by a Windows application. Typically, a DLL provides one or more particular functions and a program accesses the functions by creating either a static or dynamic link to the DLL. A static link remains constant during program execution while a dynamic link is created by the program as needed. DLLs can also contain just data. As one example, a .DLL can contain all of the possible selectable options for a drop down list in a program.

FILE HEADERS

A FILE HEADER is a unit of information that precedes a data object (the contents of any particular file). As regards resident files on the subject’s computer, a FILE HEADER is a region at the beginning of each file where information about that file is kept. The file header may contain the date the file was created, the date it was last updated, and the file's size. More importantly, it also dictates the type or format of the file. The first few characters of a FILE HEADER show the computer where to start reading the file from, and how to view it, among other things. The FILE HEADER can be accessed only by the operating system or by specialized programs such as forensic analysis software. Similarly, for our purposes, a FILE FOOTER describes the last few characters of a file. This will indicate to the computer that this is the end of the file it is reading. Much like a capital letter at the beginning of a sentence tells you this is the beginning of the sentence, and much like a period tells you that you have reached the end of a sentence, so a FILE HEADER and FILE FOOTER indicate to the computer the beginning and end of a particular file. The FILE HEADER of a particular file type is always the same. For example, in the case of a .JPG file, the first few characters of the FILE HEADER look like this: ÿØÿà..JFIF and the FILE HEADER for an .XLS file (Microsoft Excel Spreadsheet) looks like this: ÐÏ.ࡱ.á

In the case of a FILE FOOTER, these do not necessarily have to end with the same set of characters, although that is the norm. A .JPG FILE FOOTER looks like this: ÿÙ
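The headers and footers quoted above are what lets an examiner identify a file regardless of its name (FILE EXTENSION) and pull deleted pictures out of unallocated space. The following is an added example, not part of the original report, that does both: it identifies a file from its first bytes (the report's ÿØÿà..JFIF and ÐÏ.ࡱ.á correspond to the byte values used here, and the GIF and BMP signatures are the published ones), compares that with the extension in the file name, and carves JPEGs from a buffer by header and footer. The function names and the sample buffer are assumptions.

```python
# Added example, not part of the original report: file identification by header
# bytes, an extension-versus-header check, and header/footer carving of JPEGs.
# Signatures are the published ones; function names and the buffer are assumptions.
SIGNATURES = {
    # type: (header bytes, footer bytes or None when the format has no fixed trailer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                   # the report's ÿØÿ... and ÿÙ
    "gif": (b"GIF8", None),                                  # "GIF87a" / "GIF89a"
    "bmp": (b"BM", None),
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),      # the report's ÐÏ.ࡱ.á (OLE2 container,
}                                                            # also used by .doc/.ppt of that era)


def identify(data):
    """Type implied by the first bytes, or None if no known header matches."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_of(filename):
    dot = filename.rfind(".")
    return filename[dot + 1:].lower() if dot != -1 else ""


def check_extension(filename, data):
    """Compare the extension a file advertises with what its header says it is."""
    declared = extension_of(filename)
    actual = identify(data)
    aliases = {"jpeg": "jpg"}
    mismatch = actual is not None and aliases.get(declared, declared) != actual
    return {"declared": declared, "actual": actual, "mismatch": mismatch}


def carve(buffer, kind="jpg"):
    """(offset, bytes) for every header-to-footer span of `kind` found in buffer."""
    header, footer = SIGNATURES[kind]
    if footer is None:
        raise ValueError(f"{kind} has no fixed footer; carve it by declared length instead")
    found, pos = [], 0
    while True:
        start = buffer.find(header, pos)
        if start == -1:
            break
        end = buffer.find(footer, start + len(header))
        if end == -1:
            break                               # header with no footer: a truncated remnant
        end += len(footer)
        found.append((start, bytes(buffer[start:end])))
        pos = end
    return found


# Constructed unallocated-space buffer: two small JPEG-shaped objects, a text
# remnant and an OLE2 header, separated by zero fill. Payload bytes avoid 0xFF so
# the first ÿÙ after each header is that object's own footer.
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(1, 64)) + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + bytes(range(64, 128)) + b"\xff\xd9"
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(32)
UNALLOCATED = bytes(100) + JPEG_A + b"slack text" + OLE + bytes(20) + JPEG_B + bytes(50)
```

Taking the first ÿÙ after a header is the simplest carving rule and is good enough for the constructed buffer, but a real JPEG may carry an embedded thumbnail with its own ÿÙ, so a production carver validates the object it has cut (for instance by decoding it) before trusting the boundary.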

COOKIES

A COOKIE is a piece of information sent by a Web server in the form of a text file to a user's browser. (A Web server is the computer that "hosts" a Web site, and responds to requests from a user's browser, like Internet Explorer.) COOKIES may include information such as login or registration identification, user preferences, online "shopping cart" information, or in most cases, merely the fact that the site was visited, etc. The browser saves the information, and sends it back to the Web server whenever the browser returns to the Web site. The Web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses. Browsers may be configured to alert the user when a cookie is being sent, or to refuse to accept cookies. Some sites, however, cannot be accessed unless the browser accepts cookies. A user does NOT need to specifically visit a page to get a COOKIE from that website. A user can be visiting a site at www.magnets.com and if that webpage has a banner ad for a different website, that banner could place a COOKIE on your computer even if you have not clicked on the banner or visited the site that the banner points to. The maximum size for a COOKIE is 4 KB.

THUMBNAILS

A THUMBNAIL is an image you frequently find on Web pages. Usually photo or picture archives will present a THUMBNAIL version of their contents (makes the page load more quickly) and when a user clicks on the small image a larger version will appear. Sometimes these links will be to a new page containing the larger graphic and other times right to the image directly. In some cases, the THUMBNAIL can be very misleading in that it doesn’t actually take you to the picture you originally see. It can actually take you to an entirely different site. This is seen very frequently on pornographic websites.

TOPLISTS

A TOPLIST is a script driven site with a long list of links to other websites. The links change their order every few minutes based on which website is sending the most traffic (or users) to the site. The objective is to send enough traffic to the site to stay near the top of the list without being the person sending the most traffic. The sites listed closest to the top of the list will usually get the most traffic, as that is what the user sees first. Usually there will be a descriptive link or picture with two numbers next to it.

The last site the traffic came from may not have been what the user was looking for. It may have been a site full of blondes when the user was looking for a picture of what looked like their ex-girlfriend who was a brunette. The “better” TOPLISTS offer the user all the different subject flavors to make the best use of the new traffic they get. The idea of TOPLISTS is simple. If a website wants to succeed in the industry, it can't do it alone. It needs to build a network of sites that exchange links with one another. Exchanging links with other sites is the most basic promotion strategy used on the Internet.

TOPLISTS are legendary for the POPUP attacks they can spawn. It is not uncommon for a TOPLIST to generate 10-20 or more webpages that will automatically open all at once on a user’s screen. It is also not uncommon for a TOPLIST to have in excess of 30 THUMBNAILS on it. If that TOPLIST generates a POPUP ATTACK of 10 pages on a user’s computer, and each page has 30 THUMBNAILS, that is a total of 300 pictures which, as explained before, are automatically downloaded to the user’s computer unknown to the user. Given that the user has no control over what pages appear in a POPUP ATTACK, it is easy to see how unsolicited pictures of all types could come to reside on a computer hard drive.

In a vast majority of cases on the Internet, especially pornography, these images and links don’t actually lead to what they suggest they are linking a user to.

TGP

TGP stands for Thumbnail Gallery Post. A TGP is a website (or a page on one) used to convey a large number of images in a limited amount of space and bandwidth. It places many small thumbnail images on a single page, each of which can be expanded, often in a popup window, into the full-size picture. This conserves space on the page as well as download time, since the visitor browses the thumbnails and selects only the images to view at full size. In the vast majority of cases on the Internet, especially pornography, these sites lead to POPUP ATTACKS. In many cases the images and links also do not lead to what they claim to be linking the user to. TGPs are very frequently linked to and from TOPLISTS, and are frequently seen as automatically generated POPUPS.

WINDOWS REGISTRY

The best way to describe the WINDOWS REGISTRY is to suggest that the computer is like a body. A body has many, many functions, including moving body parts, breathing, keeping the heart beating, etc. What keeps these happening? Well, in a nutshell, it is the Central Nervous System. The brain has the thought or instruction and the order is carried out based on a default set of values that have been programmed, such as hunger, movement, etc. The nerves issue the instruction and if everything goes well, the task gets completed.

In a computer, the WINDOWS REGISTRY plays the role of the Central Nervous System. It is a central database of configuration settings that Windows and nearly every installed program consult to decide how to behave, so almost everything on the machine depends on it. It is also very susceptible to injury, just like the body. The difference is that if you cut your body you usually know about it right away, whereas if the WINDOWS REGISTRY is damaged you may not become aware of it for days, weeks or months.

Windows consults the WINDOWS REGISTRY constantly, virtually from the moment the computer is turned on. How do programs such as the Anti Virus open at startup? Because the WINDOWS REGISTRY lists them (under keys named Run) as programs to launch when a user logs on. When a user double-clicks an icon, how does the computer know which program to open the file with? Again, the WINDOWS REGISTRY, which records which program is associated with each file extension. There is virtually no part of a computer that the Registry does not touch. Many viruses, Trojan programs and worms alter the WINDOWS REGISTRY so that their malicious code is started automatically every time the computer boots; for that reason the Run keys and similar startup entries are among the first places a forensic examiner looks.

As an example of what a WINDOWS REGISTRY entry looks like, here is the value that controls which page is displayed when a user opens their Internet browser, such as Internet Explorer. In the Registry Editor you first navigate through a set of folders (called keys) much as you would in Windows Explorer. For Internet Explorer the settings live under the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. When you reach that key, a list of values is shown, and the value that controls the default home page looks like this when exported from the Registry Editor:

"Start Page"="http://www.xxxxxxxxxxx.com/" (where the xxxxxxxx is the name of the start page).

A Start Page value that points somewhere the user never chose is a common sign that adware or a browser hijacker has been installed, and is another way unsolicited content can appear on a computer without the user asking for it.
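The following Python script is an added example, not part of the original page or a tool of the agency. It parses the text format that the Registry Editor produces when a key is exported (a .reg file), then pulls out the two things discussed above: the Internet Explorer Start Page value and every program registered under the Run keys to start automatically at logon. The sample export embedded in the script is constructed for illustration and is not taken from a real machine; the rule that flags autostart programs launched from a Temp folder as worth a closer look is an assumed heuristic, not a rule from the page.

```python
"""Parse a Windows Registry export (.reg text file) and report the Internet
Explorer start page plus the programs registered to run automatically at logon.

Added example for this page; the sample export below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> data}

# Constructed sample of a Registry Editor export. A real export written by
# Windows is UTF-16 with a byte-order mark; read it with
# open(path, encoding="utf-16") and pass the decoded text to parse_reg().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"Search Page"="http://www.example.com/search"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\avtray.exe\" /minimized"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\WINDOWS\\system32\\sndtray.exe"
"Updater"="C:\\WINDOWS\\Temp\\update.exe"
"Timeout"=dword:0000001e
'''

IE_MAIN = r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
RUN_KEYS = (
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
)
# Assumed heuristic: a logon program living in a Temp folder is unusual for
# legitimate software and deserves a closer look.
SUSPECT_DIRS = ('\\temp\\',)

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [path] or [-path] (delete)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')    # "name"=data or @=data


def _logical_lines(text: str):
    """Join hex data that the exporter wrapped across lines with a trailing backslash."""
    buf = ''
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ''
        if line.endswith('\\'):          # continuation only ever ends a hex line
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def decode_data(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])                 # REG_SZ string
    if raw.lower().startswith('dword:'):
        return str(int(raw[6:], 16))               # REG_DWORD, stored as hex
    return raw                                     # hex:/hex(n): left undecoded here


def parse_reg(text: str) -> RegTree:
    tree: RegTree = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(2))
            tree[current][name] = decode_data(m.group(3))
    return tree


def lookup(tree: RegTree, path: str) -> Dict[str, str]:
    """Case-insensitive key lookup, since registry paths are not case-sensitive."""
    want = path.lower()
    for key, values in tree.items():
        if key.lower() == want:
            return values
    return {}


def start_page(tree: RegTree) -> Optional[str]:
    return lookup(tree, IE_MAIN).get('Start Page')


def autostart_entries(tree: RegTree) -> List[Tuple[str, str, str]]:
    """Every (key, value name, command) registered under the Run keys."""
    return [(key, name, cmd) for key in RUN_KEYS for name, cmd in lookup(tree, key).items()]


def suspicious_autostarts(tree: RegTree) -> List[Tuple[str, str, str]]:
    return [e for e in autostart_entries(tree) if any(d in e[2].lower() for d in SUSPECT_DIRS)]


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    print('Start Page:', start_page(reg))
    for key, name, cmd in autostart_entries(reg):
        flag = '  <-- check' if (key, name, cmd) in suspicious_autostarts(reg) else ''
        print(f'{key}\\{name} = {cmd}{flag}')
```

On the constructed sample the script reports the start page and lists five Run entries, flagging the two whose commands run out of a Temp folder; the dword "Timeout" entry is listed with its decoded decimal value so that non-string data is not silently dropped.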


This site is Copyrighted ©2008. Unauthorized use in part or in full is strictly prohibited and violations will be acted upon.
Developed by Pistonbroke