Exploring Computer Operating Systems to Investigate Cyber Crime: File Systems

 by Elizabeth Hall     
Every computer that we own, from our smart phones to our laptops and video games, has an operating system contained in it, through which the user can easily interface with the computer without having to type in complex or tedious commands. This is a far cry from the early days of personal computing, which began with the Altair 8800. It was a small box with a keyboard built in, and only had 256 bytes for memory capabilities (Evans, Martin & Poatsey, 2011). Today we have phones that can fit in our pockets that are more powerful than this first model, and everyone has access to these devices along with tablets, laptops, notebooks, and desktop computing. The internet is carried in our pockets now and people are more in touch with each other over these devices than ever, doing our banking, shopping and e-mailing wherever we happen to be, whether that is at home, in our cars, or even sitting at a restaurant eating lunch.
Graph of Videos Operating System placement on computer usage (Photo credit: Wikipedia)

With these advances in technology that give us more freedom comes more vulnerability to cybercrime, as criminals have as much access to these devices as the rest of us, and true to their nature, have found ways to use the internet and these devices to commit crimes or even find victims for themselves (Knetzger & Muraski, 2008). Each of these devices utilizes operating systems that allow the user to control the keyboards, mice, and software that we cannot seem to live without. These operating systems such as Windows, Firefox, and Linux organize the files for easy access through the graphical user interface. The addition of modems and graphical applications allows the user to do more than word processing and mathematical functions, such as playing video games, and with the addition of the internet, users can share data globally.

Defining File Path
One of the most important features that allow the graphical user interface to be user friendly is the organization of the files on a computer into directories that contain folders and subfolders (Knetzger & Muraski, 2008). This allows for sharing, defining, or discovery of the exact location of a piece of information on the hard drive of a computer. This is what is commonly known as the file path. For example, if a user needs to retrieve a specific picture they can go to C:\Users\Owner\Pictures\ChoSh.jpg for a picture of the Virginia Tech Shooter should they have that specific picture. In this path, each backslash marks a folder name that a user must travel through to find the picture of Cho. The whole path is spelled out in this universal language, meaning that the Cho picture is located on the C drive, in the Users directory in a subfolder labeled Owner, which holds another subfolder named Pictures, which ultimately contains the Cho picture.

Difference between File Header and Filename Extension
In the organization of the computer’s files, the main way that the Operating System groups files is by grouping files that are all alike, such as video files, text files, image files, and those that utilize word processing or spreadsheet style files like Microsoft Excel and Word programs. A file header and a filename extension are two different paths that an Operating System can use to find a file when the user uses the search interface to locate their data. The file header is built into the coded structure of the file and in our Cho picture example would “contain the characters JFIF”, which means that the file is in the JPEG format and must use the “JPEG file interchange format” according to Knetzger & Muraski (2008). The filename extension in our Cho example is the three letters after the last period, “.jpg” to be exact. A filename extension is an identifier of the type of file, which helps the computer group the data into subdirectories of the same type of files such as .jpg, .xls, or even .doc.

The NeuronStudio graphical user interface (Windows version). (Photo credit: Wikipedia)
Use in Cyber Crime Investigation
This computer organization has the advantage that the types of files and the software that utilizes the file systems are universal to all users of the software and hardware that utilize the particular operating system (Knetzger & Muraski, 2008). In today’s modern world of global sharing, this usually means the devices that utilize operating systems such as our desktop, laptop, tablet, notebook, and smart phone computers that we cannot live without these days. Designers also make them as user friendly as possible, often making the devices capable of sharing our information between devices so that we are more connected than ever before. At the same time that these devices and all of the sharing are making our lives easier, our reliance on these devices is making law enforcement’s job easier.

A forensic investigator who knows the types of filename extensions can use the search function in the user interface to bring up all files of a given file extension or file header type quickly (Knetzger & Muraski, 2008). This works no matter which file path they are located in, even if the owner thinks they have deleted them, if the owner did not empty the recycle bin. Computer Operating Systems store data for many different reasons, with and without user knowledge, within the applications that they run. This data is useful in cyber crime investigations, because the investigator can review the history of the operations such as the last twenty or so files that have been used, history of websites visited, data in the recycle bin, or even favorite websites (Knetzger & Muraski, 2008).

Missing operating system_ {error message} (Photo credit: quapan)
Five Common Image and Video File Name Extensions
The grouping of file types by properties may include more than one type of file extension. For example, our Cho picture is an image file. Another graphical file is a file containing video. There are five common file name extensions that Operating Systems utilize with image and video files according to Knetzger & Muraski (2008). These are .avi, .mov, and .mpg for movie files, and .jpg or .bmp for images. These file extensions are useful to investigators in conducting cyber crime investigations because of the implications that a particular image or video can have in tying a suspect to a particular crime. For example, a suspect accused of being a pedophile may have images of child pornography on their computers, or an art thief may have a picture of the art, plans to the museum or gallery where the art is displayed, or a history including websites visited while researching their suspected target. A trained investigator can retrieve these files from a device easily by using the file header or file name extension (Knetzger & Muraski, 2008).
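The difference between file header and filename extension, and the five extensions listed above, can be checked together: the following is an added example (not from the original article or its sources) that reads only the first bytes of each file and reports files whose header disagrees with their extension. The sample file names and header bytes are constructed, and the QuickTime check covers only files that carry the "ftyp"/"qt  " brand.

```python
import os

ALIASES = {"jpeg": "jpg", "mpeg": "mpg"}  # alternate spellings of the same type

def sniff(header: bytes):
    """Return the type implied by a file's leading bytes, or None if unknown."""
    if header[:3] == b"\xff\xd8\xff":                      # JPEG start-of-image
        return "jpg"
    if header[:2] == b"BM":                                # Windows bitmap
        return "bmp"
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":  # RIFF container, AVI form
        return "avi"
    if header[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):  # MPEG start codes
        return "mpg"
    if header[4:8] == b"ftyp" and header[8:12] == b"qt  ":  # QuickTime brand
        return "mov"
    return None

def check(name: str, header: bytes) -> dict:
    """Compare the extension in the name with the type found in the header."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    actual = sniff(header)
    return {
        "name": name,
        "claimed": ext,
        "actual": actual,
        "jfif": actual == "jpg" and header[6:10] == b"JFIF",
        "mismatch": actual is not None and actual != ext,
    }

def scan(root: str) -> list:
    """Walk a directory read-only; list files whose header and extension disagree."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            with open(os.path.join(folder, name), "rb") as fh:
                result = check(name, fh.read(16))
            if result["mismatch"]:
                hits.append(result)
    return hits

# Constructed sample headers (not taken from any real case).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "notes.doc":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "clip.avi":    b"RIFF\x24\x00\x00\x00AVI LIST",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(check(name, head))
```

A file such as the constructed notes.doc keeps its JPEG header after being renamed, so a search by extension alone would miss it while a header check would not.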

Different File Properties for Data Files
Filename extensions are also important because the extension not only identifies what type of file it is, but also which program will open the file and allow modification of the data in the file (Utilize Windows, n.d.). This is part of the file properties and attributes assigned to the specific file, such as whether the file is an executable file, a batch file, or a command file. There are also files that are there as other specific parts of programs like .dll, .ppt, .pdf, all of which denote which programs will open specific file extension types, or have attributes that make them hidden, read only, or archived. This properties tab will also show the file’s creation date, last accessed date, and the last time that the file was modified (Utilize Windows, n.d.).

Importance of Date Modified versus Date Accessed Information
The Operating System keeps track of dates and times on your computer, and for the investigator, this can be a very important tool, note Knetzger & Muraski (2008). The date accessed tells the investigator the last time a file was opened, and the date modified tells the investigator the last time any changes were made to the file. This type of information contained in the operating system often goes unnoticed by criminals, so many times it is not adjusted or modified at all. An investigator can access these files, but should never modify any files found on a suspect’s computer or device because it can affect the credibility of the evidence in a court case or change an important element of the evidence.
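As an added illustration of the date modified versus date accessed distinction (example code, not from the original article or its sources), the following records a file's dates and a SHA-256 content hash through a read-only handle, then compares two such records to show whether handling changed the file. The file name and timestamps in the demonstration are constructed.

```python
import hashlib
import os
from datetime import datetime, timezone

def _utc(ts: float) -> str:
    """Render a filesystem timestamp as an unambiguous UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def snapshot(path: str) -> dict:
    """Record size, dates and a content hash without writing to the file."""
    st = os.stat(path)  # dates are captured before the content is read
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only handle
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "modified": _utc(st.st_mtime),
        "accessed": _utc(st.st_atime),
        "sha256": digest.hexdigest(),
    }

def changed_fields(before: dict, after: dict) -> list:
    """Name every recorded property that differs between two snapshots.

    Whether a plain read updates "accessed" depends on how the file system
    is configured, so that field alone does not show the content changed.
    """
    return sorted(k for k in before if before[k] != after[k])

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not case data
        path = os.path.join(d, "evidence.txt")
        with open(path, "wb") as fh:
            fh.write(b"original")
        os.utime(path, (1_000_000_000, 1_000_000_500))  # (accessed, modified)
        before = snapshot(path)
        with open(path, "ab") as fh:  # simulate careless handling
            fh.write(b" edited")
        print(before)
        print(changed_fields(before, snapshot(path)))
```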
In our modern, increasingly globally connected world, computers, laptops, smart phones, tablets and other devices make it incredibly easy for us to share information and do business over the internet. While this has definite advantages to our educations, commerce systems, and businesses, the criminal element of society has access to all of these tools as well, and they have found many ways to utilize computers and devices to further their criminal enterprises. A trained investigator, however, can also use the tools that can be found by utilizing the Operating System to discern information on where a suspect has visited on the internet and the most recent files that were opened and/or modified. They could even view files that may prove intent or involvement by a person using computers to commit or aid in committing a crime such as finding child pornography on a suspected pedophile’s hard drive or smart phone, or bomb making instructions on a suspected terrorist’s device.
Altair 8800 Computer with 8 circuit boards installed. The Altair floppy disk system below has a Pertec 8-inch drive. (Photo credit: Wikipedia)

They track our shopping, listening, and viewing habits, we type in our daily events, and the devices can prove location through the device’s GPS tracking abilities. In the modern day of information sharing, this is fast becoming one of the most important tools that law enforcement has at its disposal, particularly if the criminal is not computer savvy, because the evidence gained from one file can ensure that the investigator and the prosecutors’ office win the case. One of the issues arising from these advances in technology and investigation is our right to privacy, as our devices now track our every move, and the ease with which the device applications allow law enforcement to use surveillance is astonishing. It will be interesting to see how this ever-advancing technology works out for us in the end.


Evans, A., Martin, K., & Poatsey, M. A. (2011). Technology in Action (7th Ed.). Upper Saddle River, NJ: Pearson/Prentice Hall. ISBN 10: 0-13-509669-3
Knetzger, M., & Muraski, J. (2008). Investigating high-tech crime (1st Ed.). Upper Saddle River, NJ: Pearson/Prentice Hall. ISBN eBook: 0536085773
Utilize Windows. (n.d.). File Names, Extensions, Properties, and Security. Retrieved from: http://www.utilizewindows.com/pc-fundamentals/storage/331-file-names-extensions-properties-and-security