
Investigating Cyber-Crime (2013)

by

Operating Systems, Filenames and Extensions

OPERATING SYSTEMS, FILE-NAMES AND EXTENSIONS 2

Eric E. Abrego

This report examines and identifies some of the critical components of computer operating systems and how those components may serve as evidence in a cyber-crime investigation.

Today it is common to see members of our global community using recent advances in communications, software, hardware and cyber-related security. Social networking, for example, as well as personal and business banking and work and entertainment capabilities, have become the norm through use of this technology.

Cell phones, laptops, the internet and other electronic devices are the current staple for conducting electronic transactions and business and personal communications, including file sharing of electronic documents, images, music and videos, for example.

The internet and its related technology have also brought benefits to our global community; however, as technology advances, so do its negative aspects, as those with criminal intentions convert these beneficial attributes into something more insidious, such as identity theft, hacking and child pornography.

As such, law enforcement and related technicians around the world work to prevent, track and apprehend cyber-based criminals, meaning people who use computer electronics to commit crimes; those crimes can include the use of computer peripherals such as printers to produce counterfeit money, for instance. Not all computer crimes take place on the internet; some take place on the computer itself.

For the cyber-based criminal there are cyber-based investigators, or law enforcement personnel better known as computer forensic investigators. The “general tasks of these investigators involve identifying digital information or artifacts that can be used as evidence when working with electronic or digital evidence” (Nelson, Phillips, & Steuart, 2010). Parts of those tasks include the “collection, preservation, and documentation of such evidence”. Additionally, “analyzation, identification, and organization of this form of evidence” is critical to an investigation.

This paper explores various elements of computer-based evidence: the difference between a file header and a file name extension, common file name extensions used for images and videos, file paths and why they are important to high-tech crime investigators, and how operating systems keep track of several different file properties for each data file, including the importance of the Date Modified versus Date Accessed information.

What is the difference between a file header and a file name extension? Which is more useful to an investigator (more reliable)?

The terms “file header” or “file name” and “file-name extension” or “file extension” “are two key components that make up the identity of a computer file” (White, 2012). The file name serves as a way for “both the user of the file and the computer running it” to identify it, particularly when a user or the computer is searching for a given document, image, video or music file. For investigators, “there are many possibilities for what the information contained in a file header or file name extension can represent”.

Additionally, “a file header or file name is the string of text before the dot in a file that describes the contents of the file and can be made up of numbers, letters and other characters”. For instance, because this paper is an electronic document, its file name is followed by “.doc”, as in “Eric_Abrego-Unit 2–Assignment.doc”.

The file header or file name is the portion “Eric_Abrego-Unit 2–Assignment”, while “.doc” represents the type of file it is, an [MS] Word formatted document; in other words, “.doc” is considered the file-name extension. Further, “if a file header or file name is not locked, it can be renamed, since the purpose of a file header is to help identify a file for the user”.

A computer forensics expert understands that the “file-name extension is the text including and following the dot that indicates the file type”; in this instance, “it identifies the file as a document file”, i.e. a type of text file, while noting that “file-name extensions are most commonly three characters long”, e.g. .avi, .jpg, .pdf. This information, too, will prove reliable for the investigator.

Understanding file-name extensions and their functions is paramount to both the user and the computer, and for this reason it is “generally not advisable to change file-name extensions, since the computer relies on knowing or recognizing which program to use to open the file and which icon to use to display the file” (White, 2012). In other words, “changing this part of the file can result in files that can no longer be opened”; however, to the benefit of the investigator, “altered file-name extensions can also be changed back to their original format”.

List five common file-name extensions used for images and videos.

Of the various file name extensions, five common ones are used for images and videos. Among the image extensions, “JPEG” or .jpg is the most “common digital photo or graphics file format, and because JPEGs are compressed files, making file sizes smaller, this file type is popular on the Internet”.

There is also the “Bitmap” format, with a file-name extension of .bmp, representing “Bitmap graphics”; though “common to paint programs”, photo images can be converted to and stored in this format. The other image format is GIF, with the file-name extension .gif. This “Graphics Interchange Format” file type “holds low-resolution graphics or an animation” of the kind commonly seen on web pages, such as spinning or glowing text, or advertisements with moving objects, e.g. a spinning planet, a barking dog or a person walking.

Among the video formats, the file-name extension “AVI” (.avi) stands for “Audio Video Interleaved (movie files)” and is commonly associated with video shot with a cell phone’s video capability or a lower-quality digital camera, for instance.

Additionally, the “Movie” format, with file-name extension .mov, is typical of the “QuickTime or Apple movie file formats”, while the “MPEG” format is the “common movie file format that features file compression” (Knetzger & Muraski, 2008); it is also the format most commonly used on PC versus Mac computers and on most websites that contain videos, with the file-name extension .mpg. As we will see next, a file-name extension such as .mpg is located within what is known as the larger file path.
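The two questions above (what distinguishes a file header from its extension, and which image and video extensions an investigator will meet) can be worked through in code. In forensic tooling a file's header means the first bytes of its content, the signature or magic number, which is why it is the more reliable of the two: renaming a file changes its extension but not its header. The Python script below is an added example, not code from the paper or its sources; the signature bytes are the published magic numbers for .jpg, .gif, .bmp, .avi, .mov, .mpg and .doc, and the sample headers in the main block are constructed.

```python
import os

# Signatures (magic numbers) for the formats the paper lists, plus .doc.
# Each entry is a list of (offset, bytes) pairs that must all match.
SIGNATURES = {
    ".jpg": [(0, b"\xff\xd8\xff")],                     # JPEG start-of-image marker
    ".gif": [(0, b"GIF8")],                             # GIF87a / GIF89a
    ".bmp": [(0, b"BM")],                               # Windows bitmap
    ".avi": [(0, b"RIFF"), (8, b"AVI ")],               # RIFF container, AVI form type
    ".mov": [(4, b"ftypqt  ")],                         # QuickTime 'ftyp' box, brand 'qt  '
    ".mpg": [(0, b"\x00\x00\x01\xba")],                 # MPEG program stream pack header
    ".doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")], # OLE2 compound file (Word 97-2003)
}
# Alternate spellings of the same extension.
ALIASES = {".jpeg": ".jpg", ".mpeg": ".mpg"}


def identify(header: bytes) -> list:
    """Return every extension whose signature matches the leading bytes."""
    return [ext for ext, parts in SIGNATURES.items()
            if all(header[off:off + len(sig)] == sig for off, sig in parts)]


def check(filename: str, header: bytes) -> str:
    """Compare the name's extension with what the header says the file is.

    Returns 'consistent', 'unknown' (no known signature), or
    'mismatch (looks like .xxx)' when the extension disagrees with the content.
    """
    ext = os.path.splitext(filename)[1].lower()
    ext = ALIASES.get(ext, ext)
    found = identify(header)
    if not found:
        return "unknown"
    if ext in found:
        return "consistent"
    return "mismatch (looks like %s)" % ", ".join(found)


def check_file(path: str) -> str:
    """Read only the first 16 bytes, through a read-only handle, so the file is never altered."""
    with open(path, "rb") as f:
        return check(path, f.read(16))


if __name__ == "__main__":
    # Constructed headers, not real evidence: the same JPEG bytes under two names.
    print(check("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"))  # consistent
    print(check("report.doc", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"))   # mismatch (looks like .jpg)
```

A “mismatch” result is exactly the case the paper describes, an extension that was changed and can be “changed back to their original format”, and the header tells the investigator which format that was.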

What is a file path and why is it important to high-tech crime investigators?

A computer or operating system “file path” can be described as a guide that identifies a start point and a route to an end point, i.e. a certain file, such as a saved homework document “homework.doc” or a saved image for that homework, “homework.jpeg”. As understood, these two file-name extensions are contained in what is called a file path. More technically, “a file path is the exact description of where on the disk drive a file exists” (Knetzger & Muraski, 2008).

In a related example, assume there is a file called “Investigating Cyber Crimes.doc” located on the C drive within a folder called “CJ316: Homework”. An investigator or user will understand that “the Homework folder is on the first level, or root, of the C drive” and as such, “the complete file path for this file would be as follows: C:\ CJ316: Homework \ Investigating Cyber Crimes.doc”.

The “backslash character (\) represents folder levels”; meaning that if there were a subfolder named “Unit 2 Assignment” in which “Investigating Cyber Crimes.doc” was located instead, and that subfolder was located in the main folder named “Homework”, the complete file path would then be: C:\ CJ316: Homework \ Unit 2 Assignment \ Investigating Cyber Crimes.doc.

For the high-tech crime investigator, “documenting the exact file path of an evidence file or contraband file is very important”, no different from documenting where evidence was located at a physical crime scene. For example, consider finding a gun in the front room of a suspect’s house, hidden under the right side of the couch cushion. As in the example provided in the reading material, “it is not enough to say the gun was in the front room”. In this instance, “a much better description is to say the gun was located under the right side cushion of the couch that is located in the northeast side of the front room on the 1st floor” … “that degree of specificity is every bit as important with digital evidence files” (Knetzger & Muraski, 2008).

The authors Knetzger and Muraski (2008) emphasize that understanding (computer) directory structures is “vital to any first responder, especially when he or she must describe where a piece of evidence is found on a computer”, further noting that in a cyber-crime investigation “the first responder must be able to describe the exact file path where the evidence resides on the suspect computer”.

Operating systems keep track of several different file properties for each data file. List the different file properties and discuss the importance of the Date Modified versus Date Accessed information.

As part of learning and understanding the process of investigating cyber crime, or the related “computer forensics”, we understand that because the “operating system saves file properties, such as the date and time files are modified, created, or accessed”, this data contributes greatly to a cyber-crime investigation. For the investigator, the “operating system (OS) file properties offers a means of tracking when files were created, modified or deleted … and generally have a file last accessed date” (Knetzger & Muraski, 2008).

It is also important to note that often the user name or origin can be identified, as well as the “key distinctions between accessed and modified” files: the term “accessed” “merely means the file was opened or examined, but no changes were made to it”, meaning that it was not modified (Knetzger & Muraski, 2008). More importantly, “a forensic investigator should take every precaution to never make changes to (modify) the crime scene”; the authors emphasize that although “accessing the file is necessary to see what it is”, “technology crime investigators must never modify a file”.
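The file-path discussion above and the Date Modified versus Date Accessed distinction just described come together in how an investigator documents a file. The Python script below is an added example, not code from the paper or its sources: it walks an evidence folder and records each file's exact path (every folder level), size, timestamps and SHA-256 hash, opening files read-only so that Date Modified is never touched. The sample tree built in demo() is constructed to mirror the paper's “CJ316: Homework \ Unit 2 Assignment” example; in practice the walk runs over a forensic image or working copy, since merely opening a file can update its Date Accessed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass
class FileRecord:
    path: str        # exact path, every folder level included
    size: int
    modified: float  # Date Modified: last change to the content
    accessed: float  # Date Accessed: last open/read; merely examining the file can move it
    changed: float   # st_ctime: metadata change time (creation time on Windows)
    sha256: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_file(path: str) -> FileRecord:
    """Stat first, then hash through a read-only handle; the file is never opened for writing."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileRecord(os.path.abspath(path), st.st_size, st.st_mtime,
                      st.st_atime, st.st_ctime, h.hexdigest())

def inventory(root: str) -> list:
    """Record every file under root in a fixed order so the report is reproducible."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            records.append(record_file(os.path.join(dirpath, name)))
    return records

def demo() -> tuple:
    """Constructed sample tree (not real evidence); returns the records and the mtime that was set."""
    mtime = 1_600_000_000.0                      # constructed Date Modified
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "CJ316 Homework", "Unit 2 Assignment")
        os.makedirs(folder)
        doc = os.path.join(folder, "Investigating Cyber Crimes.doc")
        with open(doc, "wb") as f:
            f.write(b"constructed sample content")
        os.utime(doc, (mtime + 86_400, mtime))   # (accessed, modified): accessed a day later
        return inventory(root), mtime
```

Printing the records from demo() shows the full path, the hash that lets the evidence be verified later, and that Date Modified is unchanged by the read-only inspection.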

Among other computer-based avenues regarding file properties and data files, cyber-crime investigators understand that “ISPs [as well] may log the date, time, account user information, and ANI (Automatic Number Identification), or [even the] caller’s line identification at the time of connection” (NIJ, 2007). “If [ISP] logs are kept, they may be kept for a limited time depending on the established policy of the ISP”; as such, “in the event that no general legal requirement exists for log preservation or an ISP does not store logs that are necessary for the investigation, preparing and submitting a preservation letter” is recommended (NIJ, 2007).

CONCLUSION

In the battle to prevent cyber crime, investigators must understand the critical components of computer operating systems and how those components may serve as evidence in a cyber-crime investigation. The ability to successfully “rebuild evidence or repeat a situation to verify that the results can be reproduced reliably is just as important as collecting computers and processing a criminal or incident scene” (Nelson, Phillips, & Steuart, 2010). The key here is that these sorts of “investigations must be done systematically and for the purposes of minimizing confusion, reducing the risk of losing evidence, and avoiding damaging the evidence”.


REFERENCES

Knetzger, M., & Muraski, J. (2008). Investigating High-Tech Crime. Prentice Hall. ISBN 0131886835.

Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to Computer Forensics and Investigations (4th ed.). Belmont, CA: Cengage Learning. ISBN 9781435498839.

NIJ (2007). Investigations Involving the Internet and Computer Networks. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/210798.pdf

White, M. (2012). Difference Between a File Header & a File Name Extension. Retrieved from http://www.ehow.com/info_8481151_difference-header-file-name-extension.html

Matrix Blue Free HD Wallpaper (2013). Retrieved from http://www.wallsave.com/wallpaper/1600x1200/matrix-blue-free-hd-204485.html


Eric Abrego © (2013) Abrego Group Legal Research