Don't get me wrong: CBS's CSI (the original) is one of my favorite TV shows. But whenever Sara Sidle starts moving a mouse on a suspect's computer, or when Nick Stokes starts typing away on a victim's keyboard looking for recent e-mail, or Archie back at the lab miraculously pulls up deleted files, I'm either laughing or throwing something at the TV. I realize that Americans have short attention spans and that these dodges are done to keep the narrative moving--after all, this is a TV show about science, how unusual is that?--but the world of computer forensics is interesting in its own right.
Please, don't touch that mouse!
A few years ago, there was much debate within the computer security community about whether you should power off a computer known to be involved in a computer crime. Windows, for example, keeps a number of tasks and services running in active memory; pull the power, and that in-memory evidence is destroyed instantly (and the computer's state is changed in the process). The same is true of moving the mouse while the computer is in screensaver mode: even that changes the Windows environment slightly.
If the criminal is really savvy, there might be a logic bomb installed so that if someone tries to reboot the computer without performing a specific sequence, all the data will be erased. In one case, a forensics expert told me about a small explosive device found inside a computer case that would be triggered upon an improper reboot. Listen, if you feel you have to pull anything at a crime scene, pull the Internet or network connection plug. If the computer is broadcasting spam or viruses or is otherwise remotely controlled, there are times when you'll want that to end as soon as possible.
Fortunately, the debate over keeping a suspect's computer on or off has subsided now that professionals can apply new forensic tools on live machines.
EnCase, from Guidance Software, allows investigators and system administrators to connect to the suspect's live machine and begin making a byte-by-byte copy of the working hard drive (that is, a copy of the entire drive, used and unused portions alike), including the active portions used by Windows. Previously, forensic software required investigators to reboot into DOS in order to image a drive correctly. EnCase is used by the FBI, the U.S. Secret Service, and other government law enforcement agencies worldwide. An enterprise version of EnCase is used by some larger corporations, since 80 percent of all cybercrime is caused by corporate insiders, not outside script kiddies.
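To show what "byte-by-byte copy, used and unused portions alike" means in practice, here is the acquisition step written out in Python. This is an added illustration, not the column's text and not Guidance Software's EnCase: it reads the source end to end, writes the image, records the hash of the bytes as they were read, and then re-reads both sides to confirm the image matches before anyone works from it. The drive here is a constructed file standing in for a disk (on a real system the source would be a block device path, which is assumed and not exercised here), with a "deleted" fragment placed in an unallocated region so you can see that the image carries it.

```python
"""Added example: bit-for-bit drive imaging with hash verification.
Constructed for this column; not EnCase and not the column's own code."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read/write 1 MiB at a time


def image_drive(source, dest, chunk=CHUNK):
    """Copy every byte of `source` to `dest`, used and unused regions alike.
    Returns (bytes_copied, sha256 hex of the bytes exactly as they were read)."""
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_of(path, chunk=CHUNK):
    """Hash a file or device from scratch (a second, independent read)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source, dest, acquisition_hash):
    """The hash taken during acquisition, a fresh read of the source and a
    read of the image must all agree before the image replaces the original
    in the investigation."""
    return sha256_of(source) == acquisition_hash == sha256_of(dest)


def make_fake_drive(path, size=1 << 20):
    """Constructed stand-in for a drive: one 'live' file at the front, a
    fragment of 'deleted' data in the unallocated middle, zeros elsewhere."""
    media = bytearray(size)
    live = b"LIVE: report.doc contents"
    deleted = b"DELETED: an earlier draft of the same report"
    media[0:len(live)] = live
    media[size // 2:size // 2 + len(deleted)] = deleted  # nothing points here
    with open(path, "wb") as f:
        f.write(media)
    return path


def demo():
    """Image the fake drive and report what a practitioner would check."""
    workdir = tempfile.mkdtemp()
    try:
        drive = make_fake_drive(os.path.join(workdir, "drive.bin"))
        image = os.path.join(workdir, "drive.dd")
        copied, acquisition_hash = image_drive(drive, image)
        with open(image, "rb") as f:
            raw = f.read()
        return {
            "bytes_copied": copied,
            "verified": verify_image(drive, image, acquisition_hash),
            "deleted_fragment_in_image": b"DELETED:" in raw,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The hash recorded during the copy is the one that matters: on a live machine the disk keeps changing underneath the tool, so a later re-read of the source may legitimately differ, while the image itself must always hash to the acquisition value.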
Total data destruction
Last week, I talked about data destruction, and many readers wanted to know more. First, reformatting your hard drive will not erase the data. Reformatting replaces only the master index the system uses to look up files; you are merely removing the current index and starting over. The data files themselves remain exactly where they were on the hard drive and will stay there until new data overwrites them. So reformatting (even if you do it several times) won't erase the data on your hard drive.
As for why you should overwrite the data with ones and zeroes several times, consider this: If I lay down a new file over an old one that puts a number one where a one was before, there's no change. Programs like EnCase can sniff down through layers of changes and piece together overwritten files one or two generations back (after that, the signatures get murky). Overwrite with ones and zeroes at least seven times (the current U.S. government standard), and it becomes virtually impossible for anyone, even Archie back at the lab, to re-create evidence from your hard drive.
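The two points above (a reformat only replaces the index, while an overwrite actually replaces the bytes) are easier to believe when you can watch them happen. Here is a toy file system in Python, added for this column and not part of it, that models a drive as a flat array of blocks with the "master index" in block 0. A quick format rewrites only that block; a carve routine, which is the index-blind search a forensic tool performs, still finds the file's contents; and only a multi-pass overwrite, using the column's figure of seven passes, makes the contents unrecoverable. The block size, file names and file contents are constructed for the demo.

```python
"""Added example: why a reformat leaves data in place and an overwrite does not.
A constructed toy file system; not any real disk format and not the column's code."""
import json
import secrets

BLOCK_SIZE = 128   # bytes per block (constructed; real drives use 512 or 4096)
BLOCK_COUNT = 16   # total blocks on the toy drive
WIPE_PASSES = 7    # the column's "at least seven times"


class ToyDisk:
    """Block 0 holds the master index (name -> length and block list);
    blocks 1.. hold file data."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self._write_index({})

    # -- the index: the only thing a reformat touches --------------------
    def _read_index(self):
        raw = bytes(self.media[:BLOCK_SIZE]).rstrip(b"\x00")
        return json.loads(raw) if raw else {}

    def _write_index(self, index):
        raw = json.dumps(index).encode()
        if len(raw) > BLOCK_SIZE:
            raise OSError("index block full")
        self.media[:BLOCK_SIZE] = raw.ljust(BLOCK_SIZE, b"\x00")

    def _free_blocks(self):
        used = {b for e in self._read_index().values() for b in e["blocks"]}
        return [b for b in range(1, BLOCK_COUNT) if b not in used]

    # -- ordinary file operations ----------------------------------------
    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        blocks = free[:len(chunks)]
        for blk, chunk in zip(blocks, chunks):
            self.media[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\x00")
        index = self._read_index()
        index[name] = {"len": len(data), "blocks": blocks}
        self._write_index(index)

    def read_file(self, name):
        entry = self._read_index()[name]
        raw = b"".join(bytes(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                       for b in entry["blocks"])
        return raw[:entry["len"]]

    def list_files(self):
        return sorted(self._read_index())

    # -- the two operations the column contrasts -------------------------
    def quick_format(self):
        """Reformat as the column describes it: a fresh, empty index goes
        down; every data block keeps the bytes it already held."""
        self._write_index({})

    def secure_wipe(self, passes=WIPE_PASSES):
        """Overwrite every byte of the media `passes` times (all ones, all
        zeroes and random data in rotation, finishing with zeroes), then
        lay down an empty index."""
        size = len(self.media)
        for n in range(passes - 1):
            fill = (b"\xff" * size, b"\x00" * size, secrets.token_bytes(size))[n % 3]
            self.media[:] = fill
        self.media[:] = b"\x00" * size
        self._write_index({})

    # -- what a forensic tool does: read the raw bytes, ignore the index --
    def carve(self, needle):
        """Offset of `needle` anywhere on the media, or -1 if absent."""
        return bytes(self.media).find(needle)


def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meet at the warehouse at midnight")
    disk.quick_format()
    result = {
        "files_after_format": disk.list_files(),          # []: the index is gone
        "carved_after_format": disk.carve(b"warehouse"),  # >= 0: the data is not
    }
    disk.secure_wipe()
    result["carved_after_wipe"] = disk.carve(b"warehouse")  # -1: now it is
    return result


if __name__ == "__main__":
    print(demo())
```

The simulation models storage that overwrites in place, which is the behaviour the column's argument about layered ones and zeroes assumes; the pass count is taken from the column rather than derived here.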
Back to CSI
A final myth from CSI is that your average field investigator is skilled in evidence collection, DNA processing, medical examination, and digital forensics. In truth, there's a digital forensics specialist on call who comes out to a crime scene and specifically photographs the computer as is, makes a byte-by-byte image of the drive, powers down the computer, then labels and bags everything so that the unit can be reconstructed later, if need be, back at the crime labs. Often reconstruction is unnecessary. Once a copy of the hard drive has been burned to disc, investigators use that copy (not the original) to complete the investigation. I realize CSI is only a TV show, but with all the forensic consultants on the show, I wish they'd get the computer segments right.
What's the most boneheaded computer security thing you've seen on TV recently? Talk back to me.