Larimer performs CSI work through computer forensics
Janet Morales - May 28, 2010
This specialized safe room has powerful filters and remains pressurized when in use to protect the computer parts and information being analyzed.
CSI and all its offshoots have become very popular TV shows. Crime scene investigations show dead bodies, murder weapons and all the field and lab work that goes into deducing the facts of a crime that may have been committed.
Dan Larimer is also a crime scene investigator but generally there is no blood in the work he does. Larimer is a certified digital forensics examiner in the area of computer forensics.
Larimer, who operates S&D Enterprises on W. Reed in Moberly, says that computer forensics is “the art of data recovery in such a manner so it can be presented in court as fact.”
Larimer uses one of his recent cases as an example. An employee at a business could have been fired because porn had been found on the company computer. But before taking action against the employee, the business owner contacted Larimer to have the computer analyzed. After a thorough analysis, Larimer found a virus in the software that was placing the material on the computer, thus clearing the employee and saving the employer from a wrongful dismissal lawsuit.
Larimer said that when there is a suggestion of wrongdoing on a computer, proper steps should be taken immediately.
“It is a crime scene,” said Larimer. “If you (business owner or business IT person) poke around on it you could destroy evidence. It is crucial to maintain evidence. The biggest problem we have is they don’t preserve evidence.”
Larimer said there are definite steps that must be taken if wrongdoing or illegal activity is suspected on a computer. First he tries to find the “whole truth” about what happened that led to his being called in. He takes notes of what’s running on the computer. Then he takes photographs and documents everything about the computer, including the serial and model numbers. Then he unplugs it.
“Don’t shut it down,” he said, “unplug it. Shutting it down could cause some data to be lost.”
Larimer opens the computer and photographs the inside. He pulls out the hard drive, documents its serial number and takes a picture of it. He boots it in DOS and checks the machine’s date and time.
“It’s important to get the times straight and to keep in mind time zones,” he said.
Then he makes an image of the drive, saves it to a file and makes an exact duplicate. From this he can analyze the information to see exactly what has been taking place on the computer and exactly when.
Larimer’s motto is “You can run but you cannot hide” and the precision of what can be located on a hard drive is why he is confident in this statement. He said anything put into the hard drive, even if it is not saved, goes into a temporary file and remains there until it is overwritten.
As an example, Larimer said if a girl were to type up a long Dear John letter, read over it, then decide to back up and send a short note instead, the original longer letter would still be taking up space on the hard drive even though it was erased.
Larimer performs forensics work and the detailed reports his findings generate are then used in court, or sometimes keep parties from going to court. His findings are evidence and must be shared with attorneys of both sides.
In a divorce case, Larimer was asked to check a computer to confirm an affair by one of the spouses. Larimer was able to show that there was online contact between the party and another person which made the attorney happy … until Larimer told him that there was evidence both spouses likely were cheating. This was evidence that had to be made available to both opposing attorneys.
Larimer has a special room in his shop where he works on hard drives. He wears specialized clothes and gloves in a sterile room that has two filters. The first filters the air to 0.5 micron. The filter over the immediate work table filters it to 0.3 micron.
“One solid particle the size of cigarette smoke can crash a hard drive,” said Larimer.
The room is pressurized so no dirt can come under the door or through cracks. Everything is sealed and locked up with a strict chain of custody maintained and documented.
In the digital age, Larimer says one must be careful what is placed on a computer, even through a personal digital camera or thumb drive. All information, images and their dates and times are recorded on the computer. And should a virus or worm enter the computer, what was considered personal and private could be unleashed into the public domain of the Internet.
Larimer holds special certification to do computer forensics. He also works as a data retention and recovery specialist.
“It is interesting work to do,” said Larimer. “It’s amazing what you can learn about people.”
Disclaimer: Larimer emphasizes that he is not an attorney and nothing within should be considered legal advice.