In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that is deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device including computers, flash drives, cell phones, DVRs, etc.
To attempt to get real live reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is charge of the Forensics Division of Flashback Data.
ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.
FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.
Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.
Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep court room experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their International standard – same as FBI and DEA.
ATLB: That sounds like a lot more stuff than we can cover in one setting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.
FBD: OK
ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. Bottom line is if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally fall into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten) and we can extract a fair amount of data simply by looking through the internet history.
• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.
FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).
Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.
In addition to above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.
Continue Reading...
After a ruling last month by the Library of Congress
South by Southwest Interactive is just around the corner, coming March 11-15, 2011, and now it's time for the selection process to begin. For those of you who aren't familiar with the process check .jpg)
The Low-Profit Limited Liability Company (L3C) is the newest entity to be recognized by at least eight states and will probably be available in 
in large changes for cell phone users. The Copyright ruling spoke to several issues on circumvention, but for our discussion today, we shall discuss jailbreaking. Jailbreaking is the process of bypassing cell phone software allowing the user to purchase cell phone applications other than ones required by the cell phone manufacturer (