Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.

As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.

Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin-based Flashback Data. Will graced the pages of this blog before with this post.

We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.

Here is what Will said:

Digital Crannies.

Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!

Here are 6 random things on the menu you may find interesting:

Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.


Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tend to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.


Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:

wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all.company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded.company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home.not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you

Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!


Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).

Thumbs.db
Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)
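The "Internet History" item above turns on ordering: what John did, and when, relative to receiving the preservation letter. As an added example that is not part of Will's post, the following rebuilds that kind of activity timeline from browser history rows; the rows, hostnames and function names are constructed for illustration, and the row layout is an assumption (real exports differ by browser and tool).

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample history rows: (ISO-8601 timestamp, URL visited).
HISTORY = [
    ("2010-03-01T08:55:00", "https://mail.example.com/inbox"),
    ("2010-02-27T17:02:00", "https://www.google.com/search?q=austin+lunch+spots"),
    ("2010-03-01T09:12:00", "https://www.google.com/search?q=how+to+securely+delete+data"),
    ("2010-03-01T09:14:00", "https://forum.example.net/thread/secure-wipe"),
    ("2010-03-01T09:31:00", "https://store.example-vendor.com/eraser-tool"),
    ("2010-03-01T09:33:00", "https://store.example-vendor.com/download/eraser.exe"),
    ("2010-03-01T11:10:00", "https://search.yahoo.com/search?p=does+wiping+leave+traces"),
]

# Search engines and the query-string key that carries the typed terms.
SEARCH_ENGINES = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}


def search_terms(url):
    """Return the phrase typed into a known search engine, or None for other sites."""
    parts = urlparse(url)
    key = SEARCH_ENGINES.get(parts.hostname)
    if key is None:
        return None
    values = parse_qs(parts.query).get(key)   # parse_qs decodes '+' back to spaces
    return values[0] if values else None


def activity_after(history, event_time, window=timedelta(hours=1)):
    """Visits in (event_time, event_time + window], oldest first,
    as (timestamp, host, search terms or None)."""
    rows = []
    for ts, url in history:
        when = datetime.fromisoformat(ts)
        if event_time < when <= event_time + window:
            rows.append((when, urlparse(url).hostname, search_terms(url)))
    return sorted(rows)   # timestamps are distinct, so the sort never compares None


def searches_after(history, event_time, window=timedelta(hours=1)):
    """Only the search phrases from that window: the 'what did he look for?' question."""
    return [terms for _, _, terms in activity_after(history, event_time, window) if terms]
```

With the letter received at 09:00, the one-hour window yields the four visits from the Google search through the download, and none of the unrelated earlier browsing.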


"Wait! I deleted that. You can't see that!" - Computer Privacy and Data Recovery in the Age of Computer Forensics

In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that are deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device, including computers, flash drives, cell phones, DVRs, etc.

To attempt to get real, reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is in charge of the Forensics Division of Flashback Data.

ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.

FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.

Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.

Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep courtroom experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their International standard – the same as the FBI and DEA.

ATLB: That sounds like a lot more stuff than we can cover in one setting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.

FBD: OK

ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. The bottom line is that if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally falls into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten) and we can extract a fair amount of data simply by looking through the internet history.

• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.

FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).

Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.

In addition to the above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.


ATLB: Now, I have heard stories that a strong magnet can remove or corrupt all data on a computer hard drive. Is that true?

FBD: It was truer ten years ago than it is in 2010. Hard drive construction has become much more robust in the last decade. The sorts of magnets that a consumer or corporation will have on hand (including video degaussers) will not reliably destroy data. That’s not to say I’d let you run one over my hard drive…

ATLB: How about drilling a hole in a computer hard drive? Does that prevent anybody from retrieving data from it?

FBD: Physically damaging a drive certainly makes it more difficult. For the amateur, it will likely be impossible to recover any data. However, given enough knowledge and the right equipment, even a hard drive with a hole drilled through it might still give up a lot of secrets. The clean room engineers in our Data Recovery division make a living doing just this. In fact, we’ve recovered data successfully from hard drives that folks have intentionally set on fire, submerged in saltwater for several weeks, and repeatedly stabbed at the platters with a screwdriver.

At the end of the day, where there’s a will, there’s a way. Rolfing your hard drive with a hammer still works pretty well. But you can’t just bust up the outer case; you need to damage the internal platters. All of them. We’ve actually worked cases where folks tried to destroy their hard drives, except they only damaged some of the internal platters, and we were able to pull data off the undamaged platters just fine.

Understandably, the judges in those cases didn’t have a sense of humor about it.

ATLB: Is there a sure fire method of keeping someone from retrieving material from a hard drive short of actually physically destroying or melting the drive?

FBD: Overwriting all the data on the drive renders it unrecoverable. There are a host of applications designed to overwrite entire hard drives, many of them free. There is the possibility that some small measure of data resides in areas of the drive that are no longer accessible without specialized hardware. In that case, there is a command built into the drive’s hardware and firmware as part of the communications specification. Interested folks can Google “ATA Secure Erase” for more information.

ATLB: Are there some devices that are harder to retrieve data from than others? For example, is an iPhone more secure than a Blackberry? What about Macs vs. PCs?

FBD: A meaningful answer is probably a bit beyond the scope of this interview, although I will say it also depends on the type of data you want to retrieve. For example, the way Blackberry handles data makes deleting SMS messages from a Blackberry more secure than deleting them from, say, an iPhone. Perhaps we should punt the question and discuss it in a separate post solely dedicated to this issue? I think we can provide some good insight.

ATLB: What’s the best way to secure data? Does encryption work and if so, what kind?

FBD: Same response as the previous question. That’s a big question, and a meaningful answer is probably beyond the scope of this interview. If you’re interested, let’s revisit this question in a dedicated article.

ATLB: Can you prove who was using a computer at a particular time and what they used it for at that time?

FBD: Generally, you can’t irrefutably prove who was or wasn’t behind the keyboard based on computer evidence alone (unless they were helpful enough to capture themselves on webcam). However, you can certainly make strong inferences based on the activity you see. Checking password-protected email, looking up things that pertain to your interests to the exclusion of others, logging into secured accounts for which only you have the login information, etc. It’s all there.

A person’s computer activity also tends to fall into patterns over time, especially his or her web browsing. So, while you may not be able to state with 100% certainty that “Bob” was using the computer on a specific day at a specific time, it may be that usage of the computer at that time matches substantially with usage of the computer at previous times when Bob was known to have used it.

ATLB: What are your main suggestions for people who are concerned about their computer security and privacy?

FBD: As with physical security and privacy, determine what your objectives are and how far you’re willing to go to protect them. Most of us don’t live in an underground bunker with roving patrols of armed guards on the deck because we’ve made the decision that the threats which affect us don’t merit that amount of protection. In the same way, determine how much expense and vigilance you’re willing to accommodate to protect your data, and take the time to consult with someone who can tailor a security posture appropriate for you and your organization.

Unfortunately, out in the wild, people tend to be binary. I can’t tell you how many cases we see where folks go to great lengths to strongly encrypt their data, but then the same simple password unlocks 90% of their life. Alternatively, on the other side we see folks using multiple complex passwords for everything, but writing them all down in an unprotected Microsoft Word document and saving it someplace on their C: drive so they remember them. Both strategies are bad.

ATLB: Thanks, Will. Let’s do this again and discuss other issues, including the services that Flashback Data can provide to attorneys in litigation and in general practice, and maybe discuss what you would do if you were going to try to hide information of your own, how you would do it, and how successful you would be.

FBD: Those discussions definitely merit a separate post or two.
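The "library and card catalog" answer above (deletion removes the reference, not the data; overwriting is what actually destroys it) can be made concrete in a small model. This is an added example, not Flashback Data's code or a real file system: the disk is a list of fixed-size clusters, the table plays the Master File Table, and the 16-byte cluster size, the DOC1/END! markers and the file names are constructed for illustration.

```python
CLUSTER = 16                 # assumed toy cluster size in bytes
MAGIC = b"DOC1"              # constructed header that marks the start of a "document"
TRAILER = b"END!"            # constructed trailer that marks its end

class ToyDisk:
    def __init__(self, clusters):
        self.clusters = [b"\x00" * CLUSTER for _ in range(clusters)]  # the shelves
        self.table = {}                     # file name -> cluster indices (the card catalog)
        self.free = list(range(clusters))   # shelf space the catalog says is empty

    def write(self, name, data):
        """Store data in the lowest free clusters and record them in the table."""
        chunks = [data[i:i + CLUSTER] for i in range(0, len(data), CLUSTER)]
        if len(chunks) > len(self.free):
            raise IOError("disk full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.clusters[idx] = chunk.ljust(CLUSTER, b"\x00")
            used.append(idx)
        self.table[name] = used

    def delete(self, name):
        """Like throwing away the catalog card: only the reference goes, the data stays."""
        self.free = sorted(self.free + self.table.pop(name))

    def wipe(self):
        """Overwrite every cluster; after this carve() has nothing left to find."""
        self.clusters = [b"\x00" * CLUSTER for _ in self.clusters]
        self.table, self.free = {}, list(range(len(self.clusters)))

    def carve(self):
        """Walk every shelf; recover documents whose header sits in unallocated space.
        A run interrupted by live data means the file was partly overwritten: not recovered."""
        allocated = {i for idxs in self.table.values() for i in idxs}
        recovered = []
        for start, cluster in enumerate(self.clusters):
            if start in allocated or not cluster.startswith(MAGIC):
                continue
            data = b""
            for j in range(start, len(self.clusters)):
                if j in allocated:
                    break
                data += self.clusters[j]
                if TRAILER in data:
                    recovered.append(data[len(MAGIC):data.index(TRAILER)])
                    break
        return recovered

def scenario():
    """Delete, carve, then overwrite: returns (recovered after delete, recovered after overwrite)."""
    disk = ToyDisk(8)
    disk.write("memo.doc", MAGIC + b"client list copied to thumbdrive" + TRAILER)
    disk.delete("memo.doc")                       # card pulled from the catalog
    after_delete = disk.carve()                   # book still on the shelf
    disk.write("notes.txt", b"lunch at noon")     # new book placed in the "empty" space
    after_overwrite = disk.carve()                # first cluster gone, file unrecoverable
    return after_delete, after_overwrite
```

Running `scenario()` shows the deleted memo carved intact, then nothing once new data reuses its first cluster; `wipe()` is the whole-drive overwrite the interview calls unrecoverable by anyone.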