In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that are deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device, including computers, flash drives, cell phones, DVRs, etc.
To attempt to get real, live, reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is in charge of the Forensics Division of Flashback Data.
ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.
FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.
Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.
Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep courtroom experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their international standard – same as the FBI and DEA.
ATLB: That sounds like a lot more than we can cover in one sitting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully, follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.
ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. Bottom line is if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally falls into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten), and we can extract a fair amount of data simply by looking through the internet history.
• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.
FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).
Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.
In addition to above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.
ATLB: Now, I have heard stories that a strong magnet can remove or corrupt all data on a computer hard drive. Is that true?
FBD: It was truer ten years ago than it is in 2010. Hard drive construction has become much more robust in the last decade. The sorts of magnets that a consumer or corporation will have on hand (including video degaussers) will not reliably destroy data. That’s not to say I’d let you run one over my hard drive...
ATLB: How about drilling a hole in a computer hard drive? Does that prevent anybody from retrieving data from it?
FBD: Physically damaging a drive certainly makes it more difficult. For the amateur, it will likely be impossible to recover any data. However, given enough knowledge and the right equipment, even a hard drive with a hole drilled through it might still give up a lot of secrets. The clean room engineers in our Data Recovery division make a living doing just this. In fact, we’ve successfully recovered data from hard drives that folks have intentionally set on fire, submerged in saltwater for several weeks, and repeatedly stabbed at the platters with a screwdriver.
At the end of the day, where there’s a will, there’s a way. Rolfing your hard drive with a hammer still works pretty well. But you can’t just bust up the outer case; you need to damage the internal platters. All of them. We’ve actually worked cases where folks tried to destroy their hard drives, except they only damaged some of the internal platters, and we were able to pull data off the undamaged platters just fine.
Understandably, the judges in those cases didn’t have a sense of humor about it.
ATLB: Is there a surefire method of keeping someone from retrieving material from a hard drive, short of actually physically destroying or melting the drive?
FBD: Overwriting all the data on the drive renders it unrecoverable. There are a host of applications designed to overwrite entire hard drives, many of them free. There is the possibility that some small measure of data resides in areas of the drive that are no longer accessible without specialized hardware. In that case, there is a command built into the drive’s hardware and firmware as part of the communications specification. Interested folks can Google “ATA Secure Erase” for more information.
ATLB: Are there some devices that are harder to retrieve data from than others? For example, is an iPhone more secure than a Blackberry? What about Macs vs. PCs?
FBD: A meaningful answer is probably a bit beyond the scope of this interview, although I will say it also depends on the type of data you want to retrieve. For example, the way Blackberry handles data makes deleting SMS messages from a Blackberry more secure than deleting them from, say, an iPhone. Perhaps we should punt the question and discuss it in a separate post solely dedicated to this issue? I think we can provide some good insight.
ATLB: What’s the best way to secure data? Does encryption work and if so, what kind?
FBD: Same response as to the previous question. That’s a big question, and a meaningful answer is probably beyond the scope of this interview. If you’re interested, let’s revisit this question in a dedicated article.
ATLB: Can you prove who was using a computer at a particular time and what they used it for at that time?
FBD: Generally, you can’t irrefutably prove who was or wasn’t behind the keyboard based on computer evidence alone (unless they were helpful enough to capture themselves on webcam). However, you can certainly make strong inferences based on the activity you see: checking password-protected email, looking up things that pertain to your interests to the exclusion of others, logging into secured accounts for which only you have the login information, etc. It’s all there.
A person’s computer activity also tends to fall into patterns over time, especially his or her web browsing. So, while you may not be able to state with 100% certainty that “Bob” was using the computer on a specific day at a specific time, it may be that usage of the computer at that time matches substantially with usage of the computer at previous times when Bob was known to have used it.
ATLB: What are your main suggestions for people who are concerned about their computer security and privacy?
FBD: As with physical security and privacy, determine what your objectives are and how far you’re willing to go to protect them. Most of us don’t live in an underground bunker with roving patrols of armed guards on the deck, because we’ve made the decision that the threats which affect us don’t merit that amount of protection. In the same way, determine how much expense and vigilance you’re willing to accommodate to protect your data, and take the time to consult with someone who can tailor a security posture appropriate for you and your organization.
Unfortunately, out in the wild, people tend to be binary. I can’t tell you how many cases we see where folks go to great lengths to strongly encrypt their data, but then the same simple password unlocks 90% of their life. Alternatively, on the other side we see folks using multiple complex passwords for everything, but writing them all down in an unprotected Microsoft Word document and saving it someplace on their C: drive so they remember them. Both strategies are bad.
ATLB: Thanks, Will. Let’s do this again and discuss other issues, including the services that Flashback Data can provide to attorneys in litigation and in general practice, and maybe discuss what you would do if you were going to try to hide any information of your own, how you would do it, and how successful you would be.
FBD: Those discussions definitely merit a separate post or two.