DELETING MAY BE EASY, BUT YOUR HARD DRIVE STILL TELLS
MANILA, APRIL 11, 2006 (STAR) By Eric Taub - It was only a single digit in a 20-page Microsoft Word contract between two partners, but Scott Cooper earned his fee several years ago when he found it.
Cooper, a computer forensics expert, learned that the numeral "1" had been scrubbed in some later versions of this digital document. This gave his client, a partner in a software firm that had recently been sold, just a five percent rather than a 15 percent share in the company. If the change had gone undetected, the partner would have received $32 million rather than his rightful $96 million payout.
What the partner did not realize was that digital data rarely go away, even when erased. "It is extremely difficult to completely delete all evidence from a hard drive," said John Colbert, the chief executive of Guidance Software, which makes a widely used program that helps retrieve digital evidence.
Using various techniques, Cooper, the managing director of the Insync Consulting Group’s electronic discovery and forensics practice, based in Los Angeles, figured out when the document had been changed and by whom. His client got his money.
Digital storage of information has become ubiquitous. In 2003, the School of Information Management and Systems at the University of California, Berkeley, estimated that 92 percent of new information was being stored on some form of magnetic media. As a result, digital forensics – the acquisition and analysis of digital information – has become an important legal tool.
The presentation of these data must abide by the rules of evidence gathering. And as with physical evidence, like a dead body, the documents and the digital storage device must be carefully preserved to avoid any claims of tampering or contamination.
As a computer forensics expert, Cooper finds hidden digital information using various software tools, then reconstructs a timeline to explain how and when data were recorded and changed.
Essential evidence can be gleaned from any digital storage device. Numbers erased from a cellphone can indicate on its memory that one person knows another. Appointments stored on handheld devices can help establish a chronology. Even television shows recorded on a TiVo can confirm or destroy an alibi, revealing when a show was started or paused. All this evidence is theoretically recoverable.
With regard to the contract between the former software partners, Cooper determined how the document originally looked by examining the file’s metadata, hidden digital information that showed how and when the document was altered. It was clear that his client’s former partner surreptitiously altered the ownership percentage after the company became successful.
A 1993 New Yorker cartoon declared, "On the Internet, nobody knows you’re a dog." That was wrong. When it comes to digital data, anyone can find out who you are and what you are doing.
Dennis Rader, the "BTK" serial killer, who pleaded guilty last year to 10 murders in Kansas, was arrested after he sent a floppy disk to the police. Using Guidance Software’s EnCase Forensic program, the police retrieved deleted files that contained Rader’s name as the author. Other digital data indicated that the computer on which the disk was used was owned by Rader’s church, where he was president of the council.
EnCase Forensic software was also used to convict Scott Peterson of killing his wife, Laci. Using the program, investigators determined that around the time of the murder, Peterson had used his computer to visit websites that detailed tidal conditions in San Francisco Bay, where his wife’s body was found. "Even if he had deleted his Internet search history, the information would still have been there," Colbert, of Guidance Software, said.
As Cooper said: "George Orwell was right; Big Brother is watching. By writing e-mails and banking online, we’ve condoned it."
Although erasing computer files is easy, it has lulled people into a false sense of security. Digital data may be easily lost, but they are hardly forgotten.
As hard drives increase exponentially in storage capacity, retrieving incriminating data becomes easier. The bigger the drive, the less often that new data need to be written on top of old "deleted" files.
"Passwords, visual images, bank account information – it’s all there," said Mary Mack, technology counsel for Fios, a digital forensics firm in Portland, Oregon.
Unlike paper files, digital files usually exist in more than one place. So removing one copy may do little to prevent a file’s retrieval.
Microsoft Word documents create multiple temporary files as the user types. Documents created on a company computer might have copies stored on both the server and the local workstation. As e-mail wends its way from sender to receiver, copies are temporarily stored on multiple servers around the world.
Deleting a file from a computer is therefore a concept but not a reality, Cooper said. A file is not deleted; only its name is erased from a file database. Files can be made unrecoverable only if their data are overwritten with a series of ones and zeroes.
Various software programs can be used to overwrite data. One popular product, Evidence Eliminator, draws a red flag in legal circles.
"I’m still puzzled why someone would use a product of that name," said Michael Gold, a senior partner with the law firm Jeffer, Mangels, Butler & Marmaro in Century City, Calif., and chairman of the firm’s Discovery Technology Group.
The use of any overwriting software can be detected, tipping off investigators that the person under scrutiny has something to hide.
Like a villain in a horror movie, data keep on coming. According to Cooper, even a piece of a hard drive no bigger than a fingernail can yield information that can help an investigation move forward. — New York Times News Service
Chief News Editor: Sol Jose Vanzi
© Copyright, 2006
by PHILIPPINE HEADLINE NEWS ONLINE
All rights reserved
PHILIPPINE HEADLINE NEWS ONLINE [PHNO] WEBSITE