It was 4pm and all that could be heard in the office was
the gentle tapping of keys, some mumbled conversations on the
phone… and a frantically thrashing hard drive. The hard drive in
question was on an employee’s laptop, and it was thrashing because
the employee was trying to delete gigabytes of downloaded porn
before handing his laptop over to his boss.
Unfortunately for him, his boss was about to hand the laptop over
to a team managed by
Jarrod Haggerty. Haggerty, who came to the UK in 2004 after
working for years as a police officer in Victoria, Australia, is
now a director of PricewaterhouseCoopers’ Forensic Technology
Solutions operation.
Haggerty has made it his business to undelete deleted files, which
is precisely what his team did when it got the laptop. There,
languishing on the hard drive, was the porn: gone, but not
forgotten.
“A client might say that they want to make an operation covert, and
we say that we are quite happy to make it overt. Because if there
is anything on their machine that they think is incriminating, they
will often delete it in the two hours before we get there,”
Haggerty says.
All his team has to do is check the time stamp information that
shows what files the employee deleted and when. The evidence is
then handed to them on a platter.
And that is the problem with electronic information. Dragging
something to the wastepaper basket does not get rid of it at all.
Corporate embezzlers or illicit internet surfers trying to cover
their tracks will need either a lot of knowledge or a lot of luck
to be successful.
Information about that data, along with the data itself, will be
smeared all over the hard drive in temporary swap files and
registry entries. In many cases, the original file will still be
found intact.
When a user deletes a file, they want it to disappear as quickly
and conveniently as possible, so pressing delete or dragging it to
a wastepaper basket makes sense. But for the computer, which will
have scattered parts of the data all over the hard drive, it is
more efficient to delete just the information about that file,
rather than the file itself. The file stays there, but the
operating system – and the user – cannot see it.
If the user tries to format the drive, nothing will change, says
Simon Janes, a former head of the Computer Crime Unit and now
operations manager for computer forensics firm Ibas. “When you
format the drive, you are just drawing boxes showing where the new
data will go,” he says.
Popular file systems all use the same basic principles. Information
is stored on sectors on the hard drive, and probably scattered
around depending on how fragmented the files are. An index contains
information about all of the files, including the disc clusters
where they can be found.
The FAT file system, used mainly in DOS and versions of Windows
before 2000, indexes the files in a file-allocation table,
containing pointers to the clusters where parts of a file are
stored. The NTFS system, used from Windows 2000 onwards, uses the
Master File Table to do the same thing, although it stores metadata
about its files differently, using a binary tree.
One of the biggest problems for digital forensics experts is
overwritten data. Once a file system has deleted a file, it marks
the clusters where pieces of the file were stored as available,
meaning that when another file is created on the drive, you risk
overwriting the original file data in that cluster.
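The two points above, that deletion only removes the index entry while the clusters keep their contents, and that a later file can land on those freed clusters and overwrite them, can be shown on a toy volume. The following Python is an added example, not code from the article or from any of the firms quoted in it: it builds a small in-memory FAT16-style volume (real 32-byte directory-entry layout and FAT date/time encoding, but a simplified 16-bit cluster table), deletes a file the way DOS does (first name byte set to 0xE5, chain entries freed), lists what an examiner would still see including the write time stamp, recovers the file by assuming contiguous clusters, and then shows the recovery going wrong once a new file reuses the first cluster. File names, contents and dates are constructed for the demonstration.

```python
import struct
from datetime import datetime

# 32-byte FAT directory entry: name, ext, attr, reserved, create-tenths,
# create time/date, last-access date, first cluster (hi), write time/date,
# first cluster (lo), file size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED = 0xE5                 # first name byte of a deleted entry
FREE, EOC = 0x0000, 0xFFFF     # FAT16-style cluster-chain markers


def encode_dt(dt):
    """Pack a datetime into the FAT (date, time) fields (2-second resolution)."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def decode_dt(date, time):
    """Unpack FAT (date, time) fields back into a datetime."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


class ToyFat:
    """Toy FAT16-style volume (constructed): FAT, root directory, data clusters from 2."""

    def __init__(self, clusters=16, cluster_size=64, max_entries=16):
        self.cluster_size = cluster_size
        self.fat = [FREE] * (clusters + 2)      # entries 0 and 1 are reserved
        self.root = [bytes(32)] * max_entries   # all-zero slot = never used
        self.data = bytearray(clusters * cluster_size)

    def _span(self, cluster):
        lo = (cluster - 2) * self.cluster_size
        return lo, lo + self.cluster_size

    def _key(self, name, ext):
        return (name.ljust(8) + ext.ljust(3)).encode()

    def create(self, name, ext, payload, written):
        """Allocate a cluster chain, write the data, add a directory entry."""
        need = max(1, -(-len(payload) // self.cluster_size))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            self.fat[c] = free[k + 1] if k + 1 < need else EOC
            lo, _ = self._span(c)
            chunk = payload[k * self.cluster_size:(k + 1) * self.cluster_size]
            self.data[lo:lo + len(chunk)] = chunk
        date, time = encode_dt(written)
        entry = ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), 0x20, 0, 0,
                           time, date, date, 0, time, date, free[0], len(payload))
        self.root[self.root.index(bytes(32))] = entry

    def read(self, name, ext):
        """Normal read: follow the cluster chain through the FAT."""
        for e in self.root:
            if e[:11] == self._key(name, ext):
                f = ENTRY.unpack(e)
                out, c = bytearray(), f[11]
                while c != EOC:
                    lo, hi = self._span(c)
                    out += self.data[lo:hi]
                    c = self.fat[c]
                return bytes(out[:f[12]])
        raise FileNotFoundError(name)

    def delete(self, name, ext):
        """What DEL does: flag the entry and free the chain. The data is untouched."""
        for i, e in enumerate(self.root):
            if e[:11] == self._key(name, ext):
                c = ENTRY.unpack(e)[11]
                while c != EOC:
                    nxt = self.fat[c]
                    self.fat[c] = FREE
                    c = nxt
                self.root[i] = bytes([DELETED]) + e[1:]
                return
        raise FileNotFoundError(name)

    def scan(self):
        """What an examiner sees: every entry, live or deleted, with its write time."""
        found = []
        for e in self.root:
            if e[0] == 0:
                continue
            f = ENTRY.unpack(e)
            deleted = f[0][0] == DELETED
            stem = ("?" + f[0][1:].decode()) if deleted else f[0].decode()
            found.append({"name": stem.strip() + "." + f[1].decode().strip(),
                          "deleted": deleted, "written": decode_dt(f[10], f[9]),
                          "start": f[11], "size": f[12]})
        return found

    def undelete(self, start, size):
        """Recover a deleted file assuming its clusters were contiguous (chain is gone)."""
        need = max(1, -(-size // self.cluster_size))
        lo, _ = self._span(start)
        return bytes(self.data[lo:lo + need * self.cluster_size][:size])


def demo():
    """Constructed scenario: delete a file, recover it, then let a new file damage it."""
    vol = ToyFat()
    secret = b"deleted but not forgotten " * 5          # 130 bytes -> 3 clusters
    vol.create("SECRET", "TXT", secret, datetime(2007, 3, 14, 16, 2, 10))
    vol.delete("SECRET", "TXT")
    entry = vol.scan()[0]                                # still listed, flagged 0xE5
    recovered = vol.undelete(entry["start"], entry["size"])
    vol.create("NOTES", "TXT", b"A" * 10, datetime(2007, 3, 14, 16, 5, 0))
    damaged = vol.undelete(entry["start"], entry["size"])
    return {"volume": vol, "entry": entry, "secret": secret,
            "recovered": recovered, "damaged": damaged}


if __name__ == "__main__":
    r = demo()
    print(r["entry"]["name"], r["entry"]["written"], "intact:", r["recovered"] == r["secret"])
    print("intact after cluster reuse:", r["damaged"] == r["secret"])
```

Two details match what real undelete tools face: the deleted entry keeps everything except its first character (hence the "?ECRET.TXT" shown by classic undelete utilities), and the cluster chain is gone, so recovery works only as long as the file was stored contiguously and nothing has been written over it since.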
Unfortunately, modern computers have a habit of creating system
files behind the scenes as a result of even the most basic actions,
which means that even shutting down a computer can overwrite
deleted data. “If you find a machine that is on, the best practice
is to pull the plug on the machine so that you do not write to the
registry or anywhere else on shut down,” says Haggerty.
Once data has been overwritten with another magnetic signal, it
becomes much more difficult to retrieve. This has led to a market
for data-wiping tools, enabling users to truly delete their data by
overwriting deleted files. Different algorithms provide different
levels of file security. The Gutmann algorithm, for example, serves
the truly paranoid, overwriting file data seven times.
The latest Windows operating system, Vista, does not have a secure
delete function that would truly delete a file by overwriting. Mac
users have an easier time of it; OS X includes a secure delete
function that you can select when emptying the recycle bin.
But even then, it is sometimes possible to scrape some data from
the hard drive, says Fred Smith, principal consultant at computer
forensics firm Detica Forensics. Some older disc heads can be
slightly adjusted to read data at the very edges of a magnetic
track. Moving them slightly may enable experts to pick up magnetic
data that an overwrite did not touch.
However, techniques such as these add greatly to the cost of
recovery. Moreover, new disc technologies designed to increase
density, such as perpendicular magnetic recording, will only make
it harder to recover such data.
“It is a game of cat and mouse,” says Smith. “It will not make it
easier. We always have new challenges in forensics, and that is
going to be one of them.”
The use of these tools can itself be a tell-tale sign. Haggerty
recalls an investigation where two parties were suspected of
withholding subpoenaed information. The court called in his team to
try to find out who was holding back. One of the systems they
checked had no tell-tale data on it at all. In fact, it was
suspiciously clean. But the one thing that was on there was
evidence of the tool that the company’s employee had installed on
the drive to scrub the data.
Data overwriting can also take significant amounts of time (hours
to destroy just a few gigabytes), so data overwrites may not be the
best option for companies wanting to wipe their data on a large
scale. With that in mind, how can a firm truly destroy its
files?
Large degaussers are one approach. These systems blast magnetic
discs with a powerful magnetic field and they are very effective.
But there is a drawback, warns Janes. “If you are doing a high
volume, the degausser is faster, but they are very expensive. It is
not something that a small business with 50-60 machines will do,”
he says. Unless a company is doing this on a large enough scale to
make it worthwhile, the cost involved may be prohibitive.
With the per-megabyte price of disc storage constantly dropping,
the other alternative is simply to trash the disc. Opening up the
drive and taking sandpaper to the surface is a quick and easy
method, as is taking a hammer to it.
However, Ralph Harvey would prefer to encrypt it. Harvey is the CTO
for Forensic & Compliance Systems, which sells an e-mail and
instant-message archiving appliance that uses encryption to protect
stored data.
“If you store data encrypted, which we do, then unless you have the
key, you essentially have anti-forensic storage,” he says. “It is
as though you have already bit pattern-wiped the disc.”
That is debatable, however, given that encryption keys can be lost
or stolen. The company also defaults to Data Encryption Standard
(DES), which has already been shown to have flaws. That is why it
was superseded with triple DES and then the Advanced Encryption
Standard (AES).
Nevertheless, Harvey points out that a Java-based system included
with the equipment allows customers to substitute DES with their
own encryption mechanism.
Even if an embezzler is technically savvy enough to wipe all of the
data from a PC, forensics experts still have other media to pick
through. These include USB sticks, which, like hard drives, do not
really remove data when it is deleted. It is all still there, on
the stick’s flash memory.
And now, thanks to the increasing popularity of smartphones,
mobile phones can yield up a bumper crop of information. “We can
take an image of the SIM card, which may have local contacts stored
on it. The other is the phone, which could have hundreds of
megabytes of RAM,” says Haggerty.
Finally, like hard drives and USB sticks, any removable media used
by the phone will have latent information on it, ready to be
scrutinised.
Those choosing the file-wiping route might be surprised by the
amount of information that can be found in the average PC. For
example, you may have copied a file to a USB stick and then deleted
it from the drive. Then, for good measure, you may have gone back
in and overwritten that data, either by creating lots of new files,
defragmenting the PC, or using a specialist tool.
But what you may not know is that, depending on how you copied the
file, the PC’s Windows Registry is likely to have noted the
insertion of the USB stick and the copying of the file – complete
with its title and a time stamp.
Document metadata can also contain a lot of information. This is
less true today than it was in the past, with earlier versions of
Microsoft Office being particularly useful to data
detectives.
Some versions of Word, for example, used to create a globally unique
identifier (GUID), which would be based partly on the media access
control (MAC) address of the network card in the computer used to
create the file. This would give forensics experts a direct pointer
to the machine (and possibly the person) that created the document.
However, even though this GUID was stripped from the program in
later versions, documents continue to yield up useful secrets for
investigators. Experts say that they can still harvest substantial
information, especially if features such as Word’s change-tracking
and review features are switched on.
All this means two things for IT departments. First, the
information on PCs and other devices gives them a useful foundation
for forensic analysis should the need arise.
Bear in mind, however, that the extent to which forensic experts
can legally snoop around on hard drives depends heavily on the
rights that employees signed over in the contract of
employment.
Second, the ease with which deleted information can be retrieved
should make companies paranoid about any equipment leaving their
building. If you can snoop on corporate secrets then so can other
people – and that is a clear and viable business risk.