Secure Data: Inside the PC Forensics Lab and the Search for Criminal Evidence

White-collar crime and workplace fiascos are putting data forensics on the front lines of crime scenes. We take a look into how one IT specialist digs deep to find the buried treasure on suspicious hard drives.

Digital Journal — The “delete” key isn’t as final as you think. Much to the chagrin of rogue employees and white-collar criminals, forensic data specialists can comb through hard drives to find evidence for criminal investigations. Welcome to the CSI for computer enthusiasts.

Criminals are always far ahead of the curve compared to the establishment, declares Bill Margeson, president of CBL Data Recovery Technologies. “I’m always amazed at how white-collar criminals can be creative with how they cover their tracks,” he says. If anyone knows this high-tech world, it’s CBL: they’ve dealt with 1,000 data forensics cases in their 10 years of business.

What Margeson stresses is something everyone should know, even if their computing experiences are strictly altruistic: Dragging files to the recycle bin doesn’t delete the data, he says. The PC deletes just the info on that file, rather than the file itself. The OS and the user can’t see this behind-the-scenes process.

When law enforcement needs to find evidence on a suspect’s PC, that’s where data-recovery specialists come in. Margeson and his team will do a sector-by-sector duplication of all the data on the offending drive, and then will copy it to blank media. This is all done under the watchful eye of police and/or lawyers, long after the law firm has obtained an Anton Piller order to legally seize digital data.

“I’ve worked for 18 hours straight getting data off a PC,” Margeson remembers. “There’s no pee breaks, no cigarette breaks. This is evidence for the court, so we take this very seriously.”

This kind of work also inspires impressive booby traps from techie criminals. Margeson relates a case where police investigated a company selling counterfeit hair-care products. Margeson was assigned to search through the company’s PC files, but he needed a password to gain entry. The police got the password from the suspect and Margeson entered it, instantly finding the document he was looking for. He copied it off the desktop, which is when the trouble started: the password he entered triggered encryption technology developed by the criminal company so, as Margeson puts it, “the password was essentially killing the data.” In the end, the IT expert has to be one step ahead of the e-criminal, Margeson stresses.

The Data That Never Dies

“Until data is actually overwritten by new information or a signal, it can be recovered by programs that read disk sectors directly,” Margeson says. And when it comes to reformatting hard drives — a technique believed to give the PC a clean slate — Margeson cites a common analogy: “That just wipes out the table of contents, leaving undefined chapters, but those chapters are still intact.”
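The point about deletion, reformatting and overwriting can be shown on a toy disk. The Python sketch below is an added illustration, not CBL's software or anything from the original article; the `ToyDisk` class, its table of contents and the `%DOC`/`%END` file signature are constructed for the demo.

```python
# Added illustration: a constructed toy "disk", not a real filesystem format.
SECTOR = 512
MAGIC_START, MAGIC_END = b"%DOC", b"%END"  # hypothetical file signature for this demo


class ToyDisk:
    def __init__(self, sectors=16):
        self.raw = bytearray(SECTOR * sectors)  # the sectors themselves
        self.toc = {}                           # table of contents: name -> (first sector, length)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.toc[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)  # round up to whole sectors

    def delete(self, name):
        del self.toc[name]          # only the index entry goes away

    def quick_format(self):
        self.toc.clear()            # wipes the table of contents, leaves the "chapters"
        self.next_free = 0

    def overwrite_all(self, fill=0x00):
        self.raw[:] = bytes([fill]) * len(self.raw)  # the only step that destroys content


def carve(raw):
    """Scan raw sectors for signature-delimited files, ignoring the table of contents."""
    found, pos = [], 0
    while (start := raw.find(MAGIC_START, pos)) != -1:
        end = raw.find(MAGIC_END, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(MAGIC_END)]))
        pos = end + len(MAGIC_END)
    return found


def demo():
    disk = ToyDisk()
    memo = MAGIC_START + b" constructed sample memo " + MAGIC_END
    disk.write_file("memo.doc", memo)
    disk.delete("memo.doc")
    after_delete = carve(disk.raw)      # still recoverable
    disk.quick_format()
    after_format = carve(disk.raw)      # still recoverable
    disk.overwrite_all()
    after_overwrite = carve(disk.raw)   # gone
    return memo, after_delete, after_format, after_overwrite
```
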

Also, overwriting a hard drive isn’t a simple task. The process is time-intensive, especially for impatient white-collar criminals. One gigabyte has 200 million sectors of data, which can take 15 minutes to overwrite. Modern PCs have more than 150GB of hard drive storage, so imagine how long it would take to get that process done.

One of the more interesting data-forensics secrets Margeson reveals relates to a fingerprint every computer identifies. Any command or keystroke is labelled with a “hash stroke” that acts like an invoice number. This layer of coding provides an evidential trail used by lawyers to pinpoint exactly who did what on a certain PC.

Margeson says disgruntled employees who cover their tracks can still be traced:

“If someone breaks into someone else’s computer, changes the date, emails a malicious note to the boss, changes the date back again, and logs off, all those actions will be identified with hash strokes. If there are actions to delete or overwrite data, that will also leave a trail.”

Strangely enough, CBL offers a Windows app to permanently delete all data, which means the good guys — and bad guys — who get a hold of this tool can circumvent the forensics experts at a company like CBL. The Data Shredder “provides a variety of destruction techniques of differing levels of security and convenience,” Margeson says, adding:

“The act of deleting data from computer hard drives is no guarantee the information will not be resurrected at a later date by unscrupulous people.”

This issue of data destruction and resurrection has gained enough cachet in today’s world of accountants cooking books and child porn rings that police squads from every continent are hunting for the best data forensic specialists. Margeson points out how CBL recently worked closely with police in Singapore, and how they also teamed up with Swiss law enforcement to investigate “a banking case.” Since Margeson is under confidentiality agreements, he can’t reveal any specifics.

What he can reveal, though, is the need for legal professionals to bone up on their high-tech education. “Lawyers don’t have a clue,” Margeson says, “and the courts used to be naïve, although they now gradually understand the digital dimension.”

As well they should. Data forensics will increasingly become a hot area of criminal investigation as more scammers turn to the Web for quick and dirty hacks. If law enforcement is going to rein in white-collar crime, and future e-terrorism, there should be more emphasis placed on what companies like CBL do, especially in terms of the evidence uncovered. The justice system must adapt to this new frontier of data excavation, even if it means teaching old dogs some new tricks.

After all, this burgeoning area of data detection is not only fascinating but also a powerful reminder of how information can live on long after the garbage bin has been emptied.
