Politech mailing list archives

FC: How hard drive detectives work


From: Declan McCullagh <declan () well com>
Date: Fri, 25 Jul 2003 01:37:42 -0400


---

Subject: How hard drive detectives work
Date: Wed, 23 Jul 2003 09:14:01 -0400
From: "Paul McMasters" <Pmcmasters () freedomforum org>
To: "Declan McCullagh" <declan () well com>

Declan, this may be too elementary for your list, but I pass it along anyway, just in case.

-pkm

http://199.244.139.109/dcwww?-show:client/journal/MTG/j2003/q3/m07/t22/pa/s005/002_001_001.dcs

Publication=Montgomery_Journal; Date=22.07.2003; Section=LOCAL_PAGE; Page=5; Book=A;

Electronic evidence hard to hide from police
By ANDREA PRICER Journal staff writer
Deleting doesn't work, emptying the recycle bin doesn't work, sometimes even reformatting the computer doesn't work. No matter what efforts are taken to hide electronic footprints, they can nearly always be found by police investigators and computer sleuths across the region. The "html hounds" are always hunting and learning new tricks.

Police departments across the region have been creating and beefing up computer forensic units since the late 1990s, tracking computer and other electronic evidence in crimes ranging from doctors practicing without a license to child pornography to murder.

"This isn't a job where you go to a couple of schools a year," said Loudoun County Investigator Robert Spitler. "It's almost a daily occurrence where you're reading new magazines."

Spitler said he even peruses sales catalogs to see what equipment, software and hardware now are available to the general public.

"You have to know as much as possible ... as much as you can cram your brain full of," Spitler said. "It's kinda like sugar and poison at the same time. You have to go [to classes] but you get a backlog."

Spitler said he constantly is working with software and hardware companies to keep up with the technology updates, the "work arounds" to hiding techniques and solutions to hacking activities.

Alexandria Sgt. Derek Gaunt said anytime training is offered, he "jumps on" the opportunity. "It changes so much that if you're not constantly updating or changing [your education]," Gaunt said, "you're gonna be behind the eight ball before you know it."

The first rule for these detectives seems to be: Evidence lingers like the smell of day-old fish. Spitler, who has been working on computer forensics for Loudoun County since 2000, said even when items are deleted, they aren't gone.

"Everything leaves a trace that I've seen so far," he said.

John Simek, with Sensei Enterprises Inc., agreed that even emptying the "recycle bin" or reformatting the hard drive won't always erase incriminating files.

Simek, who is vice president of the computer forensics firm begun in 1997, said deleted files go into unallocated space where they hang around waiting to be overwritten by new information.

Because files still exist in that netherworld, investigators start off by simply unplugging a computer without going through the powering off process, said Simek and Sensei President Sharon Nelson.

"Powering down will modify hundreds of file dates," Simek said.

Unplugging a machine can also circumvent some "time bombs" put on a computer to destroy files and images if someone other than the owner shuts off a machine, according to Nelson.

Then investigators make an image of the hard drive, a "bit-by-bit image where the original is not modified in any way," Simek said.

That image can be compared, through a mathematical algorithm, to the original to show they are identical, he said. The chances of finding another hard drive or file with the same algorithm are "statistically improbable," Simek said. "You could win the lotto three times before that would occur," he said. "You could win the grand prize at Powerball 39 times before getting the same [algorithm]."

Investigators don't want copies because they contain changes to file dates and other information and "ghosts" do not pick up unallocated space where many critical pieces of evidence are found, Simek said.

That image cannot be altered in any way, Spitler said, meaning he can troll around on a hard drive hunting without changing or damaging the evidence.

[...]

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
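The imaging and hash-verification steps the article describes, as an added Python example that is not from the article, Sensei or any forensic vendor's tool: a toy disk with a constructed allocation table shows why a file-level "ghost" copy misses deleted data left in unallocated space, why a bit-for-bit image keeps it, and how a hash confirms the image matches the original. The article names no particular algorithm; SHA-256 is assumed here, and the sector geometry and file contents are constructed.

```python
import hashlib

SECTOR = 16  # constructed toy geometry: 16-byte sectors, 8-sector disk

def write_file(disk: bytearray, table: dict, name: str, data: bytes, first: int) -> None:
    """Store data in consecutive sectors starting at `first`; record it in the table."""
    count = -(-len(data) // SECTOR)
    disk[first * SECTOR:(first + count) * SECTOR] = data.ljust(count * SECTOR, b"\0")
    table[name] = (first, len(data))

def delete_file(table: dict, name: str) -> None:
    """Typical deletion: only the table entry goes; sector contents stay on disk."""
    del table[name]

def read_file(disk: bytearray, table: dict, name: str) -> bytes:
    first, size = table[name]
    return bytes(disk[first * SECTOR:first * SECTOR + size])

def logical_copy(disk: bytearray, table: dict) -> dict:
    """File-level copy (a 'ghost'): only files the table still lists come across."""
    return {name: read_file(disk, table, name) for name in table}

def bit_image(disk: bytearray) -> bytes:
    """Bit-for-bit image: every sector, allocated or not."""
    return bytes(disk)

def verify_image(disk: bytearray, image: bytes) -> bool:
    """The image is accepted only if its hash matches the original's hash (SHA-256 assumed)."""
    return hashlib.sha256(bytes(disk)).digest() == hashlib.sha256(image).digest()

def carve(image: bytes, needle: bytes) -> bool:
    """Search the whole image, unallocated space included, for a known fragment."""
    return needle in image

def demo() -> dict:
    disk, table = bytearray(8 * SECTOR), {}
    write_file(disk, table, "memo.txt", b"secret meeting at noon", 0)  # constructed sample
    delete_file(table, "memo.txt")                         # the user "deletes" it
    write_file(disk, table, "notes.txt", b"groceries", 4)  # later data lands elsewhere
    image = bit_image(disk)
    ghost = logical_copy(disk, table)
    result = {
        "ghost_has_memo": any(b"secret" in d for d in ghost.values()),
        "image_has_memo": carve(image, b"secret meeting"),
        "image_verified": verify_image(disk, image),
    }
    disk[7 * SECTOR] ^= 1  # one later bit flip on the original breaks the match
    result["verified_after_change"] = verify_image(disk, image)
    return result
```

The last step mirrors the article's point about not powering down: any write to the original after imaging, however small, makes the hashes disagree, which is why the image is taken first and the original is then left untouched.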