FC: How hard drive detectives work

From: Declan McCullagh (declanat_private)
Date: Thu Jul 24 2003 - 22:37:42 PDT


    ---
    
    Subject: How hard drive detectives work
    Date: Wed, 23 Jul 2003 09:14:01 -0400
    From: "Paul McMasters" <Pmcmastersat_private>
    To: "Declan McCullagh" <declanat_private>
    
    Declan, this may be too elementary for your list, but I pass it along 
    anyway, just in case.
    
    -pkm
    
    http://199.244.139.109/dcwww?-show:client/journal/MTG/j2003/q3/m07/t22/pa/s005/002_001_001.dcs
    
    
    Publication=Montgomery_Journal; Date=22.07.2003; Section=LOCAL_PAGE; 
    Page=5; Book=A;
    
    Electronic evidence hard to hide from police
    By ANDREA PRICER Journal staff writer
    Deleting doesn't work, emptying the recycle bin doesn't work, sometimes 
    even reformatting the computer doesn't work.
    No matter what efforts are taken to hide electronic footprints, they can 
    nearly always be found by police investigators and computer sleuths across 
    the region. The "html hounds" are always hunting and learning new tricks.
    
    Police departments across the region have been creating and beefing up 
    computer forensic units since the late 1990s, tracking computer and other 
    electronic evidence in crimes ranging from doctors practicing without a 
    license to child pornography to murder.
    
    "This isn't a job where you go to a couple of schools a year," said Loudoun 
    County Investigator Robert Spitler. "It's almost a daily occurrence where 
    you're reading new magazines."
    
    Spitler said he even peruses sales catalogs to see what equipment, software 
    and hardware now are available to the general public.
    
    "You have to know as much as possible ... as much as you can cram your 
    brain full of," Spitler said. "It's kinda like sugar and poison at the same 
    time. You have to go [to classes] but you get a backlog."
    
    Spitler said he constantly is working with software and hardware companies 
    to keep up with the technology updates, the "work arounds" to hiding 
    techniques and solutions to hacking activities.
    
    Alexandria Sgt. Derek Gaunt said anytime training is offered, he "jumps on" 
    the opportunity.
    "It changes so much that if you're not constantly updating or changing 
    [your education]," Gaunt said, "you're gonna be behind the eight ball 
    before you know it."
    
    The first rule for these detectives seems to be: Evidence lingers like the 
    smell of day-old fish.
    Spitler, who has been working on computer forensics for Loudoun County 
    since 2000, said even when items are deleted, they aren't gone.
    
    "Everything leaves a trace that I've seen so far," he said.
    John Simek, with Sensei Enterprises Inc., agreed that even emptying the 
    "recycle bin" or reformatting the hard drive won't always erase 
    incriminating files.
    
    Simek, who is vice president of the computer forensics firm begun in 1997, 
    said deleted files go into unallocated space where they hang around waiting 
    to be overwritten by new information.
    
    Because files still exist in that netherworld, investigators start off by 
    simply unplugging a computer without going through the powering off 
    process, said Simek and Sensei President Sharon Nelson.
    
    "Powering down will modify hundreds of file dates," Simek said.
    Unplugging a machine can also circumvent some "time bombs" put on a 
    computer to destroy files and images if someone other than the owner shuts 
    off a machine, according to Nelson.
    
    Then investigators make an image of the hard drive, a "bit-by-bit image 
    where the original is not modified in any way," Simek said.
    
    That image can be compared, through a mathematical algorithm, to the 
    original to show they are identical, he said.
    The chances of finding another hard drive or file with the same algorithm 
    is "statistically improbable," Simek said.
    "You could win the lotto three times before that would occur," he said. "You 
    could win the grand prize at Powerball 39 times before getting the same 
    [algorithm]."
    
    Investigators don't want copies because they contain changes to file dates 
    and other information and "ghosts" do not pick up unallocated space where 
    many critical pieces of evidence are found, Simek said.
    
    That image cannot be altered in any way, Spitler said, meaning he can troll 
    around on a hard drive hunting without changing or damaging the evidence.
    
    [...]
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    -------------------------------------------------------------------------
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
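The article above describes three things an investigator relies on: deleted files persisting in unallocated space, a bit-for-bit physical image (as opposed to a file-level "ghost" copy) that captures that space, and a hash comparison that shows image and original are identical. The following is an added example, not part of the Politech post or the Montgomery Journal article, and not code from any forensic vendor named there. It builds a constructed toy volume with a cluster allocation map (the `ToyVolume` class, cluster sizes and all file names and contents are invented for the demonstration), "deletes" a file the way a filesystem does, then shows that a logical copy no longer contains the file while string-carving the physical image still recovers it, and that a SHA-256 hash verifies the image while a single flipped byte breaks the match.

```python
import hashlib
import re

CLUSTER = 16          # bytes per cluster (constructed toy size, not a real filesystem)
N_CLUSTERS = 8        # total clusters on the toy volume


class ToyVolume:
    """A tiny simulated volume: raw bytes plus a cluster allocation map.

    As on a real filesystem, delete() only clears allocation bits; the
    bytes stay in place until a later write reuses the cluster. This is
    the 'unallocated space' the article refers to.
    """

    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.allocated = [False] * N_CLUSTERS
        self.directory = {}          # file name -> list of cluster indexes

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)          # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.directory[name] = free

    def delete(self, name):
        for c in self.directory.pop(name):
            self.allocated[c] = False                   # data itself untouched

    def read(self, name):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.directory[name]).rstrip(b"\x00")


def physical_image(vol):
    """Bit-for-bit image: every cluster, allocated or not."""
    return bytes(vol.data)


def logical_copy(vol):
    """File-level copy (the article's 'ghost'): only files still in the directory."""
    return {name: vol.read(name) for name in vol.directory}


def carve_strings(blob, min_len=8):
    """Recover printable ASCII runs from raw bytes, like the Unix strings tool."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def demo():
    vol = ToyVolume()
    vol.write("notes.txt", b"meeting at noon")                              # constructed
    vol.write("ledger.txt", b"SECRET-LEDGER: transfer 5000 to acct 42")     # constructed
    vol.delete("ledger.txt")          # the user 'deletes' the second file

    image = physical_image(vol)
    ghost = logical_copy(vol)

    # 1. Hash verification: the image matches the original byte for byte.
    image_ok = sha256_hex(image) == sha256_hex(bytes(vol.data))
    # Flipping one byte in a copy is enough to break the match.
    tampered = bytearray(image)
    tampered[0] ^= 0xFF
    tampered_ok = sha256_hex(bytes(tampered)) == sha256_hex(bytes(vol.data))

    # 2. The logical copy has lost the deleted file ...
    in_ghost = any(b"SECRET-LEDGER" in v for v in ghost.values())
    # ... but carving the physical image still finds it in unallocated clusters.
    in_image = any("SECRET-LEDGER" in s for s in carve_strings(image))

    return {"image_hash_matches": image_ok,
            "tampered_hash_matches": tampered_ok,
            "deleted_file_in_logical_copy": in_ghost,
            "deleted_file_in_image": in_image}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same hash check is what an examiner does against a real image file and the source drive (the article's "mathematical algorithm"); the toy only swaps a real disk for a bytearray so the whole round trip runs offline. Carving here matches printable runs, which is enough for the demonstration; real tools also look for file headers and filesystem metadata in the same unallocated region.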
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 03:22:41 PDT