One of the nice things about writing genre fiction is that there are organizations that celebrate practically every genre. As a mystery writer, I belong to Sisters in Crime, and lucky for me, there is a chapter in Orange County with monthly meetings. We have all kinds of guest speakers, from other authors to law enforcement experts to ex-CIA operatives. As both a writer and a reader, I find everyone fascinating.
He began by telling us how computers work. They are full of on/off switches called bits; eight bits make a byte; bytes are stored in sectors; and sectors are located through pointers kept in another sector; and so on. As a former software engineer, I kept thinking, “Yeah, yeah, I know, I know, get to the crime solving part.”
Stay with me, here.
Eventually, I saw the point to his explanations: he had to educate everyone in the room so that his crime-solving discussion would have context. People think they can delete files and no one can ever find them again, even though we see on crime shows that the computer-CSI guys can recover deleted files… but how?
It’s all about the pointers. When you delete a file, you are only deleting the pointer to that file, the directory entry that records where its sectors are. The file contents are still sitting in those sectors, unless and until they are overwritten by a new file. There is something you can do called wiping the disk, which overwrites the sectors and sets all those on/off switches to off (or to a fixed pattern), but don’t get cocky: the warning we were given was that some labs can use magnetic techniques to read the switches’ previous positions. Whether that still works on modern high-density drives is disputed, but the safe assumption is that a wipe only covers what it actually overwrote, and copies of a file often survive elsewhere on the machine.
In which case, it would suck to be you, if you were trying to hide something.
I kind of knew this, but the one thing I didn’t know was the way forensics techs recover data. You see, they don’t just fire up the suspect’s computer and dive in, because every boot alters the disk: the operating system checks its hardware and peripherals, writes logs, and updates time stamps, so the evidence has already changed before anyone looks at it.
Instead of hitting the Power button, the tech removes the suspect’s hard drive and connects it through a write blocker, a device that lets the copying software read the drive but refuses every write. (The kit Dan described ran an old-school DOS program; modern kits do the same job.) The drive is copied, sector by sector, to a second drive, and that image is what gets examined; it is hashed so the examiner can show it matches the source byte for byte. The original hard drive is bagged and tagged.
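The two points above, that an ordinary delete removes only the pointer while a wipe overwrites the sectors, and that an examiner images a drive read-only and verifies the copy, as one added Python example (written for this page, not code from Gayle’s post or from the speaker). It builds a toy disk with a directory block and fixed-size data blocks, which are assumptions standing in for a real file system, “deletes” a file by clearing its directory entry, acquires a read-only image of the disk and checks it by SHA-256, carves the deleted file back out of the image by its PNG signature, then wipes the free space and shows the carve comes up empty. The block size, layout and sample file are constructed.

```python
"""Toy disk: 'delete' clears only the directory entry, 'wipe' overwrites blocks,
and acquisition copies the disk read-only with a hash check. Constructed example."""
import hashlib
import os
import struct
import tempfile

BLOCK = 64                         # bytes per sector (assumed toy size)
NBLOCKS = 16                       # block 0 is the directory, 1..15 hold data
ENTRY = struct.Struct("<10sHI")    # name (10 bytes), start block, length in bytes
PNG_HEAD = b"\x89PNG\r\n\x1a\n"     # real PNG signature, used for carving
PNG_TAIL = b"IEND\xaeB`\x82"       # real PNG trailer (IEND chunk type + CRC)


def new_disk() -> bytearray:
    return bytearray(BLOCK * NBLOCKS)


def write_file(disk: bytearray, name: str, data: bytes, start: int) -> None:
    """Store data in consecutive blocks and add a directory entry (the 'pointer')."""
    disk[start * BLOCK:start * BLOCK + len(data)] = data
    for i in range(BLOCK // ENTRY.size):
        slot = i * ENTRY.size
        if disk[slot] == 0:                          # first free slot
            ENTRY.pack_into(disk, slot, name.encode(), start, len(data))
            return
    raise OSError("directory full")


def list_files(disk: bytearray) -> dict:
    files = {}
    for i in range(BLOCK // ENTRY.size):
        name, start, length = ENTRY.unpack_from(disk, i * ENTRY.size)
        if name[0] != 0:
            files[name.rstrip(b"\0").decode()] = (start, length)
    return files


def delete_file(disk: bytearray, name: str) -> None:
    """Ordinary delete: zero the directory entry. The data blocks are untouched."""
    for i in range(BLOCK // ENTRY.size):
        slot = i * ENTRY.size
        if ENTRY.unpack_from(disk, slot)[0].rstrip(b"\0") == name.encode():
            disk[slot:slot + ENTRY.size] = bytes(ENTRY.size)
            return
    raise FileNotFoundError(name)


def wipe_free_space(disk: bytearray) -> None:
    """Wiping: overwrite every data block that no directory entry points to."""
    used = set()
    for start, length in list_files(disk).values():
        used.update(range(start, start + (length + BLOCK - 1) // BLOCK))
    for b in range(1, NBLOCKS):
        if b not in used:
            disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)


def image_disk(src_path: str, img_path: str) -> tuple:
    """Acquisition: open the source read-only, copy it sector by sector, and hash
    both source and image so the copy can be shown to match. O_RDONLY is only the
    software analogue of a write blocker; real kits use a hardware blocker."""
    h_src, h_img = hashlib.sha256(), hashlib.sha256()
    fd = os.open(src_path, os.O_RDONLY)
    try:
        with open(img_path, "wb") as out:
            while chunk := os.read(fd, BLOCK):
                h_src.update(chunk)
                out.write(chunk)
    finally:
        os.close(fd)
    with open(img_path, "rb") as f:
        h_img.update(f.read())
    return h_src.hexdigest(), h_src.hexdigest() == h_img.hexdigest()


def carve(image: bytes, head: bytes = PNG_HEAD, tail: bytes = PNG_TAIL) -> list:
    """Header/footer carving: find files by signature, ignoring the directory."""
    found, pos = [], 0
    while (start := image.find(head, pos)) != -1:
        end = image.find(tail, start)
        if end == -1:
            break
        found.append(image[start:end + len(tail)])
        pos = end + len(tail)
    return found


def demo() -> dict:
    png = PNG_HEAD + b"<constructed sample image data>" + PNG_TAIL
    disk = new_disk()
    write_file(disk, "notes.txt", b"shopping list", start=1)
    write_file(disk, "photo.png", png, start=3)
    delete_file(disk, "photo.png")        # the pointer is gone, the bytes are not
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect.dd"), os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(disk)
        digest, verified = image_disk(src, img)
        with open(img, "rb") as f:
            image = f.read()
    recovered = carve(image)              # examine the image, never the original
    wipe_free_space(disk)
    after_wipe = carve(bytes(disk))
    return {"listed": sorted(list_files(disk)), "sha256": digest,
            "hash_verified": verified, "recovered": recovered,
            "after_wipe": after_wipe, "png": png}


if __name__ == "__main__":
    r = demo()
    print("directory shows:", r["listed"], "| image verified:", r["hash_verified"])
    print("carved after delete:", len(r["recovered"]), "| after wipe:", len(r["after_wipe"]))
```

Running it shows the directory listing only `notes.txt` after the delete, the image hash verifying, one PNG carved from the image anyway, and nothing carved once the free space has been overwritten. The carve works on the image rather than the disk for the same reason the tech never boots the suspect’s machine: the original is not touched after acquisition.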
Just hearing that information made me want to run home and re-write a few scenes.
In addition, they have to know how big the hard drive is, because their warrant has to be that specific. Dan said that if he took a 30 GB hard drive to a location and the suspect had a 60 GB drive, he would have to go back and get another warrant, which gives the suspect time to try to wipe the drive. Hell, he might even destroy the drive.
I don’t know of any way to recover data from a hard drive that’s gone a few rounds in the garbage disposal.
His parting advice? “Technology is advancing at Mach speed. When anyone tells you that ‘they can’t get something specific from a computer,’ add the word now to the end of that sentence.”
Any questions, class?
Wow, Gayle. Thanks for the information. You're right--I need to add "now" to a few lines in my books in the future.
I write medical suspense, and one would think that, as a retired physician, that would be easy. Not so. That discipline is changing rapidly, just like technology, and what I wrote about a year ago might be out of date by the time the book is published. It's a problem.
Thanks for sharing.
Fascinating stuff! I just talked to a tech guy at the FBI and we didn't get into a conversation about recovering data because we focused on hackers and what they do—which was just as fascinating. Thanks for an informative post.
Fabulous details, Gayle! Thanks for another fun post! I wish there was a Sisters in Crime group near me.
Interesting info, Gayle. Thanks for sharing.
Oh man... all my horrifically written, discarded chapters could be recovered and read by someone? This is the stuff nightmares are made of.
Fascinating post, Gayle, and proof that forensic technology is ever-changing and ever-improving.
Methinks my carefully crafted comment disappeared when I had to log into Google. Perhaps one of your forensics experts can find it.
Terry
Terry's Place
Thanks for the info. I enjoy your writing style. Perhaps some secrets are worth the possible "trashing" of a garbage disposal. Hum-m-m, I wonder if a hard drive would do any damage.
The stuff in here is so fascinating. Yep, the geek in us is happy! :-)
Although a bit late, thanks for the shout out, Gayle.