He began by telling us how computers work. They are full of on/off switches called bits and eight bits make a byte and they are arranged in sectors and accessed by pointers in another sector, and so on. As a former software engineer, I kept thinking, “Yeah, yeah, I know, I know, get to the crime solving part.”
Stay with me, here.
Eventually, I saw the point to his explanations: he had to educate everyone in the room so that his crime-solving discussion would have context. People think they can delete files and no one can ever find them again, even though we see on crime shows that the computer-CSI guys can recover deleted files… but how?
It’s all about the pointers. When you delete a file, you are only removing the directory entry that points to it. The file contents are still sitting in their sectors, unless and until a new file is written over them, and even then whatever the new file doesn’t reach survives. That is also how the CSI guys do it: instead of asking the filesystem for a list of files, they read the raw sectors and look for the tell-tale headers of documents, pictures and the like. There is something you can do called wiping the disk, which overwrites every sector with zeros or a pattern, so there is no pointer to lose and no content to find. But don’t get cocky: it is still claimed that some labs can read the residual magnetic state underneath an overwrite on older drives, and the safe assumption for anyone with something to hide is that one pass is not proof.
In which case, it would suck to be you, if you were trying to hide something.
I kind of knew this, but the one thing I didn’t know was the way forensics techs recover data. You see, they don’t just fire up the suspect’s computer and dive in. That’s because every time you start up a computer, you alter the disk: before anyone types a thing, the operating system writes log entries, replays its filesystem journal, updates timestamps and creates temporary files, any of which can land on the very sectors that held the deleted evidence.
Instead of hitting the Power button, the tech removes the suspect’s hard drive and attaches it through a write blocker, a device that passes read commands to the drive and refuses to pass writes, then takes a bit-for-bit copy of every sector (an image) onto another drive. The image is hashed right away and the hash is recorded, so anyone can later prove the copy still matches what came out of the suspect’s machine. At that point, all the digging is done on the image, and the original hard drive is bagged and tagged.
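To make the two ideas above concrete (a deleted file is only a lost pointer, and the examiner works on a hashed image rather than the live disk), here is an added example that is not from the original post or the speaker. It is a constructed toy block device in Python: 64 sectors of 64 bytes, sector 0 holding a directory of fixed-size entries, files stored in contiguous sectors. None of that is a real filesystem format; the layout, the `<doc>`/`</doc>` markers and every function name are assumptions made to keep the demonstration small.

```python
"""Constructed toy block device: why 'delete' does not destroy data.

Added example, not the post's or the speaker's code. Layout is an assumption:
64 sectors of 64 bytes; sector 0 is a directory of (name, first sector,
length) entries; a file occupies contiguous sectors starting at `first`.
"""
import hashlib
import struct

SECTOR = 64
SECTORS = 64
ENTRY = struct.Struct("<8sHH")          # name, first data sector, byte length
MAX_ENTRIES = SECTOR // ENTRY.size      # 5 directory entries fit in sector 0
HEADER, FOOTER = b"<doc>", b"</doc>"    # markers a carver can look for


def new_disk() -> bytearray:
    return bytearray(SECTOR * SECTORS)


def _entries(disk):
    """Yield (slot, name, first_sector, length) for live directory entries."""
    for slot in range(MAX_ENTRIES):
        name, first, length = ENTRY.unpack_from(disk, slot * ENTRY.size)
        if first:                       # data never starts at sector 0, so 0 == free slot
            yield slot, name.rstrip(b"\0"), first, length


def _used_sectors(disk):
    used = {0}
    for _, _, first, length in _entries(disk):
        used.update(range(first, first + -(-length // SECTOR)))
    return used


def create(disk, name: bytes, body: bytes) -> int:
    """Write HEADER+body+FOOTER into the first free run of sectors; return its start."""
    data = HEADER + body + FOOTER
    need = -(-len(data) // SECTOR)
    used = _used_sectors(disk)
    free_slots = set(range(MAX_ENTRIES)) - {s for s, *_ in _entries(disk)}
    if not free_slots:
        raise OSError("directory full")
    start = 1
    while start + need <= SECTORS:
        if not any(s in used for s in range(start, start + need)):
            # Only len(data) bytes are written: the tail of the last sector
            # keeps whatever was there before (file slack).
            disk[start * SECTOR:start * SECTOR + len(data)] = data
            ENTRY.pack_into(disk, min(free_slots) * ENTRY.size, name, start, len(data))
            return start
        start += 1
    raise OSError("disk full")


def read(disk, name: bytes):
    """What the filesystem shows: only files the directory still points to."""
    for _, n, first, length in _entries(disk):
        if n == name:
            return disk[first * SECTOR:first * SECTOR + length]
    return None


def delete(disk, name: bytes) -> bool:
    """'Delete' = clear the directory entry. The data sectors are untouched."""
    for slot, n, _, _ in _entries(disk):
        if n == name:
            disk[slot * ENTRY.size:(slot + 1) * ENTRY.size] = bytes(ENTRY.size)
            return True
    return False


def carve(disk) -> list:
    """What the examiner does: scan raw bytes for header/footer pairs, ignoring the directory."""
    found, pos = [], 0
    while True:
        start = disk.find(HEADER, pos)
        if start < 0:
            return found
        end = disk.find(FOOTER, start)
        if end < 0:
            return found
        found.append(bytes(disk[start + len(HEADER):end]))
        pos = end + len(FOOTER)


def wipe_free_space(disk) -> int:
    """Overwrite every sector the directory does not claim; returns sectors zeroed.

    A full wipe is the same loop over all sectors with the directory cleared first.
    """
    used = _used_sectors(disk)
    zeroed = 0
    for s in range(SECTORS):
        if s not in used:
            disk[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
            zeroed += 1
    return zeroed


def image(disk) -> tuple:
    """Forensic copy: bit-for-bit snapshot plus a hash so later tampering is detectable."""
    snapshot = bytes(disk)
    return snapshot, hashlib.sha256(snapshot).hexdigest()


def demo():
    """Returns (carved from image, carved after wipe, image hash still matches)."""
    disk = new_disk()
    create(disk, b"alibi", b"I was at home all night")
    create(disk, b"notes", b"meet at the pier at 9")
    delete(disk, b"alibi")               # filesystem now says 'alibi' never existed
    img, digest = image(disk)            # examiner works on the image, not the disk
    recovered = carve(img)               # ...and finds the 'deleted' file anyway
    wipe_free_space(disk)                # the suspect who wiped is a different story
    after_wipe = carve(disk)
    return recovered, after_wipe, hashlib.sha256(img).hexdigest() == digest
```

`demo()` shows the three things the talk was about: `read` can no longer see `alibi` after `delete`, `carve` over the image still returns it, and only `wipe_free_space` makes it go away. Creating a second file after the delete would land on the same free sectors and overwrite the old content, which is the "until overwritten by a new file" case.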
Just hearing that information made me want to run home and re-write a few scenes.
I don’t know of any way to recover data from a hard drive that’s gone a few rounds in the garbage disposal.
His parting advice? “Technology is advancing at Mach speed. When anyone tells you that ‘they can’t get something specific from a computer,’ add the word now to the end of that sentence.”
Any questions, class?