Thursday, February 28, 2013

This is for all us geeks

By Gayle Carline

One of the nice things about writing genre fiction is that there are organizations that celebrate practically each genre. As a mystery writer, I belong to Sisters in Crime, and lucky for me, there is a chapter in Orange County with monthly meetings. We have all kinds of guest speakers, from other authors to law enforcement experts to ex-CIA operatives. As both a writer and a reader, I find everyone fascinating.
 
This month, we had Daniel McKerren, a man who spent thirty years as a police officer and now works as a freelance investigator with insurance companies, law enforcement, etc, specifically as a computer forensics and data recovery specialist. It was an interesting talk, although it started out, well, I’d call it wonky. You might call it boring.
 
He began by telling us how computers work. They are full of on/off switches called bits and eight bits make a byte and they are arranged in sectors and accessed by pointers in another sector, and so on. As a former software engineer, I kept thinking, “Yeah, yeah, I know, I know, get to the crime solving part.”
 
Stay with me, here.
 
Eventually, I saw the point to his explanations: he had to educate everyone in the room so that his crime-solving discussion would have context. People think they can delete files and no one can ever find them again, even though we see on crime shows that the computer-CSI guys can recover deleted files… but how?
 
It’s all about the pointers. When you delete a file, you are only deleting the pointer to that file. The file contents are still floating around in their sectors, unless and until they are overwritten by a new file. There is something you can do called wiping the disk, which sets all those on/off switches to off, but don’t get cocky—there are still some labs that can use magnetic technology to reset the switches to their last position.
 
In which case, it would suck to be you, if you were trying to hide something.
 
I kind of knew this, but the one thing I didn’t know was the way forensics techs recover data. You see, they don’t just fire up the suspect’s computer and dive in. That’s because every time you start up your computer, you are altering the contents. Hardware and peripheral checks are always performed by the operating system, which results in updating the time stamps.
 
Instead of hitting the Power button, the tech removes the suspect’s hard drive and attaches a device that uses an old-school, read-only DOS program to copy the data to another drive that is read-only. At that point, the data can be extracted and the original hard drive is bagged and tagged.
 
Just hearing that information made me want to run home and re-write a few scenes.

In addition, they have to know how big the hard drive is because their warrant has to be that specific. Dan said if he took a 30G hard drive to a location and the suspect had a 60G drive, he has to go back and get another warrant, which gives the suspect time to try to wipe the drive. Hell, he might even destroy the drive.
 
I don’t know of any way to recover data from a hard drive that’s gone a few rounds in the garbage disposal.
 
I was reminded of Saturday’s post by J.H. Bográn, and how technology can be a stumbling block for thriller/mystery writers. Dan’s talk inspired me to find ways to use technology to my hero’s advantage.

His parting advice? “Technology is advancing at mach speed. When anyone tells you that ‘they can’t get something specific from a computer,’ add the word now to the end of that sentence.”

Any questions, class?

8 comments:

  1. Wow, Gayle. Thanks for the information. You're right--I need to add "now" to a few lines in my books in the future.
    I write medical suspense, and one would think that, as a retired physician, that would be easy. Not so. That discipline is changing rapidly, just like technology, and what I wrote about a year ago might be out of date by the time the book is published. It's a problem.
    Thanks for sharing.

    ReplyDelete
  2. Fascinating stuff! I just talked to a tech guy at the FBI and we didn't get into a conversation about recovering data because we focused on hackers and what they do—which was just as fascinating. Thanks for an informative post.

    ReplyDelete
  3. Fabulous details, Gayle! Thanks for another fun post! I wish there was a Sisters in Crime group near me.

    ReplyDelete
  4. Interesting info, Gayle. Thanks for sharing.

    ReplyDelete
  5. Oh man... all my horrifically written, discarded chapters could be recovered and read by someone? This is the stuff nightmares are made of.

    Fascinating post, Gayle, and proof that forensic technology is ever-changing and ever-improving.

    ReplyDelete
  6. Methinks my carefully crafted comment disappeared when I had to log into Google. Perhaps one of your forensics experts can find it.


    Terry
    Terry's Place

    ReplyDelete
  7. Thanks for the info. I enjoy your writing style. Perhaps some secrets are worth the possible "trashing" of a garbage disposal. Hum-m-m, I wonder if a hard drive would do any damage.

    ReplyDelete
  8. The stuff in here is so fascinating. Yep, the geek in us is happy! :-)

    Although a bit late, thanks for the shout out, Gayle.

    ReplyDelete

Note: Only a member of this blog may post a comment.