One of the nice things about writing genre fiction is that there are organizations that celebrate practically every genre. As a mystery writer, I belong to Sisters in Crime, and lucky for me, there is a chapter in Orange County with monthly meetings. We have all kinds of guest speakers, from other authors to law enforcement experts to ex-CIA operatives. As both a writer and a reader, I find everyone fascinating.
He began by telling us how computers work. They are full of on/off switches called bits and eight bits make a byte and they are arranged in sectors and accessed by pointers in another sector, and so on. As a former software engineer, I kept thinking, “Yeah, yeah, I know, I know, get to the crime solving part.”
Stay with me, here.
Eventually, I saw the point to his explanations: he had to educate everyone in the room so that his crime-solving discussion would have context. People think they can delete files and no one can ever find them again, even though we see on crime shows that the computer-CSI guys can recover deleted files… but how?
It’s all about the pointers. When you delete a file, you are only deleting the pointer to it: the directory entry that says which sectors hold the contents. The contents are still sitting in those sectors, now marked free, unless and until something new gets written over them. There is something you can do called wiping the disk, which actually overwrites every sector (with zeros, or with random junk) instead of just dropping pointers, but don’t get cocky. Dan said there are still some labs that can use magnetic technology to read what the bits were before they were overwritten. For what it’s worth, nobody has shown that working on a modern high-density drive, and the NIST media sanitization guideline (SP 800-88) treats a single overwrite pass as sufficient for current magnetic disks. The rule the forensics people actually live by is simpler: what was overwritten is gone, what wasn’t is fair game, and the amount that wasn’t is usually larger than the suspect thinks.
In which case, it would suck to be you, if you were trying to hide something.
I kind of knew this, but the one thing I didn’t know was the way forensics techs recover data. You see, they don’t just fire up the suspect’s computer and dive in. That’s because every time you start up a computer, you alter the contents of its disk. The operating system runs its hardware and peripheral checks, writes logs and temporary files, and updates the time stamps on whatever it touches, and some of those writes can land in the very sectors where a deleted file was sitting.
Instead of hitting the Power button, the tech removes the suspect’s hard drive and attaches it through a write blocker, a device that lets the examiner read the drive but refuses to write a single byte to it. Then an old-school, read-only DOS-style imaging program copies the drive bit for bit, free sectors and all, onto another drive. Standard practice is to hash the original and the copy and compare the two, so anyone can later prove the copy is exact. All the digging then happens on the copy, and the original hard drive is bagged and tagged.
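Here is the whole story in miniature, as an added example that is not from the talk and not the post’s own code: a toy disk that is nothing but a directory of pointers plus raw sectors. Deleting drops the pointer and leaves the bytes; imaging copies the raw sectors and checks the hash; carving ignores the directory and finds the contents anyway; booting the machine (the OS writing its own files) or wiping free space overwrites them. The sector size, the file names and the “alibi” text are all made up for the demo.

```python
"""Toy disk: a bytearray of fixed-size sectors plus a directory of pointers.
Added example; layout, file names and sample contents are all constructed."""
import hashlib

SECTOR_SIZE = 16
NUM_SECTORS = 32

ALIBI = b"I was at the pier at 9pm. Ask Marco."   # constructed sample content
SIGNATURE = b"I was at"                            # what the carver searches for


class ToyDisk:
    def __init__(self):
        self.sectors = bytearray(SECTOR_SIZE * NUM_SECTORS)
        self.directory = {}                   # name -> (sector list, length): the pointers
        self.free = list(range(NUM_SECTORS))  # lowest free sector gets used first

    def write_file(self, name, data):
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(used, chunks):
            start = idx * SECTOR_SIZE
            self.sectors[start:start + SECTOR_SIZE] = chunk.ljust(SECTOR_SIZE, b"\0")
        self.directory[name] = (used, len(data))

    def read_file(self, name):
        used, length = self.directory[name]
        raw = b"".join(bytes(self.sectors[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]) for i in used)
        return raw[:length]

    def delete_file(self, name):
        # An ordinary delete: the pointer goes, the sectors are marked free,
        # and not one byte of the contents is touched.
        used, _ = self.directory.pop(name)
        self.free = sorted(self.free + used)

    def wipe_free_space(self):
        # A wipe really overwrites; here with zeros ("all the switches off").
        for idx in self.free:
            self.sectors[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE] = bytes(SECTOR_SIZE)


def acquire_image(disk):
    """The tech's route: no boot, a bit-for-bit read of the raw sectors (the write
    blocker is simulated by never touching disk.sectors), then a hash of source
    and copy so the copy can be shown to match."""
    image = bytes(disk.sectors)
    source_hash = hashlib.sha256(disk.sectors).hexdigest()
    image_hash = hashlib.sha256(image).hexdigest()
    if source_hash != image_hash:
        raise RuntimeError("image does not match source")
    return image, image_hash


def carve_text(image, signature):
    """File carving: ignore the directory and scan raw sectors for a known
    signature, returning bytes from each hit to the next NUL (the toy's zero
    padding marks the end of a text file)."""
    found = []
    pos = image.find(signature)
    while pos != -1:
        end = image.find(b"\0", pos)
        found.append(image[pos:end if end != -1 else len(image)])
        pos = image.find(signature, pos + 1)
    return found


def _deleted_disk():
    disk = ToyDisk()
    disk.write_file("alibi.txt", ALIBI)
    disk.delete_file("alibi.txt")
    return disk


def deleted_then_imaged():
    """Delete, then image immediately: the contents are still in the sectors."""
    image, _ = acquire_image(_deleted_disk())
    return carve_text(image, SIGNATURE)


def deleted_then_booted():
    """Power it on instead: the OS writes its own files into free sectors,
    which can be the very sectors the evidence was sitting in."""
    disk = _deleted_disk()
    disk.write_file("boot.log", b"hardware check ok; peripherals ok; clock set")
    image, _ = acquire_image(disk)
    return carve_text(image, SIGNATURE)


def deleted_then_wiped():
    """Delete and then wipe free space: nothing is left for carving to find."""
    disk = _deleted_disk()
    disk.wipe_free_space()
    image, _ = acquire_image(disk)
    return carve_text(image, SIGNATURE)


if __name__ == "__main__":
    print("imaged first:", deleted_then_imaged())
    print("booted first:", deleted_then_booted())
    print("wiped:       ", deleted_then_wiped())
```

Run it and the first line shows the full “deleted” sentence carved straight out of the image with no directory entry to guide it; the other two come back empty, which is the whole argument for pulling the drive before anyone touches the power button.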
Just hearing that information made me want to run home and re-write a few scenes.
In addition, they have to know how big the hard drive is because their warrant has to be that specific. Dan said if he took a 30 GB hard drive to a location and the suspect had a 60 GB drive, he has to go back and get another warrant, which gives the suspect time to try to wipe the drive. Hell, he might even destroy the drive.
I don’t know of any way to recover data from a hard drive that’s gone a few rounds in the garbage disposal.
His parting advice? “Technology is advancing at Mach speed. When anyone tells you that ‘they can’t get something specific from a computer,’ add the word now to the end of that sentence.”
Any questions, class?