Monday, August 29, 2011

Another example of data being hard to destroy (and stupid people shouldn't even try)...

Network World - The collar bomber's explosive tech gaffe

"The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn't realize is that he also left his name, hidden deep in the device's memory.
The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determine that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he'd deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document's author, including his name: "Paul P."
Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.
Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.
As computer geeks and investigators know, when users delete a file from a computer the file isn't deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.
The collar bomber's first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user's login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then "Prepare" and "Properties.""
Again, like I've said over and over... You can't destroy data. Once electronic data has been saved, it's nearly impossible to truly destroy, and once it's left your possession or control, it really is forever. Think about that the next time you tweet, send that email or post that pic.
In this case, I'm glad it worked out the way it did. Go computer forensics!  :)
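To make the two points in the article concrete (a "delete" only clears the bookkeeping and leaves the data blocks in place, and a Word document carries its author in its own metadata), here is a small added example of my own, not code from the article or from any forensic tool. It builds a minimal .docx in memory, stores it in a simulated raw flash image with a toy one-block allocation table, "deletes" it by wiping only that table, then carves the document back out of unallocated space by its zip signatures and reads the author from docProps/core.xml. The image layout, the file name note.docx, and the author name "A. Example" are all constructed for the demonstration; only the core-properties XML namespaces are real Office Open XML values.

```python
"""Added example: simulated delete-then-carve of a .docx, plus reading its author metadata."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real namespaces used in docProps/core.xml of an Office Open XML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

BLOCK = 512  # constructed block size; block 0 is the toy allocation table


def build_docx(author: str, body: str) -> bytes:
    """Constructed minimal .docx: just the parts needed for zipfile and the metadata reader."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{author}</dc:creator>"
        f"<cp:lastModifiedBy>{author}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    # ZIP_STORED keeps the payload uncompressed so the signature scan below is deterministic.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", f"<w:document>{body}</w:document>")
    return buf.getvalue()


def read_author(docx_bytes: bytes) -> dict:
    """Return creator and lastModifiedBy from docProps/core.xml (what 'Properties' shows)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.find("dc:creator", NS)
    modified_by = root.find("cp:lastModifiedBy", NS)
    return {
        "creator": creator.text if creator is not None else None,
        "lastModifiedBy": modified_by.text if modified_by is not None else None,
    }


def make_image(n_blocks: int) -> bytearray:
    """Constructed blank raw image standing in for the USB stick."""
    return bytearray(BLOCK * n_blocks)


def store_file(image: bytearray, name: str, data: bytes, first_block: int) -> None:
    """Write the data blocks and record one 'name|block|length' entry in the table."""
    start = first_block * BLOCK
    image[start:start + len(data)] = data
    entry = f"{name}|{first_block}|{len(data)}\n".encode()
    image[0:len(entry)] = entry


def delete_file(image: bytearray) -> None:
    """Like a real delete: only the allocation table is cleared; data blocks are untouched."""
    image[0:BLOCK] = bytes(BLOCK)


def list_files(image: bytearray) -> list:
    """What the file system shows the user: names still present in the table."""
    table = bytes(image[0:BLOCK]).rstrip(b"\x00")
    return [line.split(b"|")[0].decode() for line in table.split(b"\n") if line]


def carve_zips(image: bytearray) -> list:
    """Recover zip containers (.docx is one) from the raw image by signature, ignoring the table."""
    found, pos = [], 0
    while True:
        start = image.find(b"PK\x03\x04", pos)   # local file header of the first entry
        if start < 0:
            break
        eocd = image.find(b"PK\x05\x06", start)  # end-of-central-directory record
        if eocd < 0:
            break
        end = eocd + 22                           # EOCD is 22 bytes when the comment is empty
        found.append(bytes(image[start:end]))
        pos = end
    return found


def demo() -> tuple:
    """Store, delete, then carve; returns (visible file names, recovered metadata)."""
    docx = build_docx("A. Example", "Constructed sample note text")
    image = make_image(64)
    store_file(image, "note.docx", docx, first_block=4)
    delete_file(image)
    recovered = [read_author(z) for z in carve_zips(image)]
    return list_files(image), recovered


if __name__ == "__main__":
    print(demo())
```

After the delete, list_files() reports nothing, yet carve_zips() pulls the whole document back and read_author() names its creator, which is the situation the article describes. On a real flash drive the commenter's point below applies on top of this: even a deliberate overwrite may land on a different physical page because of wear levelling, so the old copy can survive the overwrite as well as the delete.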

1 comment:

Anonymous said...

And to complicate matters even more, 'overwriting' data on a flash drive does not actually overwrite it, due to the wear-leveling algorithms (probably harder to recover without forensic tools, but still stored)...