"The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn't realize is that he also left his name, hidden deep in the device's memory.Again, like I've said over and over... You can't destroy data. Electronic data, once it's been saved, it's nearly impossible to really destroy. Once it's left your possession/control, it really is forever. Think about that the next time you tweet, send that email or post that pic.
The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he'd deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document's author, including his name: "Paul P."
Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.
Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.
As computer geeks and investigators know, when users delete a file from a computer the file isn't deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.
The collar bomber's first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user's login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then "Prepare" and "Properties."
In this case, I'm glad it worked out the way it did. Go computer forensics! :)