In today’s digital world, many may assume deleting data from a computer is comparable to burning papers in the old days—what’s gone is gone. But is it?
There are many scenarios where individuals would like data to be truly gone, potentially to hide a trail of criminal behavior, yet others hope it’s recoverable to piece together a trail of evidence. Consider the following scenario:
An employee resigns and joins a competitor working on a similar product. The company suspects the employee shared proprietary information with her new company before resigning; however, the employee returned her laptop “wiped” of user data. In this state, what can the company possibly learn about how the computer was used?
At the core of the question is whether digital evidence can be effectively and completely deleted or obfuscated. Although many may still assume that merely “deleting data” means the data is gone, it is becoming more common for people to understand that deleting data doesn’t necessarily mean it’s truly gone, and that there are tools available to “securely delete” or “wipe” data that go beyond simple deletion.
Further muddying the waters is that people use the term “wipe” to mean very different things, from simple deletion, to reformatting a drive, to securely overwriting data numerous times such that it is truly not recoverable. As digital forensic examiners, we have learned to always dig a little deeper when a computer is reported to have been “wiped.” There are often relevant answers or information our analysis can provide, even if only confirming when and how the wiping occurred. In many cases, however, we can recover deleted data and evidence of additional activity that helps to reveal the truth.
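The distinction between ordinary deletion, overwriting, and free-space reuse is easier to see on a toy model than on a real drive. The following Python simulation is an added example, not code from the original article: it models a disk as a byte array with a directory and a free-block list (a stand-in for a real filesystem's allocation table), then carves the raw bytes for a file signature the way a forensic tool would, ignoring the directory entirely. The block size, file names, contents and the `DOC<`/`>END` signature are all constructed for the example.

```python
"""
Added example (not from the original article): a toy disk that shows why an
ordinary delete leaves data recoverable, why a secure overwrite does not, and
how later writes gradually destroy what a simple delete left behind.

A real filesystem drops the directory entry and marks the file's blocks free;
the bytes themselves stay put until something reuses those blocks.
Everything here (block size, names, contents, signature) is constructed.
"""
import re

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks: int):
        self.data = bytearray(blocks * BLOCK_SIZE)   # the raw "platter"
        self.free = list(range(blocks))              # free-block list (allocation table)
        self.directory = {}                          # name -> list of block numbers

    def write_file(self, name: str, content: bytes) -> None:
        nblocks = -(-len(content) // BLOCK_SIZE)     # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the directory entry, free the blocks, touch no data."""
        blocks = self.directory.pop(name)
        self.free.extend(sorted(blocks))

    def secure_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite every block of the file before releasing it."""
        for _ in range(passes):
            for b in self.directory[name]:
                self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.delete(name)


def carve(disk: ToyDisk, header: bytes = b"DOC<", footer: bytes = b">END") -> list:
    """Signature carving: scan raw bytes for header...footer pairs, ignoring the directory.
    Like a real carver, this only recovers content that is still contiguous and intact."""
    pattern = re.escape(header) + b"(.*?)" + re.escape(footer)
    return [m.group(1) for m in re.finditer(pattern, bytes(disk.data), re.DOTALL)]


def demo() -> list:
    """Delete one file normally and one securely; carve the free space afterwards."""
    disk = ToyDisk(blocks=8)
    disk.write_file("plan.txt", b"DOC<rollout plan Q3>END")    # constructed content
    disk.write_file("notes.txt", b"DOC<meeting notes>END")     # constructed content
    disk.delete("plan.txt")            # directory entry gone, bytes still on disk
    disk.secure_delete("notes.txt")    # bytes overwritten before the entry is dropped
    return carve(disk)                 # -> [b"rollout plan Q3"]


def demo_after_reuse() -> tuple:
    """Show that a deleted file survives only until its blocks are reused."""
    disk = ToyDisk(blocks=8)
    disk.write_file("plan.txt", b"DOC<rollout plan Q3>END")   # occupies blocks 0 and 1
    disk.delete("plan.txt")                                    # free list: 2..7, then 0, 1
    disk.write_file("big.bin", b"X" * (7 * BLOCK_SIZE))        # consumes 2..7 and reuses block 0
    # The header lived in block 0, so the carver finds nothing whole,
    # but block 1 still holds the tail of the file as a fragment.
    return carve(disk), b"Q3>END" in bytes(disk.data)          # -> ([], True)


if __name__ == "__main__":
    print("carved after ordinary vs secure delete:", demo())
    print("carved after free-space reuse, fragment present:", demo_after_reuse())
```

The second function is the reason an examiner never treats a "wiped" machine as a dead end: whether anything is recoverable depends on what was written after the deletion, and partial fragments can outlive the file's header and directory entry.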
In its simplest form, digital forensics is the collection, preservation, examination, and analysis of data stored on digital media. A digital forensic examiner uses forensic methodologies that are reliable, repeatable, and as minimally invasive to the data as possible – so that all actions and processes can stand up in a court of law.
Every action a user takes on a computer can leave a digital footprint. Digital forensic experts use tools and techniques to uncover these traces by looking at the data at its physical, or disk, level. Forensic analysis can pinpoint the time a user connected to a coffee shop’s WiFi, uncover chat history between two colleagues, identify external storage devices attached in the past, and other actions. Forensics tells the story of how a user interacted with their device – especially when that user took steps to hide their tracks or delete data.
In other words, in the digital world, what’s gone is often not truly gone.
Let’s look at two examples we encountered of how digital forensics told the story and uncovered malicious acts.
In our earlier scenario, digital forensics ultimately uncovered the theft of intellectual property and destruction of data. A forensic expert recovered fragments of previously deleted files and other essential forensic artifacts from the ex-employee’s laptop. Among the key findings, the forensic expert identified evidence that code reviews, rollout plans, and other proprietary information were accessed from thumb drives while the laptop was connected to the network of a competitor (and the ex-employee’s new employer) days after she resigned.
Most damaging was that digital forensics uncovered the considerable lengths to which she went to mass-delete files and cover her tracks. Just days prior to returning her laptop to her former employer, the ex-employee installed a remote access tool and received an incoming connection from an IP address that resolved to the remote location of an outsourced technician of the company who was suspected of being a co-conspirator. Seconds after the successful incoming connection, mass deletions occurred on the laptop.
Without the use of digital forensics, the company would never have known about the illicit acts of its ex-employee (and the outsourced technician).
In another matter, a company suspected that a recently departed employee stole intellectual property right before he left but had no way to prove it. An initial review of the user’s Mac laptop found that most files and folders had been deleted. However, digital forensics proved that this ex-employee connected his work laptop to his personal iCloud account, synchronized several folders containing proprietary data, and then deleted those same folders from the laptop just days before resigning.
Experts analyzed forensic artifacts and system logs that captured historical records of those folders, the approximate time of the iCloud synchronization, and the subsequent deletions from the laptop. Forensic evidence revealed that the data was backed up to a personal Time Capsule around the same time. These findings supported the company counsel’s legal basis to request an examination of this ex-employee’s personal devices.
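Both cases above turn on timeline correlation: in the first, a burst of deletions seconds after an inbound remote connection; in the second, deletions of folders that had earlier been synchronized to a personal cloud account. The script below is an added example, not the examiners' tooling or any vendor's product. It parses a small constructed log into a sorted timeline and applies those two checks. The log format, timestamps, paths, the IP address (203.0.113.45, from the documentation range) and the thresholds are all assumptions made for the example; real artifacts (filesystem event logs, connection logs, sync client logs) have their own formats and would need their own parsers.

```python
"""
Added example (not from the original article): timeline correlation over
parsed host logs.  Flags (1) bursts of deletions beginning shortly after an
inbound remote connection and (2) deletions under folders that were earlier
synchronised to a cloud account.  All log lines and thresholds are constructed.
"""
from datetime import datetime, timedelta
import re

# Constructed log: "<timestamp> <source> <event> key=value ...", deliberately unsorted.
LOG = """\
2024-03-01T22:13:51Z app   INSTALL name=remote-access-tool
2024-03-01T22:14:03Z net   INBOUND_CONNECTION src=203.0.113.45 port=5900
2024-03-01T22:14:09Z fs    DELETE path=/Users/jdoe/Projects/rollout_plan.docx
2024-03-01T22:14:10Z fs    DELETE path=/Users/jdoe/Projects/code_review.md
2024-03-01T22:14:11Z fs    DELETE path=/Users/jdoe/Projects/roadmap.pptx
2024-03-01T22:14:12Z fs    DELETE path=/Users/jdoe/Projects/customers.xlsx
2024-03-01T22:14:12Z fs    DELETE path=/Users/jdoe/Projects/pricing.xlsx
2024-02-20T09:02:17Z cloud SYNC_FOLDER path=/Users/jdoe/Projects account=personal
2024-02-20T09:02:18Z cloud SYNC_FOLDER path=/Users/jdoe/Designs account=personal
2024-02-23T18:40:05Z fs    DELETE path=/Users/jdoe/Designs/mockups.sketch
2024-03-02T08:00:00Z fs    DELETE path=/Users/jdoe/Downloads/tmp.zip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse(log: str) -> list:
    """Turn log lines into dicts and sort them into one timeline across sources."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, kind, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "kind": kind, **attrs})
    return sorted(events, key=lambda e: e["ts"])


def deletion_bursts(events: list, max_gap=timedelta(seconds=5), min_size: int = 3) -> list:
    """Group DELETE events separated by at most max_gap; keep groups of min_size or more."""
    bursts, current = [], []
    for e in (e for e in events if e["kind"] == "DELETE"):
        if current and e["ts"] - current[-1]["ts"] > max_gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def bursts_after_connection(events: list, window=timedelta(seconds=60)) -> list:
    """Pair each deletion burst with any inbound connection in the preceding window."""
    findings = []
    for burst in deletion_bursts(events):
        start = burst[0]["ts"]
        for t in events:
            if t["kind"] == "INBOUND_CONNECTION" and timedelta(0) <= start - t["ts"] <= window:
                findings.append({"trigger_src": t.get("src"),
                                 "delay_s": int((start - t["ts"]).total_seconds()),
                                 "deleted": [e["path"] for e in burst]})
    return findings


def deleted_after_sync(events: list) -> list:
    """List deletions of paths under a folder that was synced to a cloud account earlier."""
    synced = [(e["ts"], e["path"].rstrip("/") + "/") for e in events if e["kind"] == "SYNC_FOLDER"]
    hits = []
    for e in events:
        if e["kind"] != "DELETE":
            continue
        for sync_ts, folder in synced:
            if e["path"].startswith(folder) and e["ts"] > sync_ts:
                hits.append((e["path"], folder.rstrip("/"), (e["ts"] - sync_ts).days))
    return hits


if __name__ == "__main__":
    timeline = parse(LOG)
    for f in bursts_after_connection(timeline):
        print(f"{len(f['deleted'])} deletions {f['delay_s']}s after connection from {f['trigger_src']}")
    for path, folder, days in deleted_after_sync(timeline):
        print(f"{path} deleted {days} days after {folder} was synced")
```

Sorting by timestamp before correlating is the step that matters most in practice: the connection log, filesystem events and sync client records come from different sources, and the story only appears once they sit on one timeline.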
As these scenarios illustrate, just because data appears to be gone doesn’t mean that it really is. Digital forensics was used to recreate the story of how each of these individuals stole information from their employer and then took steps to destroy data and cover their tracks, not realizing a forensic expert had the ability to retrace those footprints and uncover the truth.