Pete Warren explains how a forensic specialist can retrieve data from your hard drive – even if you think you’ve deleted everything – that reveals a great deal about you
The first time that I really became aware of computer forensics was around eight years ago when I arranged for some hard drives I had bought from a boot fair to be examined by Professor Neil Barrett, an expert in the field. The results were memorable. When Barrett rang me to say that he had found account details for a Paul McCartney – on a hard drive discarded by a merchant bank – I was prepared for the inevitable teasing.
“Sure, Neil, I suppose there must be quite a few Paul McCartneys.” “Yes, I suppose there are,” he replied. “Not too many called ‘Sir’, though.”
Spy in the machine
Your hard drive is watching you: it’s the spy in the machine. It records all you do online – where you go, what you look at, what you read and write. And that data can live on even if you think you’ve wiped it away. Like a traitor, your hard drive could reveal far more about you than you ever wanted it to.
The machine I use to inspect hard drives is a purpose-built computer with a reasonably powerful processor and a hard drive of its own with 1 terabyte of storage. It cost £2,000 and it’s the equivalent of a custom car, with quick-release sliding panels and drive cases for easy loading of the hard drives I am asked to look at. Most importantly, it has computer forensic software – which cost another £2,000. Mine was supplied by Access Data, a company which believes that computer forensics will be one of the new growth areas of computing.
Since we found the drive with McCartney’s details on it, I have worked with BT, Sims Lifecycle Services and Glamorgan University (where I’m doing an MSc) to alert people to the risks of disposing of drives with valuable data on them – such as company records, personal emails, the complete personal lives of families – and even enough on people’s sexual interests for them to be blackmailed (Dead disks yield live information).
I pick drives to examine – acquired at car boot sales or dumps – randomly. The first task is to connect a write-blocker, which prevents any data being written to the drive. This ensures that the investigator cannot be accused of putting anything on a disk that could be a crime scene. That’s not melodramatic. In each of the past four years we have conducted our survey, we have found drives containing paedophile information, which have been turned over to the police and have resulted in prosecutions.
The next task is to image the drive – simply, copying it on to your own drive so you can start to go through it. Another task is to make an MD5 hash of the original drive, a unique number generated from its bits and bytes. This is to verify that the image is the same as the original: the two should have the same MD5 hash.
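The imaging and hashing step described above, as an added example that is not code from the article or from Access Data: the source drive is read once, sector by sector, and copied to the image while its hash is computed in flight; the image is then re-hashed independently and compared. The "device" is a constructed in-memory byte string standing in for a block device behind a write-blocker, and the image file name mentioned in the comments is a placeholder.

```python
"""Imaging a seized drive and proving the copy is faithful.
Added example, not the article's own code or Access Data's.  The 'device' here is a
constructed in-memory byte string; in practice the source is the block device read
through a write-blocker and the destination is an image file such as case001.dd
(a placeholder name).
"""
import hashlib
import io

SECTOR = 512                      # read rhythm of a real imager
ALGOS = ("md5", "sha256")         # the article's MD5, plus SHA-256 as current practice adds

# Constructed stand-in for a 4 KiB disk: a boot-sector marker, a planted record, then filler.
DEVICE_BYTES = (b"\x55\xaa" + b"\x00" * 510) + b"constructed sample record\n".ljust(3584, b"\xff")


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGOS}


def hash_bytes(data):
    """Digests of an in-memory blob, for comparison with what the imager reports."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(stream):
    """Hash a stream from its current position to EOF in sector-sized reads."""
    hashers = _new_hashers()
    while True:
        block = stream.read(SECTOR)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, destination):
    """Copy source -> destination sector by sector, hashing the bytes in flight.

    Returns (bytes copied, digests of what was read).  Hashing during the copy means
    the write-blocked original is read only once to obtain the reference value.
    """
    hashers = _new_hashers()
    copied = 0
    while True:
        block = source.read(SECTOR)
        if not block:
            break
        destination.write(block)
        copied += len(block)
        for h in hashers.values():
            h.update(block)
    destination.flush()
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image):
    """Independent check: re-hash both from the start; True only if every digest matches."""
    source.seek(0)
    image.seek(0)
    return hash_stream(source) == hash_stream(image)


def demo():
    device = io.BytesIO(DEVICE_BYTES)   # stands in for the write-blocked source drive
    image = io.BytesIO()                # stands in for the image file
    copied, digests = image_device(device, image)
    verified = verify_image(device, image)

    # Flip one byte in a copy of the image: a single changed sector must break verification.
    tampered = io.BytesIO(bytearray(image.getvalue()))
    tampered.seek(100)
    tampered.write(b"X")
    tampered_verified = verify_image(device, tampered)

    return {"copied": copied, "digests": digests,
            "verified": verified, "tampered_verified": tampered_verified}


if __name__ == "__main__":
    result = demo()
    for name, value in result["digests"].items():
        print(f"{name}: {value}")
    print("image verified:", result["verified"],
          "| tampered copy verified:", result["tampered_verified"])
```

The article's MD5 is still what most imaging tools report, but MD5 collisions are practical today, so the block records SHA-256 alongside it; a copy that matches on both, and is re-hashed from the image rather than from the in-flight read, is what an examiner can defend later.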
The Access Data software ignores the operating system, instead talking directly to the drive’s file allocation system and master boot records. It sorts everything into groups – by type, category and extension. Email is extracted and lumped together, as are graphics. You can search for specific data such as a date or name.
“It’s like The Sims,” says Dr Andrew Jones, head of computer security at BT Exact. “Instead of going through the front door, you take the roof off and you look down on the drive from above.”
Then comes the laborious part: going through each file. It is boring and painstaking – until you start to unearth the gems. I start with the graphics files and documents, but the real pros go to the slack space – where all of the odds and ends of files end up, a dustbin of half-files and bits of data that people think they have deleted. These can help you get an idea of what the computer has been used for and where other data – the stuff people want to hide – might be.
Most people think the delete key gets rid of those files, but it doesn’t – it simply tells the computer that that space is available to be written over again. The file often is still all there, waiting to compromise its former owner.
If the drive is not encrypted, the software opens up the computer easily. I can order everything by date and time; I can see the email that provoked a web search, the item that was then bought. It feels like being able to see inside the mind of the former owner of the drive. And don’t think that you can erase your tracks by deleting the browser history: even if you wiped the cache, a hexadecimal editor can help the investigator decode the traces left behind after you deleted it.
You start to recognise other people who are using the computer. On one drive I quickly identified the owner from her email. But there was someone else searching the web for clothes for Barbie dolls. I soon identified the most likely person making those web searches – there were pictures of a small girl on the drive. A closer look told me her name. Other details followed: soon I knew her age and what school she goes to.
Inside her mind
By this time I knew her mother’s name too, and what her interests are, what her fascinations are and what goes on in the secret recesses of her head. All this was revealed to me by her web searches – and her visits to websites of a sexual nature. She has been deceitful: I can see lies in the emails that she has sent, because she has been trying to sell something to a lot of people at the same time and told each that she was only dealing with them.
People are using computers without realising that their computers are constantly taking snapshots of their lives. The information could compromise them financially as well as personally: on drives we found two years ago were the social security numbers of most of the employees of the UK branch of a multinational company. We could have stolen each person’s financial identities.
Some tribes in Africa do not like people taking their photos because they think that the camera takes a part of their being. A computer does much the same. When you work in computer forensics, and when you hold a hard drive in your hands, you hold someone’s life in your hands.
How to secure your disk
1 Use encryption. Vista Ultimate has BitLocker; Mac OSX has FileVault. There is also TrueCrypt, which is free and cross-platform.
2 Use secure erase programs such as Blancco; for a list, see howtowipeyourdrive.com.
3 When you’ve finished with your computer, securely wipe it and then reinstall the operating system from scratch. Or remove the hard drive and smash it with a hammer.
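The two behaviours the article contrasts – the delete key that only marks space reusable (and the slack space the pros go to first), versus a wiping tool that overwrites the blocks before freeing them – shown on a toy block device. This is an added example, not code from the article or from any of the products it names; the on-disk layout (a directory table over fixed 64-byte blocks) is an assumption made for the demo and resembles no real filesystem, and the sample addresses are constructed.

```python
"""Why 'delete' is not 'erase': a toy block device with a directory table.
Added example, not code from the article.  The layout is an assumption made for the
demo (nothing like a real FAT or NTFS volume), but the behaviour is the article's
point: an ordinary delete drops the directory entry and leaves the bytes in place;
a wiping tool overwrites them before releasing the blocks.
"""
import os
import re

BLOCK = 64          # toy sector size
N_BLOCKS = 16       # a 1 KiB "platter"
EMAIL = re.compile(rb"[a-z]+@[a-z]+\.[a-z]+")   # signature the investigator carves for


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * N_BLOCKS)   # every byte, allocated or not
        self.directory = {}                      # name -> (block list, logical length)
        self.free = set(range(N_BLOCKS))

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)          # ceiling division
        chosen = sorted(self.free)[:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for i, b in enumerate(chosen):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only len(chunk) bytes are written; the rest of the block (slack) keeps old content.
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free.discard(b)
        self.directory[name] = (chosen, len(data))

    def read_file(self, name):
        """What the operating system shows: only bytes inside the logical length."""
        blocks, length = self.directory[name]
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)[:length]

    def delete(self, name):
        """Ordinary delete: forget the entry, mark blocks reusable, touch no data."""
        blocks, _ = self.directory.pop(name)
        self.free.update(blocks)

    def secure_delete(self, name):
        """Wipe, then delete: overwrite each block (random, then zeros) before freeing it."""
        blocks, _ = self.directory[name]
        for pass_fill in ("random", b"\x00" * BLOCK):   # demo's own pass sequence; real tools vary
            for b in blocks:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = (
                    os.urandom(BLOCK) if pass_fill == "random" else pass_fill)
        self.delete(name)

    def carve(self, pattern=EMAIL):
        """The forensic view: ignore the directory and scan every byte of the platter."""
        return [m.group(0) for m in pattern.finditer(bytes(self.raw))]

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last block."""
        blocks, length = self.directory[name]
        last = blocks[-1]
        used = length - (len(blocks) - 1) * BLOCK
        return bytes(self.raw[last * BLOCK + used:(last + 1) * BLOCK])


CONTACTS = b"alice@example.com, bob@example.org, " * 3   # constructed sample: 108 bytes, 2 blocks


def demo():
    d = ToyDisk()
    d.write_file("contacts.txt", CONTACTS)
    found_while_live = d.carve()
    d.delete("contacts.txt")                  # the Delete key: the OS now says the file is gone
    found_after_delete = d.carve()            # the investigator still sees all six addresses
    d.write_file("note.txt", b"hi")           # reuses block 0 but overwrites only two bytes
    slack_leak = EMAIL.search(d.slack("note.txt")) is not None   # old data survives in slack

    w = ToyDisk()
    w.write_file("contacts.txt", CONTACTS)
    w.secure_delete("contacts.txt")           # what a wiping tool does instead
    found_after_wipe = w.carve()
    return {
        "live": len(found_while_live),
        "after_delete": len(found_after_delete),
        "slack_leak": slack_leak,
        "after_wipe": len(found_after_wipe),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat the toy cannot show: overwriting in place is only reliable on a plain magnetic drive. On an SSD the controller's wear levelling may write the "overwrite" to a different physical cell, and journaling or snapshotting filesystems keep extra copies, so for those the article's first tip (full-disk encryption from day one) or the drive's own secure-erase command is the dependable option.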
Published in The Guardian, 14 August 2008, under the headline ‘Computer security: Snapshots of our secret lives’