The art of recovering lost data and undeleting deleted text messages

SOME of the best sources of forensic data are mobile phones, computer hard drives and digital devices such as memory sticks and digital cameras.

Despite many high-profile Crown Court and Magistrates’ Court trials, criminals still leave data trails that can be followed and used in evidence to convict the guilty. In this article I shall look at some of the main options open to the forensic data recovery specialist.

I first heard of the possibility of undeleting text messages (SMS) some years ago. It made me think, and I made enquiries of other technical engineers working in IT and providing expert services.

It quickly became apparent that those who had worked out how to do this were keeping the secret close to their chests, so I set out to find out for myself. In those days SIM card readers were few and far between, so I designed my own. This worked well, and I was able to look at the raw data on the SIM card.

Data was clearly present in areas where text messages had existed and had been deleted.

Free for further storage
The method of deletion is similar to a hard drive in a PC. The data is not actually removed but the memory is marked as free for further storage, so in time the data gets overwritten by newer data. The problem was to decipher the data that I could see.

Eventually, after many false starts, we established the coding, and by reversing it what had looked like hieroglyphics suddenly turned into a recognisable text message. Several years later, the most popular use of this skill is in divorce cases, as the text message seems to be the medium of choice in illicit affairs.
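The two observations above, that a deleted slot is only marked free and that the stored bytes are an encoding rather than plain text, can be shown with a small parser. The following is an added example, not the author's tool: it reads one SIM EF_SMS record (176 bytes, as laid out in the GSM/3GPP SIM specifications) while ignoring the status byte, then unpacks the GSM 03.38 7-bit user data. The record bytes are constructed for illustration, and only SMS-DELIVER messages in the default 7-bit alphabet are handled.

```python
# Added example (not from the article): parse a SIM EF_SMS record regardless of its
# status byte, so a message whose slot is merely "marked free" is still recovered.

def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 03.38 7-bit packed text (septets packed LSB-first)."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(bits & 0x7F)
            bits, nbits = bits >> 7, nbits - 7
    # Only septets that coincide with ASCII are rendered; the rest (e.g. 0x24 '¤') become '?'
    same = lambda c: c != 0x24 and (0x20 <= c <= 0x3F or 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A)
    return "".join(chr(c) if same(c) else "?" for c in out)

def semi_octets(data: bytes, digits: int) -> str:
    """Decode swapped-nibble BCD (addresses and timestamps); 0xF filler is sliced off."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)[:digits]

def recover_sim_sms(record: bytes):
    """Return the message held in an EF_SMS record, or None if the slot is blank (all 0xFF)."""
    status, t = record[0], record[1:]
    if all(b == 0xFF for b in t):
        return None                                   # overwritten/blank: nothing left to recover
    p = 1 + t[0]                                      # skip the length-prefixed SMSC address
    if (t[p] & 0x03) != 0:
        raise ValueError("only SMS-DELIVER handled")
    digits, ton = t[p + 1], t[p + 2]                  # originating address length and type
    n = (digits + 1) // 2
    sender = ("+" if (ton & 0x70) == 0x10 else "") + semi_octets(t[p + 3:p + 3 + n], digits)
    p += 3 + n                                        # now at TP-PID
    if t[p + 1] != 0x00:
        raise ValueError("only the 7-bit default alphabet handled")
    ts = semi_octets(t[p + 2:p + 9], 12)              # TP-SCTS as YYMMDDhhmmss
    udl = t[p + 9]                                    # user data length in septets
    text = unpack_7bit(t[p + 10:p + 10 + (udl * 7 + 7) // 8], udl)
    return {"status": "in use" if status & 0x01 else "marked free (deleted)",
            "sender": sender, "text": text,
            "time": f"20{ts[:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:]}"}

# Constructed sample: status 0x00 (slot marked free) but the old TPDU is still present.
DELETED_RECORD = bytes.fromhex(
    "00"                        # status byte: bit 0 clear -> free
    "07 91 44 77 58 10 06 50"   # SMSC address, +447785016005
    "04"                        # SMS-DELIVER, no more messages
    "0B 91 44 77 00 09 10 F2"   # originating address, 11 digits, international
    "00 00"                     # TP-PID, TP-DCS = 7-bit default alphabet
    "21 60 51 41 03 00 00"      # TP-SCTS 2012-06-15 14:30:00 +00
    "06"                        # TP-UDL = 6 septets
    "C8 34 A8 59 6F 03"         # "Hi Mum", 7-bit packed
).ljust(176, b"\xff")           # rest of the 176-byte record unused
```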

Coupled with last-number-dialled/address-book analysis and cell site tracking, the undeletion of data on a mobile phone provides additional evidence in the establishment of ‘attribution’ – the proving of who has actually used a mobile. Criminals frequently buy a pay-as-you-go mobile for the purposes of a crime and then discard it afterwards. Undeleting a text message to ‘Mum’, for example, makes the job of attribution much simpler than analysing the call data records for hundreds of calls.

Data recovery
Whether data is being recovered from a hard drive because it has been accidentally lost or because it is suspected of revealing clues in a crime scene, the one overriding factor that is critical in all cases is to preserve the evidence. A phone or computer should never be switched on, even to do some basic checks.

The sooner the memory device (disk, SIM card, etc.) is sealed in an evidence bag, the better.

The process of forensic data recovery has been made easier in recent years by the development of forensic software that is capable of retrieving everything off a memory device. With hard drives, this means not only capturing blocks of data but looking in between the data at the slack space (the gaps between pieces of data). This is a rich area for the retrieval of incriminating data. A part of a URL might be left in the disk slack and could be sufficient to establish the website and prove that it was visited.

The biggest challenge these days with forensic data analysis is the size of hard drives, which results in data capture taking inordinate amounts of time. Once data is secured, the establishment of meaningful search terms is an acquired skill necessary to avoid ‘hits’ of hundreds of thousands on a large disk.

As disk drives increase in size, so does the cost of analysing them as the work can extend to hundreds of hours.

Presentation of the data in a meaningful format is as important as acquiring it. Juries can be relied on to be non-technical.

Finally, when you want to dispose of a hard drive or laptop, do not just throw it away. The hard drive should be ‘wiped’ with easily available software or formatted as a minimum and then drilled through to destroy the platters.