In a sign that computer evidence will figure prominently in the Enron investigation, Andersen last week hired Texas-based computer forensics company ASR Data Acquisition and Analysis, to recover deleted or overwritten digital data. The obligation to preserve documents that might figure into an investigation or trial is well-known among businesses and in government. But the extension of that legal principle to include digital data was, until just a few years ago, a hazier matter. Many lawyers argued, with some success, that their clients didn't understand that they were violating the rules of discovery when they wrote over a file. Three years ago, that argument went out the window. "The disingenuous reaction became useless as soon as Bill Gates became the poster child for bad email," said Feldman, referring to the then-Microsoft chief executive's testimony after lawyers in the government's antitrust case read recovered emails from company executives on a nationally televised videotape. "There was sort of a turning point where any last gasping chance that people thought they had to say they didn't know about this issue was over." Like other digital files, email is easy to search using keywords -- for instance, "Enron" or "Netscape." But more than other digital files, email has a tendency to leave copies of itself in places the average sender wouldn't think to look when attempting to make it go away. In the process of composing an email, copies may exist in the "out" box of the email program, on the client's hard drive and on a corporate back-up tape. That's before the email is even sent. Once delivered, the email can exist on any number of servers between sender and recipient, not to mention the myriad destinations where it might be forwarded once it reaches its destination. Then there are synchronisations between desktop computers, laptops and PDAs (personal digital assistants) where more copies may reside. "If you have a hard time grasping this, think of rabbits," Feldman said. "Think about their incredible reproductive nature, and think about trying to get them all back. That's the challenge for people trying to get rid of email, and that's where we prevail." Search and destroy
Computer forensic investigators approaching situations such as the Enron and Andersen case start by collecting potential sources of digital files. Corporate back-up tapes must be transferred to a hard drive, where massive amounts of information can be searched and sorted. Then investigators turn to individuals' computers. For each person under investigation, there may be two or three computers targeted -- for example, a desktop at work, a laptop and a home computer. Instead of booting up the targeted computer, forensics experts typically make an evidentiary copy of the hard drive to capture everything on the computer -- deleted files and all. That copy lets investigators avoid accusations of tampering with evidence. "If, in addition to examining files directly on the computer, I open it up to read it, I have changed the meta-data for that file," Feldman said. "That changes the last access date and time, and if I do anything more I may have also modified that file. So, it becomes very difficult to weed out or parse through that which was there prior to the review. If you have to testify it, you wind up dancing through a sea of razor blades and you start to look like an idiot." Once the investigators have their copy, they bring it back to the lab where they use special software tools to dig through the data. One popular software suite is called En Case. Produced by Guidance Software, a computer forensics hardware and software company in California, the tool examines the hard drive, identifies and locates deleted files, and allows for text searching and other analysis tricks. The software can also tell investigators if a deleted file has been written over partially, leaving some data that can be recovered. Still, people who are serious about making information disappear don't settle for writing on top of a file just once. Typical government procedure is to write over it four times, said Anthony Pellicano, an investigator at Forensic Audio Lab in Los Angeles who examined the 18.5 minutes of erased tape from the Nixon White House, among other crucial pieces of evidence in high-profile cases. Another computer forensics expert said the Department of Defense policy is to write over files seven times. "If I drag a file to the trash and empty the trash, that just means that there was a pointer and now it says don't point to that anymore," Pellicano said. "But if something is erased and something is written on top of it, then you can forget about it -- you'll never get it back." Computer forensics specialists draw a distinction between merely writing over information and deliberately wiping a file. A deleted file may be written over partially and without the computer user's knowledge. But someone who sets out to wipe a file does so with the aid of software such as Norton Utilities Wipe Info, repeatedly, from beginning to end. That distinction is more than a forensic one. Investigators, lawyers and congressional representatives are particularly interested in finding out whether someone deliberately wiped information after it was reasonable to think a court might want to see it. "We look for system activity to see if someone was using a file-shredding program -- which in itself isn't illegal or unethical, unless you're under subpoena or the threat of subpoena," said Computer Forensics' Feldman. Learning from pack rats
Christopher Wolf, an attorney at Proskauer Rose who deals with issues of "spoliation," or the destruction of documents, said clients should keep items they know may be needed in an investigation or case. Parties involved in a case can later ask a judge to withhold documents as evidence, but destroying them once an investigation has begun can lead to real trouble. For one thing, it can result in charges of obstruction of justice. Or in a civil case, a judge can allow the jury to question a document-destroying party's intentions. For example, judges in certain cases will tell jurors they should assume missing documents are harmful simply because they were destroyed -- even if they never see the contents. Wolf says digital documents have been fertile ground for evidence in many cases. "People say things in emails and attach documents to email they might not have done in the hard-copy world," he noted. But the success of efforts to recover data from Andersen and Enron computers depends on several factors, not least of which are the savvy and persistence of those who might have tried to destroy data. "It's almost kind of like a game of leapfrog," said Andrew Rosen, chief executive of ASR. "As the technology used to recover the data gets better, the technology used to destroy data gets better." Rosen, who likens his quest to digital archaeology, said the challenge comes not so much from retrieving deleted information, but from piecing it together and developing a time line that tells the story of what actually happened. "Simply getting the data back is one of the easiest questions, but figuring out the who, what, where and why often involves a significant bit of analysis," he said.
Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.
