Covering Your Digital Tracks: Often Attempted, Rarely Unnoticed

When the media reports on high profile law enforcement investigations and digital data becomes the focal point, it gets my attention because that’s what we do at Capsicum Group, computer forensics investigations. This past week was no exception, as news broke about New England Patriots tight end Aaron Hernandez who was reportedly in a car with a man named Odin Lloyd hours before Lloyd was found murdered less than a mile from Hernandez’ house.  It has been reported that the hard drive in Hernandez’s home security system was damaged and his phone was in pieces when presented to the police.

Digital data is sensitive in the sense that steps can be taken to “get rid of it”.  The reporting from the Hernandez case is illustrative of physically damaging the media to prevent recovery of data.  While most would think that physically damaging a device containing electronically stored information would be sufficient to prevent recovery, we at Capsicum have first-hand experience recovering data from media that has been through physical harm. We’ve recovered a hard drive that was purposely thrown into a fire, as well as, hard drives that were submerged in salt water. So the moral here is…just because you think the media is damaged, does not necessarily mean all is lost with regard to retrieving some or all of the data contained on the device. Overwriting the media at least three times makes recovery efforts virtually impossible and the Department of Defense requires that a drive be overwritten SEVEN times to be considered unrecoverable.

Many of our cases involving the destruction or spoliation of electronic data are attempted through the use of a wipe utility. These software programs can be extremely effective in permanently deleting targeted files. We often find these incidents occurring in criminal, employment and intellectual property matters. While the actual files many no longer exist or be recoverable, there are footprints left behind that call out the use of a “wipe” utility. An experienced forensic examiner can quickly recognize from the directory, the naming conventions of certain files indicating that data was affected by wiping software. Further evidence can be found in the Registry showing when the program was last run and how many times it ran, as well as how many files were actually “wiped”.  Internet History, if not the target of the wipe, often shows the searching for “good” wipe software, and the eventual download of same. So, while the data itself may not be recoverable the inference as to why these steps were taken will often run to the adverse position of the one destroying the data.

With the popularity of social media comes the additional challenge of those who take steps to “shutdown” their Facebook and Twitter accounts in the hopes that any incriminating evidence will be inaccessible.  The success of recovery in this instance is dependent on a number of variables such as the timing of events and cooperation of those involved which includes the individual who shut down their page, the social media site, and the proper legal authority.  For example, when someone shuts down their Facebook page, the account is either deactivated or deleted. In both instances the page can be brought back by the owner. If the owner took down his Facebook page, via deactivation, he can bring it back up anytime. If he did it through deletion, it is only recoverable for up to two weeks after deleting it. If the Facebook page is deactivated, a person's name will still appear on Friends' lists and messages posted will still be on Friends’ message boards. If the Facebook account is deleted, then the information is gone even from Friends' message boards.

So while many may think that they can take steps to cover up their tracks by physically destroying media, using software to wipe out data or decommissioning social media accounts, the reality is that all is not lost from an investigative perspective.  In many cases of data destruction, although the entire puzzle may not be pieced back together, the parts that are still evident could be all that is needed to incriminate or exonerate the individual involved.