Between a Rock and a Hard Drive
Forensics attempts to find motive behind the Sandy Hook homicides.
The means by which data can be forensically retrieved from badly damaged hard drives is being put to extreme tests in the high-profile Sandy Hook Elementary School shooting case in Newtown, CT.
The shooter, Adam Lanza, removed the hard drive from his computer, then smashed it before driving to the school, where he murdered 20 first-grade children and six staff members before killing himself. Investigators hope to learn what may have motivated the madness from data hidden on his damaged drive and other electronic equipment.
The Newtown police turned the investigation of this incident over to the Connecticut State Police, which is handling the processing of the computer evidence seized. CSP, in turn, availed themselves of offers of assistance from the FBI and other federal agencies. Attempts to retrieve data from the smashed hard drive, however, have frustrated investigators.
“We're using both in-house experts as well as several federal partners to examine the evidence seized, including but not limited to the computer components,” said CSP public information officer Paul Vance. In late February, Vance said drive manufacturers were being consulted to see if they might have better luck.
One new forensic challenge is the solid-state drive, which has no moving parts and no platters to reconstruct. Some SSDs even have a self-destruct function that can make data recovery impossible with today's techniques. Even where the flash chips survive, the controller matters: it decides where each logical block actually lives (wear leveling), and on a self-encrypting drive the raw chip contents are ciphertext without the controller's key.
Still, there is a good chance you can get data even after the drive has been wiped, said Cal Waits of the Software Engineering Institute at Carnegie Mellon University. Waits said each SSD storage chip is individual, so if you damage only a few of the chips, others may still be in good shape and specialists can perform a procedure called a chip-off.
“You bypass the damaged chips and read the undamaged ones if the controllers are still in place,” Waits says.
Road to Recovery
Manufacturers and other experts believe there could be data in the debris. Depending, that is, on where the damage lies.
Hard disk drives store data on precision platters, made of glass or aluminum alloy, coated with a thin magnetic film.
Robb Moore, CEO of ioSafe, a hard drive manufacturer, said, “If the actual glass platters are damaged, individual digital bits—the ones and zeros—may be recoverable but it might not be meaningful as data is typically randomly scattered around the entire disk surface.”
Russell Chozick, co-founder and vice president of Flashback Data, a data recovery and computer forensics firm, said in general it’s not possible to recover data if there is significant physical damage to the platters, but just because the outside of a drive is damaged doesn’t always mean the media itself is damaged.
“We’ve seen drives repeatedly struck with a hammer but the internals were in perfect condition,” Chozick said. However, he said, damage to portions of the drive called system areas renders it permanently unrecoverable, even if the rest of the drive is in perfect condition.
Jason Bergerson, manager of computer forensics at Kroll Ontrack, a data storage technology company, said retrieval success depends on the location and extent of the damage. If the platters themselves are smashed or scratched, recovery can be more difficult than after environmental damage such as heat, water, or smoke.
“If platter one is smashed, platters two and three may be in good condition and data easily recovered,” Bergerson said.
Recovering 100% of data from the Lanza hard drive may of course be impossible, but computer forensics operates on the belief that destroying 100% of data is likewise impossible.
“If I can piece some of a platter together, I can get data from it,” said professor Jibey Asthappan, of the Lee College of Criminal Justice and Forensic Sciences, University of New Haven.
Ultimately, the question becomes one of resources.
Waits said recovering data from shattered drives is possible but it would be exceedingly expensive and time-consuming, beyond the resources of most local police agencies.
Waits said what’s needed is a mechanism that can either move the platter fragments over a read head or move the head over the fragments. Then software could possibly stitch the data fragments together in some meaningful way.
“If you’re talking about unlimited federal resources, you can do a lot more from a technical than a practical perspective,” Waits said.
Plenty of other information on Lanza is likely available without hard drive evidence. For one, there may be useful forensic data on game consoles. It’s been reported that Lanza was devoted to a particular shooting game.
Xbox, for instance, keeps download lists and tracks game progress and achievements. For suspects who play PC/Mac-based games, the online distribution and management services are the first stop: logs from platforms like Steam contain a wealth of user data. Also, games like Diablo 3 require an Internet connection to play, because a key is exchanged with the publisher's servers to prevent piracy, which means those servers hold a record of when the player logged in.
"Gaming logs can provide valuable investigative data," Asthappan said.
Third-party servers in cyberspace are another place to look. Everyone who uses the Internet leaves tracks in someone's logs. It’s important, however, to begin cyber investigations as soon as possible, since log data can have a short shelf life.
Experts advise first examining the logs on the suspect’s home cable modem or router. These typically contain the MAC (Media Access Control) addresses of all devices that connected to it, the IP (Internet Protocol) addresses it assigned to each device, and the modem’s own public IP address, which is what the service provider sees. These logs can give specific dates and times when those devices were connected to the Internet.
“With that information, police can seek a court order and invoke Title 18 USC, Section 2703(f), requiring the service provider to maintain all suspect records for 90 days and to provide all logged information pertaining to the suspect modem’s IP address in the indicated date range,” said Paul Henry, senior instructor at the SANS Institute, a cybersecurity and training organization.
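A worked example of that first step, added here and not drawn from any of the experts quoted: it parses a constructed DHCP log from a home gateway (written in the syslog style that ISC dhcpd uses; real consumer routers differ, and the year, which syslog omits, is an assumption the caller supplies) into a per-device timeline keyed by MAC address, then derives the date range an examiner would cite in the preservation request that follows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a home gateway's DHCP server log in the syslog style that
# ISC dhcpd uses. Hostnames, MAC addresses, IPs and times are invented.
SAMPLE_LOG = """\
Dec 10 07:58:41 gateway dhcpd: DHCPACK on 192.168.1.23 to 00:1a:2b:3c:4d:5e (desktop-pc) via eth1
Dec 10 08:12:09 gateway dhcpd: DHCPACK on 192.168.1.40 to 0c:fe:ed:00:11:22 (xbox) via eth1
Dec 11 19:40:02 gateway dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth1
Dec 11 19:40:03 gateway dhcpd: DHCPACK on 192.168.1.23 to 00:1a:2b:3c:4d:5e (desktop-pc) via eth1
Dec 13 06:31:55 gateway dhcpd: DHCPACK on 192.168.1.41 to 0c:fe:ed:00:11:22 (xbox) via eth1
Dec 13 06:45:10 gateway dhcpd: DHCPRELEASE of 192.168.1.23 from 00:1a:2b:3c:4d:5e (desktop-pc) via eth1
"""

# ACK = an address was bound to a device; RELEASE = the device gave it back.
# Both tie a MAC address to a point in time.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) (?:to|from) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$"
)


def parse_leases(log_text, year):
    """Build a per-device timeline keyed by MAC address.

    Syslog timestamps carry no year, so the caller supplies it (an assumption
    an examiner would confirm from the gateway's clock or the seizure date)."""
    devices = defaultdict(lambda: {"hostname": None, "ips": set(), "acks": 0,
                                   "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue          # DISCOVER/OFFER/NAK lines bind no address; skip them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        d = devices[m["mac"]]
        d["hostname"] = m["host"] or d["hostname"]
        d["first_seen"] = min(ts, d["first_seen"] or ts)
        d["last_seen"] = max(ts, d["last_seen"] or ts)
        if m["kind"].startswith("DHCPACK"):
            d["ips"].add(m["ip"])
            d["acks"] += 1
    return dict(devices)


def preservation_window(devices, mac):
    """Earliest and latest dates one device held or released an address: the
    range to cite when asking the ISP to preserve records for the household's IP."""
    d = devices[mac]
    return d["first_seen"].date(), d["last_seen"].date()


def household_window(devices):
    """The same range across every device, since the ISP only sees the gateway's public IP."""
    return (min(d["first_seen"] for d in devices.values()).date(),
            max(d["last_seen"] for d in devices.values()).date())


if __name__ == "__main__":
    devs = parse_leases(SAMPLE_LOG, 2012)
    for mac, d in devs.items():
        print(mac, d["hostname"], sorted(d["ips"]), d["first_seen"], d["last_seen"])
    print("preserve from/to:", household_window(devs))
```

Lease grants and releases show that a device was present at those moments, not that it was in use throughout; a long lease time can hide days of activity between renewals, so the window is deliberately taken from the first to the last event. Many consumer gateways hold this log only in memory, where it is lost at reboot, which is one more reason to capture the device promptly.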
Depending on what the provider logs, service provider records may show which Web sites the suspect reached in the requested date range, including chat rooms and social media. Social media can be a mother lode of information. Facebook, for instance, logs comments written to a suspect's page, pages the suspect visited, comments the suspect left on other pages, and chat conversations.
Also, Twitter, Foursquare, and Facebook not only share information the user provides directly but can also be used to track a user's location. Tracking is also possible through photos taken on devices like smart phones: iPhone photographs are notorious for carrying latitude, longitude, and time data in their EXIF metadata.
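How that location data is stored and read, as an added example written for this article rather than code from any of the people or companies quoted: a pure-Python parser that walks a JPEG's marker segments to the APP1/Exif block, follows IFD0 to the Exif and GPS sub-IFDs, and converts the degrees/minutes/seconds rationals to decimal coordinates. The JPEG it reads is a constructed sample that contains only the metadata segment and no image data; its coordinates and timestamp are invented, and the parser handles only the tag types it needs.

```python
import struct

# IFD tag numbers and TIFF field-type sizes used below (from the EXIF/TIFF specs)
EXIF_IFD_PTR, GPS_IFD_PTR, DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def build_sample_jpeg():
    """Constructed sample: a JPEG container holding only an APP1/Exif segment,
    with a fixed-layout TIFF block whose IFD offsets are precomputed."""
    def entry(tag, typ, count, value_or_offset):
        return struct.pack(">HHII", tag, typ, count, value_or_offset)
    ifd0, exif_ifd, gps_ifd, data = 8, 38, 56, 110
    dto_off, lat_off, lon_off = data, data + 20, data + 44
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0)              # big-endian TIFF header
    tiff += (struct.pack(">H", 2) + entry(EXIF_IFD_PTR, 4, 1, exif_ifd)
             + entry(GPS_IFD_PTR, 4, 1, gps_ifd) + b"\0\0\0\0")   # IFD0: two sub-IFD pointers
    tiff += (struct.pack(">H", 1) + entry(DATETIME_ORIGINAL, 2, 20, dto_off)
             + b"\0\0\0\0")                                       # Exif IFD
    tiff += struct.pack(">H", 4)                                  # GPS IFD
    tiff += entry(GPS_LAT_REF, 2, 2, ord("N") << 24)              # "N\0" fits inline in the value field
    tiff += entry(GPS_LAT, 5, 3, lat_off)
    tiff += entry(GPS_LON_REF, 2, 2, ord("W") << 24)
    tiff += entry(GPS_LON, 5, 3, lon_off) + b"\0\0\0\0"
    assert len(tiff) == data
    tiff += b"2012:12:13 09:41:00\0"                              # DateTimeOriginal (invented)
    tiff += struct.pack(">6I", 40, 1, 41, 1, 2112, 100)           # 40 deg 41' 21.12" as RATIONALs
    tiff += struct.pack(">6I", 74, 1, 2, 1, 4020, 100)            # 74 deg 02' 40.20"
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif_block(jpeg):
    """Walk the JPEG marker segments and return the TIFF block from APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + seglen]
        if marker == 0xFFDA:          # start of scan: metadata segments precede image data
            return None
        pos += 2 + seglen
    return None


def parse_exif_gps(jpeg):
    """Return {"datetime_original", "lat", "lon"} for whichever fields are present."""
    tiff = find_exif_block(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order applies to the whole block

    def u16(o):
        return struct.unpack(endian + "H", tiff[o:o + 2])[0]

    def u32(o):
        return struct.unpack(endian + "I", tiff[o:o + 4])[0]

    def read_ifd(off):
        entries = {}
        for i in range(u16(off)):
            e = off + 2 + 12 * i
            tag, typ, count = u16(e), u16(e + 2), u32(e + 4)
            size = TYPE_SIZE.get(typ, 1) * count
            # values of 4 bytes or fewer are stored inline; larger ones are at an offset
            entries[tag] = (count, e + 8 if size <= 4 else u32(e + 8))
        return entries

    def ascii(ent):
        count, off = ent
        return tiff[off:off + count].split(b"\0")[0].decode("ascii", "replace")

    def dms(ent, ref):
        count, off = ent
        parts = [u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(count)]
        d, m, s = (parts + [0, 0, 0])[:3]
        dec = d + m / 60 + s / 3600
        return -dec if ref in ("S", "W") else dec

    ifd0 = read_ifd(u32(4))
    out = {}
    if EXIF_IFD_PTR in ifd0:
        exif = read_ifd(u32(ifd0[EXIF_IFD_PTR][1]))
        if DATETIME_ORIGINAL in exif:
            out["datetime_original"] = ascii(exif[DATETIME_ORIGINAL])
    if GPS_IFD_PTR in ifd0:
        gps = read_ifd(u32(ifd0[GPS_IFD_PTR][1]))
        if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            out["lat"] = dms(gps[GPS_LAT], ascii(gps[GPS_LAT_REF]))
            out["lon"] = dms(gps[GPS_LON], ascii(gps[GPS_LON_REF]))
    return out


if __name__ == "__main__":
    print(parse_exif_gps(build_sample_jpeg()))
```

The byte order ("II" or "MM") comes from the TIFF header and governs every offset in the block, and the hemisphere letters decide the sign of the decimal value. Real files carry more GPS tags (GPSTimeStamp, GPSDateStamp, altitude) that extend the same pattern. Most social media services strip EXIF on upload, so this data survives in the original file on the handset or computer, not in the posted copy.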
Service provider records may also show visits to other sites of interest, such as file-storage services like Dropbox.
“Dropbox can be of investigative value, because suspects sometimes store information on Dropbox they don't want found on their personal computers,” Henry says.
E-mail can be obtained from Web-based e-mail providers or, if a desktop client such as Outlook is used, from the mail files on the computer itself.
Third-party servers, such as proxy servers, can help in tracing a suspect who does not want to be traced, but some investigations prove more challenging. Owner policy and proxy servers located in other countries can impede investigations, Asthappan said.
"Although evidence from third party servers can be helpful, it cannot be relied upon to create a strong case," Asthappan said.
One big issue in the U.S. is the lack of legislation on service provider and Web site log retention, which is generally governed by each company's internal policy.
"This is why it’s important to get the preservation order in place immediately, so potential evidence is not lost due to the normal business practices of the service provider," Henry said.
Douglas Page writes about forensic science and medicine from Pine Mountain, California.