Hiding Sensitive Data Can Be Tough in a Digital Age 
January 14, 2002
The New York Times
By JOHN MARKOFF
SAN FRANCISCO, Jan. 13 - The modern task of successfully destroying electronic documents has become daunting enough to give Oliver North nightmares.
Mr. North is the Marine officer who became notorious during the Reagan-era Iran-contra scandal after it was discovered he had tried to delete thousands of e-mail messages, only to discover that they had been retained on backup tapes and made available to Congressional investigators.
The issue of the destruction and possible retrieval of electronic data burst into the news last week after Arthur Andersen & Company, the auditors for the Enron Corporation, said that the accounting firm had destroyed a "significant but undetermined" number of documents relating to Enron and its finances.
The embarrassing acknowledgment set off new demands from Congress that Andersen produce a wide range of documents, including e-mail and other computer files for investigators.
Today, Mr. North's efforts would be vastly more complicated because of changing computer technologies and the emergence of the Internet, which has ensured that there will be multiple copies of almost any electronic document.
"Today documents aren't just stored. They're sent," said Mark Rasch, a former federal prosecutor who is vice president for cyberlaw at Predictive Systems, a network security consulting firm based in Herndon, Va. Even though many companies have general procedural rules that require the periodic deletion of e-mail, he noted, messages can usually be recovered.
"The sender and the recipient may have the message on their machine, in addition to the server where it was stored," he said. "Unless there is a tool used to remove it using military-grade technology, it can be recovered."
Most computer-literate office workers now realize that simply deleting an e-mail message or moving a document onto the trash icon on their computer's desktop screen does not eliminate the data.
That is because modern computers organize information by using file-system directories that point to physical areas on a disk drive where the data resides. "Deleting" the information usually only breaks the link between the directory and the data so that the original storage space can be reused in the future.
To eliminate important data, some companies and individuals use software tools that try to "wipe" files from storage disks by writing random strings of 1's and 0's over the space where the files were stored. Others will use programs that "defragment" disks by moving information around on the surface of the disk so that data can be retrieved more efficiently, which can also write over old data. Or they can reformat the drives entirely.
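
The difference between deleting and wiping described above, as an added illustration that is not part of the original article: a toy in-memory disk on which an ordinary delete drops only the directory entry, while a wipe overwrites the blocks first. The `ToyDisk` class, the block size and the memo text are all constructed for this example and model no real file system.

```python
import os

BLOCK = 64  # bytes per block on the toy disk (constructed value)

class ToyDisk:
    """Toy model: `directory` maps a name to block numbers; data lives in `raw`."""
    def __init__(self, blocks=16):
        self.raw = bytearray(blocks * BLOCK)
        self.directory = {}
        self.free = list(range(blocks))

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)  # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the blocks untouched."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        """Overwrite every block of the file with random bytes, then delete it."""
        for b in self.directory[name]:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def carve(self, needle):
        """Search the raw disk while ignoring the directory; -1 if not found."""
        return self.raw.find(needle)

def demo():
    memo = b"MEMO: constructed sample text for the demo. " * 3
    deleted, wiped = ToyDisk(), ToyDisk()
    for disk in (deleted, wiped):
        disk.write("memo.txt", memo)
    deleted.delete("memo.txt")
    wiped.wipe("memo.txt")
    # (still readable after delete?, still readable after wipe?)
    return deleted.carve(memo[:20]) >= 0, wiped.carve(memo[:20]) >= 0

if __name__ == "__main__":
    print(demo())
```
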
What most computer users do not realize, however, is that the world of computer forensics has made huge strides in recent years, and it is now remarkably difficult to hide data from a determined investigator.
"Computer forensics is going to play an important role in recovering documents in the Enron case," said John Patzakis, president and general counsel of Guidance Software, a company in Pasadena, Calif., that makes hardware and software used by law enforcement authorities as well as the Big Five accounting firms.
Every action taken by a computer user leaves a telltale trail, he said, so the act of deleting documents can itself be revealing.
"Not only can computer forensic techniques recover documents, but they can inform investigators when and how they were deleted," he said. "It is often possible to determine if a deletion is an innocent act pursuant to a corporate policy or if there is an ulterior motive." Even more remarkable, technical means exist to retrieve data that has been erased.
It is possible to take a disk apart and use an electron microscope to read information from the individual magnetic spots on the surface of a disk that may have been intentionally erased, Mr. Patzakis said.
Originally a tool of the intelligence world, this technique - which is costly - has been used successfully in big legal cases.