Following the deleter
DELETE isn’t enough anymore. Consider the case of Robert M. Johnson, the former Newsday publisher who, prosecutors allege, used a software program called Evidence Eliminator to rid his computers of child porn. As anyone who watches shows like “CSI” can attest, pressing “delete” makes files invisible, perhaps, but it doesn’t make them gone.
Making files gone has become a booming industry unto itself. Sales of Evidence Eliminator ($149.95) run in the millions of dollars each year, says Andrew Churchill, managing director of England-based Robin Hood Software -- and it’s just one of over a dozen “file shredder” or “anti-forensic” products on the market. Eraser, a similar tool available free over the Internet, is downloaded roughly 2.5 million times per year, according to its distributor, Ireland’s Heidi Computers.
Many of these software vendors claim that their programs “use wipe methods that exceed the standards set by the U.S. Department of Defense” (CyberCide, $29.95) -- while others boast the capability to “erase to both the U.S. Department of Defense and German Military/Government standards” (DataEraser, $29.95). Their websites urge protection against overly curious bosses, family members, corporate competitors and all variants of law enforcement. “You are at very high risk of investigation!” warns the Evidence Eliminator website. “There is no need for you to play Russian roulette with your job, family, car, property.... Act now!”
The government is responding with forensic techniques and claims of its own, and the high-tech arms race increasingly emerges in courtrooms, with judges and juries asked to meditate on that very basic human desire: to hide things. These indictments are often two-pronged, as is the case with Johnson, who was accused in June of downloading and possessing child pornography -- and with trying to make incriminating files disappear. For your average consumer, “the biggest concern is wanting to get rid of things they’re afraid a spouse will find on the computer,” says Brendan I. Koerner, a Wired magazine contributing editor.
But spouses aren’t the only ones encountering sanitized hard drives. Law enforcement agencies such as the FBI say that in the last year an increasing number of suspects chose to use such computer programs and that they expect the trend will continue. “It is not surprising to us that this technology is out there,” says FBI spokesman Paul Bresson. “And tomorrow, six months from now, we’ll see it even more.”
Making files reappear is a booming business also. Computers are evidentiary treasure troves, and law enforcement isn’t willing to roll over without a fight. “Five years ago, there were 1,000 law enforcement and government workers out there attacking this problem,” says John Colbert, chief executive of Pasadena-based Guidance Software, which makes the forensic software most used by law enforcement. “Now there are about 20,000.” Even so, some FBI computer labs are overburdened with the glut of hard drives they’re asked to analyze, says Eugene Spafford, professor of computer sciences at Purdue University. And stories abound in the forensic community of huge backlogs of hard drives coming out of intelligence investigations in Iraq and Afghanistan.
Private-sector forensics is growing alongside law enforcement. Chicago-based Navigant Consulting, a litigation support firm, has doubled its computer-forensics business over the last six months, says managing director James E. Gordon; Deloitte & Touche’s Forensics Investigation Services division had 79% growth in the last year, senior manager Bill Farwell says. Of course, the upswing isn’t linked solely to the new popularity of anti-forensic software -- there are plenty of regularly deleted files to chase after -- but also to the central role that computers are playing these days in most, if not all, civil, criminal and corporate conflicts.
The truth is in between
“We do have methods which allow us to produce the evidence needed for investigation,” says Jim Plitt, director of the U.S. Immigration and Customs Enforcement’s Cyber Crimes Center, the bastion of classified high-tech in charge of analyzing Johnson’s hard drives.
“They’ve got their classified information and we’ve got ours,” counters Evidence Eliminator’s Churchill. “There will never be any way to defeat Evidence Eliminator.”
The truth lies somewhere between these claims, according to Matthew Geiger, a graduate student at Carnegie-Mellon University who recently put six anti-forensic products through a rigorous testing regimen. “The use of counter-forensic tools does indeed pose a challenge to digital investigators,” he says. “These tools have the ability to get rid of incriminating evidence and private information. The question is, will they get rid of all of it? Whether they get rid of all the bits and pieces that turn out to be important is a matter of chance. In some cases, they’re not very good at it.”
All these myriad bits and pieces reside on the computer’s hard drive, the storage device that houses all your data: music, photos, Word documents, spreadsheets, e-mail, instant-messenger conversations. The device itself looks roughly like a record player stacked with mini records; each of these layers is a magnetic platter spinning several thousand times per minute (typical desktop drives run at 5,400 or 7,200 rpm). Read/write heads on stylus-like arms extend over the surface of the platters and “read” and “write” the magnetic information, which is converted into the recognizable words and images displayed on your monitor.
When you press “delete” to get rid of, say, that awful picture of you and cousin Harry from the family reunion, the computer’s operating system (Windows, Mac OS, Linux) simply “unlinks” the photo: it removes the directory entry that points to the file and marks the space it occupied as free for reuse, but the data itself remains intact on that spinning magnetic platter until something else happens to be written over it. Which means that, although you can’t see it anymore, if your Aunt Selma is any good with computer forensics, she can likely recover your ugly mug and use it as the family newsletter centerpiece.
Anti-forensic software takes deletion a step further: Generally speaking, it writes random or patterned data over the part of the disk where that photo resides before freeing it. Some programs overwrite once; some, such as Eraser, offer schemes of as many as 35 passes. Don’t gloat. You might be rid of that version of the file, but one of the many programs on your computer could have stored other versions, or thumbnails, or information about the photo (its name, its size, when it was last opened), and all these clues are floating around on those spinning magnetic platters, waiting to be found by Selma. Or the FBI.
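The sequence the last two paragraphs describe, as an added example that is not code from the article or from any product it names: a toy disk image in Python in which “delete” only unlinks the name, a wiper overwrites the file’s blocks before unlinking, and a forensic carver ignores the directory and scans the raw blocks for a file signature. The disk layout, the file names and the “thumbnail cache” written by a second program are constructed for illustration, and the overwrite pattern is a simplified three-pass scheme (zeros, ones, random), not any vendor’s.

```python
"""Toy disk image: what "delete" leaves behind, what a wiper removes, and
what it misses. Constructed example; the disk, file names and the
"thumbnail cache" are made up, not taken from any product in the article."""
import random
import re

BLOCK_SIZE = 512
N_BLOCKS = 32
# Signature a carver looks for: JPEG start-of-image followed by an APP0 marker.
JPEG_SIG = b"\xff\xd8\xff\xe0"


class ToyDisk:
    """A flat array of blocks plus a directory, like a very small filesystem."""

    def __init__(self, seed=2005):
        self.blocks = bytearray(BLOCK_SIZE * N_BLOCKS)   # the "platter"
        self.directory = {}                              # name -> list of block numbers
        self.free = set(range(N_BLOCKS))
        # Seeded only so the demo is reproducible; a real wiper would use os.urandom.
        self.rng = random.Random(seed)

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)             # ceiling division
        chosen = sorted(self.free)[:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
            self.free.discard(blk)
        self.directory[name] = chosen

    def delete(self, name):
        """What the operating system's "delete" does: unlink the name and mark
        the blocks free. Not one byte on the platter changes."""
        for blk in self.directory.pop(name):
            self.free.add(blk)

    def wipe(self, name, patterns=(0x00, 0xFF, None)):
        """What a file shredder does: overwrite the file's blocks, one pass per
        pattern (None = random bytes), and only then unlink as usual."""
        for blk in self.directory[name]:
            start = blk * BLOCK_SIZE
            for pat in patterns:
                if pat is None:
                    fill = bytes(self.rng.getrandbits(8) for _ in range(BLOCK_SIZE))
                else:
                    fill = bytes([pat]) * BLOCK_SIZE
                self.blocks[start:start + BLOCK_SIZE] = fill
        self.delete(name)

    def carve(self, signature):
        """What a forensic carver does: ignore the directory entirely and scan
        the raw blocks for a file-type signature. Returns byte offsets of hits."""
        raw = bytes(self.blocks)
        return [m.start() for m in re.finditer(re.escape(signature), raw)]


def run_demo():
    disk = ToyDisk()
    photo = JPEG_SIG + b"cousin harry, family reunion" + bytes(700)   # spans two blocks
    disk.write("reunion.jpg", photo)
    # Some other program (a thumbnail cache, say) quietly keeps its own copy.
    disk.write("thumbcache.db", b"THUMBDB\x00" + JPEG_SIG + b"tiny copy of the same photo")

    results = {}
    results["before"] = len(disk.carve(JPEG_SIG))                   # 2 copies on the platter

    disk.delete("reunion.jpg")                                      # plain "delete"
    results["after_delete"] = len(disk.carve(JPEG_SIG))             # still 2: unlinking changed no bytes
    results["text_after_delete"] = b"cousin harry" in disk.blocks   # True: contents are recoverable

    # Put the photo back (it lands in the same freed blocks) and shred it properly.
    disk.write("reunion.jpg", photo)
    disk.wipe("reunion.jpg")
    results["after_wipe"] = len(disk.carve(JPEG_SIG))               # 1: the original is gone...
    results["thumb_survives"] = "thumbcache.db" in disk.directory   # ...but the cache copy is not
    results["text_after_wipe"] = b"cousin harry" in disk.blocks     # False
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The carver never consults the directory, which is why the plain delete changes nothing it can see; the wipe does defeat it for the blocks it was pointed at, and the surviving hit is the copy made by a program the wiper was never told about. That second copy is the “bits and pieces” problem the paragraph above describes: a shredder is only as complete as its list of what to shred.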
Forensic investigators gleefully report that of the people savvy enough to use Evidence Eliminator-type software, few are savvy enough to wipe their tracks completely. If by chance someone does zap every single incriminating tidbit, then “for all intents and purposes,” says Deloitte & Touche’s Farwell, “we’re not going to be able to get them back.”
Unless.... There is that certain breed of forensic superhero able to dissect hard drives with gloved hands and use magnetic-force and electron microscopes to peer at pictures long gone, documents 35 times overwritten. They’re whispered about in the corners of tech conferences and around forensic firm water coolers.
Super-secret government agents, perhaps? “Exactly true,” says Wired magazine’s Koerner. “If they ship your hard drive to (the FBI lab at) Quantico (Va.) and look at it with an electron microscope, I don’t think Evidence Eliminator can prevent that.” Not so, says Simson Garfinkel, a computer forensics expert at MIT. “Nobody has ever demonstrated recovering overwritten data from a hard drive, ever.”
Leaving a trail
WHETHER or not overwritten data is ultimately recoverable, in courtrooms the use of anti-forensic software is often enough to imply guilt or invite steep sanctions. Even if the software works as planned, each program leaves a unique footprint that is easily identified by investigators. “The courts are pretty harsh when software like this is used on data that should have been preserved,” says Dave Schultz, manager of legal technologies consulting for forensic firm Kroll Ontrack. “You can expect fines, adverse inferences -- like the judge telling the jury to presume that useful information was deleted -- all the way to default judgments.”
Which was the case in April, when the magistrate in a Sacramento civil trial involving the misappropriation of trade secrets ruled that defendant Matthew Hewitt’s use of Evidence Eliminator was “a stark affront to the judicial process.” The data was “gone forever,” wrote the magistrate. Hewitt contended that he used the program only to cover up evidence of an affair and other embarrassments, but he was nonetheless ordered to pay his former employer, Washington-based market research firm Communications Center Inc., $145,000 in costs and fees -- and the court recommended that a default judgment be entered for most of the causes of action.
Last year, the U.S. 9th Circuit Court of Appeals upheld a similar ruling. Former Cisco Systems Vice President Robert Gordon had been convicted of embezzling and was required to pony up restitution, including what it cost Cisco to dredge his Evidence Eliminated computer. The appellate court concurred with that ruling; Gordon, they wrote, “purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years. As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on.”
There is greater precedent for these kinds of legal sanctions in civil rather than criminal court, but a look at the June indictment against Johnson will give anybody in the gaze of law enforcement pause. Johnson, who maintains he is not guilty, could face up to 30 years in prison if convicted of downloading and possessing child pornography -- and an additional 20 years if convicted of destroying evidence with Evidence Eliminator.
Although not sympathetic to criminals, some anti-forensic software makers and privacy advocates express concern about the use of such software being introduced as evidence of wrongdoing. It seems awfully Orwellian to be punished for deleting personal information, they say.
And at least one federal judge is rethinking the whole hornet’s nest of electronic evidence. “Evidence-gathering is becoming very heavily directed toward cyber materials,” says James M. Rosenbaum, chief district judge of the district of Minnesota. “But is what we’re getting worth anything?”
In 2000, Rosenbaum published an article titled “In Defense of the Delete Key” in which he recommends a cyber statute of limitations: “This limitation recognizes that even the best humans may have a somewhat less than heavenly aspect,” he writes. “It acknowledges that anyone is entitled to make a mistake and to think a less than perfect thought.”
The courts should allow for the existence of “cyber trash,” he writes: “This is what the delete button was meant for, and why pencils still have erasers.” Pieces of the article quickly spread from the obscure law journal to Web pages, dissertations and textbooks. Which was his intent, says Rosenbaum -- to get this conversation started. “Let’s engage in the fiction that maybe human beings just make mistakes once in a while,” Rosenbaum says. “That your first draft is just a first draft, not a fraud. Maybe it shouldn’t be discoverable any more than when you used to throw the first draft of a letter into a wastebasket.”
Contact Steven Barrie-Anthony at Calendar.email@example.com.