Computer Forensics, Data Recovery and Training
Data RecoveryComputer ForensicsTrainingContact Us
   > Home > Computer Forensics > Publications > Beyond the Usual Suspects

Beyond the Usual Suspects

Finding Data in Secret Spots

by: Jeffrey Sassinsky
(Published in "The New York Law Journal")

Topics

Introduction

Today's digital world is deceiving. Like a magician pulling an oversized scarf from his fist, the digital devices scattered around us can hide tremendous amounts of information in tiny places. It is sometimes mind boggling just how much information can be stored in such a small amount of physical space.

Indeed, information storage has moved from ink on paper to digits in a computer, and with that comes the need to retrieve and interpret the ones and zeros making up the data. Finding this information is often a matter of knowing where to look, and the search may take one beyond the usual suspects.

Desktop and laptop computers alone contain volumes of data. But there are many more places to look for electronic evidence during an investigation or lawsuit. For example, if a computer is part of a corporate network, there is a good chance that relevant information may exist on a network server or may have been backed up on tape. Or the search may move to a personal data assistant (PDA), such as a Palm Pilot. Even cell phones can store e-mails, scheduling information and voice notes.

Following are some of the more obscure hiding places where key pieces of evidence may be found.

Corporate Networks

Just about every corporate office today has a computer network of some sort. Networks allow users to access centralized database servers and to read e-mail from the Internet. They also facilitate the simple distribution of information across multiple locations.

When dealing in corporate settings, one may find information on a user's local computer, on a server with private or shared storage or on a backup tape.

Many corporations provide their employees with storage space on centralized servers that are available over the network. This space may be allocated to a single user for general storage or to a group of users to facilitate information sharing.

Because the servers are usually backed up to an offline storage medium, in many cases corporations encourage their employees to save important data to the centralized server. This helps ensure that documents are not lost if a hardware failure occurs.

The distribution of data across a network provides investigators with several locations to search for relevant information. Many times information that has been deleted from a local computer or "user account" may be found on a centralized server or on a backup tape.

Online/Third-Party Data Storage

Many Internet Service Providers (ISPs) offer customers online storage space. Users often use programs supplied by their Internet provider to copy a selection of their files to the allocated space on their ISP's servers.

This space can range from a few to dozens of megabytes, and can often store documents, pictures, spreadsheets or general files. It allows users easy access to their "online files" from almost any computer connected to the Internet.

Data may be backed up to tape (or other offline media) providing another copy of the data stored online.
This storage space also should be searched during an investigation.

CD-ROMs, Floppies and 'Zip Disks'

The amount of data that can be stored on a disk seems to be forever increasing. Many now store or backup data on "removable media," such as Zip disks and CD-ROMs.
The Zip drive, produced by Iomega, allows the storage or backup of information on 100-megabyte or 250-megabyte Zip disks.

The USB (a standardized computer connection) version of the Zip drive can be easily used with many computers to provide a central storage location or to transfer large files from one computer to another.

At the same time, CD burners have become relatively inexpensive and can provide another means of storing or transferring files.

A typical CD-ROM holds up to 700 megabytes of data. New DVD burners now on the market increase that number substantially, and their prevalence can only be expected to increase as their prices decrease.

Personal Data Assistants

The use of PDAs, such as the Palm Pilot and Windows CE devices, also is increasing as their sizes and prices decrease.

These devices store phone numbers, addresses and day planners, but can also hold e-mails, pictures and files.
Software, usually provided with the device, allows owners to synchronize a PDA with a laptop or desktop computers.

Users can even view and modify standard word processor, spreadsheet or database files on many pocket devices.

Cell Phones and Pagers

Cell phones today have more memory than the first computers.

This memory is used to store address and phone books, text messages and recorded voice notes.

With the "wireless Internet" becoming more and more popular, users surf the Web and read e-mail from digital phones. Applications now exist allowing users to view and store e-mails and faxes directly to cell phones or through service providers.

With technology advancing rapidly, the number of functions cell phones can perform continues to increase. In fact, market leaders appear to be merging the functions of digital phones with that of PDAs.

Cell phones also store the most recent outgoing, incoming and missed phone calls. This information is usually paired with the time and date of the call. By searching the memory of a cell phone, investigators may not only discover someone's calling history but may also find text, e-mail, fax and voice messages.

Digital Cameras/Memory Cards

Digital cameras store pictures on a removable memory card sometimes called a "Flash Card" or "Smart Card." In some cases, literally hundreds of photos can be recorded to a single card. Manufactures such as SanDisk produce memory card readers that attach to a computer for quick downloading of stored images.

But most are unaware that storage on these memory cards is not limited to photos. In fact, the cards can be used in conjunction with the card readers to store practically any type of file. With some of the cards containing 256 or more megabytes of data, their large capacity and small size make them especially convenient hiding places for information.

Conclusion

With more and more information being stored electronically, computer and electronic discovery are becoming ever more popular - and necessary.

Although investigators and computer technicians will continue to call upon the usual suspects to unearth relevant data, other high-tech storage devices should not be overlooked when hunting for evidence.

When properly searched, these small devices can expose mountains of information.

(This article is reprinted with permission from the
November 4, 2002 issue of "The New York Law Journal - Techtrends." ©2002 NLP IP Company. Further duplication without permission is prohibited. All rights reserved.)

Back to Top

How can we help?

Computer Forensics and Computer Investigations are regularly used by attorneys, businesses and law enforcement.

More information?

For more information about Computer Forensics, Computer Investigation or Sassinsky Data Services, LLC, please call or send us an email.

We look forward to hearing from you!

Email: information@sassinsky.com
Phone: (800) 975-6193

Retrieving Data | Attorneys | Business | Law Enforcement
Examples | Email | Deleted Files | Internet History
Publications

Also visit our Mac Data Recovery site www.MacintoshDataRecovery.com

©2010, Sassinsky Data Services, LLC. All Rights Reserved.