I Didn't Get The Email: How Often It Happens

In the last 12 months, I have had three cases that I've labeled as "I didn't get the email" (IDGTE) cases. It is often my role to help a judge or jury understand how email sent from one party to another might not get delivered. There are obvious reasons, such as being removed by a spam filter. However, in most systems you can see what file(s) the spam filter removed, so the recipient can figure out what happened.

But there are so-called silent lost email messages in which neither party is notified of the delivery failure and, in general, we never know what caused the failure.

The paper "Addressing Email Loss with SureMail: Measurement, Design, and Evaluation" measures such silent loss at approximately 0.71% to 1.02%.

This article caught my attention because most of the material that I have found on lost emails is aimed at bulk mailers, a far different situation than email between friends or business parties. I believe that the number of IDGTE cases will continue to rise. I'd like to hear from anyone who knows about IDGTE cases. I'm collecting a library of them.

Questions and comments are welcome.

Deleting Isn't Deleting

Today’s blog is about deleting files and file slack space, a rich source of evidence for the forensic examiner—and a favorite topic of mine.

Most people have heard the expression “formatting a disk.” Formatting a drive divides up the space on the drive into pieces called sectors. Each sector has a numeric address. As an application needs disk space, the operating system assigns it enough sectors to fill its needs. To keep track of “who’s got what,” the operating system keeps a directory that is much like a phonebook. When a user needs to access some data, the operating system goes to the directory and looks up the data’s location.

But what happens when you delete a file that was stored in one or more of these sectors? Again, the operating system goes to the directory and finds the data’s location. However, rather than actually deleting (removing) the data, all the operating system does is place a special mark in the directory indicating the disk space is no longer needed and can be reassigned to other applications that need space. Nothing is done to the file itself. The file just remains on the drive until the operating system reassigns the space to some application. It is much like a renter who is told by the landlord “I’m going to put the house on the market, but you can stay until the new owner moves in.”

What happens when the operating system eventually reassigns the space? The first thing to know is that when disk space is needed, the operating system assigns whole sectors at a time. That is, an application needing 2 ½ sectors would be assigned a full 3 sectors. When the information is written to disk, the first 2 ½ sectors are overwritten, leaving the last ½ sector unchanged. This unchanged space between the end of the file and the end of the sector is called slack space or simply slack.

What is in the slack space? Remember, when a file is deleted the operating system only marks the space as available to be reused. If a new file only takes up a portion of the sector, the old data “stays” there until it, too, is eventually overwritten. In the example of the file needing 2 ½ sectors, the last ½ sector contains whatever was stored there before the overwriting occurred.

Slack space has the potential to contain any information that was ever stored—or even viewed—on the computer. Photos, documents, credit card numbers, internet browser histories, you name it.  The data in the slack space may be whole files or simply fragments of files (most often a mix of the two), but a forensic engineer can view, retrieve and catalog the evidence found in slack space. 

Slack space is a good example of the difference between a user doing a "copy-and-paste" and a forensic examiner making a valid forensic image. Using "Copy" in our example, only the 2 ½ sectors would be copied, while a valid forensic image copies the entire 3 sectors.
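The following simulation is an added example, not code from the original post: it models a drive as numbered 512-byte sectors, "deletes" a file the way the directory-mark mechanism described above does, reuses the space for a file of exactly 2 ½ sectors, and then compares what a copy-and-paste collects against what a bit-by-bit image collects. The sector size, file names and the "old" card-number content are constructed for the demonstration.

```python
import math

SECTOR = 512  # constructed sector size; real drives use 512 or 4096 bytes


def make_disk(sector_count):
    """A blank simulated drive: one contiguous byte array of whole sectors."""
    return bytearray(SECTOR * sector_count)


def write_file(disk, directory, name, start_sector, data):
    """Assign whole sectors (2.5 sectors needed -> 3 assigned) but write only len(data) bytes.

    Bytes between the end of the data and the end of the last assigned sector
    are never touched: that is the file's slack."""
    sectors = math.ceil(len(data) / SECTOR)
    offset = start_sector * SECTOR
    disk[offset:offset + len(data)] = data
    directory[name] = {"start": start_sector, "sectors": sectors,
                       "size": len(data), "deleted": False}


def delete_file(directory, name):
    """Deleting only flips a mark in the directory; the sectors keep their contents."""
    directory[name]["deleted"] = True


def logical_copy(disk, directory, name):
    """What 'Copy and Paste' collects: exactly the bytes the directory says belong to the file."""
    entry = directory[name]
    offset = entry["start"] * SECTOR
    return bytes(disk[offset:offset + entry["size"]])


def forensic_image(disk):
    """What a bit-by-bit image collects: every byte of every sector, in use or not."""
    return bytes(disk)


def file_slack(image, directory, name):
    """The tail of the last assigned sector that the file's own data did not overwrite."""
    entry = directory[name]
    start = entry["start"] * SECTOR + entry["size"]
    end = (entry["start"] + entry["sectors"]) * SECTOR
    return image[start:end]


def demo():
    """Old content is 'deleted', a 2.5-sector file reuses the space, and the slack is inspected."""
    disk = make_disk(8)
    directory = {}

    # Constructed sensitive content: 35 bytes repeated 40 times = 1400 bytes, so 3 sectors.
    old_content = b"CARD 4111-1111-1111-1111 EXP 12/29 " * 40
    write_file(disk, directory, "cards.txt", 0, old_content)
    delete_file(directory, "cards.txt")

    # A new file of exactly 2.5 sectors is assigned the same 3 sectors.
    new_content = b"N" * (2 * SECTOR + SECTOR // 2)
    write_file(disk, directory, "notes.txt", 0, new_content)

    image = forensic_image(disk)
    copied = logical_copy(disk, directory, "notes.txt")
    slack = file_slack(image, directory, "notes.txt")
    return {
        "copy_bytes": len(copied),      # 1280: only the 2.5 sectors of data
        "image_bytes": len(image),      # 4096: all 8 sectors
        "slack_bytes": len(slack),      # 256: the untouched half sector
        "old_data_in_copy": b"4111-1111" in copied,
        "old_data_in_slack": b"4111-1111" in slack,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The copy contains none of the old card numbers; the image does, in the half sector the new file never wrote. The same reasoning applies to the sectors of a deleted file that no new file has reused at all, which is why the image is taken of the whole device rather than of the files the directory still lists.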

The bottom line? 1. Don't assume that something is gone from your computer just because you can't see it! 2. The data in slack space can be the very piece of evidence you need in a case.

But It's MY Computer

Mark Fass has an excellent article on the divorce woes of Frank Moore. Ms. Moore filed for divorce citing cruel and inhuman treatment, including an extramarital affair. According to her attorney, she found "hundreds and hundreds of pages" of “really salacious instant message conversations” on a laptop computer Mr. Moore left in the trunk of a car. The parties disputed the ownership of the laptop: Ms. Moore saying it was used by the family and Mr. Moore saying it was issued by his employer for his use. Ms. Moore wanted to use these messages to support her claim. Mr. Moore argued that she had improperly seized his computer.

New York Supreme Court Justice Saralee Evans ruled that Ms. Moore had done nothing wrong, and she cited the “filing cabinet” analogy put forth in Byrne v. Byrne, 168 Misc.2d 321. She went on to say “Ms. Moore's actions also did not constitute computer trespass or using a computer without authorization, as the files were on a readily accessible computer.” The judge ruled that the laptop was subject to discovery.

Note that the messages were in plain sight and discovered by a casual user, not extracted by a forensic specialist. Users of text messaging and email often seem to feel invisible, as if no one will know what they have written. I have seen some truly extraordinary sentiments put in email and text messages. I suggest you don’t email or text anything you wouldn’t want your mother or boss to read or to see written in lights in Times Square!

FAQ: What is a Valid Forensic Image, aka Mirror?

The first step in a forensic investigation, and in some e-discovery responses, is to get a copy of the hard drive(s) and other storage devices that may have the data you are looking for or that is responsive to discovery requests.  But using Windows' traditional "Copy and Paste" isn't forensically valid.

First of all, starting the computer alters what's stored on it. The copy process itself will alter the evidence (changing the metadata and dates), and there goes your chain of custody. Furthermore, Windows keeps all sorts of little "pockets" of information that the typical user can't see but that may contain valuable evidence. The copy procedure doesn't gather all these little "goodies."

A valid forensic image or just image is an exact, bit-by-bit copy of the storage device including all the little goodies.  The forensic software that creates such images bypasses the operating system, accesses all the locations where the operating system hides data, and uses a mathematical procedure to start and assure the chain of custody.  From that point on, the analysis is done on the image, again with software that assures chain of custody.
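The "mathematical procedure" used to start and assure the chain of custody is, in practice, a cryptographic hash of the whole image, recorded at acquisition and re-checked before each analysis. The code below is an added example, not the post's own or any forensic tool's code: it hashes a constructed image file in chunks, writes a custody record, verifies a working copy, and then shows that a single flipped bit makes verification fail. File names and the image content are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read a megabyte at a time so images larger than memory can be hashed


def image_hash(path, algorithm="sha256"):
    """Hash every byte of the image file in order; a change anywhere changes the digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquisition_record(path, algorithm="sha256"):
    """The entry written into the chain-of-custody log when the image is first made."""
    return {
        "image": os.path.basename(path),
        "algorithm": algorithm,
        "hash": image_hash(path, algorithm),
        "hashed_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(path, record):
    """Re-hash a copy and compare with the recorded value before analysing it."""
    return image_hash(path, record["algorithm"]) == record["hash"]


def demo():
    workdir = tempfile.mkdtemp()
    try:
        # Constructed 'evidence' image: about 3 MiB plus a partial chunk, so the
        # chunked reading loop handles a final short read.
        original = os.path.join(workdir, "evidence.dd")
        with open(original, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096 + 7))
        record = acquisition_record(original)

        # A working copy for analysis must verify against the acquisition record.
        working = os.path.join(workdir, "working.dd")
        shutil.copyfile(original, working)
        verified_before = verify_image(working, record)

        # Flip one bit deep inside the copy and verify again.
        with open(working, "r+b") as f:
            f.seek(1_500_000)
            byte = f.read(1)[0]
            f.seek(1_500_000)
            f.write(bytes([byte ^ 0x01]))
        verified_after = verify_image(working, record)
        return {"verified_before": verified_before, "verified_after": verified_after}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The hash proves that a copy is identical to the image as it was when the record was written; it says nothing about what happened to the original device before that moment, which is why the write-blocking hardware described under "Who should make a valid forensic image?" is part of the same procedure.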

An image is sometimes called a "mirror," but I urge clients to avoid that term because it has two different connotations. The confusion has caused at least 2 clients unnecessary time and expense with prior consultants.

Who should make a valid forensic image?
You need a trained forensic specialist with the proper hardware and software tools to make an image. Special hardware is needed to keep the operating system from making any changes to the original data, thereby preserving the original evidence. Forensic software is needed to bypass the operating system (to get the goodies) and assure chain of custody. It is human nature to ask the IT department to come in and take a look. No one wants to make false accusations. But that "looking around" can destroy the very evidence that you are seeking. One attorney who has retained me several times says to his clients, "Shut down and get Johnette in there!"

How long does it take?  The time required to make an image is dependent on the size of the device.  But generally speaking, it requires hours not days or weeks.  Fortunately, there is new technology that allows us to make images of servers while they are in use, thereby disrupting business as little as possible.

In another post I'll talk about the objections opposing counsel are likely to make and how you can address them.  If you have had experiences with making or using images, please post a comment on your experiences.  There is always more to learn.

FAQ: What is Computer Forensics?

I'm frequently asked by judges "What exactly is computer forensics?" WorldWeb says this about forensics: "Scientific tests or techniques used in the investigation of crimes." The emphasis is on Scientific Techniques. So computer forensics is the use of scientific techniques to examine computers and the data they contain.

However, computer forensics is not restricted to crime investigations. Organizations may use forensics to recover lost data or retrieve damaged files. Companies may use forensics to investigate harassment claims or explore potential disclosure of confidential information.  Parents may use forensics to check on their children's web activity.

The most obvious thing we do in forensics is recover deleted files and emails.  And yes, we can recover deleted files even after the recycle bin has been emptied. All operating systems keep pockets of information that the general user cannot access.  For example, Windows keeps a record of the serial number of every USB device that has been plugged into the computer.  Examiners can, as I have, access that information and discover that the computer user had another external hard drive that he had not disclosed.

Windows also keeps a running log of activities being carried out.  In one instance I was able to examine this log and discover that the user had turned back the computer clock in an attempt to "backdate" some critical documents.
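A turned-back clock shows up in a running log because log records are written in sequence while the timestamps they carry follow whatever time the clock says. The code below is an added example, not the post's own method: it works over a constructed activity log (not a real Windows log format) in which each line carries a sequential record number, and flags both the point where the clock jumps backwards and every record written while the clock was behind a time the log had already reached.

```python
from datetime import datetime

# Constructed activity log for the demonstration. Each line is
# <record number> <ISO timestamp> <event>. Record numbers are assigned as
# entries are written, so they give the true order of events even when the
# clock shown in the timestamp has been changed.
SAMPLE_LOG = """\
1041 2023-03-14T09:12:05 Logon user=jdoe
1042 2023-03-14T09:13:40 File created C:\\Docs\\agreement.docx
1043 2023-03-14T09:14:02 System time changed
1044 2022-11-02T08:00:00 File modified C:\\Docs\\agreement.docx
1045 2022-11-02T08:01:15 File saved C:\\Docs\\agreement.docx
1046 2022-11-02T08:02:00 System time changed
1047 2023-03-14T09:20:11 Logoff user=jdoe
"""


def parse_log(text):
    """Return (record, timestamp, message) tuples ordered by record number."""
    events = []
    for line in text.splitlines():
        record, stamp, message = line.split(" ", 2)
        events.append((int(record), datetime.fromisoformat(stamp), message))
    return sorted(events)


def find_clock_rollbacks(events):
    """Flag where the clock runs backwards between consecutive records, plus every
    record whose timestamp is earlier than a timestamp already written before it."""
    suspect = []
    latest_seen = None
    for record, stamp, _ in events:
        if latest_seen is not None and stamp < latest_seen:
            suspect.append(record)  # written after the log had already reached a later time
        else:
            latest_seen = stamp

    rollbacks = []
    for (_, prev_stamp, _), (record, stamp, _) in zip(events, events[1:]):
        if stamp < prev_stamp:
            rollbacks.append({
                "record": record,
                "clock_went_from": prev_stamp.isoformat(),
                "clock_went_to": stamp.isoformat(),
                "seconds_back": int((prev_stamp - stamp).total_seconds()),
            })
    return {"rollbacks": rollbacks, "suspect_records": suspect}


def analyze(text=SAMPLE_LOG):
    return find_clock_rollbacks(parse_log(text))


if __name__ == "__main__":
    result = analyze()
    for rollback in result["rollbacks"]:
        print("clock set back at record", rollback["record"],
              "from", rollback["clock_went_from"], "to", rollback["clock_went_to"])
    print("records written while the clock was behind:", result["suspect_records"])
```

In the sample, the document's "modified" and "saved" entries (records 1044 and 1045) carry a date four months earlier than the records on either side of them, which is exactly what a backdated document looks like in a log that cannot be reordered. Legitimate time corrections (time-zone changes, clock synchronisation) produce the same pattern on a smaller scale, so each finding is read together with the time-change events around it rather than on its own.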

There are many tactics available to the forensic examiner and the appropriate ones vary by the nature of the case.  But they all involve intimate knowledge of various operating systems and differences between versions and service packs.

Your Documents are Talking, Are You Listening?

Most people have had the experience of trying to open a document with a .pdf extension and having their application say "Cannot open document, does not begin with pdf."  That happens because all applications keep information about the document within the document itself.  Such metadata may tell a lot about you, how you work, and even about your clients or friends.

In actuality, there are two kinds of metadata: that kept by the operating system and that kept by the applications themselves, such as Word and WordPerfect.  The system metadata includes the original author and various dates.  You can usually see all this type of metadata by right-clicking on the document and looking at the properties.
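Two of the points above can be shown in a few lines: the "does not begin with pdf" error is an application checking a file's leading bytes against what its extension claims, and the system metadata is what the operating system reports without opening the file at all. The code below is an added example, not the post's own: it creates a few constructed files (two honest ones and a JPEG renamed to .pdf), checks each file's signature against its extension, and reads the operating-system metadata for it. The signature table covers only a handful of well-known formats and is an illustration, not a complete reference.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Leading bytes ("file signatures") of a few common formats. An application that
# refuses a .pdf because it "does not begin with pdf" is doing this comparison.
SIGNATURES = {
    ".pdf": [b"%PDF"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 container, shared by Office 97-2003 formats
    ".docx": [b"PK\x03\x04"],                        # ZIP container used by Office 2007 and later
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}


def looks_like(head):
    """Which format's signature the first bytes match, or None if none does."""
    for ext, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return ext
    return None


def check_signature(path):
    """Compare the extension a file claims against what its first bytes say it is."""
    claimed = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(16)
    actual = looks_like(head)
    if claimed not in SIGNATURES:
        status = "unknown extension"
    elif actual == claimed:
        status = "match"
    else:
        status = "mismatch"
    return {"claimed": claimed, "looks_like": actual, "status": status}


def system_metadata(path):
    """The operating-system side of the metadata, the part Properties shows.

    st_ctime is the creation time on Windows but the last inode change on Unix-like
    systems, so the field is named to avoid promising one or the other."""
    st = os.stat(path)

    def utc(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return {"size": st.st_size, "modified": utc(st.st_mtime),
            "accessed": utc(st.st_atime), "created_or_changed": utc(st.st_ctime)}


def demo():
    workdir = tempfile.mkdtemp()
    try:
        # Constructed files: two honest ones and a JPEG that was renamed to .pdf.
        samples = {
            "report.pdf": b"%PDF-1.4\n%constructed minimal header\n",
            "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
            "scan.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,
        }
        results = {}
        for name, content in samples.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = check_signature(path)
            results[name]["system"] = system_metadata(path)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["status"], "looks like", info["looks_like"], info["system"])
```

Note that the "accessed" timestamp is one of the values that simply opening or copying a file can change, which is the reason given under the forensic-image FAQ for not collecting evidence with Copy and Paste.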

Microsoft Word, in versions prior to 2007, keeps information about the last 10 times a document was saved including the document name and directory structure.  Suppose you use a boilerplate document and modify it for each client.  If you then save it with the client name as part of the file name, the metadata will record that information and reveal the names of past clients for whom you have used this boilerplate.

It is surprisingly easy to see the metadata in a Word document. From inside Word, choose Open and, for the file type, choose "Recover Text From Any File" in the pull-down menu at the bottom of the window. All the metadata will appear at the bottom of the document. To get rid of Word metadata, convert to the .pdf format. Or, save as .rtf format; reopen in Word; and save in .doc format. With either technique, the system metadata will be retained, but the Word-specific metadata will be gone.

If you are emailing Word documents to colleagues and clients, take care!