Mark Grossman
 

If I have a Subpoena Giving Me Access to an Adversary's Computer, Where Do I Look for Hidden Information?

24 November 1998

If you know where to look, you can find hidden information throughout a computer system. If you're a lawyer seeking discovery, the computer is where you may just find your smoking gun. The key is to know what to request and where to look.

I'm going to write this column as a "how-to" for lawyers and criminal investigators, but it will also help others identify the weaknesses in their computer security. Remember, prying eyes come in many forms with disgruntled employees and industrial spies being two obvious examples.

First, the good news for lawyers and criminal investigators -- if you can get access to the computer and things associated with the computer (disks, backup tapes, printers, external storage devices and related media, etc.) through a search warrant, subpoena or other discovery device, you'll probably find a gold mine of information.

Even if someone has tried to hide information, a search guided by a skilled computer lawyer or forensic expert can still probably find it. After all, computers are information storage devices. That's what they do best. Redundancy is part of what makes them reliable storage devices, and that same redundancy is the weak link in computer security: a piece of data tends to exist in more places than its owner realizes.

It all starts with the language used in your subpoena or search warrant. You must involve the experts early so that your request is as comprehensive as possible.

Where to Look

Hard Drive -- The starting point is the primary information storage device which on most systems is a hard drive. Even here, be careful. Don't just turn on the computer and search your merry way.

A savvy user could set up a trip-wire which could run a self-destruct program. For example, a person could write a program that requests a password periodically. If you fail to provide it within let's say 30 seconds, file destruction begins.

One thing that an expert may do is not start the computer the normal way. The expert may choose to boot the system from a "clean" system diskette, which prevents any programs, including a self-destruct program, from automatically loading at startup. Better still, the expert won't run the suspect machine at all: the drive is removed, copied with a device that blocks writes, the copy is fingerprinted with a cryptographic hash so that anyone can later show it is unchanged, and all of the searching is done on the copy. Every normal startup writes to the disk, and each of those writes can overwrite exactly the deleted data you are about to go looking for.

Once you're into the hard drive, you should examine the computer's folder and file structure to see if they provide any hints as to where to look for the juicy stuff. Caution - don't rely too heavily on folder and file names. It's not too hard to put the good stuff in a folder named "Children's Games and Hobbies."

Encryption -- A knowledgeable adversary will encrypt files. By employing inexpensive and easily used encryption software, a computer user can turn a computer file into a series of nonsensical and seemingly random characters. The software available off the shelf uses public-key cryptography (RSA is the best-known example) together with strong conventional ciphers, and when it is used correctly with a well-chosen key there is no known practical way to break it. Many believe that not even the CIA can. Even if it could, that would be a highly classified national security secret that they're not likely to reveal to help you with your civil theft action. Sorry.

So, how do you get to encrypted data? First, don't assume that they've encrypted everything that's password-protected. On some systems, the password is a bad joke where security should be. For example, on some Windows 95 systems, you "beat" the startup password by clicking "cancel" instead of "okay." REALLY!

Even if it's not quite that easy, often a password is nothing more than a minor and easily circumvented barrier to access. Many application "passwords" only stop the application from opening the file; the bytes on the disk are not scrambled at all. A password may stop you from directly reading a file using the application that created it, but you may find that it's completely readable using a utility program designed to read files written in many formats, or even a plain file viewer (a "utility program" is to a computer what a hammer is to carpentry - a tool). It may not look as pretty, but the data may just be intact.

If that won't work, you might try a low tech method like searching paper files, notes, etc. which might reveal the password. An expert may use programs designed to break passwords or might contact the software manufacturer. The manufacturer may have a utility to break the password or know a backdoor to the data.

If the data is genuinely encrypted with strong software and you can't get the key or password from somewhere, you probably can't access the file -- at least not directly.

Recycle Bin -- Although a file may be encrypted, the data it holds may reside somewhere else in an unencrypted form. Often that somewhere else is the "recycle bin."

On many computers, you'll find what may be called a "recycle bin." It may go by many other names, but what it does is hold deleted files. On many systems, a deleted file is moved to the recycle bin rather than truly deleted. The "recycle bin" is the "'oops' emergency-recovery system." It allows you to easily, quickly and reliably undelete files.

That ability to undelete files is the key. You may find that the recycle bin holds an unencrypted version of a file which they encrypted in its final form.

If the computer is using a common program like Norton Navigator or other similar utility program, you may find even a second level of the recycle bin which may hold files not caught by the recycle bin (it doesn't catch everything -- files deleted from a command prompt or by a program, rather than from the desktop, typically bypass it) and multiple versions of the same file. With this, you can actually see the evolution of a file which in its final form was so sensitive that they encrypted it. What a coup!

After the Recycle Bin -- The recycle bin holds files only until it fills up. Usually, the user can configure it to purge files automatically, typically once the bin reaches a set percentage of the hard disk (some utilities also purge by age), and it purges files on a first-in, first-out basis: the oldest deletions go first.

After files leave the recycle bin, and even on systems without a recycle bin, you can often still recover deleted files. On many systems, when the computer purges a file from the recycle bin or otherwise deletes it, all that really happens is that the computer marks the file's directory entry as free and acts like the information doesn't exist. The information itself is still sitting on the disk!

Since the computer no longer recognizes the existence of "deleted" files that are not in the recycle bin, it will eventually allow a new file to physically place its new information on that same physical spot on the hard disk. At that point, you cannot retrieve the old information from that spot. Nonetheless, until the computer physically writes new information to that particular spot on the hard drive (when that happens depends on what gets written next, which from your point of view is unpredictable), you can still recover the data. At this stage and with the right utility, it may be as easy as supplying the first letter of the file name and the file is back. That is literally what happens on DOS and Windows FAT disks: deleting a file overwrites only the first character of its directory entry, so the undelete utility asks you for that one character and restores the rest.

Even after new data has truly wiped part of a file's information from the hard drive, you still can possibly recover part of the information that was previously contained in the file. Now, you're getting into more sophisticated utilities (get rid of the hammer and bring in the jackhammer).

An expert can search the parts of the hard drive that don't currently belong to any file (the "unallocated" space), and also the unused tail end of each live file's last cluster (the "slack"), which can hold leftovers of whatever file occupied that cluster before. Those seemingly empty parts may contain fragments of previously existing files. It may be possible to zero in on relevant fragments by using utilities to search for keywords like names, places, or dates. Once you find the physical location of a keyword on the hard drive, a utility can read the surrounding empty areas to see if they contain useful information.
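The two recovery stages described above (undeleting a file by restoring the first letter of its directory entry, and then carving fragments out of unallocated space by keyword once part of the file has been overwritten) can be shown on a tiny constructed disk image. The following is an added example written for this column, not a tool the author describes. It uses the real 32-byte FAT directory entry layout and the real 0xE5 deletion marker, but the rest of the layout (a single root directory sector, one sector per cluster, no file allocation table, files stored contiguously) is an assumption made to keep the example short, and the memo and "games" file contents are constructed sample data.

```python
"""Deleted-file recovery and unallocated-space carving on a constructed FAT-style image.
Added example; the 32-byte directory entry and the 0xE5 marker are real FAT, the rest
(one root sector, one sector per cluster, no FAT table, contiguous files) is simplified."""
import struct

SECTOR = 512                 # one cluster == one sector in this toy layout (assumption)
ROOT_SECTOR = 0              # sector holding the root directory: 16 entries of 32 bytes
DATA_SECTOR = 1              # cluster 2 lives here; cluster n -> sector DATA_SECTOR + (n - 2)
DELETED = 0xE5               # FAT marks a deleted entry by overwriting the first name byte
# name+ext(11) attr ntres tenths ctime cdate adate clus_hi wtime wdate clus_lo size
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

# Constructed sample data: a memo long enough to span two clusters, with the interesting
# sentence in the second one, and an innocent file that will later reuse cluster 2.
MEMO = (b"Draft memo (constructed sample data). " * 15
        + b"Wire the Osprey payment to J. Smith before the 12 March 1998 audit.")
GAMES = b"Children's games and hobbies list. " * 10


def cluster_offset(cluster):
    return (DATA_SECTOR + cluster - 2) * SECTOR

def entry_offset(index):
    return ROOT_SECTOR * SECTOR + index * ENTRY.size

def add_file(img, index, name, ext, cluster, data):
    """Write a directory entry and the file body; like DOS, nothing is zeroed first."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    img[entry_offset(index):entry_offset(index) + ENTRY.size] = ENTRY.pack(
        raw, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, cluster, len(data))
    start = cluster_offset(cluster)
    img[start:start + len(data)] = data

def list_entries(img):
    """Parse the root directory; deleted entries show '?' for the lost first letter."""
    out = []
    for i in range(SECTOR // ENTRY.size):
        raw, attr, *_, cluster, size = ENTRY.unpack_from(img, entry_offset(i))
        if raw[0] == 0:
            break                                   # end of used entries
        deleted = raw[0] == DELETED
        first = "?" if deleted else chr(raw[0])
        name = first + raw[1:8].decode("ascii").rstrip() + "." + raw[8:11].decode("ascii").rstrip()
        out.append({"name": name, "deleted": deleted, "cluster": cluster, "size": size})
    return out

def delete_file(img, index):
    """All DOS DEL does to the entry: flip one byte. The data clusters are untouched."""
    img[entry_offset(index)] = DELETED

def undelete(img, index, first_letter):
    """Restore the entry and read the file back, assuming it was stored contiguously
    (the same assumption the DOS UNDELETE utility made when it asked for the first letter)."""
    off = entry_offset(index)
    img[off] = ord(first_letter)
    raw, attr, *_, cluster, size = ENTRY.unpack_from(img, off)
    start = cluster_offset(cluster)
    return bytes(img[start:start + size])

def allocated_sectors(img):
    """Sectors that live (non-deleted) files occupy; everything else is 'unallocated'."""
    used = {ROOT_SECTOR}
    for e in list_entries(img):
        if not e["deleted"]:
            first = DATA_SECTOR + e["cluster"] - 2
            used.update(range(first, first + (e["size"] + SECTOR - 1) // SECTOR))
    return used

def carve(img, keyword, context=24):
    """Keyword search restricted to unallocated sectors; returns (image offset, snippet) hits.
    A real tool also searches across sector boundaries and the slack at the end of live files."""
    used, hits = allocated_sectors(img), []
    for s in range(len(img) // SECTOR):
        if s in used:
            continue
        sector = bytes(img[s * SECTOR:(s + 1) * SECTOR])
        pos = sector.find(keyword)
        while pos != -1:
            lo, hi = max(0, pos - context), min(SECTOR, pos + len(keyword) + context)
            hits.append((s * SECTOR + pos, sector[lo:hi]))
            pos = sector.find(keyword, pos + 1)
    return hits

def demo():
    img = bytearray(SECTOR * 8)
    add_file(img, 0, "MEMO", "TXT", 2, MEMO)
    delete_file(img, 0)
    deleted_name = list_entries(img)[0]["name"]      # '?EMO.TXT'
    recovered = undelete(img, 0, "M")                 # identical to MEMO: nothing was erased
    delete_file(img, 0)                               # deleted again, and this time ...
    add_file(img, 1, "GAMES", "TXT", 2, GAMES)        # ... a new file lands on cluster 2
    hits = carve(img, b"Smith")                       # cluster 3 is still unallocated: one hit
    partial = undelete(img, 0, "M")                   # first 350 bytes are now GAMES, rest survives
    return {"deleted_name": deleted_name, "recovered": recovered, "hits": hits, "partial": partial}

if __name__ == "__main__":
    result = demo()
    print(result["deleted_name"], len(result["recovered"]), result["hits"])
```

Run it as a script to see the three stages in order: the deleted entry listed as ?EMO.TXT, the full memo back after supplying "M", and, after an innocent file has reused the first cluster, the "Smith" sentence still carved out of the second cluster even though the start of the memo is gone for good. Note that add_file does not zero a cluster before writing, so the part of the old cluster past the end of the new, shorter file (the slack) also survives, which is why a real search does not skip the tails of live files.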

In a future article, I'll continue this "how-to" and discuss the protection of your sensitive information from industrial spies and other prying eyes.

If I have a Subpoena Giving Me Access to an Adversary's Computer, Where Do I Look for Hidden Information? is republished from iGamingNews.com.