Mark Grossman

More on Hidden Information on your Computer (Part II)

21 October 2005

Previously I've described some places where you can find hidden information on a computer system. This week, I'll take you a bit deeper into the world of computer forensics by talking about extracting information from parts of a computer system that no one thinks of as storing information. Finally, I'll conclude with some suggestions for securing your computer from prying eyes.

Input and Output Devices

Generally, you don't think of input and output devices like monitors, keyboards, and printers as storing information and generally you're right. Nonetheless, they may hold secrets and you shouldn't overlook them as part of a thorough search.

For example, a monitor could have a burned-in image of some picture commonly left on the screen. When you leave a single unmoving image on some older computer monitors for a long time, the image can actually burn itself into the screen.

While you don't see this often on today's newer monitors, it can still happen. So, when your adversary denies that Ripoff Incorporated even exists, a burned-in image of that company's corporate logo on their monitor might put you in the position to ask: "So then, tell me how the corporate logo of that 'nonexistent corporation' came to be burned into your computer screen."

Keyboards generally don't store information, but some unusual keyboards do contain a disk drive. Although a keyboard is unlikely to bear fruit, don't overlook it.

Laser printers, too, can hold some interesting and unexpected secrets. Let's start with the low-tech here. Is there a paper jam that's holding anything interesting? On the high-tech side, an expert may be able to duplicate the image of the last printed page. This one is probably only feasible in a criminal case where you can seize the printer without warning, but be careful here. This must be done before you move the printer.

Although it's not well known and is usually overlooked, be aware that some printers have their own hard drives. Printers use these hard drives to store images before they print. An expert could search the hard drive for information sent to, and stored by, that printer.

Handhelds and cell phones could also provide you with a wealth of information. These devices are easy to overlook by a company when implementing a data protection strategy, and they have internal memory that could contain valuable secrets.

Also, don't forget all of those external and removable storage devices the company may have floating around. These devices include external hard drives, memory sticks, USB flash drives, and memory cards, and they might contain a wealth of information other security procedures have missed.

Finding them all might involve more of a physical search, but may prove worth the effort.


Backups are a wonderful source of discoverable information. Oliver North learned this the hard way when he deleted damaging documents, but failed to take into account the routine backups of the White House computers. It was there that investigators found documents which haunted Mr. North.

Backups can take many forms. A computer user may back up his data to tapes or other devices. A thorough subpoena requests all backups of "every kind and nature." There may be daily, weekly, and even archival backups that are often stored off-site. Make sure that you clarify what the backup routine is and make sure that you get all of the backups.

Backups can also take the form of individual file copies. Many programs routinely and automatically create copies of data files. They often get automatically assigned extensions like "bak." For example, I might call this file "column.doc" and Word might automatically create a file called "column.bak" as a backup in case this file gets corrupted. These "bak" files can hold wonderful tidbits and may be unencrypted although the file, in its final form, is encrypted and therefore unreadable.
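On the defensive side, the same observation can be turned into an audit of your own systems. The following is an added example, not part of the original column: it walks a directory tree, lists every "bak" copy, and flags those that look readable while a same-named sibling looks encrypted. The function names, the 7.5 bits-per-byte entropy threshold and the sample files are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

BACKUP_SUFFIXES = {".bak"}   # the extension the article names; extend per application
ENTROPY_THRESHOLD = 7.5      # assumption: at or above this many bits/byte "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for encrypted data, roughly 4-5 for plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: Path, sample: int = 65536) -> bool:
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample)) >= ENTROPY_THRESHOLD


def find_backup_copies(root: Path) -> list:
    """List each backup copy under root; 'exposed' means readable beside an encrypted sibling."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            backup = Path(dirpath) / name
            if backup.suffix.lower() not in BACKUP_SUFFIXES:
                continue
            # Siblings share the stem, e.g. column.doc next to column.bak.
            siblings = [p for p in backup.parent.iterdir()
                        if p.is_file() and p.stem == backup.stem and p != backup]
            plaintext = not looks_encrypted(backup)
            exposed = plaintext and any(looks_encrypted(s) for s in siblings)
            findings.append({"backup": backup.name, "plaintext": plaintext, "exposed": exposed})
    return findings


def demo() -> list:
    """Constructed sample: random bytes stand in for the encrypted final document."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "column.doc").write_bytes(os.urandom(4096))
        (root / "column.bak").write_text("Draft column text, saved before encryption. " * 40)
        (root / "notes.bak").write_bytes(os.urandom(4096))
        return find_backup_copies(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Compressed formats also score near 8 bits per byte, so treat the "exposed" flag as a triage hint and open the flagged files to confirm.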

Swap Files

Some operating systems such as Windows automatically create what are called "swap files" on the hard disk. It's an automatic part of the operation of the computer and has nothing to do with the individual application software that the computer is running.

These swap files may contain information that your adversary never meant to save permanently, or that they later saved only in encrypted form. What goes into a swap file is completely unpredictable and so is your result in checking it. Nevertheless, don't overlook it. An expert scanning it may just strike gold. Virtually nobody considers the swap file in terms of computer security and privacy.


With a network, computers in different locations may communicate through a communications system. Conceivably, one location could have only "dumb terminals," with no storage capability, that manipulate data sent to them by a distant networked computer. These dumb terminals may rely on a network file server that stores the important data many miles away. Even on networks with more powerful desktop computers, these offsite servers can contain valuable data the desktops don't have.

You need to ensure that your subpoena is broad enough to cover all parts of a computer network no matter where these parts are found. If you limit your scope, you may find that you missed the good stuff.

Keeping Prying Eyes Out of Your System

So now that I've spent some time telling you just some of the ways to extract hidden information from a computer, I've probably left you feeling quite vulnerable about your privacy. Certainly, most of us aren't criminals. Still, we're entitled to protect our private information from getting into the hands of disgruntled employees, industrial spies and others.

The sobering fact is that the only perfectly secure computer is one secretly locked away in a vault with all of its backups. The problem is that locked away, it's not a very useful computer.

There are ways to strike a balance between perfect and reasonable security. A computer lawyer can help you set up effective and legal ways to control your data and maintain your privacy.

While it's certainly improper to start erasing data after you're served with a subpoena, it's generally neither illegal nor improper to control the dissemination of sensitive information. When it's legal to shred a paper document, doing the same to a computer file is likewise legal. The problem with the computer file is that it's not as easy as hitting the delete key. It takes a higher level of computer expertise to ensure true destruction of the private data.

Your company should have a policy statement concerning the dissemination and control of sensitive computer data. It should define what data you can legally destroy, when you should destroy it, set up effective procedures for its destruction, and clearly define what data you should encrypt to keep prying eyes out.

You must consider everything in these procedures including the law which may limit what you can destroy and when. These laws may vary by industry. You must take into account things like the recycle bin which lets you easily undelete a file, and utility programs which allow you to irretrievably shred a file, assuming that it's not on a backup or elsewhere.

You must set up procedures requiring effective encryption, proper use of passwords, and file shredding rather than deleting. You must consider your backup routines which should only archive information intended for long term storage. It doesn't help to shred a file if I can get it from your backup tape. And, if I'm doing the subpoena, I promise you that I'll get it from that tape.

I've only given you a primer on how to search someone's computer system and how to protect yours. My advice is to bring in the experts. He who has the best expert will win this little game of measure and countermeasure.
