Gaming Strategy
Featured Stories
Legal News Financial News Casino Opening and Remodeling News Gaming Industry Executives Author Home Author Archives Search Articles Subscribe
Newsletter Signup
Stay informed with the
NEW Casino City Times newsletter!
Recent Articles
Mark Grossman

Searching a Computer System

2 September 2005

Having a subpoena or other court order allowing you to search an adversary’s computer can be a powerful weapon. If you know where to look, you can find hidden information throughout a computer system. If you're a lawyer seeking discovery, the computer is where you may just find your smoking gun. The key is to know what to request and where to look.

I'm going to write this column as a "how-to" for lawyers and businessmen, but it will also help others identify the weaknesses in their computer security. Remember, prying eyes come in many forms with disgruntled employees and industrial spies being two obvious examples.

First, the good news: If you can get access to your adversary's computer and things associated with the computer (disks, backup tapes, printers, external storage devices, and related media, etc.) through a search warrant, subpoena, or other discovery device, you'll probably find a gold mine of information.

Even if someone has tried to hide information, a skilled technology lawyer guiding a search can still probably find it. After all, computers are information storage devices. That's what they do best. Redundancy is part of what makes them reliable storage devices and this redundancy is also the weak link in computer security.

It all starts with the language used in your subpoena or search warrant. You must involve the experts early so that your request is as comprehensive as possible.

Where to Look

Hard Drive - The starting point is the primary information storage device which on most systems is a hard drive. Even here, be careful. Don't just turn on the computer and search your merry way.

A savvy user could set up a trip-wire which could run a self-destruct program. For example, a person could write a program that requests a password periodically. If you fail to provide it within let's say 30 seconds, file destruction begins.

One thing that an expert may do is not start the computer the normal way. He may choose to boot the system "cleanly" thus preventing any programs, including a self-destruct program, from automatically loading on system startup.

Once you're into the hard drive, you should examine the computer's folder and file structure to see if they provide any hints as to where to look for the juicy stuff. Caution - don't rely too heavily on folder and file names. It's not too hard to put the good stuff in a folder named "Children's Games and Hobbies. " Also, be on the lookout for "hidden" files.

Encryption - A knowledgeable adversary will encrypt files. By employing inexpensive and easily used encryption software, a computer user can turn a computer file into a series of nonsensical and seemingly random characters. The available encryption software is so good that many believe that not even the CIA can break it. Even if they could, it would be a highly classified national security secret that they're not likely to reveal to help you with your civil theft action. Sorry.

So, how do you get to encrypted data? First, don't assume that they've encrypted everything that's passworded. On some systems, the password is a bad joke where security should be. Don't let this be you - I hope by now your system uses complicated passwords, and not just your birthday or children's names.

Often, a password is nothing more than a minor and easily circumvented barrier to access. A password may stop you from directly reading a file using the application that created it, but you may find that it's completely readable using a utility program designed to read files written in many formats. It may not look as pretty, but the data may just be intact.

If that won't work, you might try a low-tech method like searching paper files, notes, etc. which might reveal the password. You might find this method particularly effective if your adversary has a strong password protection program whereby they change passwords often. Since it takes employees time to remember new complicated passwords, odds are they will write it down somewhere.

An expert may use programs designed to break passwords or might contact the software manufacturer. The manufacturer may have a utility to break the password or know a backdoor to the data.

If the data is properly encrypted and you can't get the password from somewhere, you probably can't access the file - at least not directly.

Recycle Bin - Although a file may be encrypted, the data it holds may reside somewhere else in an unencrypted form. Often that somewhere else is the "recycle bin."

On many computers, you'll find what may be called a "recycle bin." It may go by many other names, but what it does is hold deleted files. On many systems, a deleted file moves itself to the recycle bin before it is truly deleted. The "recycle bin" is the "oops emergency-recovery system." It allows you to easily, quickly and reliably undelete files.

That ability to undelete files is the key. You may find that the recycle bin holds an unencrypted version of a file which they encrypted in its final form.

If the computer is using a common program like Norton Utilities or other similar utility program, you may find even a second level of the recycle bin which may hold files not caught by the recycle bin (it doesn't catch everything) and multiple versions of the same file. With this, you can actually see the evolution of a file which, in its final form, was so sensitive that they encrypted it. What a coup!

After the Recycle Bin - The recycle bin only holds files for a limited time. Usually, the user can configure it to automatically purge files after a set amount of time or after a certain percentage of the hard disk is full. Usually, it purges files on a first-in, first-out basis.

After files leave the recycle bin and even on systems without a recycle bin, you can often still recover deleted files. On many systems, when the computer purges a file from the recycle bin or otherwise deletes it, all that really happens is that the computer acts like the information doesn't exist; however, it still does exist!

Since the computer doesn't recognize the existence of "deleted" files that are not in the recycle bin, it will eventually allow a new file to physically place its new information on that same physical spot on the hard disk. At that point, you cannot retrieve the old information from the hard disk. Nonetheless, until the computer physically writes new information to that particular spot on the hard drive (when that will happen is mostly random), you can still recover the data. At this stage and with the right utility, it may be as easy as supplying the first letter of the file name and the file is back.

Even after new data has truly wiped part of a file's information from the hard drive, you still can possibly recover part of the information that was previously contained in the file. Now, you're getting into more sophisticated utilities (get rid of the hammer and bring in the jackhammer).

An expert can search the parts of the hard drive that don't contain any files now. Those seemingly empty parts may contain fragments of previously existing files. It may be possible to zero-in on relevant fragments by using utilities to search for key words like names, places, or dates. Once you find the physical location of a key word on the hard drive, a utility can read the surrounding empty areas of the hard drive to see if they contain useful information.

What I've discussed this week is just a hint of the many ways that computers can inadvertently drip information to those who know how to get to it. More to follow in a subsequent column.

Searching a Computer System is republished from
Mark Grossman
Mark Grossman