by Andy Spore
People rely heavily on technology in their everyday lives. When a crime is committed, some piece of technology has often been involved, even if only because the person had a phone with them at the time. This information can be used as damning evidence.
So what would you do to get rid of any information? Most would probably attempt to delete it, though there are many ways that the technologically savvy person can alter the data so that it does not implicate him or her or, perhaps, their organization.
How does someone alter data?
By far, the most common attempt is renaming a data file—it’s very easy to do. One could also change the file extension. For instance, if photos pose the threat, the file could be altered from a .jpeg to a .txt file. This, in turn, fools the operating system, which relies on the extension to decide what a file is: the photo no longer appears as an image and seems simply to have gone missing.
Those with more technological acuity might try “zipping” or compressing the file, password protecting it or using encryption software, rendering the file almost impossible to access without the password. The very advanced, e.g., mafia or terrorist organizations, can even create an alternate data stream, where one essentially hides a file inside of a file.
For entities that need to exchange information nearly unseen, alternate data streams are a common method of hiding data. In this method, if you actually open the file, it will show only the file as it originally was, keeping the new information hidden from view. Some software systems are even capable of merging different data types, like a text file inside an image.
Of course, these methods are all masks—the data can still be retrieved.
How can altered data be discovered and recovered?
While the tricks mentioned above could potentially fool even somewhat technologically advanced users, forensic experts are well versed in uncovering these attempts at data manipulation.
DSi frequently conducts forensic exams, which provide a general timeline and description of someone’s use of a device. During these exams, we run a software program that compares the file extensions to the data inside the file itself. Since every file type has a unique file signature indicating the type of data, our process flags any file with a mismatch between the data and file extension. This allows us to go in and look at each “suspicious” file.
As part of our standard process, we also go through and examine each zipped and password-protected file. These show up as flagged, just like the questionable file extensions mentioned above.
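The signature-versus-extension check and the flagging of password-protected archives described in the two paragraphs above, as an added illustration (not DSi’s own tool): the script compares each file’s leading bytes against a small, constructed signature table, reports any extension that does not match the content, and reads the general-purpose flag in a zip archive’s first local file header to spot password protection. The sample files and signature table are constructed for the example.

```python
import os
import struct
# Magic-byte signatures (a constructed table; real tools carry hundreds of entries).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
# Extensions that legitimately carry each signature.
EXPECTED = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},  # Office documents are zip containers
}

def detect_type(data: bytes):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header marks encryption."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)

def examine(filename: str, data: bytes) -> list:
    """Return the review flags for one file: extension mismatch and password-protected archives."""
    found = []
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_type(data)
    if kind is not None and ext not in EXPECTED[kind]:
        found.append(f"extension {ext or '(none)'} but content is {kind}")
    if kind == "zip" and zip_is_encrypted(data):
        found.append("password-protected archive")
    return found

# Constructed sample inputs standing in for files collected from a device.
SAMPLES = {
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,              # a JPEG renamed to .txt
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22,  # plain Office file
    "vault.zip": b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22,    # flag bit 0 set
}
```

Running `examine` over every file on a collected image yields the list of “suspicious” files the examiner then reviews by hand.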
Though examining alternate data streams isn’t something we typically have to do, as the majority of our cases don’t involve sophisticated criminals, there are programs that can find and uncover the hidden data. These types of software look at the computers and devices of those sending and receiving information and determine the original program used to create it. When found, we can see the data files that were merged.
So, hiding data is a futile measure for criminals.
What should counsel know?
The most important thing to be aware of is the variety of ways that the goal of altering information can be achieved. We’ve seen several instances where counsel wasn’t aware that data had been altered – or even that it could be – leading to a loss of key information.
Following that, it pays off to get ahead of technological cases early. Devices should be confiscated as quickly as possible, data should be forensically collected and analyzed and the hardware should be maintained in a secure location. It can help counsel know what they’re looking for or find pieces of information relevant to the case that were previously unknown.