We’ve seen many aspiring magicians in our line of work, attempting to boggle the mind (or bamboozle our investigation) with store-bought tricks to cover their tracks and wipe incriminating data from their computers. It turns out there’s only one Houdini, and these guys shouldn’t have quit their day jobs.

Simply put, most folks confuse when and how a file or its data is actually deleted. When a file is deleted from a hard drive, the operating system forgets where the file lived and marks that space as free; the bytes themselves stay put until another file or piece of data is written over them. So deleting a file is not like pouring out a bucket to get rid of its contents. It’s more like leaving the bucket full until something else comes along and refills it, and only then is the old content really gone. That’s the key: something has to take its place. When that happens on purpose, we call it overwriting a file, or truly wiping the data. When you wipe a file or a drive, you’re replacing the file’s data with other data, either random bytes or a fixed value such as zero. Fun fact: a brand-new hard drive isn’t really “empty.” Every sector has to hold some value, and on most new drives that value is zero, so the whole drive reads back as zeros until you write to it. One caveat for newer hardware: on a solid-state drive with TRIM enabled, the drive can discard freed blocks on its own shortly after a delete, so the recovery window there is much shorter than on a spinning disk.

The availability of any number of programs that “tidy up” a computer and delete unwanted data makes all of this a little more complex, especially when we’re trying to recover evidence that someone (an employee, for instance) wrongfully took data out the door when they left an employer. I say “tidy up,” but I’m being nice and putting it in the best context. In the cases we work, programs like CCleaner or BleachBit (which became more well known in recent years in a political context) are used more and more in an attempt to wipe out evidence or traces of wrongdoing. Some of the items most likely to be “wiped” when someone runs CCleaner, for instance, include temporary internet files, browser history, cookies, recent documents, temporary files and log files.

I say “wiped,” but often these files are merely deleted and not written over right away. Many of them are still recoverable if we can get access to the computer soon afterward.
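To make the delete-versus-overwrite distinction concrete, here is an added example (not code from the original post or from any tool it mentions) that simulates a tiny disk as a flat byte array with a toy directory. The block layout and file names are invented for illustration; real filesystems differ in the details, but the behavior is the same: an ordinary delete only drops the directory entry, a later write that lands on the same blocks destroys whatever it covers (and only that), and a wipe overwrites the blocks before releasing them.

```python
"""Added example, not from the original post: a toy 'disk' that shows why a
deleted file's bytes survive until something is written over them.
The block-allocation scheme is an assumption made for illustration."""
import re

BLOCK_SIZE = 16    # assumed: tiny blocks so the demo fits in a few dozen bytes
DISK_BLOCKS = 8


class ToyDisk:
    """A flat byte array plus a directory mapping names to (first block, length)."""

    def __init__(self) -> None:
        # A new drive reads back as zeros; nothing has been written yet.
        self.raw = bytearray(BLOCK_SIZE * DISK_BLOCKS)
        self.directory: dict[str, tuple[int, int]] = {}

    @staticmethod
    def _blocks_for(length: int) -> int:
        return -(-length // BLOCK_SIZE)  # ceiling division

    def _used_blocks(self) -> set[int]:
        used: set[int] = set()
        for start, length in self.directory.values():
            used.update(range(start, start + self._blocks_for(length)))
        return used

    def write_file(self, name: str, data: bytes) -> None:
        """First-fit allocation of contiguous blocks; data is copied into place."""
        needed = self._blocks_for(len(data))
        used = self._used_blocks()
        for start in range(DISK_BLOCKS - needed + 1):
            if not used.intersection(range(start, start + needed)):
                off = start * BLOCK_SIZE
                self.raw[off:off + len(data)] = data
                self.directory[name] = (start, len(data))
                return
        raise OSError("disk full")

    def delete_file(self, name: str) -> None:
        # An ordinary delete only forgets where the file lived; the bytes stay.
        del self.directory[name]

    def wipe_file(self, name: str, fill_byte: int = 0) -> None:
        # A 'secure delete' overwrites every block the file occupied, then forgets it.
        start, length = self.directory[name]
        off = start * BLOCK_SIZE
        span = self._blocks_for(length) * BLOCK_SIZE
        self.raw[off:off + span] = bytes([fill_byte]) * span
        del self.directory[name]

    def carve(self, pattern: bytes) -> list[int]:
        """Scan the raw bytes and ignore the directory, the way a carving tool does."""
        return [m.start() for m in re.finditer(re.escape(pattern), bytes(self.raw))]


def demo() -> dict[str, list[int]]:
    """Walk through delete, partial reuse, and wipe; return carve hits at each stage."""
    disk = ToyDisk()
    disk.write_file("spreadsheet.xls", b"ACME payroll Q3 export")  # 22 bytes: blocks 0-1
    disk.write_file("notes.txt", b"call client monday")            # 18 bytes: blocks 2-3
    result: dict[str, list[int]] = {}
    result["live"] = disk.carve(b"ACME payroll")                    # found at offset 0

    disk.delete_file("spreadsheet.xls")
    result["after_delete"] = disk.carve(b"ACME payroll")            # still at offset 0

    # A 16-byte file takes only block 0, so the tail of the old file survives in block 1.
    disk.write_file("invoice.pdf", b"invoice-0042.pdf")
    result["after_reuse_head"] = disk.carve(b"ACME payroll")        # gone
    result["after_reuse_tail"] = disk.carve(b"export")              # still at offset 16

    disk.write_file("memo.txt", b"confidential memo")               # 17 bytes: blocks 4-5
    result["memo_live"] = disk.carve(b"confidential")               # found at offset 64
    disk.wipe_file("memo.txt")
    result["after_wipe"] = disk.carve(b"confidential")              # gone for good
    return result


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:18s} carve hits at offsets {hits}")
```

The "after_reuse_tail" stage is the practitioner's point: even after the head of a deleted file has been overwritten by a new, smaller file, the part that spilled into the next block is still there to be carved. Only the wipe stage removes the content, and even then the carve tool can still tell you that a block was deliberately zeroed.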
Even if we can’t get to the machine quickly, all is not lost. When most folks run these “system optimizers,” they install them onto the very computer or hard drive being “tidied up” (some can be run from a USB stick, but that’s the exception). The act of installing and then running the program leaves evidentiary items behind in and of itself. Those items can be put on a timeline that shows either innocence (the program was installed years ago and has been run and updated regularly) or underhandedness (the program was downloaded and run the night before the computer was supposed to be turned over for analysis). And yes, the latter scenario has happened a number of times in our investigations. The key takeaway: if your subject (or you, if you’re looking for tips on how to hide evidence) thinks that running one of these programs will magically cover their tracks, they’re deluding themselves.

To expand on that point, let’s walk through what someone typically does to cover their tracks or otherwise obscure data and actions. First they search for a program such as CCleaner (the one we come across most), which leaves evidence in the browser history and/or cache. Then the installer is downloaded to a local folder on the computer and run. This leaves artifacts of the downloaded file being resident on the computer, and the install creates folders, in Program Files for instance. Not to mention (except we are) that the install also creates shortcuts to the program, the additional files needed to run it, and entries in the system registry (on a Windows computer). After install, the program is executed and the various option boxes are ticked to “clean up” data. Running the program leaves evidence of the executable being accessed, plus additional artifacts created by the execution itself.

The files being “cleaned up” are then deleted, and remember that “deleted” doesn’t necessarily mean written over yet, since we’re talking about cache files, log files and the like.
Speaking of being written over, most of these utilities have an option to do exactly that: overwrite the evidence (the files) rather than just delete it, and that really does destroy the content. The interesting thing is that they tend to leave behind telltale evidence that is consistent with the tool used. In the case of CCleaner, we’ve found that when the software overwrites a file, it also changes the filename and extension to “Z”s. Thus spreadsheet.xls becomes ZZZZZZZZZZZ.ZZZ. The original content is gone, but the renamed entry itself tells us a file was deliberately wiped, and when.

Back to our after-the-fact analysis. Let’s go a step further and suppose that after the program is run and things are “cleaned,” the program is uninstalled too. Seems pretty clear that we’ve lost the evidence and can’t determine what took place, right? Oh no! Sure, we’ve lost some evidence, but again, all is not lost. Look back at the individual steps we just walked through: if we can recover those clues, we can build the very telling timeline mentioned a moment ago. That reconstructed timeline can sink most any “we did nothing to cover up evidence” pleading from the other party. And once we can shut down their claims of innocence, we can open the door to gathering more evidence that we may not already have. We’ll go into that more in the next blog, so when the “magician” is frantically trying to pull a rabbit out of his hat, you’ll have a cool ace up your sleeve.
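Here is an added example (not the post’s own method or any vendor’s tooling) of the timeline reconstruction the last two sections describe: it takes dated artifacts of the kind listed above (browser history, the downloaded installer, the Program Files folder, the registry uninstall key, execution evidence, the renamed Z-files, and the uninstall), sorts them, spots the CCleaner-style “all Z’s” names, and checks how close the whole sequence sits to the date the machine was handed over. Every record, path, key name and timestamp below is constructed for illustration and is an assumption, not real evidence; the registry path is the standard Windows uninstall location but the key name is assumed.

```python
"""Added example, not from the original post: rebuild a timeline from the kinds
of artifacts described above and test whether the 'cleaner' only showed up
hours before the machine was turned in. All data here is constructed."""
import re
from datetime import datetime, timedelta
from typing import NamedTuple


class Artifact(NamedTuple):
    when: datetime
    source: str    # which artifact category the item came from
    detail: str    # first token is a filename or path when one applies


# Constructed sample: the steps in the post, each with the timestamp that would be
# pulled from browser history, the filesystem, prefetch or the registry.
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner"  # key name assumed
LAST_MINUTE = [
    Artifact(datetime(2016, 3, 14, 21, 2), "browser history", "visited CCleaner download page"),
    Artifact(datetime(2016, 3, 14, 21, 5), "filesystem", r"C:\Users\jdoe\Downloads\ccsetup.exe created"),
    Artifact(datetime(2016, 3, 14, 21, 6), "filesystem", r"C:\Program Files\CCleaner\ created"),
    Artifact(datetime(2016, 3, 14, 21, 6), "registry", UNINSTALL_KEY + " written"),
    Artifact(datetime(2016, 3, 14, 21, 8), "prefetch", "CCleaner executable run"),
    Artifact(datetime(2016, 3, 14, 21, 9), "filesystem", "ZZZZZZZZZZZ.ZZZ deleted (was 2 MB)"),
    Artifact(datetime(2016, 3, 14, 21, 9), "filesystem", "ZZZZZZZZ.ZZZ deleted (was 48 KB)"),
    Artifact(datetime(2016, 3, 14, 21, 15), "registry", UNINSTALL_KEY + " removed"),
]
# Constructed counter-example: installed years earlier and run routinely.
ROUTINE = [
    Artifact(datetime(2013, 6, 2, 10, 0), "registry", UNINSTALL_KEY + " written"),
    Artifact(datetime(2016, 3, 10, 8, 30), "prefetch", "CCleaner executable run"),
]
HANDOVER = datetime(2016, 3, 15, 9, 0)   # constructed: when the laptop was turned in

# The renamed-to-Z's pattern the post describes (spreadsheet.xls -> ZZZZZZZZZZZ.ZZZ).
# Assumption: the number of Z's varies, so match any run of them on either side of the dot.
WIPED_NAME = re.compile(r"^Z+\.Z+$")


def looks_wiped(name: str) -> bool:
    return bool(WIPED_NAME.match(name))


def build_timeline(artifacts: list[Artifact]) -> list[Artifact]:
    return sorted(artifacts, key=lambda a: a.when)


def assess(artifacts: list[Artifact], handover: datetime,
           window: timedelta = timedelta(hours=48)) -> dict:
    """Summarize the timeline relative to the handover date."""
    timeline = build_timeline(artifacts)
    first = timeline[0].when
    lead = handover - first
    wiped = [a.detail.split()[0] for a in timeline if looks_wiped(a.detail.split()[0])]
    return {
        "first_activity": first,
        "hours_before_handover": lead.total_seconds() / 3600,
        "last_minute": timedelta(0) <= lead <= window,   # whole story fits inside the window
        "wiped_files": wiped,
        "uninstalled": any(a.source == "registry" and a.detail.endswith("removed")
                           for a in timeline),
    }


def render(artifacts: list[Artifact]) -> list[str]:
    """One line per artifact, oldest first, for the report."""
    return [f"{a.when:%Y-%m-%d %H:%M}  {a.source:16s} {a.detail}" for a in build_timeline(artifacts)]


if __name__ == "__main__":
    print("\n".join(render(LAST_MINUTE)))
    for label, data in (("last-minute", LAST_MINUTE), ("routine", ROUTINE)):
        print(label, assess(data, HANDOVER))
```

The point of `assess` is not the 48-hour threshold (pick whatever window fits the case) but that every step the post lists carries its own timestamp, so even after the uninstall the sequence download, install, run, wipe, uninstall can be laid end to end against the handover date. The routine-install sample produces the opposite picture: first activity years before handover and no Z-files.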