It was a balmy summer day in Marin County, back near the beginning of my computer forensics career. Back in the day – before we called it that – I had testified as an expert witness only a few times. My feet weren’t flat yet, my shoes not yet gummy.Y2K was just beginning to gleam in the eyes of the neglected armies of COBOL programmers. The weather was right for taking big steps. The place was perfect for learning. The time was ripe for disappointments.
But not at first. At first, I just saw the dollar signs.
A couple of well-heeled L.A. lawyers gave me a call. The firm had seven surnames in its title and one of those names was on the phone. I snapped to attention as they asked if I could look at some 100MB Zip disks, tell these guys what was on the disks, and what used to be on them. Sure, I’m always game for a little show and tell. A hundred Megabytes wasn’t so small then.
After locking and imaging the disks, I took a little stroll through the file structure with old Norton Utilities in maintenance mode. Found some files that shouldn’t have been there. Found deleted files that were newer than the files on the disks. Found that a disk-optimization program had been run – possibly to overwrite files that had been there before. A defrag operation that can frag the files.
You see, when a file is deleted, not much actually happens to it at first. It’s like someone erased an entry in the table of contents – the computer is too dumb to know it’s still there, just because the index to the file has been changed. But until something writes over the contents of the deleted file, it is still lying there, waiting to be reconnected with a directory, waiting to be revealed once again. In time, deleted files will tend to get overwritten, and as it turns out, a defrag is a quicker way to overwrite deleted files – at least near the front end of the disk – so that they become unrecoverable.
These few files that had been deleted, which we recovered, and the few files with the funky dates convinced our moneyed clients to drop a bit more coin and have me fly down to Southeast L.A. to pull the disk drives from nine computers. After they told me the story of the case, it occurred to me that I might be traveling into the lion’s den.
Here was the deal.
This company made containers for pies and cakes and all manner of deliciously displayed and contained goodies. They made them for Costco and hundreds of other stores. You yourself have certainly had food in these containers. The method of manufacturing was unique and secret and based on proprietary software feeding instructions to custom machines.
The company was worth about 60 million dollars and was owned by several members of the same family. The majority of the voting shares went with the idea of selling the company. The minority adamantly wanted not to sell. A certain amount of shenanigans ensued.
While the senior member of the majority went about preparing documents to sell, members of the minority went about secretly setting up business elsewhere, with a deep-pockets partner. Then they went about sabotaging the original operation, destroying a large number of designs that made the company special.
As I made my way out to the place of the dirty deeds, everything that could go wrong seemed to want to go wrong. Murphy was working overtime for free. Flights were delayed and cancelled; car reservations disappeared and they didn’t take American Express, but finally, I was on the road out of LAX to the town of Sandofay Wells. I called my assistant to see how things were going.
“Steve, are you okay?”
Of course I was – what would be wrong, aside from delays?
“Your mom called – she had a premonition you had died.”
Well, that was out of the blue. I called my blessed mother and let her know that nothing much was amiss – I was just out on a gig, and not to worry.
But then it started to get to me. Missed flights, weird car policies, things late and reservations gone. Then the warning from my mom. Who was I going to have to deal with at the site? I go unarmed…
I decided to pull over and calmly tell my wife where the important papers were, who the creditors were and more importantly, who owed us money.
“No, honey, nothing’s wrong. I was just thinking about it. Kiss, kiss, see you tonight.”
I drove to the location and steeled myself for … nothing. The bad guys weren’t there – they had bolted the day before and all was well. This was the only red herring of the trip. I took in a deep breath and walked into the labs.
There were nine computers, and about the same number of people who wanted to talk. Listen, I can cook up a blue streak of words at any given moment, but when I’m trying to work, too many words are too trying.
I took photos, logged serial numbers, wrote descriptions of the systems, their users, their locations and of the drives. I labeled each drive and placed it in an antistatic bag, then in a padded container, then in a big box with the other drives
Two of the guys gave me a tour of the shop. One other guy wanted help with saving a file. Several guys tried their best to ignore me. Some guys were using their computers right up until the moment I had to shut them down to take the disk drives out (Preserve evidence, indeed). And two of the guys had interesting stories.
One of these last two was a hired consultant. He told me that he had been hired to try to find the missing files and computer drawings. He performed an installation of AutoCad on the system where the files had been, in the process overwriting about 300MB of the data! His concern was to let me know that the copy of AutoCad was legit – not pirated. I was dumbfounded. The first rule of evidence is not to destroy any!
Water under the bridge. He wasn’t a forensics guy and I would deal with the situation once I had made a forensic image through a write-blocker, and see if anything was left.
The other guy with a story was the senior member of the majority. The wily old uncle. He sat me down in his office for an hour or more and told me the whole story. It was a pretty close match to the one I told above.
The law office called and asked me to sit tight while one of the lawyers brought over yet one more computer. It belonged to Pablo, the youngest member of the family, a member of the minority, and the most tech-savvy of the bunch. This would prove to be the most important one. But more on that later.
Although I trust your stick-to-it-iveness, reader, a full recounting of the work I did would take more attention than I myself have, so I’ll skip pretty quickly to the conclusions.
There were mysterious holes in the data on several of the hard disks, suggesting that large swaths of data had been deleted. In these holes were both specific and random patterns of bytes. They appeared to have been purposely overwritten with non-file data.
There was a ghost imaging program on a couple of the computers that had files deleted from them, and these same files appeared on the Zip disks I’d looked at earlier. The same files had been copied from the Zip Disks to Pablo’s computer. The perp used the quick imaging capabilities of Ghost to steal data. This same version of Ghost that was on the couple of compromised computers was also on Pablo’s PC and nowhere else.
The areas of deleted files had ben replaced with patterns consistent with a file-destroying program. Lo and behold, the Windows registry on Pablo’s computer showed that it had recently had a program called “Shredder95” on it, configured to produce just such patterns. Shredder95 was an early commercial file-shredding program and though it had been uninstalled, the registry showing it was found only on Pablo’s computers. When the program was uninstalled, it did not shred the remnants of itself.
We headed to a deposition, with me dandied up in my tie and monkey suit. The morning of day one of the deposition, I got some invaluable coaching from a senior partner of the firm that has stuck with me to this day. I was told:
1. Don’t talk over the attorney asking the question – always wait until s/he’s done, for they might be asking something other than what you started to answer – and that may give away things we don’t want to give.
2. Don’t tell jokes. When a jury is reading the transcript later, they can’t can see the body language or hear the laughter in the deposition room. I became embarrassingly aware of this when I later read the transcript and saw my joking words, “I’ll have to ask my Mommy,” completely out of context.
3. Eat a light lunch so you don’t fall asleep afterwards – the other side is waiting for that so they can pounce on you unawares with a tricky question.
4. Always make sure you understand the question. If you don’t, ask for it again.
5. Almost never answer the question with yes or no. Make the question your own by repeating it as you answer, especially if it is a long question. The question that begins, “Isn’t it true, Mr. Burgess, that…” is nearly always a red flag.
6. Always tell the truth, but only answer the question they ask. Don’t be helpful by rephrasing the question so it’s more sensible. You may know what you think they mean, but it’s their job to ask the right question if they want the right information.
Except for the joke I told, the times I was too helpful, the times I spoke over the question, and the times I spoke too fast for the court reporter to get it all down (a habit of mine when I am talking tech), the two days of deposition went pretty well.
There were months of emails, phone calls, reports of how things were going in court, and then finally, the big court date.
Once again prettied up, I stepped into the courtroom, ready for anything, I thought – but not for what happened.
The short of it was: although everyone knew what files had been on the computer, and although I could show they had been destroyed by Shredder95 – the same version that Pablo had, and configured the same way – and although I could show that it happened on the last day Pablo had access to the computers at the shop, and although I could show that Pablo had a copy of the (stolen) deleted files on his computer and on the Zip disks, and although I managed to find an electronic copy of Pablo’s receipt for Shredder, the judge didn’t allow my testimony. Why not? Because I had not personally seen the files before they were destroyed and therefore anything I said about their destruction was hearsay.
I imagined an expert in another case. “Yes, your honor, we have the pieces of the train, we have identified the chemicals used to make the bomb that blew it up, we have the serial number of the detonator, the defendant admits to buying a detonator with that serial number, he’s got the same chemicals in his apartment, but we didn’t see the seats on the train before they blew up, so we can’t be sure these were the same seats. Let him go.”
Perhaps an exaggeration, but when the judge and my client both said, “You’re excused, Mr. Burgess,” it was hard to pick my jaw up off the floor. Two years of work ended without me being able to present it. A bundle of money spent by the client with nothing to show for it. I found it astounding.
But you know, it’s not for me to question the judge. The courtroom is his castle and what he says goes.
My clients ended up okay, though not as okay as they might have been with the additional testimony.
As for me, I got paid to be mentored by a pro. That’s hard to beat.
My feet got a little flatter, and my shoes got a little gummier…
It doesn’t always turn up all roses in computer forensics, but the fees can buy a posey or two and a can of Glade and when you close your eyes on a summer’s day, you can’t always tell the difference. For just a minute, the reports and the courtrooms fade into the reverie.
And then the phone rings with another client who needs us to dig into the digital world once more.
This is just one of the many “CSI – Computer Forensics Files: Real Cases from Burgess Forensics.” Stay tuned for more stories of bad deeds uncovered by science.
Subscribe to our free and informative weekly forensics newsletter!