Forensics: When is Data Truly Lost?Rob Lee of SANS Institute on the Difficulty of Destroying Data
Before embarking on the tragic Newtown, Conn., shootings, Adam Lanza reportedly destroyed his computer. But is the machine's data also destroyed?
See Also: The SOAR Buyer's Guide
Rob Lee, forensics expert and educator from SANS Institute, points out how difficult it is to truly destroy computer data. Particularly in an age when people live their virtual lives in so many forums and through so many mobile devices.
"Data is incredibly difficult to get rid of," Lee says in an interview with Information Security Media Group [edited transcript appears below]. "Individuals that have files stored on a single drive might have connections into the cloud, might have e-mail stored on Yahoo or Hotmail, and could have data posted to Twitter accounts, and it's just - everything is spread everywhere."
For someone intent on destroying data, Lee says, there are three basic tactics:
- Delete the file - which is largely ineffective because of the proliferation of backups that exist on the machine or on servers.
- Wipe the hard drive - which can be effective, even with just a single-pass electronic wipe.
- Destroy the hard drive - which is harder to accomplish than it sounds, Lee says.
"These things are designed to endure a lot of wear and tear from being dropped, being emerged in water and so forth," Lee says. Even if a hard drive's head and motors are damaged, the actual platter that contains the data may still be intact. "So, in order to recover the data all [an investigator] would do is what is called a platter swap and move it into a hard drive with a motor that does work."
If the platter itself is destroyed - say, by drilling directly through the platter - then the data most likely is lost. In the Lanza case, the FBI is investigating the remains of the shooter's computer to determine whether the data is retrievable.
"If, as is suspected here, the shooter hammered against his hard drive," Lee says, "the likelihood is that the platters that are inside of it simply need to be replaced into a working drive with a working motor in order to be able to get the data off the drive.
Lee is an entrepreneur and consultant in the Washington, D.C., area, specializing in information security, incident response and digital forensics. He is the curriculum lead and author for digital forensic and incident response training at the SANS Institute, in addition to owning his own firm. He has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response.
Following is an edited transcript of this interview with Lee.
When is Data Lost?
TOM FIELD: Rob, we spoke just about a month ago and you took us inside a forensics investigation. Since then we've had some high-profile cases, the most recent being the Connecticut shooter who apparently destroyed his computer so that at least he could cover up some of his electronic tracks. My question for you: In a forensics investigation, when is data difficult or impossible to retrieve?
ROB LEE: Data is incredibly difficult to get rid of. Computers are less stovepipe today, meaning that they are less seen as a single system than they've ever been in the past. Individuals that have files stored on a single drive might have connections into the cloud, might have e-mail stored on Yahoo or Hotmail, and would have data posted to Twitter accounts, and it's just - everything is spread everywhere.
Even if you take a look at how many devices that you have attached to an individual, most people have three or four, from a tablet to a laptop to a desktop system, work PC, maybe one smartphone, your iPod and your e-reader. You could easily share data across all these devices. So, data is fairly resilient at this point and in many forms. That is one of the things that is particularly interesting in this [Connecticut] case is that the individual obviously had a concern that somebody would be looking at his laptop. So, it was definitely premeditated that he destroyed it.
Now, you asked specifically the question about "How hard is it to destroy a data on the laptop?" There are several ways to do this. First of all, if someone deletes an individual file; second if they wipe an entire hard drive; third if they try to physically damage the hard drive.
Let's assume someone wipes an individual file on a system. Is it possible to recover that? Typically, yes, because that file is usually never sitting at the same location on the hard drive. It may have been moved. It might have been defragmented. It might have multiple copies or backup copies on the drive, so even what you think is being deleted or wiped at a single instant, it may still reside in other locations in either backup form or just because the system is stored at another location.
So, this leads us to our second possibility, when someone says, "Well, I'll wipe the entire contents of my hard drive." In that situation, it is probably one of the more destructive means to destroying data. It really does require only a single-pass wipe, even though some government agencies require multiple passes, NIST came out with standards in 2006, also recognized by multiple forensic experts, that if someone has a single-pass wipe on their hard drive, the data is gone. You will not be able to recover it off the drive.
Third is the physical damage that we see here in Connecticut. Now a hard drive's chassis is actually built with really good engineering specs. These things are designed to endure a lot of wear and tear from being dropped, being emerged in water and so forth. That even if these things occurred to it and it damages the chassis ... the data on the drive is almost 100 percent recoverable. Why? The main reason is that usually the head and the motors of the hard drive are damaged, not the actual platter, which is where the actual data is stored. So, in order to recover the data all they would do is what is called a platter swap and move it into a hard drive with a motor that does work.
A situation that makes it very difficult to recover data is if someone actually physically damages the platter of a hard drive. To do this, they would potentially drill through the hard drive and actually cause the platter to shatter in some form or mechanism. That is a lot more difficult to reconstruct. There is no way I know of where someone has even made an attempt of re-create the data off of a shattered platter.
If, as is suspected here, the shooter hammered against his hard drive, the likelihood is that the platters that are inside of it simply need to be replaced into a working drive with a working motor in order to be able to get the data off the drive.
FIELD: Rob, let's take this back to what security leaders can do. How can they preemptively attempt to preserve data on devices that they feel they are going to have to investigate forensically?
LEE: Well, there are a lot of things already built in to Windows to help you accomplish this, but a lot of enterprise actually disable them. For example, for enterprises that are currently upgraded to Windows 7, they are turning off the volume shadow copy. The volume shadow copy actually has entire back-up to the hard drive from earlier points of time, going back probably about a week or two. So, if someone is wiped out today, you could recover [the data] from yesterday. So, my recommendation is: Don't turn off some of the default capability already built into your work station, thinking you're going to see a little more performance out of it. You're not.
The second thing that you can do to really help out is make sure your servers are regularly backed up. You know, e-mails are considered examples here. If someone is trying to actively delete data from e-mails or wipe them, then it may be a week or two that goes by [before you notice], but if you have backups, you'll be able to recreate the entire e-mails.
And as I said earlier, e-mails are also stored at other locations in your network such as mobile devices to laptops. So the ability to still recover e-mail or similar type of artifacts is fairly decent because of the sheer replicated mechanisms that are already in play.