Between a Rock and a Hard Drive
Forensics attempts to find motive behind the Sandy Hook homicides.
The means by which data can be forensically retrieved from badly damaged hard drives is being put to
extreme tests in the high-profile Sandy Hook Elementary School shooting case in Newtown, CT.
The shooter, Adam Lanza, removed the hard drive from his computer, then smashed it before driving to
the school, where he murdered 20 first-grade children and six staff members before killing himself. Investigators hope to learn what may have motivated the madness from data hidden on his damaged drive and
other electronic equipment.
The Newtown police turned the investigation of this incident over to the Connecticut State Police,
which is handling the processing of the computer evidence seized. CSP, in turn, availed themselves of offers of assistance from the FBI and other federal agencies. Attempts to retrieve data from the smashed hard
drive, however, have frustrated investigators.
“We’re using both in-house experts as well as several federal partners to examine the evidence seized,
including but not limited to the computer components,” said CSP public information officer Paul Vance.
In late February, Vance said drive manufacturers were being consulted to see if they might have better luck.
One new forensic challenge is solid state drives, which are not
mechanical. There are no platters to reconstruct. Some SSDs
even have a self-destruct function that can make data recovery
impossible using today’s techniques.
Still, there is a good chance you can get data even after the
drive has been wiped, said Cal Waits of the Software Engineering Institute at Carnegie Mellon University. Waits said each
SSD storage chip is individual, so if you damage only a few of
the chips, others may still be in good shape and specialists can
perform a procedure called a chip-off.
“You bypass the damaged chips and
read the undamaged ones if the controllers are still in place,” Waits says.
Road to Recovery
Manufacturers and other experts believe there could be data in the debris.
Disk drives have precision glass
platters with a thin film of magnetic
coating applied to the glass.
Robb Moore, CEO of ioSafe, a hard
drive manufacturer, said, “If the actual
glass platters are damaged, individual
digital bits—the ones and zeros—may be recoverable but it might not be meaningful as data is typically
randomly scattered around the entire disk surface.”
Russell Chozick, co-founder and vice president of Flashback Data, a data recovery and computer forensics
firm, said in general it’s not possible to recover data if there is significant physical damage to the platters,
but just because the outside of a drive is damaged doesn’t always mean the media itself is damaged.
“We’ve seen drives repeatedly struck with a hammer but the internals were in perfect condition,” Chozick
said. However, he said, damage to portions of drives called system areas renders a drive permanently unrecov-
Figure 1: It is usually impossible to retrieve data from smashed hard drives, given the limited resources of most police agencies. (Photo courtesy of Flashback Data.)
Figure 2: Water damage inside a hard drive from flooding. Contrary to popular belief, hard drives are not hermetically
sealed. Small breather holes in the top cover help reduce condensation buildup but also allow contaminants like water to enter the