erable—even if the rest of the drive is in perfect
condition.
Jason Bergerson, manager of computer forensics
at Kroll Ontrack, a data storage technology company, said retrieval success depends on the locations
and extent of the damage. If the platters themselves
are smashed or scratched recovery can be more
difficult than environmental damage, such as heat,
water, or smoke.
“If platter one is smashed, platters two and three
may be in good condition and data easily recovered,” Bergerson said.
Recovering 100% of data from the Lanza hard
drive may of course be impossible, but computer forensics operates on the belief that destroying 100%
of data is likewise impossible.
“If I can piece some of a platter together, I can
get data from it,” said professor Jibey Asthappan, of
the Lee College of Criminal Justice and Forensic
Sciences, University of New Haven.
Ultimately, the question becomes one of resources.
Waits said recovering data from shattered drives
is possible but it would be exceedingly expensive
and time-consuming, beyond the resources of most
local police agencies.
Waits said what’s needed is a mechanism that
can either move the platter fragments over a read-head or move the head-over the fragments. Then,
software could possibly stitch the data fragments
together in some meaningful way.
“If you’re talking about unlimited federal
resources, you can do a lot more from a technical
than a practical perspective,” Waits said.
Plan B
Plenty of other information on Lanza is likely available without hard drive evidence. For one, there
may be useful forensic data on game consoles. It’s
been reported that Lanza was devoted to a particular shooting game.
Xbox, for instance, provides download lists and
keeps track of game success. For suspects using a
PC/Mac–based game, online gaming distribution/
management companies are the first stop. Logs from
sites like Steam contain a wealth of user data. Also,
games like Diablo 3 require all users to have an
internet connection to play because a key is passed
to prevent piracy.
“Gaming logs can provide valuable investigative
data,” Asthappan said.
Figure 3: After flooding washed away the owner’s
home office, he located one of his muddy laptops in
a wet pile of debris several hundred feet away in a
neighbor’s yard. Fortunately, DriveSavers was able to
recover his critical data.
place to look. All surfers leave tracks on cyberspace
logs. It’s important, however, to begin cyber investigations as soon a possible, since log data can have a
short shelf life.
Experts advise to first examine the logs on the
suspect’s home cable modem. These will typically
contain MAC (Media Access Control) addresses
of all devices connected to the modem, the IP (
Internet Protocol) addresses assigned to each device,
as well as the modem’s IP address. These logs can
provide specific dates and times those devices were
connected to the Internet.
“With that information, police can seek a court
order and invoke Title 18 USC, Section 2703(f),
requiring the service provider to maintain all
suspect records for 90 days and to provide all logged
information pertaining to the suspect modem’s
IP address in the indicated date range,” said Paul
Henry, senior instructor at the SANS Institute, a
cybersecurity and training organization.
Service provider records will include every Web
site the suspect visited in the requested date range,
including chat rooms and social media. Social
media can be mother lodes of information. Facebook, for instance, logs all comments written to
a suspect’s page, any pages the suspect visited, all
comments left on Facebook pages, and any chat
conversations.
Also, Twitter, Foursquare, and Facebook not only
share information that the user provides directly,
but they can be used to track a user’s location.
Tracking is also possible using photos on devices
like smart phones. iPhone photographs are notorious for providing latitudinal, longitudinal, and
timing data.