Digital Forensics - Summer 2013

erable—even if the rest of the drive is in perfect condition.

Jason Bergerson, manager of computer forensics at Kroll Ontrack, a data storage technology company, said retrieval success depends on the locations and extent of the damage. If the platters themselves are smashed or scratched recovery can be more difficult than environmental damage, such as heat, water, or smoke.

“If platter one is smashed, platters two and three may be in good condition and data easily recovered,” Bergerson said.

Recovering 100% of data from the Lanza hard drive may of course be impossible, but computer forensics operates on the belief that destroying 100% of data is likewise impossible.

“If I can piece some of a platter together, I can get data from it,” said professor Jibey Asthappan, of the Lee College of Criminal Justice and Forensic Sciences, University of New Haven.

Ultimately, the question becomes one of resources.

Waits said recovering data from shattered drives is possible but it would be exceedingly expensive and time-consuming, beyond the resources of most local police agencies.

Waits said what’s needed is a mechanism that can either move the platter fragments over a read-head or move the head-over the fragments. Then, software could possibly stitch the data fragments together in some meaningful way.

“If you’re talking about unlimited federal resources, you can do a lot more from a technical than a practical perspective,” Waits said.

Plan B

Plenty of other information on Lanza is likely available without hard drive evidence. For one, there may be useful forensic data on game consoles. It’s been reported that Lanza was devoted to a particular shooting game.

Xbox, for instance, provides download lists and keeps track of game success. For suspects using a PC/Mac–based game, online gaming distribution/ management companies are the first stop. Logs from sites like Steam contain a wealth of user data. Also, games like Diablo 3 require all users to have an internet connection to play because a key is passed to prevent piracy.

“Gaming logs can provide valuable investigative data,” Asthappan said.

Figure 3: After flooding washed away the owner’s home office, he located one of his muddy laptops in a wet pile of debris several hundred feet away in a neighbor’s yard. Fortunately, DriveSavers was able to recover his critical data.

place to look. All surfers leave tracks on cyberspace logs. It’s important, however, to begin cyber investigations as soon a possible, since log data can have a short shelf life.

Experts advise to first examine the logs on the suspect’s home cable modem. These will typically contain MAC (Media Access Control) addresses of all devices connected to the modem, the IP ( Internet Protocol) addresses assigned to each device, as well as the modem’s IP address. These logs can provide specific dates and times those devices were connected to the Internet.

“With that information, police can seek a court order and invoke Title 18 USC, Section 2703(f), requiring the service provider to maintain all suspect records for 90 days and to provide all logged information pertaining to the suspect modem’s IP address in the indicated date range,” said Paul Henry, senior instructor at the SANS Institute, a cybersecurity and training organization.

Service provider records will include every Web site the suspect visited in the requested date range, including chat rooms and social media. Social media can be mother lodes of information. Facebook, for instance, logs all comments written to a suspect’s page, any pages the suspect visited, all comments left on Facebook pages, and any chat conversations.

Also, Twitter, Foursquare, and Facebook not only share information that the user provides directly, but they can be used to track a user’s location. Tracking is also possible using photos on devices like smart phones. iPhone photographs are notorious for providing latitudinal, longitudinal, and timing data.