It is possible to access the contents of a computer’s memory for up to two days after it’s shut down because a residual charge from the data remains, says Otago University IT senior lecturer Hank Wolfe.
And such information will increasingly be used in forensic examinations of computers, for both criminal investigations and civil cases, says Wolfe. He spoke on the subject at the SEARCC (South East Asia Regional Computer Conference) last week.
During the discovery process in a legal case or investigation, there are three types of data, says Wolfe: open, unknown and hidden. Unknown data is that which the average user is not necessarily aware of. Hidden data is material that has been deliberately concealed. Hidden data includes that concealed in partition waste space, data written to bad clusters and data hidden by diffusion into binary objects.
Another significant category of hidden data is data concealed in graphics files, a variant of the age-old art of steganography: hiding a secret message in an ordinary-looking communication, with only the sender and recipient knowing the message is there and how to retrieve it. An example is putting an encrypted message in a JPEG file on a web page so that the recipient, who may be on the other side of the world, can download it. There has been speculation that the Al Qaeda terrorist network uses steganography.
Wolfe reminded his audience that when they delete a file they don’t erase the data. The space it occupied is simply flagged as available to be written over. Another simple insight was that code-breaking isn’t always necessary to gain access to files — simply guessing the holder’s password can do the trick, and is easier than many people think. Just finding the names of someone’s spouse, partner, family members, pets and cultural or sporting idols can be enough, Wolfe says, because people often use them as passwords, and a few guesses are frequently all it takes to hit the right one.
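As an added illustration of the deletion point above (this is example code written for this page, not the article's or Wolfe's), a toy block-device model in Python: delete() only drops the directory entry and flags the blocks reusable, so a signature carve over the raw bytes still recovers the JPEG-like object, until a later write overwrites it. The block size, the ToyDisk class and the sample bytes are constructed assumptions.

```python
import re

BLOCK = 64  # bytes per block in the toy model (an assumption, not from the article)

# Constructed sample payload: a minimal JPEG-like object (SOI ... EOI markers).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"secret picture data" + b"\xff\xd9"

class ToyDisk:
    """Toy block device: a byte array, a free-block map and a directory."""
    def __init__(self, blocks):
        self.data = bytearray(BLOCK * blocks)
        self.free = [True] * blocks
        self.directory = {}  # name -> (first_block, length)

    def _find_run(self, need):
        for i in range(len(self.free) - need + 1):
            if all(self.free[i:i + need]):
                return i
        raise OSError("disk full")

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        start = self._find_run(need)
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        for b in range(start, start + need):
            self.free[b] = False
        self.directory[name] = (start, len(payload))

    def delete(self, name):
        # Like a real "delete": drop the directory entry and flag the blocks
        # as reusable. The bytes themselves are left untouched.
        start, length = self.directory.pop(name)
        for b in range(start, start - (-length // BLOCK)):
            self.free[b] = True

def carve_jpegs(raw):
    """Recover JPEG-like objects by signature alone, ignoring the directory."""
    return [m.group(0) for m in re.finditer(rb"\xff\xd8\xff.*?\xff\xd9", raw, re.DOTALL)]

def demo():
    disk = ToyDisk(8)
    disk.write("photo.jpg", SAMPLE_JPEG)
    disk.delete("photo.jpg")
    unlisted = "photo.jpg" not in disk.directory   # gone from the directory...
    carved = carve_jpegs(bytes(disk.data))         # ...but still on the medium
    disk.write("notes.txt", b"x" * 10)             # reuse of the freed block
    after_reuse = carve_jpegs(bytes(disk.data))    # header overwritten, carve fails
    return unlisted, carved, after_reuse

if __name__ == "__main__":
    print(demo())
```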
Wolfe has done computer forensics work for the police and lawyers in civil cases.