The Hidden Trail
Time and again we are seeing situations where computer records are being turned to the advantage of those prosecuting others for criminal acts. Two obvious examples are Dr Shipman, and Gary Glitter.
Dr Shipman was a computer nerd. He had relied extensively on, and prided himself on, his computer knowledge in his medical practice. When he anticipated being discovered he took steps to alter his computer records, for example to adjust notes of the times and dates of his attendances upon his clients. Gary Glitter (Paul Gadd) had, rather more simply, stored images on his disk which were discovered by an inquisitive repairman. Others have been prosecuted after discovery of the remnants of files on hard disks.
The fundamental point is that computers do leave traces. This is not a technical description of how forensic investigations are carried out, still less an aid to those seeking to hide their misdeeds. It is an important point for computer users to understand. There are several considerations:
- Backups. Computer managers have it drummed into them that they must keep backups of every activity. That attitude is ingrained. As time has gone on, and storage costs have all but disappeared, that attitude is reinforced. Whatever a computer record now says, in any commercial organisation, there are likely to be several earlier backup copies. If it is felt or suspected that a record may have been altered, go for the backups.
- Computers are lazy. What is deleted is not always deleted. It is almost trite now that people recognise that they may choose to delete a file, and actually do it, but it is not actually deleted from the PC. Indeed, Windows now makes a virtue of this. A file may be thrown in the rubbish bin, but then, as with a piece of paper, it can usually be retrieved. We understand that a rubbish bin itself may be emptied, and the rubbish bin on the screen also metaphorically emptied. What is not quite so obvious is that even after that, the file itself is not removed from the hard disk. The only change is that the central list of live files has had that file name deleted from its list (or even perhaps just marked as available for deletion). It can be trivially easy to restore such files.
- Redundancy in Files. I am not sure that is quite the term, but within files created by modern office software there exists a certain amount of redundancy. A Word file with one line of text will occupy several tens of thousands of bytes on the hard disk. If you delete those words, and type others in their stead, quite regularly the old words will still be in the file, even though they are no longer part of the document. This can perhaps be particularly embarrassing if one sends a document by e-mail and the recipient can examine earlier versions of the letter.
This applies also, though to a lesser extent, within databases. A record deleted is not actually deleted, merely its index entry is removed. Again, a skilled practitioner might well be able to examine the database file, and recover deleted records. Databases often have a utility tool called ‘compact’ or ‘minimise’ which will remove all such extra data.
- Caches. A cache might be defined as a temporary copy of data taken for the purpose of better managing data flow. The best examples are the cache stores maintained by your web browsers. The basic, fundamental, technique employed on the web is that when you visit a site, the site files are transferred onto your computer, and your browser views them from your hard disk. People tend to visit that same site regularly, or the same site might make repeated requests for the same files, and therefore copies of these files are also kept after your visit is concluded, anticipating that they may be needed next time. Such files fill a large expanse of an average hard disk, but the browsers are organised so that they are hidden from you.
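The database point above (a deleted record stays in the file until the database is compacted), shown as an added example that is not part of the original article. It uses SQLite, which the article does not name, with its VACUUM command standing in for 'compact'; the table, the marker text and the temporary file are all constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value, used only so the bytes are easy to find in the file.
MARKER = b"CONSTRUCTED-SAMPLE-NOTE-0001"


def marker_in_file(path):
    """Return True if the marker bytes occur anywhere in the raw database file."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def demo():
    """Insert, delete, then compact a record; report what the raw file holds."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    results = {}
    try:
        con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        # Some builds overwrite freed space by default; turn that off so the
        # behaviour the article describes is what gets demonstrated.
        con.execute("PRAGMA secure_delete = OFF")
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO notes (body) VALUES (?)",
            [("routine entry",), (MARKER.decode(),), ("another entry",)],
        )
        results["file_after_insert"] = marker_in_file(path)

        con.execute("DELETE FROM notes WHERE body = ?", (MARKER.decode(),))
        results["rows_after_delete"] = con.execute(
            "SELECT COUNT(*) FROM notes WHERE body = ?", (MARKER.decode(),)
        ).fetchone()[0]
        # The query finds nothing, yet the bytes are still in the file.
        results["file_after_delete"] = marker_in_file(path)

        con.execute("VACUUM")  # SQLite's equivalent of 'compact'
        results["file_after_vacuum"] = marker_in_file(path)
        con.close()
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The same byte search run over a file before it is released to a third party is a quick check that compaction has actually been done.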