High-tech criminals outsmarting the law
Computer crime investigations are facing a major upheaval as the shift towards a new type of hard drive technology allows criminals to cover their tracks and outsmart digital forensic specialists, Australian researchers have found.
The new drives found in many of the latest desktop and laptop computers make it virtually impossible to recover files that criminals have deleted, which forensic experts say will cause serious issues when it comes to presenting evidence in court.
Detective Inspector Bruce van der Graaf, head of the New South Wales (NSW) Police computer crimes unit, conceded that with the new technology there would be some evidence that cannot be recovered but said there would always be other sources of evidence for police to draw on.
For decades, the primary method of storing data on a computer has been on a magnetic disc. Even after the disc has been formatted and data removed, most of the information can still be recovered by skilled forensics specialists.
But increasingly, computer makers are moving to a new technology called solid-state drives (SSDs), which are faster, quieter and less susceptible to physical shocks as they store data on memory chips instead of spinning magnetic discs.
Graeme Bell and Richard Boddington of Perth's Murdoch University, in a paper published in the Journal of Digital Forensics, ran tests which discovered that with SSDs, once the user erases their hard drive, the data is gone forever in minutes and cannot be recovered.
The pair said the results were "remarkable" and revealed that SSDs are "quite capable of essentially near-complete corrosion of evidence entirely under their own volition".
In their experiments, with a traditional hard drive almost all files were preserved after the user ran a quick format, and those files could later be recovered perfectly.
"In contrast, with SSD we saw that shortly after reboot the entirety of the files were damaged and almost all were purged completely, including their filesystem and metadata records," the study found.
"After only a few minutes of sitting idle, only a single file among 316,666 was even 50 per cent recoverable; and only 0.03 per cent of data was recoverable. The contrast is startling."
Sydney forensics expert Graham Thompson said: "In summary, yep, it's a problem - forensically, legally, with probative evidence and everything else. If there's nothing there, there's no evidence, there's nothing we can do about it."
Thompson said there was already evidence of criminals migrating to SSDs.
He said similar issues were encountered when trying to recover data from mobile phones and forensic investigators were also battling with the shift to the internet "cloud", as this threw up jurisdictional and privacy issues when attempting to gather evidence.
"The law is always 10, 20 years behind the technology," he said.
Even when the researchers installed a physical write-blocker, which is designed to prevent data from being erased, the evidence was still purged from the SSD.
The write-blocker angle was the most interesting aspect for Nigel Phair, former team leader of investigations at the Australian High Tech Crime Centre.
"Write blockers are devices that allow acquisition of information on a hard drive (when it is copied to another storage device) and are the staple of computer forensic acquisition and are used to ensure there is no accidental damaging of the drive contents," said Phair, who now works as a private consultant.
"This occurs by allowing read commands to pass but by blocking write commands. Many are customisable and this would have to be explored in light of this new research to make sure they can still perform the desired role."
Sydney computer forensics expert Nick Klein said the paper was "interesting" and the SSD technology was "very clever". He conceded it would affect how computer forensic investigations were conducted but claimed it was "just par for the course in this field".
"While deleted and unallocated data can be a valuable source of evidence, it's only one source - a good computer forensic investigator should still be able to identify other available sources, depending on the case of course," said Klein.
Klein added that the move to SSDs could provide a false sense of security to users who try to cover their tracks.
"For example, those who delete evidence of their activities but are unaware of information such as Windows restore points, which can remain," he said.
"The underlying truth still remains - deleting some evidence of one's actions on a computer is easy; deleting all evidence is much more difficult. And any half-baked effort to cover one's tracks can always look suspicious."
The researchers presented a scenario of a criminal who reformats their hard drive containing evidence of their activities. They perform a quick format and then go and make a cup of tea.
"Meanwhile, the SSD's controller chip analyses the new filesystem and determines that few of the disk blocks are in use. The SSD resets most of the data blocks to prepare them for use, purging all of the data that was previously on the disk," the researchers wrote.
"When police seize the computer a few minutes later, they find it to be almost completely empty of data. A forensic analyst later wonders: was there ever anything illegal there, and if so, did the suspect knowingly purge that illegal data from the drive?"
The researchers concluded that this would cause havoc for police as they would lose access to important evidence and be on the back foot when trying to present their case in court as it would be impossible to prove that someone deliberately tried to destroy evidence.
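The scenario above, and the write-blocker observation earlier in the article, can be illustrated with a toy model. This is an added example written for this page, not code from the article or from Bell and Boddington's paper: it assumes a drive of 64 blocks, a filesystem that tracks allocation in a simple set, a quick format that only clears that allocation map, and an SSD controller whose idle-time housekeeping purges every block the filesystem no longer claims. The file contents are constructed sample data.

```python
# Toy model of why a quick format leaves file data recoverable on a magnetic
# disk but not on an SSD whose controller purges blocks it believes are unused.
# Added example; the 64-block layout, allocation map and purge behaviour are
# simplifying assumptions, not a description of any real drive firmware.
from dataclasses import dataclass, field

EMPTY = b""


@dataclass
class Drive:
    ssd: bool                       # True: controller garbage-collects free blocks
    blocks: list = field(default_factory=lambda: [EMPTY] * 64)
    allocated: set = field(default_factory=set)   # filesystem allocation map
    write_blocked: bool = False     # forensic write-blocker attached?

    def host_write(self, index, data):
        # A write-blocker sits between host and drive: it refuses host writes.
        if self.write_blocked:
            raise PermissionError("host write command blocked")
        self.blocks[index] = data
        self.allocated.add(index)

    def quick_format(self):
        # A quick format rewrites filesystem metadata only; data blocks remain.
        self.allocated.clear()

    def idle(self):
        # The SSD controller's own housekeeping is not a host command, so the
        # write-blocker cannot stop it. A magnetic disk does nothing while idle.
        if self.ssd:
            for i in range(len(self.blocks)):
                if i not in self.allocated:
                    self.blocks[i] = EMPTY


def recoverable_fraction(drive, files):
    # Fraction of the original file blocks still present in a raw block image.
    kept = sum(1 for i, data in files.items() if drive.blocks[i] == data)
    return kept / len(files)


def simulate(ssd):
    drive = Drive(ssd=ssd)
    files = {i: f"file-{i}".encode() for i in range(0, 64, 2)}  # constructed
    for i, data in files.items():
        drive.host_write(i, data)
    drive.quick_format()         # suspect quick-formats, then goes to make tea
    drive.write_blocked = True   # investigators attach a write-blocker
    drive.idle()                 # a few idle minutes pass before imaging
    return recoverable_fraction(drive, files)
```

Running `simulate(False)` returns 1.0 (every file block still carvable from the magnetic disk), while `simulate(True)` returns 0.0 despite the write-blocker, mirroring the paper's contrast between the two drive types.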
Bruce van der Graaf, head of the NSW Police computer crimes unit, said accessing deleted files on offenders' hard drives was just one method investigators used to obtain evidence.
"If the research is right there will be some evidence that can't be recovered but that's not the only thing that police use to find people or to prosecute," he said.
"You don't always recover all of the deleted data in any case, that's been the situation for some time."
Phair noted that evidence should always be corroborated, and investigators should ideally never rely on only one source of proof to validate their findings.
Computer storage manufacturer Western Digital said it estimated that worldwide sales of SSDs were $US1 billion last year, compared to $US35 billion for traditional hard drives.
But SSD sales are expected to continue growing as computer manufacturers migrate to the new technology.
Sydney Morning Herald