Software is the new tool for catching crooks

Criminals attempting to use computers to conceal evidence are likely to be surprised at how easy it is for police armed with the proper tools to retrieve digital evidence, notwithstanding technologies, including encryption, designed to aid in keeping communications anonymous.

Law enforcement officials and software vendors, speaking at the National Institute for Government Innovation's Cyber Crime summit on Monday and Tuesday, demonstrated the ease with which software tools make it possible to recover computer files, even if they have been encrypted or deleted from a user's computer. They recounted examples in which such evidence proved crucial in prosecuting sex crimes, insurance fraud and illegal drugs.

"Computers should always be treated as though they contain crucial evidence," said Shawn McCreight, president of the Pasadena, CA-based Guidance Software. "Computers seized in many cases have been found to contain evidence of other crimes, and computer evidence usually provides links between crimes," he said.

McCreight cited the case of Jeremy Strohmeyer, a 19-year-old who pleaded guilty to raping and killing a 5-year-old girl in the bathroom of a Las Vegas casino. Following a brief legal tussle with defense attorneys, prosecutors were able to introduce Strohmeyer's computer in their rebuttal evidence. After Strohmeyer denied that he had child pornography on his computer, prosecuting attorneys were able to show the jury a large cache of just those images, and that they had been deleted, along with incriminating e-mails, the day after Strohmeyer discovered he was a suspect in the case.

It has long been known that emptying the "recycle" bin on a Windows-based personal computer does not delete a file, but merely instructs the machine to write over it when there are other files to be saved. But despite software that claims to wipe the hard drive clean, Windows generally makes numerous backup copies of every file accessed and saved. The same is true for encrypted files.

"If you have something that is really sensitive, there are ways of doing it, but you have to be diligent in tracking down backup files, temporary files, and swap files, some of which you can't do while Windows is running," said McCreight, whose EnCase software is emerging as the dominant computer forensics software for law enforcement officials. In almost all cases, "there is plenty of meat still left on the bones."