| Author |
Message |
shadowfx
B.V. VIP - Pioneer


Joined: Oct 08, 2001
Posts: 4040
Location: New Hampshire
|
Posted: Tue Nov 21, 2006 5:11 am Post subject: From the courts... Data Retention |
|
|
| |
Deliberate Deletion of E-mails Increases Prison Sentence
United States v. Tamez, 2006 WL 2854336 (S.D.N.Y. Oct. 5, 2006). A judge’s sentence for a defendant convicted of embezzlement, inter alia, was increased by two levels for obstruction of justice -- namely the defendant’s deliberate deletion of e-mail from a workplace-issued laptop. A computer forensic expert determined the defendant, a high-ranking official with the U.S. Drug Enforcement Administration (DEA), deleted incriminating e-mails and files from his government computer shortly after the agency placed him on administrative leave for suspicion of embezzlement. The defendant filed a motion asking the court to set aside the upward departure from the sentencing guidelines because the e-mails were not deleted deliberately. He argued he deleted the files because department policy required departing employees to return laptops in the same condition in which they were issued. The defendant further argued his personal America Online log-in information was only deleted to prevent others from obtaining his personal information. The court found the defendant’s arguments “patently absurd”. There was no doubt the defendant was “intentionally seeking to destroy this evidence to interfere with the investigation. By deleting the files--some of which have not been recovered in usable form or at all--he impeded the Government’s investigation.” The upward departure of two levels in sentencing was affirmed by the court.
***
Hard Drive Wiping Warrants Default Judgment
Arista Records v. Tschirhart, 2006 WL 2728927 (W.D. Tex. Aug. 23, 2006). In a copyright infringement case involving the illegal downloading of music from the Internet, the plaintiff motioned the court to award default judgment against the defendant for deletion of key computer records. The defendant was required to produce her computer for inspection two times to determine if songs were illegally downloaded from the Internet. However, once the defendant eventually produced her computer, a computer forensic expert determined wiping software was run shortly before and after production was ordered. The defendant argued she ran a defragmentation program which comes installed on most computers and is run automatically. The plaintiff argued the defragmentation was performed at key moments in the litigation and was not indicative of a program running a monthly or weekly scan. The court held the timeliness of the data deletion was consistent with intent to destroy. The defendant argued the sanctions should be sufficient to prevent the destruction of any more evidence in the case. The court found no other relevant evidence existed that the defendant could destroy. Therefore, the court held that only an order for default judgment would be fair since key evidence was missing and without it, only piecemeal evidence would remain which greatly prejudiced the plaintiff in presenting its case.
************************
Recently, the Computer Security Resource Center of the U.S. National Institute of Standards and Technology (NIST) released a new piece of research entitled, “Guidelines on Cell Phone Forensics.” This document outlines general principles and provides technical information intended to aid organizations evolve policies and procedures for preserving, acquiring, and examining digital evidence found on cell phones. These guidelines (available at http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf) are in draft form, and computer forensic specialists and members of the law enforcement community are encouraged to provide feedback.
As outlined in the NIST research, potential cell phone evidence may include:
• Subscriber/Device Identifiers - These entries are helpful in identifying the owner of the phone, and other background information such as date/time/language settings, billing and usage information, and location tracking.
• Phonebook Entries - Phonebook entries may contain more than just names and phone numbers, it also may include e-mail and postal addresses.
• Call Logs - Phone logs capture recent calls attempted from the phone, received by the phone, and missed by the phone.
• Message Entries - Message entries include voice, text, and e-mail received and sent by the phone. Undelivered messages also may be recoverable.
• Calendar Items - Similar to a paper-based date-planner, electronic calendar entries may provide dates, times, and locations of scheduled events.
• Photographs/Video - Many mobile phones have a built-in camera and video devices and can receive messages containing photos or videos.
• Other File/Website Content - Some cell phones can navigate the Internet or display word processing documents, graphic files, spreadsheets, presentation slides, and other similar electronic documents.
If a cell phone might be a source of crucial evidence in your next case or investigation, seek the assistance of a qualified computer forensic expert, skilled in cell phone investigation best practices.
*********************************************************************
Just thought some others here might find this info interesting. |
ninor
B.V. VIP - Friend


Joined: Sep 28, 2001
Posts: 3535
Location: Northern Canada
|
Posted: Tue Nov 21, 2006 2:40 pm Post subject: |
|
|
| |
| Deleted files aren't always as deleted as you think. I had a buddy back East that specialized in recovering deleted files from hard drives and reconstructing them. Even when you format a hard drive, the files that were flattened can be retrieved and reconstituted. The data is still there; it's just not in an easily recognized form. The only sure way to delete a file is to physically destroy the hard drive (cut it up into numerous pieces and then throw it into a blast furnace until there's nothing left but molten metal). Contrary to popular belief, a magnet doesn't always do the job (although rare earth magnets come pretty close). |
CUJOXXL
B.V. VIP - Adventurer


Joined: Jan 29, 2003
Posts: 7100
Location: Nor-Cal
|
Posted: Tue Nov 21, 2006 5:29 pm Post subject: |
|
|
| |
"magnets will do the trick"
Some friends tried this once......They used one of those magnets
(flat circular) to play a little prank on a friend. It was one of those
strong magnets, the kind that you have to peel off. They placed it on the
back of his tower and when he booted the system it wiped the hard
drive clean as a whistle. Only problem was that this guy did work
from home and all those files had been completely deleted.
Some he had backup for and some he did not. At any rate it took
him a week to rectify the matter. They never told him............  |
tarsustom
B.V. VIP - Contributor


Joined: Oct 11, 2003
Posts: 17507
Location: Not of this world
|
Posted: Tue Nov 21, 2006 5:37 pm Post subject: |
|
|
| |
I've always wondered if PC speakers (including a big woofer) are in danger of corrupting the hard drive if they sit too close.
Of course, I don't take any chances but... |
shadowfx
B.V. VIP - Pioneer


Joined: Oct 08, 2001
Posts: 4040
Location: New Hampshire
|
Posted: Tue Nov 21, 2006 10:42 pm Post subject: |
|
|
| |
Ninor, ever use KrollOnTrack?
Honestly, if you ever really need to recover data, I'd highly recommend their stuff. Either service or software. It's not cheap stuff.
| Quote: |
| The only sure way to delete a file is to physically destroy the hard drive (cut it up into numerous pieces and then throw it into a blast furnace until there's nothing left but molten metal). |
I think you just solved the molten metal conspiracy from the WTC debris.  |
CUJOXXL
B.V. VIP - Adventurer


Joined: Jan 29, 2003
Posts: 7100
Location: Nor-Cal
|
Posted: Tue Nov 21, 2006 11:45 pm Post subject: |
|
|
| |
"PC speakers too close"
Most satellite speakers are of the "shielded" variety and not a threat to
your data. Most sub-woofers are NOT shielded and can cause data
corruption. That is why it is recommended your sub be at least 18in.
from your tower&monitor................ 
Last edited by CUJOXXL on Sat Nov 25, 2006 12:39 am; edited 1 time in total |
|
_________________ Never argue with an idiot in that they will drag you
down to their level then beat you with experience. |
tofu_kronos
B.V. Info Seeker


Joined: Jan 11, 2005
Posts: 3813
Location: the netherlands, d00d where´s mi bong
|
Posted: Wed Nov 22, 2006 4:36 am Post subject: |
|
|
| |
| CUJOXXL wrote: |
"magnets will do the trick"
Some friends tried this once......They used one of those magnets
(flat circular) to play a little prank on a friend. It was one of those
strong magnets, the kind that you have to peel off. They placed it on the
back of his tower and when he booted the system it wiped the hard
drive clean as a whistle. Only problem was that this guy did work
from home and all those files had been completely deleted.
Some he had backup for and some he did not. At any rate it took
him a week to rectify the matter. They never told him............  |
If someone would pull this kind of stunt with me, I would send them directly to the E.R. |
shadowfx
B.V. VIP - Pioneer


Joined: Oct 08, 2001
Posts: 4040
Location: New Hampshire
|
Posted: Wed Nov 22, 2006 5:42 am Post subject: |
|
|
| |
I've never done a trick like that.
I have pulled someone's hard drive and replaced it w/ a new one.
Let them sweat for a little bit about their data and then when they leave for a few minutes put it right back.
Never out to destroy someone's stuff though.
Maybe just move it.  |
Nesaie
B.V. Info-a-holic


Joined: Aug 04, 2005
Posts: 10412
|
Posted: Wed Nov 22, 2006 9:21 am Post subject: |
|
|
| |
What would happen if someone happened to have a "virus" on a disk that reset the master boot record to 0s and then overwrote the whole hard drive with garbage? It could happen. A person could accidentally leave this disk in the drive and boot the computer.  |
uxo_tech
B.V. Info Seeker


Joined: Jul 15, 2004
Posts: 2680
Location: Texas North - Alberta
|
Posted: Wed Nov 22, 2006 9:38 am Post subject: |
|
|
| |
| ninor wrote: |
| . The data is still there; it's just not in an easily recognized form. The only sure way to delete a file is to physically destroy the hard drive (cut it up into numerous pieces and then throw it into a blast furnace until there's nothing left but molten metal). |
Not quite true... a program like Boot & Nuke, PGP-Wipe or Kremlin will overwrite your unused space on the hard drive a few dozen times. What's not there can't be recovered.
Kremlin will also handle your Windows swap file and volatile memory at the same time.
It is however time consuming to run on larger hard drives so it's not something you're going to be doing if you're getting your door kicked in by the police during a raid.
Which is what encrypted partitions on your hard drive are for.  |
|
_________________ Ex Ignorantia Ad Sapientiam; E Luce Ad Tenebras
shadowfx
B.V. VIP - Pioneer


Joined: Oct 08, 2001
Posts: 4040
Location: New Hampshire
|
Posted: Thu Nov 23, 2006 12:05 am Post subject: |
|
|
| |
| Quote: |
| What would happen if someone happened to have a "virus" on a disk that reset the master boot record to 0s and then overwrote the whole hard drive with garbage? It could happen. A person could accidentally leave this disk in the drive and boot the computer. |
Now nes.. don't go getting ideas.
But in that scenario then yes the data is still recoverable. Real easy to get at = no. Still able to get at = yes.
Something like uxo was talking about, "Kremlin". If you use the DOD settings it will take 3 passes at the drive. I believe in that case trace amounts of data are still recoverable. But mainly only table indexes and such. Nothing really usable. |
uxo_tech
B.V. Info Seeker


Joined: Jul 15, 2004
Posts: 2680
Location: Texas North - Alberta
|
Posted: Thu Nov 23, 2006 4:17 am Post subject: |
|
|
| |
| shadowfx wrote: |
| Something like uxo was talking about, "Kremlin". If you use the DOD settings it will take 3 passes at the drive. I believe in that case trace amounts of data are still recoverable. But mainly only table indexes and such. Nothing really usable. |
We used 8-10 passes with Kremlin as a "standard".
The last thing you want is a complete set of Canadian Forces Technical Orders turning up on a PC in a meth lab somewhere like the Los Alamos data did recently. Admittedly that was stolen but...
As I mentioned previously though, that's something you start when you leave at the end of the day and it might not be done when you get in the next morning if you have a large hard drive.
Speed is in no way compatible with making something unrecoverable. |
|
_________________ Ex Ignorantia Ad Sapientiam; E Luce Ad Tenebras
sotexas_spi
B.V. VIP - Contributor


Joined: Jun 20, 2003
Posts: 4095
Location: Texas/SPI
|
Posted: Thu Nov 23, 2006 4:22 am Post subject: |
|
|
| |
I have an old 3 1/2" disk that was given to me years ago by a computer tech; he labeled it simply "NUKE". He told me it would completely wipe any hard drive. In all the years I've owned it, I've never even put it in the disk drive in fear I'll accidentally f*ckup.
Pax Vobiscum  |
shadowfx
B.V. VIP - Pioneer


Joined: Oct 08, 2001
Posts: 4040
Location: New Hampshire
|
Posted: Thu Nov 23, 2006 4:57 am Post subject: |
|
|
| |
Send the files on it here.
I'll test it for ya.
He probably gave it to you because he knows about all the porn on your computer and thought you might run into a scenario where you might need it.
Get a Degauss Wand and see if that does the trick also.
 |
Nesaie
B.V. Info-a-holic


Joined: Aug 04, 2005
Posts: 10412
|
Posted: Thu Nov 23, 2006 12:50 pm Post subject: |
|
|
| |
| shadowfx wrote: |
| Quote: |
| What would happen if someone happened to have a "virus" on a disk that reset the master boot record to 0s and then overwrote the whole hard drive with garbage? It could happen. A person could accidentally leave this disk in the drive and boot the computer. |
Now nes.. don't go getting ideas.
But in that scenario then yes the data is still recoverable. Real easy to get at = no. Still able to get at = yes.
Something like uxo was talking about, "Kremlin". If you use the DOD settings it will take 3 passes at the drive. I believe in that case trace amounts of data are still recoverable. But mainly only table indexes and such. Nothing really usable. |
I didn't say I'd do it. I've just heard about viruses (or is it viri?) that might do something like that.  |