
How to Explain Deleted Data: For Attorneys, Clients, Juries and More



I was recently asked by a colleague for an analogy to help them explain how it was possible to recover data that a user had deleted and then emptied from the Recycle Bin. The question reminded me that it’s easy to slip into the belief that everyone inherently knows how this stuff works. Attending forensic training and conferences, we sometimes forget that what appears basic and simple to us can sound like Star Trek: The Next Generation’s well-known technobabble, e.g. “Increase the neutrino stream to the warp engine transducers”.

Completing reviews of digital data and finding new artifacts can be exhilarating for a forensic investigator. The feeling of accomplishment at finding the truth in the data is euphoric. That is the fun part. The truly difficult part comes when we have to explain the findings, verbally and in writing, so that they are useful to those who need them most. The recipients can include management, clients, attorneys, judges, juries and more. These individuals may make life-altering decisions based on their understanding of our work product.

A few of my own ideas came to mind, but it occurred to me that they were getting old and not very relatable. Many adults today have never used a library with a card catalog, let alone a cassette tape or a phone book. It was time to go to the #DFIR community for some fresh ideas. The community responded! 

(If you don’t follow #DFIR on Twitter, you are missing out on outstanding information sharing from some amazingly talented people in the industry)

There were some great ideas. For reference, I’ve listed all the suggestions and their sources at the end of the post. Among the comments was a critique that “The analogies are just as complicated as the technical explanation.” That is partly my concern as well. However, when people have an innate fear of or resistance to technology, they can often grasp an equally complex idea if it comes from a world or experience they do understand.

@DFIRTraining had a very logical suggestion: “Choose the analogy that fits the audience. Someone who cooks can relate to a stovetop being RAM. The more burners (RAM) you have, the more you can cook (run) at the same time.” This is the idea that should drive your choice of how to explain a highly technical artifact to your audience. With this concept in mind, I chose a book and its table of contents. My intended recipient is an attorney, and attorneys are very familiar with books, tables of contents and indexes.

The Table of Contents (TOC) idea can be used for a simple or a more in-depth explanation. In simple terms, a book’s TOC can have an entry removed while the pages it references, text and all, remain in place. A reader could scour the book for the undocumented chapter and read its contents.
Sometimes the case is more intricate. It may involve digital artifacts in slack space, or the original file metadata may be intact while the data has been partially or completely overwritten. I can still rely on this analogy, and the same holds for most any analogy you choose: take some time to use your imagination and tailor it to your audience.

I made a sample TOC and a slide containing data “pages”. I can show the TOC entry marked for deletion and explain that at print time it is hidden from the viewer, while the actual chapter and its pages remain in the book. This demonstrates how a deleted file’s metadata can be recovered: on an NTFS volume, for example, deletion only flags the file’s Master File Table (MFT) record as unused, and the name, timestamps and cluster pointers stay in that record until it is reused. The next step would be to show that the TOC entry is needed for a new chapter in the book and is overwritten, at which point the metadata is gone even if the pages are not.
In another scenario, I could show how a replacement chapter overwrites part or all of a chapter no longer needed. This keeps the book at the same number of pages, just like a drive volume’s size, but demonstrates how the partial data could be found and that the original “deleted” TOC entry’s metadata could still be found.

This starts to sound pretty complex, but shown on a slide or a series of slides, a picture makes it much easier.
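As an added example (not part of the original post, and not code from any tool it mentions), the toy volume below puts the book-and-TOC model into runnable Python so the three states the slides show can be checked rather than drawn. An 8-byte page stands in for a cluster, two TOC slots stand in for MFT records, and the file names and contents are made up. demo() walks through: a deleted entry whose pages are untouched (full recovery), a new file that partly overwrites those pages (partial recovery, with the old bytes left past the new file’s end as slack), and a new file that reuses the stale TOC entry itself, after which the metadata is gone and only scanning the pages for a known pattern (carving) finds the content.

```python
"""Toy 'book' volume: a fixed-size table of contents (TOC) plus fixed-size pages.

Added example for this post, not from the original article. Page size, slot
count and all file contents are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

PAGE_SIZE = 8   # bytes per page (a cluster); tiny so the bytes stay readable
NUM_PAGES = 16  # the book never gains or loses pages, like a volume
TOC_SLOTS = 2   # TOC entries (MFT-record-like); reused once all are taken


@dataclass
class TocEntry:
    name: str
    pages: List[int]   # page numbers granted to the file, in order
    size: int          # logical size in bytes
    in_use: bool = True


class Book:
    def __init__(self) -> None:
        self.pages = [bytearray(PAGE_SIZE) for _ in range(NUM_PAGES)]
        self.toc: List[Optional[TocEntry]] = [None] * TOC_SLOTS

    def _live(self) -> List[TocEntry]:
        return [e for e in self.toc if e is not None and e.in_use]

    def _free_pages(self) -> List[int]:
        used = {p for e in self._live() for p in e.pages}
        return [i for i in range(NUM_PAGES) if i not in used]

    def _free_slot(self) -> int:
        # A never-used slot first; otherwise reuse a deleted entry's slot,
        # which destroys the stale metadata (name, size, page list).
        for i, e in enumerate(self.toc):
            if e is None:
                return i
        for i, e in enumerate(self.toc):
            if e is not None and not e.in_use:
                return i
        raise OSError("TOC full")

    def write(self, name: str, data: bytes) -> TocEntry:
        needed = -(-len(data) // PAGE_SIZE)   # ceiling division
        free = self._free_pages()
        if len(free) < needed:
            raise OSError("volume full")
        granted = free[:needed]
        for i, p in enumerate(granted):
            chunk = data[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
            # Only the bytes written are replaced; the rest of the last page
            # keeps its old contents, which is file slack.
            self.pages[p][:len(chunk)] = chunk
        entry = TocEntry(name, granted, len(data))
        self.toc[self._free_slot()] = entry
        return entry

    def delete(self, name: str) -> None:
        for e in self._live():
            if e.name == name:
                e.in_use = False   # nothing else changes: pages and metadata stay
                return
        raise FileNotFoundError(name)

    def _read_entry(self, e: TocEntry) -> bytes:
        return b"".join(bytes(self.pages[p]) for p in e.pages)[:e.size]

    def read(self, name: str) -> bytes:
        return self._read_entry(next(e for e in self._live() if e.name == name))

    # ---- what an examiner can do that the normal file listing cannot ----
    def deleted_entries(self) -> List[TocEntry]:
        """TOC entries flagged deleted but not yet reused."""
        return [e for e in self.toc if e is not None and not e.in_use]

    def recover(self, e: TocEntry) -> bytes:
        """Follow a stale entry's page list and return whatever is there now."""
        return self._read_entry(e)

    def slack(self, name: str) -> bytes:
        """Bytes past the live file's logical end in its last page."""
        e = next(x for x in self._live() if x.name == name)
        offset = e.size - (len(e.pages) - 1) * PAGE_SIZE
        return bytes(self.pages[e.pages[-1]][offset:])

    def carve(self, needle: bytes) -> List[int]:
        """Ignore the TOC and scan every page for a known byte pattern."""
        return [i for i, pg in enumerate(self.pages) if needle in bytes(pg)]


def demo() -> dict:
    """Walk through the three states described in the post (constructed data)."""
    book = Book()
    book.write("memo.txt", b"SECRET: sell before audit")   # 25 bytes, pages 0-3
    book.delete("memo.txt")
    stale = book.deleted_entries()[0]
    intact = book.recover(stale)              # state 1: entry stale, pages untouched
    book.write("notes.txt", b"lunch at 12")   # 11 bytes, reuses pages 0-1
    partial = book.recover(stale)             # state 2: pages partly overwritten
    slack = book.slack("notes.txt")           # old memo bytes after notes' end
    book.write("todo.txt", b"call")           # no free slot: stale TOC entry reused
    return {
        "intact": intact,
        "partial": partial,
        "slack": slack,
        "stale_entries_left": len(book.deleted_entries()),   # state 3: metadata gone
        "carved_pages": book.carve(b"audi"),                 # content still on a page
    }
```

Running demo() returns the original memo for the first state, a memo whose first two pages now read as the new note for the second, the tail of the old memo as slack, zero stale TOC entries once the slot is reused, and page 2 as the only place the pattern still survives. Each of those maps onto a slide: recover by stale entry, recover partially by stale entry, recover by carving with no entry at all.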





The Point

The overall takeaway is, like most things in digital forensics, “it depends”. Know your audience, understand their perceptions and tailor your explanations and reports to them.


Sources:


Stacey (@4n6woman)
Throwing things into the trash can. As the bag fills up, it’s harder to pull the item out. Recovery can vary based on if the bag is empty, full, in your kitchen, in the dumpster by the road, taken by the garbage collector, or sitting at the landfill.
Also varies based on what goes on top of the item in the bag. If it’s all paper, relatively simple recovery. If it’s paper and then you cover it with spaghetti sauce, little more difficult. If burned trash, not recoverable.
Scott (@scottforensics)
My go-to is using the comparison of a hard drive and a book with a table of contents.  I can expand on that if needed...

So... when a file is created, it tells the table of contents, I need ten pages for this file. The TOC gives the system ten pages. When the file is deleted, the TOC deletes the file name but the ten pages containing that file remain intact and can still be read if you flip to those pages, even though there is no record in the TOC. Once the TOC needs those ten pages for a new file, the TOC grants some or all of the pages to the new file.
I think I heard it on @ovie ‘s CyberSpeak forensic podcast. It resonated with me & I’ve used it ever since. If it wasn’t him, it was definitely someone else on a podcast ~7 or 8 years ago.
Santiago Ayala (@darthsaac)
For a Windows environment I have used a diary and an index. The index is the MFT, the files are pages. If you write page 2, you add an index. The deletion process only removes the index entry and allows the page to be overwritten. The new paragraph may not completely overwrite the old one. In that case, you can explain slack space also.

@DFIRTraining
Choose the analogy that fits the audience. Someone who cooks can relate to a stovetop being RAM. The more burners (RAM) you have, the more you can cook (run) at the same time.
Vern (@malanalysis)
Neighborhoods: If you just take the address numbers off all the houses, the houses are still there and can be found and readdressed. If you destroy the houses they cannot be recovered.
Richard Harman (@xabean)
Hard drives are dry-erase boards, with stuck-on dry-erase marker that doesn't completely come off when you erase it. You can write over-top of it though!
It's a bit oversimplified, but I think it *begins* the discussion to get into the technical details.
Alternatively to describe the importance of a MFT/FAT/TOC/whatever: mentally visualize a jigsaw puzzle. The box it comes in shows what order the pieces are in, right? Now viz the same puzzle, no box showing what it's SUPPOSED to be, and all the pieces are perfect squares.
Puzzle can be reassembled in any order to show anything.  Or you can mix in a *completely different* puzzle's pieces (showing interleaving of data).
Andrew Hay (@andrewsmhay)
Paper shredders. Strip-Cut vs. Cross-Cut vs. Micro-Cut
Madeye Moddy (@madeye_c3t)
You can checkout of a hotel room but still be in the room until the next guest arrives.
Troy Schnack (@troyschnack)
The computer stores data similar to a grid of PO Boxes like at Mail Boxes Etc. What happens if you cancel your box rental while there is mail still in the box? The box has no name or association with an address or person, but the boxes can be manually inventoried and the mail found. Or, to more closely compare to a computer, the mail isn't removed until the PO Box number is used for a new rental customer or "filename".

