How to Explain Deleted Data
For Attorneys, Clients, Juries and More
I was recently asked by a colleague for an analogy to help
them explain how it was possible to recover data that a user had emptied
from the Recycle Bin / Deleted. The question reminded me that it’s easy to slip
into the belief that everyone inherently knows how stuff works. Attending
forensic training and conferences, we sometimes forget that what appears to us
to be basic and simple can sound like Star Trek: The Next Generation’s well-known
technobabble, e.g. “Increase the neutrino stream to the warp engine transducers”.
Completing reviews of digital data and finding new artifacts
can be exhilarating for a forensic investigator. The feeling of accomplishment
at finding the truth from the data is euphoric. That is the fun part. The truly
difficult part comes when we have to explain the information verbally and in
written form so that it is useful to those that need it most. The recipients
can include management, clients, attorneys, judges, juries and more. These
individuals may make life altering decisions based on their understanding of
our work product.
A few of my own ideas came to mind, but it occurred to me
that they were getting old and not very relatable. Many adults today have never
used a library with a card catalog, let alone a cassette tape or a phone book.
It was time to go to the #DFIR community for some fresh ideas. The community
responded!
(If you don’t follow
#DFIR on Twitter, you are missing out on outstanding information sharing from
some amazingly talented people in the industry.)
There were some great ideas. For reference, I’ve listed all
the suggestions and sources at the end of the blog. Among the comments was a critique
that “The analogies are just as complicated as the technical explanation.” That
is partly my concern as well. However, when people have an innate fear of or
resistance to technology, they can often relate to equally complex ideas from
a world or experience they do understand.
@DFIRTraining had a very logical suggestion: “Choose the
analogy that fits the audience. Someone who cooks can relate to a stovetop
being RAM. The more burners (RAM) you have, the more you can cook (run) at the
same time.” This is the idea that
should drive your choice of how to explain a highly technical
artifact to your audience. With this concept in mind, I chose a book and its table of
contents. My intended recipient is an attorney, and attorneys are very familiar with
books, tables of contents and indexes.
The Table of Contents (TOC) idea can be used in a simple or a
more in-depth explanation. In simple terms, a book’s TOC can have an entry
removed while the pages it references, text included, remain in the book. A
reader could scour the book for the undocumented chapter and read its contents.
Sometimes the case is more intricate. It may include digital
artifacts from slack space, or the original file metadata may be intact while the
data has been partially or completely overwritten. I can still rely on this
analogy, and the same holds for almost any analogy you choose. Just take some
time to use your imagination and tailor it to your audience.
I made a sample TOC and a slide containing data “pages”. I
can show the TOC entry marked for
deletion and explain that at print time it is hidden from the reader, while
the actual chapter and pages remain in the book. This demonstrates how the file’s
metadata can be recovered. The next step would be to show that the TOC entry is
needed for a new chapter in the book and is overwritten.
In another scenario, I could show how a replacement chapter
overwrites part or all of a chapter that is no longer needed. This keeps the book at the
same number of pages, just as a drive volume keeps its size, but demonstrates how the
partial data could be found and that the metadata of the original “deleted” TOC
entry could be found.
This starts to sound pretty complex, but when shown as a
slide or multiple slides, a picture makes it much easier.
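As an added illustration (not part of the original post, and not anyone’s forensic tool), here is a toy simulation in Python of the book-and-TOC model above: a chapter is written onto pages, its TOC entry is deleted, the pages are still found by flipping through the book, and a new chapter then overwrites some of them, leaving slack. The page size, chapter names and sample text are constructed.

```python
PAGE_SIZE = 8  # characters per "page"; constructed, deliberately tiny


class BookVolume:
    """A toy volume: numbered pages plus a table of contents (TOC) that maps
    a chapter (file) name to its page numbers and text length."""

    def __init__(self, page_count):
        self.pages = [""] * page_count   # page contents survive until overwritten
        self.toc = {}                    # name -> (page numbers, text length)

    def free_pages(self):
        used = {p for pages, _ in self.toc.values() for p in pages}
        return [i for i in range(len(self.pages)) if i not in used]

    def write(self, name, text):
        chunks = [text[i:i + PAGE_SIZE] for i in range(0, len(text), PAGE_SIZE)]
        free = self.free_pages()
        if len(chunks) > len(free):
            raise ValueError("volume full")
        pages = free[:len(chunks)]
        for p, chunk in zip(pages, chunks):
            # A short final chunk overwrites only part of the page; whatever an
            # earlier chapter left beyond it stays behind as slack.
            self.pages[p] = chunk + self.pages[p][len(chunk):]
        self.toc[name] = (pages, len(text))

    def delete(self, name):
        del self.toc[name]   # only the TOC entry goes; the pages are untouched

    def read(self, name):
        pages, length = self.toc[name]
        return "".join(self.pages[p] for p in pages)[:length]

    def carve(self, needle):
        """Flip through every page, ignoring the TOC, and report where the
        text still appears: the examiner's view rather than the reader's."""
        return [(i, pg) for i, pg in enumerate(self.pages) if needle in pg]


def demo():
    vol = BookVolume(page_count=4)
    vol.write("chapter1", "ALPHA-BRAVO-CHARLIE")   # needs 3 pages
    vol.delete("chapter1")                         # "emptied from the Recycle Bin"
    after_delete = vol.carve("CHAR")               # still readable on page 1
    vol.write("chapter2", "NEW-TEXT-X")            # reuses pages 0 and 1 only
    return {
        "after_delete": after_delete,
        "chapter2": vol.read("chapter2"),
        "page1_with_slack": vol.pages[1],   # new text, then old chapter's tail
        "page2_untouched": vol.pages[2],    # old chapter's last page, intact
    }
```

Running `demo()` shows the three states the slides walk through: the deleted chapter is fully carvable, the new chapter reads cleanly through the TOC, and page 1 holds both the new text and the old chapter's leftover as slack.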
The Point
The overall takeaway is that, like most things in digital
forensics, the answer is “it depends”. Know your audience, understand their
perceptions and tailor your explanation and reports to them.
Sources:
Stacey (@4n6woman)
Throwing things into the trash can. As the bag fills up,
it’s harder to pull the item out. Recovery can vary based on if the bag is
empty, full, in your kitchen, in the dumpster by the road, taken by the garbage
collector, or sitting at the landfill.
Also varies based on what goes on top of the item in the
bag. If it’s all paper, relatively simple recovery. If it’s paper and then you
cover it with spaghetti sauce, a little more difficult. If burned trash, not
recoverable.
Scott (@scottforensics)
My go-to is using the comparison of a hard drive and a book
with a table of contents. I can expand
on that if needed...
So... when a file is created, it tells the table of contents, I need ten pages for this file. The TOC gives the system ten pages. When the file is deleted, the TOC deletes the file name but the ten pages containing that file remain intact and can still be read if you flip to those pages, even though there is no record in the TOC. Once the TOC needs those ten pages for a new file, the TOC grants some or all of the pages to the new file.
…
I think I heard it on @ovie ‘s CyberSpeak forensic podcast.
It resonated with me & I’ve used it ever since. If it wasn’t him, it was
definitely someone else on a podcast ~7 or 8 years ago.
Santiago Ayala (@darthsaac)
For a Windows environment I have used a diary and an index. The index is the MFT, the files are pages. If you write page 2, you add an index entry. The deletion process only removes the index entry and allows the page to be overwritten. The new paragraph may not completely overwrite the old one. In that case, you can explain slack space also.
@DFIRTraining
Choose the analogy that fits the audience. Someone who cooks
can relate to a stovetop being RAM. The more burners (RAM) you have, the more
you can cook (run) at the same time. In that case, you can explain slack space
also.
Vern (@malanalysis)
Neighborhoods: If you just take the address numbers off all
the houses, the houses are still there and can be found and readdressed. If you
destroy the houses they cannot be recovered.
Richard Harman (@xabean)
Hard drives are dry-erase boards, with stuck-on dry-erase
marker that doesn't completely come off when you erase it. You can write over top of it though!
It's a bit oversimplified, but I think it *begins* the
discussion to get into the technical details.
Alternatively to describe the importance of a
MFT/FAT/TOC/whatever: mentally visualize a jigsaw puzzle. The box it comes in
shows what order the pieces are in, right? Now viz the same puzzle, no box
showing what it's SUPPOSED to be, and all the pieces are perfect squares.
Puzzle can be reassembled in any order to show
anything. Or you can mix in a
*completely different* puzzle's pieces (showing interleaving of data).
Andrew Hay (@andrewsmhay)
Paper shredders. Strip-Cut vs. Cross-Cut vs. Micro-Cut
Madeye Moddy (@madeye_c3t)
You can checkout of a hotel room but still be in the room
until the next guest arrives.
Troy Schnack (@troyschnack)
The computer stores data similar to a grid of PO Boxes like
at Mail Boxes Etc. What happens if you cancel your box rental while there is
mail still in the box? The box has no name or association with an address or
person, but the boxes can be manually inventoried
and the mail found. Or, to more closely compare to a
computer, the mail isn't removed until the PO Box number is used for a new
rental customer or "filename".