“Palo Alto Networks” reviewed the role of digital forensics in examining computers whose data have been deliberately deleted with the aim of concealing some evidence and illegal activities on them.
Many people believe that deleting data from a computer is similar to the process of burning copies of paper documents for the purpose of destroying them, that is, as if “What’s done is done”. Some people may take additional measures to ensure that the data has been deleted irreversibly, perhaps for the purpose of hiding any trace of practices related to criminal behaviour. On the other hand, however, we will find another group trying to collect and retrieve this data to form a trail of evidence.
Use digital forensics to recover deleted data
Every action a user performs leaves a digital footprint on the computer. Digital forensics experts use tools and techniques that track these traces by looking at the data at the level of your hard drive or disk. For example, digital forensics analysts can determine when a user is connected to a coffee shop’s Wi-Fi network, uncover chat history between two co-workers, identify previously connected external storage devices, and other actions.
Digital forensics can tell details of a user’s interaction with their personal computer, especially when it comes to actions taken by the user to hide or delete data. In the world of digital technologies, “what’s done” does not necessarily mean that it is actually “done”.
Examples of digital forensics work in data recovery operations
Palo Alto Networks reviewed two examples of forensic investigations in detail and their monitoring of malicious practices.
Example 1: Data recovery operations reveal attempts to hide intellectual theft
In the first example, a female employee quits her job and joins a competitor company working on a similar project. The former company suspects that the employee may have shared some information about the organization with the new competitor before formally resigning. However, the employee had already returned her personal computer after she “deleted” all the user’s data.
Digital forensics eventually revealed intellectual property theft and data corruption. An expert in digital forensics was able to recover scattered fragments of files as well as some other traces that had been previously deleted from the personal computer of a former employee. The results of the analysis revealed evidence indicating that an external flash drive was used to access design revision files, publishing plans, and other information that is considered the company’s intellectual property, while the computer was connected to the network of the competitor (the company that the employee moved to work with) two days after the resignation .
However, the biggest damage revealed by the digital forensics analysis was the relatively long stride that this former employee made when she tried to remove any trace of her action by deleting files en masse. Just days before she returned her computer to the company, the former employee installed a remote login tool and received a call from an Internet protocol number that later turned out to be one of the websites of an outsourced maintenance contractor who was suspected of participating in the crime. Just seconds after the connection was successful, the data was mass deleted from the computer. Without the use of digital forensics, the company would not have been able to detect and prove these illegal practices carried out by the former employee in collusion with the external maintenance contractor.
Second example: Digital forensics prove the theft of files
In another case, a company suspected that a former employee had violated the company’s intellectual property rights by stealing them before he was recently received from work for it, but the company did not have the evidence to prove that. After conducting an initial check on the employee’s Mac computer, it was found that most files and folders had been deleted. However, digital forensics operations proved that the former employee accessed his personal account on his personal iCloud account, synced a number of folders that contained data from the company’s intellectual property, and then deleted the same folders from his personal computer just days before he submitted his resignation. The experts succeeded in analyzing the impact of digital forensics and system records that kept previous historical records of these folders, and the approximate time it took to sync them with the iCloud account and then delete them from the computer.
Digital forensics established that the data was backed up during about the same period. These findings strengthened the legal basis that enabled the company’s attorneys to order an examination of the former employee’s personal devices.
As can be seen from the previous two examples, just because the data has been deleted does not necessarily mean that it is completely gone. Digital forensics allowed for different details of each of the former employees stealing the intellectual property information of the companies they previously worked for, and then trying to destroy and hide any trace of their actions. It is possible that the perpetrators in both cases did not realize what digital forensics experts can do, and the ability of these experts to trace the impact of their digital actions and uncover the truth.
Source: Palo Alto Networks press release.