Computer sleuths dig deep to solve crimes
For experts, 'delete doesn't mean gone'
By Marsha Walton
Kennesaw, GEORGIA (CNN) -- John Mallery says his current job as a computer forensic expert has some parallels to his former calling as a comedian, juggler and knife thrower.
"I've thrown knives around my wife. If I'm not in shape and I don't practice, I put her at risk," he said. "If I'm a forensic examiner and I don't keep up with my skills, bad guys get away."
Speaking at the Southeast Cybercrime Summit at Kennesaw State University outside Atlanta, Georgia, Mallery told participants that computer forensics is now part of an increasing number of criminal and civil investigations.
He is a managing consultant for the U.S. accounting firm BKD, LLP.
"Sexual harassment cases, embezzlement cases, corporate espionage, fraud, medical malpractice, wrongful death, child custody: I've worked all of these cases," he said. The most common cases he deals with involve theft of trade secrets and wrongful termination.
Mallery, who has lived in Kansas for 17 years, is familiar with the BTK case, the serial murders that haunted the Wichita, Kansas, area for three decades. Press reports say police obtained a floppy disk from suspect Dennis Rader's church to help track him down.
"There is a possibility that residual data would be there that would aid law enforcement in matching that back to whoever created it," he said. "In the BTK case, that might have been what helped law enforcement track this person down."
The variety and sophistication of digital devices are providing new possibilities for investigators. Mallery says law enforcement and corporate detectives no longer seek information just from desktop computers, servers and laptops, but now also from USB flash drives, PDAs, Blackberrys and cell phones.
One mantra for those in this field is: "Delete doesn't mean gone."
He compared the delete function on a computer to a library.
"For those who remember card catalogs, if you take a card out of the card catalog, the book is still on the shelf," Mallery said.
Deleting a file, emptying the recycle bin, even reformatting a hard drive will not necessarily get rid of information -- or evidence.
Law enforcement, and increasingly private businesses, have a number of tools to dig deeply into a computer.
"The Windows operating system, I liken to the Wizard of Oz," said Mallery. "It does the whizbang stuff, but the man behind the curtain with the applications, that's the realm of the computer forensics examiner."
For example, opening a Microsoft Word document creates 15 temporary files. Mallery says those temporary files, sitting in the background of a computer, often contain exactly the same contents as the original file. There are many such nooks and crannies that investigators can search, from virtual memory to temporary Internet files to spooler files that are created before a document is printed.
But recovering data is often not a clean and simple task, especially if suspects have taken steps to cover their tracks. There may be tens of thousands of files and file fragments that have to be examined to get useful evidence.
Once in a while, though, the criminal makes it easy.
"A methamphetamine dealer actually documented all of his sales on an Excel spreadsheet: Name, customer, what they purchased, when they purchased it," said Mallery. "Very good for law enforcement!"
But what's good for law enforcement also raises some privacy and practicality questions.
Judge James Rosenbaum, Chief District Judge for the District of Minnesota, wrote an essay for a legal journal called "In Defense of the DELETE Key."
Rosenbaum said just about everything we do these days is first generated on a computer, and anyone in the business of dealing with ideas shouldn't be afraid to express those ideas without self-censorship.
"If you choose to edit it or change it or shorten it or modify it doesn't mean you were lying when you started," said Rosenbaum. "Give me all your early stuff and I can probably make you look foolish," he said.
Rosenbaum says his essay was primarily an "idea piece" to recognize that human beings are still human beings. In the essay, he said some recovered information from deleted files "in less electronic times, would have been wadded up and thrown into a wastebasket."
Mallery said the field of computer forensics is constantly evolving, both on the legal and technology sides. But he's pretty sure about one thing.
"The only secure computer is one you never turn on, and you bury in the ground, six feet deep and covered with dirt," he laughed.