Data Recovery, Forensic Artifacts and Flight 370

13 Apr

We're all computer users now and by virtue of the fact that we write, we're all content creators as well. But what happens when you do not like the created content and decide to dump it – or accidentally close something without saving it? Is it necessarily gone?

The answer is, "No."

When a file is deleted, very little actually happens to it right away. It is de-indexed, and the space it occupies is marked as unused and available to be used again. It takes little effort for the right tools and the right skill set to bring that file back. But in time, because the computer sees that space as available, the file may get overwritten.

Overwriting a file is the only way for the file to get destroyed on a still-working hard disk. While this could happen in the casual use of a computer – or just in the computer being left on – there are typically billions of other places to which the computer could casually write. The file could be destroyed quickly – or it could hang around on the computer for years.
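The following sketch is an added illustration, not part of the original article. It models a disk as raw sectors plus an index (a constructed toy layout, not a real filesystem; `ToyDisk`, `carve` and `demo` are hypothetical names) and shows that a deleted file can still be carved out of the raw media by its signature until its sectors are overwritten.

```python
# Added illustration: a toy "disk" with an index and data sectors (constructed
# layout, not a real filesystem) showing that deletion only de-indexes a file.
SECTOR = 512
HEADER, FOOTER = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers


class ToyDisk:
    def __init__(self, sectors=64):
        self.raw = bytearray(SECTOR * sectors)   # raw media
        self.index = {}                          # name -> (first sector, length)
        self.free = set(range(sectors))          # sectors marked available

    def write(self, name, data):
        need = -(-len(data) // SECTOR)           # ceiling division
        start = next(s for s in sorted(self.free)
                     if all(s + i in self.free for i in range(need)))
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.free -= set(range(start, start + need))
        self.index[name] = (start, len(data))

    def delete(self, name):
        start, length = self.index.pop(name)     # de-index only
        need = -(-length // SECTOR)
        self.free |= set(range(start, start + need))   # mark space reusable
        # self.raw is deliberately untouched: the bytes stay on the media


def carve(raw):
    """Recover header..footer byte runs from raw media, ignoring the index."""
    found, pos = [], 0
    while (start := raw.find(HEADER, pos)) != -1:
        end = raw.find(FOOTER, start + len(HEADER))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(FOOTER)]))
        pos = end + len(FOOTER)
    return found


def demo():
    # Constructed sample "photo": signature bytes around filler text.
    photo = HEADER + b"\xe0" + b"constructed sample image data" * 20 + FOOTER
    disk = ToyDisk()
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")
    after_delete = carve(disk.raw) == [photo]      # still recoverable
    disk.write("new.bin", b"\x00" * len(photo))    # reuses the freed sectors
    after_overwrite = carve(disk.raw) == []        # now destroyed
    return after_delete, after_overwrite
```

The toy allocator always reuses the lowest free sectors, so the overwrite happens immediately; a real system has far more free space to choose from, which is why deleted data can linger.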

Additionally, when a file is created, it is not necessarily the only copy on the computer. Just by opening certain applications, like MS-Word, an additional but invisible file on the computer is created. It's there as a temporary autorecovery backup file so that when Word crashes, this extra file can save the day. It's deleted upon safely closing the document on which you are working, but a new one is created every time you reopen your file. And the deleted "temporary" version also hangs around on the computer, possibly for years.

There are programs designed and sold for the purpose of shredding or destroying data, but they do not know about these extra copies of documents. So, shredding a file does not get rid of the extra copy – or multiple copies, if you have worked on the same document several times.

These, along with many other operating system artifacts, provide grist for the forensic investigator or data recoverer's mill. It's extremely rare for there to be nothing to recover. Even when the hard drive is physically bad, a properly equipped lab has many tricks to get the thing into working order and recover the data. 30 years of real-world experience proves this out.

So we are led to the case of the data that may have been lost in connection with the recent ill-fated Malaysia Airlines flight 370.

There are many stories about the pilot's use of a home-grown flight simulator. There has been much speculation in the international press about this mysterious device. As it turns out, there's a strong likelihood that the pilot was just using a Windows computer with a commercial flight simulator program in it – one that's available to you and me. There are likely to be multiple loadable scenarios that the pilot traded with other pilots and players, but otherwise, not much different than what we might buy from a computer store. Deleted flight simulator files are like most other deleted files – not too hard to recover if simply deleted. And indeed, on April 2, the FBI announced that there was nothing unusual to be found on the pilot's "homemade flight simulator."

What about the plane itself? There are no reports of any communications between the passengers and anyone not on the plane. This is not necessarily unusual. Most or all of the passengers may not have had any idea the plane was off course, and by the time something dire looked like it was happening, they may have been over the middle of a remote ocean, out of range of any cell tower.

Surely though, at some point, people must have realized that something was going wrong. We can expect that electronic devices came out and people would have started trying to contact their loved ones, or some kind of help. Unfortunately, they did not get through, but if the debris of the plane is ever found, there may well be hundreds of smart phones and tablets found as well. Even though the messages did not go through to their intended recipients, drafts of messages, unsuccessful phone attempts, pictures, videos and voice recordings are likely to be on the mobile devices that may be floating in the sea.

As with computers, data from mobile devices can be recoverable, even if submerged in water, burned in a fire, or doused with fire retardant foam. We've done so many times over the decades. Some phones even have a kind of keylogger that records the last few hundred words typed on the device.

The wreckage might never be found and the mystery may never be solved. But, like a message in a bottle, a few of these mobile devices might yet get pulled up by a fisherman, or wash up on shore. It could be years hence, but we'll all want to see those last words recovered, those last images immortalized.

Some data can get lost, but some can last forever.



Source by Steve Burgess
