Forensic Update

Reflections on information management within the legal and regulatory arena

Perusing the Digital Library via your Computer’s Card Catalog…

Posted by Johnny Lee on September 14, 2010

Binary Card CatalogWhether we recognize it or not, our daily work with computers involves a great deal of behind-the-curtain changes within these systems that most of us never contemplate.  Indeed, the mere fact that you are reading this article indicates that you’ve altered the computer or device on which you’re perusing this site.  Some of these are automated changes, and some are the direct result of “manual” intervention by the user; all of them are potentially impactful to a forensically thorough review of a given system.

The vast majority of the changes performed by an end-user are mere housekeeping, such as removing the no-longer-useful drafts that lead up to the final version of an email, spreadsheet, or document.  However, to understand how computer forensics professionals recover files that don’t depart via such innocent means, it is imperative to learn a little more about the life cycle of a so-called deleted file.

To begin, we must assume that the audience is at least familiar with the concept of a library card catalog.  So, for the benefit of those who came of age after the 1990s, I will characterize the card catalog as a large bureau comprised of very skinny drawers, filled with thousands of index cards, each containing bibliographic information about a given book housed within that particular library.  In theory, every book within the library has a corresponding card (within the catalog drawers) that tells the reviewer of the card: (1) the book exists within the library, (2) some basic indicia about that book, such as the author, title, publication house and date, copyright information, etc., and (3) where to go within the library to lay hands on the book itself.

For most computer systems (and memory devices) in use today, the digital equivalent of the card catalog is called the File Allocation Table (“FAT”).  Simply put, the FAT is the framework of the file system that provides the means for a computer to identify where files have been written to the hard drive so that it can quickly retrieve them for use.  (For a broader introduction to FATs, please click here.)

When a new computer file is created (again, in most systems), a short entry is made within the directory where the file is to reside (akin to choosing the appropriate drawer within the library’s card catalog), then a new FAT entry is recorded (akin to creating a new card to place within that catalog drawer) to describe the file and tell the computer/librarian where to look within the hard drive/library for the file itself, and finally the data is written to the disk (akin to placing the “book” on an actual shelf within the library).

In the physical world, removing a book from a library would typically involve taking the book off the shelf, removing its corresponding bibliographic card from the card catalog, and disposing of both items.  However, the digital equivalent of this process undertakes only one of these steps.  Specifically, when a file is deleted the directory entry is changed to a “please ignore me” flag (using the E5 HEX value), which is akin to a hallway conversation with the librarian, quickly forgotten, that one of her 800,000 books has gone missing.  Next, the FAT entry is “zeroed out” (i.e., its previously useful information is overwritten with zero values), which is tantamount in the physical library to pulling the card from its catalog drawer, tearing it up, and throwing it away.  Finally, the computer does something otherwise quite curious, it leaves the data itself alone (i.e., nothing is touched where the file has been written to the hard drive), which is equivalent to leaving the physical book on its shelf.

Obviously, for those looking through the library for the contents of a given book, the card catalog provides a wealth of time-saving information in that search.  However, forensic examiners consider it second nature to review the computer’s card catalog (FAT) exhaustively then to promptly discount that the catalog represents the complete holdings of that library.  These examiners then employ a host of techniques to identify the library’s true inventory—whether the files/books are known to the librarian or whether they have been partially destroyed but still reside on the shelf.  Put differently, when a forensic examiner performs an analysis of what is on the computer, no stone is left un-turned; the examiner will interrogate the librarian, pour over the card catalog, thoroughly review each individual bookshelf, and even delve into the dumpster out back for remnants of disposed books.

So the next time you’re thinking about your daily use of a computer, try to appreciate what is really going on related to file storage and retention.  The delete button is an eminently useful device, but it is somewhat of a misnomer.  To a trained forensic examiner, the delete button is a semi-transparent fig leaf that merely obscures the deleted file for a short while.

The author would like to acknowledge the early adoption of the card catalog metaphor by authors Steven C. Bennett, Esq. (partner at Jones Day and Chair of that firm’s eDiscovery Committee) and Thomas M. Niccum, Ph.D. (founder and President of Lancet Software).  While their original use of this metaphor dates back (at least in print) to 2003, it has only recently started to become commonplace among the judiciary seeking to become more savvy on evidence obtained via computer forensic techniques.  Like any clear picture, the Bennett/Niccum metaphor speaks more eloquently than volumes on the subject.

Sorry, the comment form is closed at this time.

%d bloggers like this: