August 5, 2008
‘Deleted’ Clues Help Solve Crimes
By Augie Frost, The Oklahoman
Aug. 5--You may think you deleted that file from your computer. You might think emptying the recycle bin will erase it forever.
But deep in the recesses of your hard drive, the file remains intact and can be found -- by someone who knows how to look.
The same is true for any device that stores data electronically, such as printers, cell phones and answering machines.
That saved one Oklahoma City detective who accidentally deleted a key confession from a voice recorder, said Oklahoma City police Sgt. Rob Holland, who heads up the computer forensics unit. Holland was able to find and restore the deleted file using special software.
Computer forensics is becoming a key component of solving crimes, but not just computer crimes, said Patrick Kennedy, lead computer forensics agent with the Oklahoma State Bureau of Investigations. Electronic evidence has helped solve murders, rapes, robberies, child pornography cases and even has jailed a few officials.
"We're more than doubling our caseload each year," Kennedy said. "People are becoming more computer savvy, and computers are more and more embedded in people's everyday lives."
Clues for law enforcement In years past, investigators would have to dissect only one computer with a 20 gigabyte hard drive; today they typically confiscate several computers with much larger hard drives. The amount of data they must sift through is often "daunting," Kennedy said. But increasingly it's a necessary job.
More than half of all computer-based cases involve child pornography, Kennedy and Holland said. And in nearly every case, digital evidence can be extracted and used to prosecute, Holland said.
When homicide detectives have exhausted all leads, they might look at e-mails sent by the victim, what cell phone calls were made or even the person's Internet history, Holland said.
Such was the case in Weleetka, where Taylor Paschal-Placker, 13, and Skyla Whitaker, 11, were shot to death June 8 on a rural road.
Investigators confiscated several computers the girls might have used to determine whether they could develop any leads, Kennedy said.
He would not say whether the computers have aided in the investigation, but said it never hurts to have one extra tool.
"If agents solve the case in two or three days without the computer, then fine," Kennedy said. "But if they run out of leads, then we can break into the computer and at least get the address book and take a look at e-mails and Web history and see if there is something there that will provide a lead."
How to hunt for clues on the computer Investigators start by taking detailed photos of a computer and its components.
One thing they never do is turn a computer on, because even that action can write over a potentially incriminating file. Files are never really deleted unless they are written over by another file, which occurs randomly in a hard drive, Kennedy said.
Investigators make an exact copy of the hard drive to preserve the original as evidence. That copy is subjected to special software on high-speed computers that can find and extract files, Kennedy said.
From there, it is the job of the investigators to turn what they find into viable courtroom evidence, Holland said.
Aiding in corporate investigations Computer forensics is not limited to law enforcement. The Center for Computer Forensics, based in Southfield, Mich., handles a lot of corporate investigations, such as allegations that an employee is stealing from or sabotaging a company, said Ives Potrafka, lead investigator for the company.
Much like police, the company investigator will preserve the data first and ask the employer to explain the problem. Then the investigator starts running key words on the computer to find incriminating active files or deleted files that are hidden away in the hard drive, Potrafka said.
"An employer might be able to find some evidence, but it is important to have a professional preserve the data," he said. "An employer might destroy the evidence if not done right."
Often cases involve allegations from employees about another or violations of company policies, such as romantic relationships, Potrafka said. Some workers get in trouble simply for stealing music and storing it on the company's computer.
The bottom line, Potrafka said, is if it was ever there, it is still there and they will find it.
To see more of The Oklahoman, or to subscribe to the newspaper, go to http://www.newsok.com.
Copyright (c) 2008, The Oklahoman
Distributed by McClatchy-Tribune Information Services.
For reprints, email [email protected], call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.