Ask Anything: 10 questions with digital forensics expert Larry Daniel
Posted December 30, 2008
Updated January 5, 2009
Given the forensic shows now on TV, do you think that people can get away with crimes today because of things they learn on the shows? – Melissa Lancaster, Rocky Mount
If you are talking about the “real” forensics shows that you see on the Discovery Channel, then I suppose you could learn some things that would make it harder for law enforcement to catch you by using forensic techniques.
However, the vast majority of crimes do not involve any kind of forensics work. Most crimes are solved using plain, old detective work such as talking to witnesses, looking for evidence and questioning suspects.
In major crimes like murder, rape or fraud, forensics may play a large role in connecting a suspect to the victim through DNA, computer and paper records and fingerprints.
With privacy in mind, what tips can you offer for reducing our digital footprints on our personal computers and/or online? I’m interested in both behavior changes and software tools. – Wes Miller, Raleigh
There is always a trade-off between being secure and having convenience. In the long run, most people opt for convenience by storing their passwords on their computer, not using up-to-date anti-virus software and by using easy-to-guess passwords.
To reduce your digital footprint online, you should definitely be behind a firewall, do not store passwords in your Web browser and keep your anti-virus software up to date.
Do not store your passwords on the computer. I have seen documents on users' computers that list every password for every account they have, including their online banking and credit card accounts.
How can deleted data be retrieved from a PC? How is it possible to know what Internet sites have been visited? Thank you. – Susan Prior, Raleigh
The foundation of computer forensics is actually data recovery. Without the ability to recover deleted files, computer forensics would be a very limited area. You can even purchase data recovery software at major retailers that can recover your deleted files.
As far as Internet history goes, every browser stores history of the Internet sites that the user visits. You can turn this feature off on some browsers, and you can use the built-in tools in the browsers to delete Internet history. To view the history on the computer, providing that it has not been deleted, you can simply use the history feature in the browser to look at sites visited.
However, make note that deleting the Internet history in the browser does not remove all the evidence of sites visited as some information is stored in different places on the computer, depending on which operating system is being used, i.e. Windows XP, Vista or others.
If I donate or sell a computer I no longer need, what should I do to erase my data so that I can feel confident that no one will later be able to access personal information previously stored on it? – Cyndi Tomblin, Cary
The simple solution that is fine in most cases is to use the recovery disks that came with the computer to do a destructive system restore. That will delete the existing partitions and re-create them like they were when the computer was prepped at the factory.
Be aware that this is not a 100 percent solution, as it will leave files in areas on the drive that can be recovered using forensics software.
To be 100 percent certain that no data is recoverable, you need to forensically wipe the hard drive using software that will overwrite the entire hard drive with ones or zeros. You can buy this software at some major retailers, download it from the Internet or have a trusted computer technician do it for you. We offer forensic cleaning of hard drives as one of our services as well.
Is the forensic technology as advanced as television shows such as "CSI" portray? – Amber, Raleigh
Shows like CSI and movies that use forensics as part of the story line use a combination of real forensics techniques and “Hollywood” forensics. Many of the devices you see in movies and on television do not exist at all, or if they do, they do not perform as shown in these stories.
This is especially true regarding computer hacking that you see in movies and on television. You simply cannot break into the Department of Defense's computer network in a couple of minutes by entering some keystrokes into a computer.
Also, when you see someone attach a device to a computer in a movie and they get all the data in 30 seconds, that is plain fantasy. It can take hours to get a copy of a hard drive.
Once you format your hard drive, does it erase everything or can information still be retrieved? – Charles Elliott, Rocky Mount
Formatting a hard drive does not erase any of the data stored on the drive. All formatting does is remove the table the computer uses to find those files, making them invisible, so to speak. Almost any data recovery software can retrieve files from a formatted hard drive.
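Added example, not part of the interview and not Larry Daniel's code: a toy Python model of the difference the answers above describe between formatting a drive (only the file table is cleared) and forensically wiping it (every byte is overwritten). The disk layout, table format and sample file are assumptions constructed for illustration; only the JPEG start and end markers are real.

```python
import struct

SECTOR = 512
ENTRY = struct.Struct("<16sII")   # name, start offset, length (toy table layout, assumed)
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # real JPEG start/end markers

# Constructed sample "photo": real markers around made-up content.
PHOTO = JPEG_SOI + b"\xe0" + b"constructed sample picture data" + JPEG_EOI

def build_image(files, sectors=16):
    """Create a toy disk: sector 0 holds the file table, data sectors follow."""
    img = bytearray(SECTOR * sectors)
    offset = SECTOR
    for i, (name, data) in enumerate(files):
        ENTRY.pack_into(img, i * ENTRY.size, name.encode(), offset, len(data))
        img[offset:offset + len(data)] = data
        offset += -(-len(data) // SECTOR) * SECTOR   # round up to the next sector
    return img

def list_files(img):
    """What the operating system shows: only files that have a table entry."""
    found = []
    for pos in range(0, SECTOR - ENTRY.size + 1, ENTRY.size):
        name, start, length = ENTRY.unpack_from(img, pos)
        if length:
            found.append((name.rstrip(b"\0").decode(), bytes(img[start:start + length])))
    return found

def quick_format(img):
    """Model of a format: clear the table only, leave the data sectors alone."""
    img[0:SECTOR] = bytes(SECTOR)

def wipe(img, fill=0x00):
    """Model of a forensic wipe: overwrite every byte of the drive."""
    img[:] = bytes([fill]) * len(img)

def carve(img):
    """Recover files by scanning raw bytes for JPEG signatures, ignoring the table."""
    out, pos = [], 0
    while (start := img.find(JPEG_SOI, pos)) != -1:
        end = img.find(JPEG_EOI, start)
        if end == -1:
            break
        out.append(bytes(img[start:end + 2]))
        pos = end + 2
    return out
```

After `quick_format` the file listing is empty but `carve` still returns the photo; after `wipe` nothing is left to carve.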
How did you get started in computer forensics? What was your background beforehand and what classes, etc. did you have to complete prior to your first forensics position? – Wes Miller, Raleigh
I got started in computer forensics initially by doing data recovery for clients. That led to clients asking me to recover specific data that could be used in some types of civil cases.
When I started in this field, I already had more than 20 years of experience with computers and software, doing programming and hardware maintenance. Since 2002, I have attended an additional 100 hours of forensics-specific training.
I am looking into a career in computer/digital forensics. Can you help point me in the right direction in terms of education and as a mentor? – Rissa Chan, Durham
When I started in this field, there were no college programs or public educational programs specific to digital forensics. In the last few years, many universities have added computer-forensics degree programs to their catalogs.
Most of the career opportunities in this field are still in law enforcement. The issue there is that in the vast majority of cases, they require you to serve as a police officer for several years before you can apply to do computer forensics. And even then, there is no guarantee that you will be able to get the position.
The private sector is growing and hiring computer forensics graduates; however, I have not seen the growth in jobs catching up to the number of graduates as of yet.
My daughter is graduating this year from high school and is planning on majoring in forensic science at Western Carolina University. Does this degree get her an entry-level position or will she have to go further to become an expert in a certain area? – Susan Hall, Wake Forest
Nearly all of the traditional forensic fields require advanced degrees and several years of experience to become an expert. Most of the experts such as forensic anthropologists, forensic psychiatrists and DNA experts all practice in a primary area or work as university professors/researchers and only do forensics as part of their practice.
I know “deleting” is a misnomer as it still is retained in your hard drive. Without a court order for search and seizure, with probable cause, how can it be used against me? While the data may be deleted, the hard drive is still my original property in my possession. Yes, any data from most any device can be used in criminal/civil matters (with proper court orders). How can this “free-seizure” of my data be legal (unless aforementioned facts were followed) and then allowed against me? Is this not a violation of my constitutional rights? Thank you! – GDSB, Roanoke Rapids
All data can be used in criminal and civil matters under certain circumstances. I believe your question is more about when it can be used.
The Fourth Amendment protection against unlawful search and seizure only applies to government entities such as law enforcement.
The Fourth Amendment does not apply to private searches. A private search can be conducted or authorized by anyone who has a legal right to the data stored on the computer, such as employers or spouses. Since computers are common property, spouses can give consent to a private search of the computer.
Also, it is important to remember that you can give up your right to privacy through several means:
- When you take your computer to a repair shop, you are giving the computer technician the right to any data on the computer because you have placed the computer in his or her custody.
- If you have peer-to-peer file sharing programs installed on your computer and are sharing files on the Internet, intentionally or unintentionally, you have opened the computer to the public and anyone can search the computer remotely, even law enforcement, without a warrant.
- If you give the computer away, the new owner has full rights to any data on the computer.
- If the police come to your door without a warrant and ask to search the computer, any adult residing at the residence can give consent, whether they own or use the computer at all. As long as the police reasonably believe that the person giving consent has the right to do so, it will normally be allowed in court.
If you have specific questions concerning privacy, your best avenue is to consult an attorney.