A commonly held adage in the field of digital forensics is that “Nothing is ever really deleted”. A recent announcement by the Department of Justice regarding the missing Strzok/Page text messages completely supports that line of thinking. In an article posted on the Fox News Channel website (Jake Gibson & Alex Pappas), Justice Department Inspector General Michael Horowitz was quoted as saying that they “succeeded in using forensic tools to recover text message from FBI devices, including text messages between Mr. Strzok and Ms. Page that were sent or received between December 14, 2016 and May 17, 2017.” Horowitz went on to say that the DoJ will provide recovered messages to the Department so their leadership can take appropriate action. Considering the fact that we’re talking about roughly 50,000 text messages, this could take some time. The hardest part of digital forensics is not finding the evidence, but sorting through the evidence and finding the “smokin’ gun”. Sophisticated forensic tools in the hands of experienced investigators like those at McCann Global Investigations help reduce the challenge of looking for the proverbial “needle in a haystack”.
When is a file actually deleted?
When a file is “deleted” from a digital device, it isn’t really erased from the system. The operating system keeps track of where a file is stored on the device by way of an index. When a file is copied to a hard drive, the operating system makes an entry in this index that includes the location of the file and its size. When I file is deleted, the operating system simply flags the index entry as having been deleted and makes the space available for another file. If the location of the original file is not overwritten by another file, then the original file can be “undeleted”. This is not to be mistaken with the venerable Windows Recycle Bin. The Recycle Bin is merely a place where the operating system moves the deleted file temporarily so it can be easily recovered if necessary. Even if a user empties the Recycle Bin, the file in question will remain intact in an area referred to as unallocated disk space.
What about email?
Deleted email falls into a similar category but in most cases, can be much easier to recover. At any given time, an email that was sent and received exists in at least three locations; the sender’s computer, the recipient’s computer, and the email server. If an email is deleted from the sender’s computer, the email in question still exists on both the recipient’s computer as well as the email server. Even if both the sender and recipient delete the email message from their computers, the email (in most cases) remains on the server. Typically, email servers are backed up regularly, so it is likely that a copy of the email in question exists on a backup as well.
Is it the same for text messages?
The text message process is similar, but there are a few differences to consider. Like email, a text message exists in three places at the same time however, the nature of text message servers is quite different. Text messaging is provided as a service by cell phone providers. It uses a protocol called Simple Message Service (SMS). In most cases, a text message doesn’t go directly from phone to phone, but is processed through a server similar in function to an email server however in most cases, a typical text message is not retained on the server for more than a few days at most. The volume of data is just too massive to try and store for any longer than that. This being said, most people have an automatic backup system configured on their smartphones which backs up entire text message conversations to cloud storage (Apple iCloud, Verizon Cloud, etc.) The text message can be deleted from both the sender’s and recipient’s smartphones as well as the text server, but the message could STILL exist on the user’s cloud storage. If the user gets a new smartphone, these conversations can be recovered by restoring the phone from the cloud backup.
About McCann Global:
In today’s complex legal cases, evidence is rarely singularly digital or traditional, but begins in one realm and quickly cross over into the other. The days of an investigation involving merely taking statements and photocopying documents are all but things of the past. Modern evidence gathering requires the agility to go where the evidence leads, no matter the source.
This not only means overcoming the challenge of understanding the ever-evolving web of digital evidence, but owning the entire evidentiary space; The nexus of both the digital and the non-digital.
McCann Cyber runs the table in this space. We either have the digital or traditional expert you need on staff, or we know that expert…. personally. McCann operates its own dedicated state of the art digital forensics lab, staffed with certified technicians, supplemented with a former cyber prosecutor, veteran law enforcement investigators, government cybersecurity experts, and certified fraud examiners. McCann is the only turnkey solution for the gathering, processing, analyzing, and reporting all types of evidence, no matter the source. Our team, drawn from both government service and private industry, has the resources, knowledge, and experience to provide expert testimony ensuring the evidence is both relevant and defensible in all proceedings.
McCann Cyber IS that nexus.