Hard drive investigation

Andy B

New Member
Hi.
New to site. Hope this is in the correct place.

I've got a problem with a contractor who has falsified some letters by predating them. If I can get an expert to search his computer, will the correct order the letters were written in be on the hard drive, or is it possible for him to corrupt the information?

Many thanks :)
 
It depends on who you are hiring, but it should be easy to find the order in which they were written. Also, it would be relatively easy for him to falsify that as well, but then again, it would be possible to see past that too. It's just a game of cat and mouse, but with the right expert, it can be done.
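As an added illustration of the cat-and-mouse point in the reply above (not part of the original thread): a file's modification time can be set to anything, but on a POSIX file system the kernel records the inode change time itself, so a backdated file shows a modification time far older than its change time. The file names, the 1999 date and `TOLERANCE` are constructed for the example; it assumes Linux or macOS (on Windows `st_ctime` means creation time), and it is only a heuristic, since files copied with preserved times look the same and a system clock changed before writing is not caught.

```python
import os
import tempfile
from datetime import datetime, timezone

TOLERANCE = 2.0  # assumed slack in seconds between writing data and metadata

def timestamp_report(path):
    """Compare the settable mtime with the inode change time (POSIX ctime)."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "mtime": st.st_mtime,   # can be set to any value with os.utime / touch
        "ctime": st.st_ctime,   # set by the kernel whenever the inode changes
        "backdated": st.st_ctime - st.st_mtime > TOLERANCE,
    }

def demo():
    """Constructed sample: two letters written now, one then backdated to 1999."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "letter_honest.txt")
        forged = os.path.join(d, "letter_forged.txt")
        for p in (honest, forged):
            with open(p, "w") as f:
                f.write("constructed sample letter\n")
        claimed = datetime(1999, 3, 1, tzinfo=timezone.utc).timestamp()
        os.utime(forged, (claimed, claimed))  # what a backdating tool does
        reports = [timestamp_report(p) for p in (honest, forged)]
    # Order by the claimed date versus order by the kernel-recorded change time.
    by_mtime = [r["name"] for r in sorted(reports, key=lambda r: r["mtime"])]
    by_ctime = [r["name"] for r in sorted(reports, key=lambda r: r["ctime"])]
    return reports, by_mtime, by_ctime

if __name__ == "__main__":
    reports, by_mtime, by_ctime = demo()
    for r in reports:
        print(r["name"], "backdated" if r["backdated"] else "consistent")
    print("order by claimed date:", by_mtime)
    print("order by change time: ", by_ctime)
```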
 
I need to be sure he can't insert the earlier letters without them being detected.
I need a really big cat.
Found a company called Dataclinic on Web. Forensic computer crime investigation. Will give them a ring tomorrow. Has anyone any suggestions of a good expert?
 
Your chances are extremely slim. Modern file systems like NTFS, HFS+, ext3, and reiser all use metadata for their files. You see, before metadata was around, if you modified a file, for example changed the date on it, it would actually make a whole new copy of the file and mark the old one for deletion when the space was needed. That caused a lot of fragmentation issues. These days that is no longer the case. Every time you modify a file it overwrites the existing file, and all the data about your data is stored in the metadata. And of course you are able to even edit the metadata as well.

The only thing you may be able to salvage is the creation date of the invoice, but again that does not prove anything. I also work as an independent/subcontractor for onsite technology. My invoice template was created over a year ago, so every single invoice I make using MS Word has the same creation date. This is because I made a template where I could just fill in the blanks. I can only assume anyone who is writing invoices would do this; it makes much more sense than recreating the file every time you needed to send out an invoice.

I wouldn't bother trying to prove this unless you really are willing to spend the 1000s upon 1000s of dollars it costs to do a complete data salvage from a HD. Which would require having the physical disk and destroying it. The machinery they use will destroy the HD during the process. Or if this person actually kept the original invoices and the modified ones. However, you won't know until you have physical access. Also be careful because if you use any unlawful methods to obtain this data it will be totally inadmissible in court.
 
Oh dear, that's not what I was hoping for. The original files date from 1999, I assume the computer will be older still. How long have the modern file systems been around? It is a very small company and I assume they will not update their systems too often.
Everything will be through the courts, so legally it will be ok.

How many thousands are we talking about? (Dollars ok, I'm in UK, all £s here.) Already spent £50,000 as we go to court. :(
 
You may be in luck then. Assuming that the computer ran on Windows 98 or older, the drives should be using FAT32, not NTFS.
 
Well, over in the US, data recovery can range from about 1,000 to 5,000 dollars on one hard drive depending on the circumstance. If the file system on the computer in question is in fact FAT 32, then every time a file was modified a totally new file was created and the old one was just marked for deletion. NTFS file system did not come around full swing till about 2002 because a lot of users who upgraded from 98 to XP did not convert their file system to NTFS.

There may be a good chance to recover the data; however, it would probably take weeks to go through a HD that has been used for almost 8 years now, and that would drive the cost up even more.

What you would want to do is salvage all original files off the HD and see if you can actually access them. Now, I mean, is this even the original HD? A HD to last 8 years is a pretty slight chance.
 
I will check if hard drive is original!
If he has upgraded the computer I assume he would have transferred all the files to the new one, would the new one contain all the information I'm after?
 
Andy, it's completely circumstance with your ordeal. I would recommend you hire a reputable professional to consult you on these matters, not some kid and some guy across the pond over the internet. It's not that I don't want to help, it's that once someone gets a chance to physically see it, they can better answer your question.
 
I agree with tlarkin, plus if this is from 1999 it's more than likely been reformatted a few times since then anyway :confused:
 
Well, formatting a drive does not get rid of the data unless they actually wrote like 0s to every sector of the drive and did a secure wipe. Even then it is still not impossible to retrieve data, or so at least the FBI claims.

Typically a specialist should be contacted. I have done my fair share of data recovery but all of it has been software based; someone who actually operates the recovery machinery (which is expensive) would know a lot more than I would. In the past I have used this company for clients of mine.

www.drivesavers.com

It may be a place to start asking questions.
 
I know, but your chances are slim if data has been written over and over, plus having the OS reinstalled 2 or 3 times.
 
Yes, I agree, but formatting a drive does not overwrite any data. It just simply wipes the table of contents and marks every sector as open. A full format does the same thing and verifies the sector. The only way to do a secure format is through a third party utility because Windows does not offer that with their disk utilities. Linux and OS X do however.

You can format a drive 1000 times and I can still pull all the data off it, unless you are actually writing zeros and ones to every sector, and that takes a long time to do on a HD.
 
Spoke to a computer forensic expert today, he says he is almost certain that he can retrieve the required data. I realise he was bound to say that but he did sound extremely confident. :)
 
Not even Windows XP detects dating errors.

If you changed your calendar to 1995 right now and downloaded some files from the internet, and then changed your date back to 2007, and sorted the files by date created/modified, they'd show up first, and say they were created in 1995.

Not only that, but hard drives are completely non-linear. There's really nothing you can do, except get a backlog from his or your email service showing when the e-mail was actually delivered (and I don't know what hoops you'd have to jump through to do this).

Modern privacy laws pretty much prevent any personal level vigilant efforts over the internet, unless somehow it becomes a federal level trial, in which case the feds don't really care about the law, they'll just scoop up his computer, and hold the server operators at gunpoint until they give them the delivery backlog :)

so make up a story.... say he predated the e-mails...... and attempted to sell you kiddie porn ;)
 
I just thought of the word I was looking for...

You'd have to have the backlogs EXTRADITED by a judge ;)

I don't think a P.I. could do that for you, or the papers wouldn't be presentable in court.
 
He is in Europe, and in the US you would need a subpoena to access someone's private data. They would also have to be served that subpoena. So I am not sure how the court systems work out there; over in the UK he may just need a judge's approval.
 