Hot on the E-Trail of Evidence at Enron


Wed Jan 30 01:10:29 2002

JANUARY 29, 2002

By Alex Salkever


Much of that "shredded" data is being restored by computer forensics experts who know where and how to find it

How much information about the Enron case did Arthur Andersen and Enron actually destroy? And what can investigators retrieve? The answer to both questions, surprisingly, is quite a lot.

David B. Duncan, the Andersen partner who oversaw dealings with the now-bankrupt Houston energy concern, was fired on Jan. 15 for allegedly ordering aides to shred documents in late October. Duncan claims he was following Andersen policies. The process halted on Nov. 9, when Andersen received a letter of inquiry from the Securities & Exchange Commission. On Jan. 15, the company claimed it had "...successfully recovered documents from electronic backup files, and is continuing efforts to retrieve more."

The key word here is electronic. While shredded paper is hard to reconstitute into meaningful documents, electronic information, such as e-mail, word-processing files, and spreadsheets, can be retrieved with the right software. In fact, this case may hinge more on electronic records than on hard paper.

SINS OF OMISSION. E-mail is fairly easy to retrieve. Unwisely or not, people are often more open in electronic communication than they are in hard-copy documents. Witness how skillfully David Boies wove e-mail evidence together in pressing the Justice Dept.'s antitrust case against Microsoft.

Even more important is that copies of e-mail and other electronic data often reside in multiple places. Simply deleting a file rarely removes all traces of it from a hard drive. Indeed, the very disaster-recovery software and hardware that many companies have installed to ensure business continuity, particularly in light of September 11, works against anyone trying to quickly destroy evidence.

What's more, many systems log when specific files are deleted, and by whom. That can provide valuable clues of omission to investigators. "There's only one completely effective method to destroy data. Take your computer into the yard and get busy with a very large hammer," says Dave Stringer-Calvert, a forensics expert at high-tech research and development shop SRI International, based in Menlo Park, Calif.

NICHE BUSINESS. For now, the spotlight isn't so much on Enron as it is on Arthur Andersen. Although the Big Five accounting firm declined to discuss for this article the specifics of the recovery efforts now under way, experts can provide some insight. Resurrecting evidence from deleted electronic documents is known as computer forensics, or electronic discovery. The process of poring over hard drives of former employees or subpoenaed workers has become a niche business in the high-tech world.

Just like in a traditional crime case, e-detectives usually start by winnowing the field of suspects -- and the times at which information was likely recorded. "Once you narrow the dates and the people, then you narrow down what you need to grab," says Dave Stenhouse, the director of operations at Computer Forensics in Seattle.

While the details of the Enron/Andersen investigations remain secret, experts say what usually happens in such cases is probers seize the desktops and laptops of suspects, as well as mail servers, backup servers, and any other device that could hold evidence. That can be no small task, as they might be widely dispersed around the country -- and even around the globe in the case of big companies such as Andersen and Enron. But that can be a good thing, as the more widely dispersed evidence is, the harder it is for anyone to destroy it all.

Turning on any confiscated computer is a definite no-no, however. Rather, investigators make copies of hard disks or any other storage media holding information. This includes backup servers, e-mail servers, or any other place that system information and files might be stored. The copy is a bit-for-bit image of the entire drive, unused space included, and investigators record a cryptographic hash of it so they can later show that the copy matches the original and was not altered during analysis. Having the copies allows investigators to preserve the originals as evidence, a standard procedure in IT forensics.

EASY CATCH. Then investigators start to sift through the replicas with specialized read-only software that cannot further alter the data. Starting up a computer could trigger a data booby-trap program that a clever user might have installed to destroy evidence automatically. "Even a computer that hasn't been tampered with will alter the contents of the disk in various ways when started up, potentially destroying evidence," says Stringer-Calvert.

If suspects have left any evidence in clear text on those machines or if backups have captured this evidence in clear text, then it's a relatively easy catch for investigators. But even deleted e-mail messages and other data files can often be retrieved.

E-mail in particular is a treasure trove to many forensics experts. Generally, whenever someone sends an e-mail, it passes from their own machine to their corporate mail server, which in turn directs it to the mail server indicated as its destination point, located either at another corporation or at a large Internet service provider. The second mail server then directs the e-mail to the final recipient.

SERVERS AROUND THE WORLD. Some mail servers archive material and messages for a number of days, weeks, or even months. Those messages might remain in the mail server's archives long after they were ostensibly deleted from the computer that sent or received them, says Rob Lee, a computer forensics instructor with security organization SANS Institute in Bethesda, Md. "You may have one or two e-mail servers that handle the majority of the e-mail being routed in and out of your office," says Lee. "If you take a company like Enron or Andersen that have multiple locations, you probably have redundant servers."
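The two paragraphs above describe the hop-by-hop path a message takes and note that each server on that path may keep its own copy. Every server that handles a message prepends a Received: header, so the path can be read back out of the message itself. The script below does that for a constructed sample message. It is an added example, not code from the original article; the hostnames, addresses and timestamps in the sample are made up, and the header format it parses is the standard "from X by Y ... ; date" form.

```python
"""Reconstruct the path an e-mail took from its Received: headers.

Added example, not from the original article. SAMPLE_MESSAGE is constructed;
every host in it is fictitious.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Servers prepend their Received: header as the message passes through, so
# the header at the top of the message is the LAST hop, not the first.
SAMPLE_MESSAGE = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [192.0.2.20])
\tby mail.recipient.example (Postfix) with ESMTP id 7C3B1
\tfor <bob@recipient.example>; Tue, 30 Oct 2001 14:03:12 -0600
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby mx2.example-isp.net with ESMTP id 9F01A;
\tTue, 30 Oct 2001 14:02:58 -0600
Received: from workstation42.sender.example ([10.1.2.42])
\tby mail.sender.example with SMTP id 1A2B3;
\tTue, 30 Oct 2001 14:02:40 -0600
From: alice@sender.example
To: bob@recipient.example
Subject: draft

text
"""

# "from <sending host> ... by <receiving host>" as most MTAs write it
HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)")


def hops(raw_message):
    """Return (sending_host, receiving_host, timestamp) per hop, earliest first."""
    msg = message_from_string(raw_message)
    result = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())          # unfold the continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                            # non-standard header: skip it
        stamp = None
        if ";" in flat:                         # the date follows the last ';'
            try:
                stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        result.append((m.group("src"), m.group("dst"), stamp))
    return result


def servers_that_saw(raw_message):
    """Every host in the chain, in order. Each is a place a copy or log may persist."""
    seen = []
    for src, dst, _ in hops(raw_message):
        for host in (src, dst):
            if host not in seen:
                seen.append(host)
    return seen


if __name__ == "__main__":
    for src, dst, stamp in hops(SAMPLE_MESSAGE):
        print(f"{stamp}  {src} -> {dst}")
    print("hosts to subpoena or image:", servers_that_saw(SAMPLE_MESSAGE))
```

Reading the chain from the bottom up gives the sending workstation, the sender's corporate mail server, the recipient's provider and the recipient's server, which is exactly the list of machines where an investigator would look for copies after the sender's own mailbox has been emptied. Received: headers can be forged by whoever injects the message, so the chain is a lead to follow up on the servers themselves, not proof on its own.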

Bigger organizations also use magnetic storage systems, designed to archive large amounts of data ranging from e-mail to spreadsheets to more specialized documents. Even these magnetic systems, as well as the servers themselves, are often backed up for easy recovery in case of earthquake, power outage, or other business interruptions. "These are a virtual gold mine for people like us," says Stenhouse.

But he adds that many companies don't keep archived e-mails or other constantly changing types of files, such as Word documents, for long periods. They know that keeping scads of information can open companies to all kinds of questions when lawsuits arise.

NOT-SO-EMPTY TRASH. Computer forensics investigators can also extract from machines information that the user might think he has deleted. Indeed, to an untrained person, it would appear that the information is completely gone. "Say you highlight a folder, you hit the delete key, and everything deletes. You would think everything is gone. That's not true at all," says Lee. "More likely than not, all that information is sitting on your system." Yes, you heard it right. Even when you empty your trash, the computer does not discard the information completely.

How could that be? Deleting a file normally removes only the directory entry that points to it and marks the space it occupied as free; the contents stay on the disk until something else happens to be written over them. Investigators using special scanning tools, such as EnCase from Guidance Software, can search that unallocated space for relevant fragments, much as one might use a search engine to locate information on a certain term. Even reformatting a hard drive won't eliminate fragments of deleted files. "That's a common misconception. All that does is change the data at the beginning of the drive," says Lee.

Not that it's impossible to eliminate files. So-called "wiper" programs are widely available for free on the Internet. Even commercial applications are inexpensive, with many programs running less than $100. What wipers do is write new, meaningless data on top of the old. A free-space wipe overwrites the regions of the disk that the file system marks as unused but that may still hold fragments of deleted files, which makes it nearly impossible to recover good information from those regions.
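The points made above, that investigators image and hash a drive rather than booting it, that emptying the trash or reformatting leaves the old bytes in place, and that only a wiper actually overwrites them, can all be shown on a small model of a disk. The script below is an added example, not code from the original article or from any of the tools it names. It builds a toy drive with a block allocation table (block size, file names and contents are constructed for illustration), "deletes" a file the way ordinary file systems do, images the drive, searches the image for a keyword, and then runs a free-space wipe and searches again.

```python
"""Why "deleted" is not "gone": a toy disk with a block allocation table.

Added example, not code from the original article. The block size, file
names and contents are constructed for illustration; real file systems lay
data out differently, but the principle is the one the experts describe:
deletion frees the blocks, it does not clear them.
"""
import hashlib
import os

BLOCK = 64      # bytes per block (constructed; real disks use 512 or 4096)
NBLOCKS = 16


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)   # all zeros: a blank drive
        self.free = set(range(NBLOCKS))         # blocks not owned by a file
        self.directory = {}                     # name -> list of block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        blocks = []
        for chunk in chunks:
            b = min(self.free)                  # lowest free block first
            self.free.remove(b)
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name):
        """Emptying the trash: forget the name, mark the blocks reusable.
        The bytes in those blocks are left exactly as they were."""
        self.free.update(self.directory.pop(name))

    def quick_format(self):
        """A quick reformat: the directory is dropped and every block is
        marked free, but nothing is overwritten."""
        self.directory.clear()
        self.free = set(range(NBLOCKS))

    def wipe_free_space(self):
        """What a wiper does: overwrite every block that no live file owns."""
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)


def image(disk):
    """Forensic copy: a bit-for-bit duplicate of the whole drive, unallocated
    blocks included, plus a hash so the copy can be shown to be unaltered."""
    data = bytes(disk.raw)
    return data, hashlib.sha256(data).hexdigest()


def carve(image_bytes, keyword):
    """Keyword search over the entire image, allocated or not; returns every
    byte offset at which the keyword appears."""
    hits, start = [], 0
    while (i := image_bytes.find(keyword, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def demo():
    """Walk through delete -> image -> carve -> wipe and report what was found."""
    disk = ToyDisk()
    memo = b"Delete this memo: the October working papers must not reach the auditors."
    disk.write("memo.txt", memo)               # constructed sample content
    disk.write("notes.txt", b"Q3 figures attached.")
    disk.delete("memo.txt")                    # the user empties the trash

    img, digest = image(disk)                  # the investigator images the drive
    after_delete = bool(carve(img, b"October working papers"))
    # Searching the copy must not change it; re-hashing proves it did not.
    unchanged = hashlib.sha256(img).hexdigest() == digest

    disk.wipe_free_space()                     # a wiper pass on the original
    img, _ = image(disk)
    after_wipe = bool(carve(img, b"October working papers"))
    live_file_intact = bool(carve(img, b"Q3 figures"))
    return {"after_delete": after_delete, "image_unchanged": unchanged,
            "after_wipe": after_wipe, "live_file_intact": live_file_intact}


def quick_format_keeps_data():
    """Lee's point: a reformat alone leaves the old contents in place."""
    disk = ToyDisk()
    disk.write("ledger.xls", b"adjusted entries for the Q3 report")
    disk.quick_format()
    img, _ = image(disk)
    return bool(carve(img, b"adjusted entries"))


if __name__ == "__main__":
    print(demo())
    print("survives quick format:", quick_format_keeps_data())
```

The keyword search runs against the image, never the original, and the hash comparison is the check that the search left the image untouched. Note what the wipe does and does not do: it destroys the freed memo but leaves the still-allocated notes file exactly as it was, and it touches only this one drive; the copies on mail servers and backups the article goes on to describe are unaffected.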

PERSISTENT LOGS. Using a wiper, however, isn't something that can be done in an instant. According to Lee, wiping 10 gigabytes of data would take two hours. "That's the same as shredding an entire roomful of paper documents," he says. Wiping out information across multiple data systems, from PCs to backups to mail servers, is harder still and would likely require a concentrated effort by info-tech personnel.

Even if a determined exec manages to successfully wipe out data on his own machine and archived material, some evidence still hangs around. Many programs keep close tabs on what files get erased and when, even down to the user who erased them. "There is a log mechanism internal to Windows that shows which files were deleted, who deleted them, and what deleted them. That log information is very difficult to erase, and it takes a skilled Windows operating system person to do that," says Lee.

The upshot? Destroying electronic evidence is pretty hard to do. Right now, that's a good thing for the SEC and investigators hot on the trail of a bankruptcy debacle like Enron.

With reporting by Joseph Weber in Chicago

Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online
Edited by Douglas Harbrecht

