The Daily Caveat is written by Michael Thomas, a recovering corporate investigator in the Washington, DC area.

8/16/2005
When Delete Isn't Good Enough - The Consequences of Using Anti-Forensic Software
Almost anyone surfing the web (and no doubt everyone using Internet Explorer rather than Firefox) has experienced intermittent, annoying pop-up advertisements offering products that are gar-run-teed to scrub your hard drive of embarrassing or sensitive files.

China's The Standard business paper has an interesting article on the proliferation of such software, its effects on computer forensics and the potential legal repercussions for those who utilize them in an attempt to hide illegal conduct:
Software hide and seek

August 9, 2005
The Standard
By Steven Barrie-Anthony
(Article originally appeared in the L.A. Times)

...Making files gone has become a booming industry unto itself. Sales of Evidence Eliminator run in the millions of dollars each year, says Andrew Churchill, managing director of Robin Hood Software of Britain - and it's just one of more than a dozen "file shredder" or "anti-forensic" products on the market. Eraser, a similar tool available free over the Internet, is downloaded roughly 2.5 million times per year, according to its distributor, Ireland's Heidi Computers.

Many of these software vendors claim that their programs, in the words of one, "use wipe methods that exceed the standards set by the US Department of Defense" (CyberCide); others boast the capability to "erase to both the US Department of Defense and German Military/Government standards" (DataEraser). Their Web sites urge protection against overly curious bosses, family members, corporate competitors and all variants of law enforcement. "You are at very high risk of investigation!" warns the Evidence Eliminator Web site. "There is no need for you to play Russian roulette with your job, family, car, property. Act now!"...

...For your average consumer, "The biggest concern is wanting to get rid of things they're afraid a spouse will find on the computer," says Brendan Koerner, a Wired magazine contributing editor. But spouses aren't the only ones encountering sanitized hard drives. Law enforcement agencies such as the FBI say that in the last year an increasing number of suspects chose to use such computer programs and that they expect the trend will continue. "It is not surprising to us that this technology is out there," says FBI spokesman Paul Bresson. "And we'll see it even more."

Making files reappear is a booming business also. Computers are evidentiary treasure troves, and law enforcement isn't willing to roll over without a fight. "Five years ago, there were 1,000 law enforcement and government workers out there attacking this problem," says John Colbert, chief executive of Guidance Software, which makes the forensic software most used by law enforcement. "Now there are about 20,000"... Private-sector forensics is growing alongside law enforcement. Navigant Consulting, a litigation support company, has doubled its computer-forensics business over the last six months, says managing director James Gordon; Deloitte & Touche's Forensics Investigation Services division had 79 percent growth in the last year, says senior manager Bill Farwell.

Of course, the upswing isn't linked solely to the new popularity of anti-forensic software, there are plenty of regularly deleted files to chase after, but also to the central role that computers are playing these days in civil, criminal and corporate conflict. "We do have methods which allow us to produce the evidence needed for investigation," says Jim Plitt, director of the US Immigration and Customs Enforcement's Cyber Crimes Center, the bastion of classified high-tech in charge of analyzing Johnson's hard drives. "They've got their classified information and we've got ours," counters Evidence Eliminator's Churchill. "There will never be any way to defeat Evidence Eliminator"...

...Whether or not overwritten data ultimately is recoverable, in courtrooms the use of anti-forensic software is often enough to imply guilt or invite steep sanctions. Even if the software works as planned, each program leaves a unique footprint easily identified by investigators. "The courts are pretty harsh when software like this is used on data that should have been preserved," says Dave Schultz, manager of legal technologies consulting for forensic company Kroll Ontrack. "You can expect fines, adverse inferences - like the judge telling the jury to presume that useful information was deleted - all the way to default judgments."

Which was the case when the magistrate in a California civil trial involving the misappropriation of trade secrets ruled that defendant Matthew Hewitt's use of Evidence Eliminator was "a stark affront to the judicial process." The data was "gone forever," wrote the magistrate. Hewitt contended that he used the program only to cover up evidence of an affair and other embarrassments, but he was ordered to pay his former employer, a market research company Communications Center, more than US$145,000 (HK$1.13 million) in costs and fees.

Last year, the 9th US Circuit Court of Appeals upheld a similar ruling. Former Cisco Systems vice president Robert Gordon had been convicted of embezzling and was required to pony up restitution, including what it cost Cisco to dredge his Evidence Eliminated computer. There is greater precedent for these kinds of legal sanctions in civil rather than criminal court, but a look at the June indictment against Johnson will give anybody in the gaze of law enforcement pause. Johnson, who says he is not guilty, could face as many as 30 years in prison if convicted of downloading and possessing child pornography, and an additional 20 years if convicted of destroying evidence with Evidence Eliminator.

Although not sympathetic to criminals, some anti-forensic software makers and privacy advocates express concern about the use of such software as evidence of wrongdoing. It seems awfully Orwellian to be punished for deleting personal information, they say. And at least one federal judge is rethinking the whole hornet's nest of electronic evidence. "Evidence-gathering is becoming very heavily directed toward cyber materials," says James Rosenbaum, chief district judge of the district of Minnesota.

In 2000, Rosenbaum published an article titled "In Defense of the Delete Key" in which he recommends a cyber statute of limitations: "This limitation recognizes that even the best humans may have a somewhat less than heavenly aspect," he writes. "It acknowledges that anyone is entitled to make a mistake and to think a less than perfect thought." The courts should allow for the existence of "cyber trash," he writes: "This is what the delete button was meant for, and why pencils still have erasers. Let's engage in the fiction that maybe human beings just make mistakes once in a while," says Rosenbaum. "That your first draft is just a first draft, not a fraud. Maybe it shouldn't be discoverable any more than when you used to throw the first draft of a letter into a wastebasket."

The full article, with expanded info on the techniques used by forensic investigators, can be found here.

-- MDT


all content © Michael D. Thomas 2010