Recovering Deleted Data from Flash Devices

Article

Added 29th Nov 2011

Team CIO

The man who claimed to have attached a bomb collar to an Australian high school student some weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory.

Court documents that were recently describe the harrowing incident, which began when a man broke into Madeline Pulver’s bedroom wearing a striped balaclava and wielding a black aluminum baseball bat. He told her to sit down and chained a black box around her neck.

He also draped a purple lanyard over the terrified girl with a note saying that the black box was a bomb. The note included ransom instructions for Pulver’s family, telling them to e-mail a Google address—dirkstraun1840@gmail.com—for further instructions. Also on the lanyard was a 4GB USB stick that contained a digital version of the note, saved as a PDF file.

The next 10 hours were a grueling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: Paul P.

A few days later, US authorities arrested Paul “Doug” Peters, 50, in La Grange, Kentucky, seeking to extradite him to Australia to face kidnapping and breaking-and-entering charges. It’s not clear why Peters attempted such a bizarre crime, but US prosecutors say he once worked for a company linked to Pulver’s family. The girl’s father, Bill Pulver, is the CEO of voice recognition software company Appen Butler Hill.

Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.

Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.

As computer geeks and investigators know, when users delete a file from a computer the file isn’t deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.

With flash drives things are more complex, thanks to mechanisms built into the drives to prolong their lifespan. Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called “wear leveling” to even out how the memory cells are used. A side effect of wear leveling is that it is “almost impossible” to completely erase data from a flash device, McClain said.

That can come in handy for people trying to recover photos or other files they’ve accidentally deleted, and there are many tools, some of them free, to help recover their data.

latest Articles

CIOs Don't Need to be Business Leaders

Given the complexity of today's applications, it's folly to suggest that the future role of the CIO is less technical and more businesslike, columnist Bernard Golden writes. If anything, it's the opposite -- the business side of the enterprise should embrace technology.
10 Steps to Business Process Transformation

Spurred by the recession, CIOs have sharpened their focus on processes, as companies strive for greater efficiency, and transformed business models, believes Coonie Moore Principal Analyst at Forrester Research.
Keeping IT Up

How IT business continuity is challenged by four tech megatrends: Social, mobile, virtualization and cloud.
5 Things I Have Learned: Alagu Balaraman

Alagu Balaraman, former CIO and current partner and MD India Operations at consultancy firm CGN & Associates, has spent 20 years doing different things and doing things differently.

View all articles

articles

10 Ways To Improve Disaster Recovery Preparedness

articles

Making Sure It's Business as Usual, even During Earthquakes

What happens if your company's system cracks under pressure due to natural disasters,such as the earthquake that sent tremors around the world today?

news

Forrester's Outlines 5 Rising, 5 Declining Security Tech

Security technologies rise and fall in popularity, and Forrester Research in its TechRadar report puts its bets on five it thinks are in a growth mode and five it thinks are dying away.

news

PwC: India Inc Gets Pay Right(er)

The growing use of a risk-to-pay variable--like ESOPS--as a portion of compensation packages of Indian senior executives is a sign of growing maturity in the way India Inc looks at compensation, says PwC.

news

Microsoft Planning Real-Time Feed of Core Threat Data

Microsoft holds a trove of valuable threat data gathered from botnet takedowns, and now is reportedly testing a system to share that data.

news

RIM's Future Hangs on Developer Support for "New BlackBerry"

Research in Motion at its annual BlackBerry World conference next week will focus on simplifying development for its soon-to-be-unveiled BlackBerry 10 operating system.

View all »

CIO Book Club

Price: Rs 800

Reviewed by:

Vijay Ramachandran, Editor, CIO

V. Subramaniam, Director-IT & CIO, Otis India and Gulf Area

CIOIN