
Computers hinder paper shredders

The average office shredder doesn't alter the computers where most paper documents originate, giving forensics experts plenty of digital media to dig through when hard copies are missing.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
The last time shredders dominated American headlines, Ronald Reagan was president, Fawn Hall was an employee of the National Security Council, and computers were a rarity compared with their ubiquity today.

In the shredding scandale du jour, involving bankrupt energy company Enron and its auditor, Arthur Andersen, the digital office has immeasurably changed the landscape for would-be document destruction--and recovery. The reason: The average office shredder does nothing to alter the computers where the vast majority of those paper documents originated.

As investigators contemplate the Herculean jigsaw puzzle of reassembling shredded paper strips, computer forensics experts are preparing for the comparatively easier task of examining desktop computers, laptops, e-mail servers, backup tapes and other digital media for information on the Enron debacle--and any evidence of a cover-up.

"Most people don't think of the computer as a continually running tape recorder," said Joan Feldman, president and founder of Computer Forensics in Seattle. "But it is. It's the closest thing we have in our culture to something that's recording our every thought and every word. And we're not taught to think of them that way."

Three years after Justice Department lawyers in the Microsoft antitrust suit embarrassed software mogul Bill Gates with damaging e-mail records, digital trails continue to provide stunningly intimate details of private activities. Although forensic details of the Enron meltdown are not yet being made public, powerful data-recovery techniques promise to turn a spotlight on the inner workings of the beleaguered energy company, which abruptly tumbled into bankruptcy in December amid accusations of accounting improprieties.

The attempt to destroy documents has become a focus of Enron's collapse and its dealings with its accounting firm, Andersen. Federal investigators have accused Andersen employees of trying to wipe out documents that showed they knew the energy giant was engaged in fraudulent activity.

Specifically, investigators have focused on an Oct. 23 meeting, during which Andersen partner David Duncan allegedly headed an effort to destroy documents related to Enron after learning the Securities and Exchange Commission had requested financial records from the company.

When asked about his role during a congressional hearing last month, which examined the destruction of e-mails and other documents, Duncan invoked his Fifth Amendment right not to incriminate himself.

Digging through data
In a sign that computer evidence will figure prominently in the Enron investigation, Andersen last week hired Cedar Park, Texas-based computer forensics company ASR Data Acquisition and Analysis to recover deleted or overwritten digital data.

The obligation to preserve documents that might figure into an investigation or trial is well-known among businesses and in government. But the extension of that legal principle to include digital data was, until just a few years ago, a hazier matter. Many lawyers argued, with some success, that their clients didn't understand that they were violating the rules of discovery when they wrote over a file.

Three years ago, that argument went out the window.

"The disingenuous reaction became useless as soon as Bill Gates became the poster child for bad e-mail," said Feldman, referring to the then-Microsoft CEO's testimony after lawyers in the government's antitrust case read recovered e-mails from company executives on a nationally televised videotape. "There was sort of a turning point where any last gasping chance that people thought they had to say they didn't know about this issue was over."

Like other digital files, e-mail is easy to search using keywords--for instance, "Enron" or "Netscape." But more than other digital files, e-mail has a tendency to leave copies of itself in places the average sender wouldn't think to look when attempting to make it go away.

In the process of composing an e-mail, copies may exist in the "out" box of the e-mail program, on the client's hard drive and on a corporate backup tape. That's before the e-mail is even sent.

Once delivered, the e-mail can exist on any number of servers between sender and recipient, not to mention the myriad destinations where it might be forwarded once it reaches its destination. Then there are synchronizations between desktop computers, laptops and PDAs (personal digital assistants) where more copies may reside.

"If you have a hard time grasping this, think of rabbits," Feldman said. "Think about their incredible reproductive nature, and think about trying to get them all back. That's the challenge for people trying to get rid of e-mail, and that's where we prevail."

Search and destroy
Computer forensic investigators approaching situations such as the Enron and Arthur Andersen case start by collecting potential sources of digital files. Corporate backup tapes must be transferred to a hard drive, where massive amounts of information can be searched and sorted.

Then investigators turn to individuals' computers. For each person under investigation, there may be two or three computers targeted--for example, a desktop at work, a laptop and a home computer.

Instead of booting up the targeted computer, forensics experts typically make an evidentiary copy of the hard drive to capture everything on the computer--deleted files and all. That copy lets investigators avoid accusations of tampering with evidence.

"If, in addition to examining files directly on the computer, I open it up to read it, I have changed the meta-data for that file," Feldman said. "That changes the last access date and time, and if I do anything more I may have also modified that file. So, it becomes very difficult to weed out or parse through that which was there prior to the review. If you have to testify to it, you wind up dancing through a sea of razor blades and you start to look like an idiot."

Once the investigators have their copy, they bring it back to the lab, where they use special software tools to dig through the data. One popular software suite is called EnCase. Produced by Guidance Software, a computer forensics hardware and software company in Pasadena, Calif., the tool examines the hard drive, identifies and locates deleted files, and allows for text searching and other analysis tricks.

The software can also tell investigators if a deleted file has been written over partially, leaving some data that can be recovered.

Still, people who are serious about making information disappear don't settle for writing on top of a file just once. Typical government procedure is to write over it four times, said Anthony Pellicano, an investigator at Forensic Audio Lab in Los Angeles who examined the 18-1/2 minutes of erased tape from the Nixon White House, among other crucial pieces of evidence in high-profile cases. Another computer forensics expert said the Department of Defense policy is to write over files seven times.

"If I drag a file to the trash and empty the trash, that just means that there was a pointer and now it says don't point to that anymore," Pellicano said. "But if something is erased and something is written on top of it, then you can forget about it--you'll never get it back."

Computer forensics specialists draw a distinction between merely writing over information and deliberately wiping a file. A deleted file may be written over partially and without the computer user's knowledge. But someone who sets out to wipe a file does so with the aid of software such as Norton Utilities Wipe Info, repeatedly, from beginning to end.
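The three situations the preceding paragraphs distinguish, a plain delete, a later partial overwrite and a deliberate multi-pass wipe, can be shown on a toy disk. The following is an added example written for this page; it is not code from the article, from EnCase, from Norton Utilities or from any of the firms named. The block size, the directory layout, the memo text and the four-pass wipe pattern are all constructed for illustration and match no real filesystem or wiping standard.

```python
"""
Added example (not from the CNET article): a constructed toy disk showing why
an ordinary delete leaves a file's bytes recoverable from an evidentiary copy,
why later writes may overwrite it only partially, and why a deliberate
multi-pass wipe leaves nothing to carve. The on-disk layout is invented for
illustration and matches no real filesystem.
"""
from __future__ import annotations

import hashlib
import os
import re

BLOCK = 64  # constructed block size in bytes


class ToyDisk:
    """A directory (name -> block numbers) over a flat byte array."""

    def __init__(self, nblocks: int = 16) -> None:
        self.data = bytearray(BLOCK * nblocks)
        self.dir: dict[str, list[int]] = {}
        self.free = list(range(nblocks))

    def write_file(self, name: str, content: bytes) -> None:
        blocks = []
        for off in range(0, len(content), BLOCK):
            b = min(self.free)  # lowest free block first, so freed space gets reused
            self.free.remove(b)
            chunk = content[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.dir[name] = blocks

    def delete(self, name: str) -> None:
        # Ordinary delete: only the directory "pointer" goes; the bytes stay.
        self.free.extend(self.dir.pop(name))

    def wipe(self, name: str, passes: int = 4) -> None:
        # Deliberate wipe: every block of the file is overwritten, start to
        # end, on each pass (random data here), then the entry is removed.
        for _ in range(passes):
            for b in self.dir[name]:
                self.data[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)


def image(disk: ToyDisk) -> tuple[bytes, str]:
    """Evidentiary copy: a bit-for-bit image plus its SHA-256, so all later
    work happens on the copy and the copy can be shown to match the original."""
    img = bytes(disk.data)
    return img, hashlib.sha256(img).hexdigest()


def verify_copy(img: bytes, digest: str) -> bool:
    return hashlib.sha256(img).hexdigest() == digest


def unallocated(disk: ToyDisk, img: bytes) -> bytes:
    """Blocks no directory entry points to: where deleted data lives."""
    used = {b for blocks in disk.dir.values() for b in blocks}
    return b"".join(img[b * BLOCK:(b + 1) * BLOCK]
                    for b in range(len(img) // BLOCK) if b not in used)


def carve(region: bytes, keyword: bytes, context: int = 20) -> list[bytes]:
    """Keyword search over raw bytes, returning the text around each hit."""
    hits = []
    for m in re.finditer(re.escape(keyword), region):
        start = max(0, m.start() - context)
        hits.append(region[start:m.end() + context].strip(b"\0"))
    return hits


def demo() -> dict:
    disk = ToyDisk()
    memo = b"MEMO: shred the Enron working papers before the SEC asks. " * 2
    disk.write_file("memo.txt", memo)  # 116 bytes -> blocks 0 and 1
    disk.write_file("note.txt", b"second note about Enron, deliberately wiped")
    disk.delete("memo.txt")  # pointer gone, bytes remain
    disk.wipe("note.txt")    # overwritten four times, then unlinked
    disk.write_file("budget.txt", b"unrelated budget notes")  # reuses block 0: partial overwrite
    img, digest = image(disk)
    slack = unallocated(disk, img)
    return {
        "copy_verified": verify_copy(img, digest),
        "live_files": sorted(disk.dir),
        "memo_block0_recoverable": memo[:BLOCK] in img,
        "memo_block1_recoverable": memo[BLOCK:] in img,
        "wiped_note_recoverable": b"deliberately wiped" in img,
        "enron_hits_in_unallocated": carve(slack, b"Enron"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows that the deleted memo's first block is lost once the budget file reuses it, its second block still carves out of unallocated space with a keyword search, and the wiped note is gone in every pass. The hash kept alongside the image is what lets an examiner show that the working copy is what was seized and that the original was not touched.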

That distinction is more than a forensic one. Investigators, lawyers and congressional representatives are particularly interested in finding out whether someone deliberately wiped information after it was reasonable to think a court might want to see it.

"We look for system activity to see if someone was using a file-shredding program--which in itself isn't illegal or unethical, unless you're under subpoena or the threat of subpoena," said Computer Forensics' Feldman.

Learning from pack rats
Christopher Wolf, an attorney at Proskauer Rose who deals with issues of "spoliation," or the destruction of documents, said clients should keep items they know may be needed in an investigation or case.

Parties involved in a case can later ask a judge to withhold documents as evidence, but destroying them once an investigation has begun can lead to real trouble.

For one thing, it can result in charges of obstruction of justice. Or in a civil case, a judge can allow the jury to question a document-destroying party's intentions. For example, judges in certain cases will tell jurors they should assume missing documents are harmful simply because they were destroyed--even if they never see the contents.

Wolf says digital documents have been fertile ground for evidence in many cases. "People say things in e-mails and attach documents to e-mail they might not have done in the hard-copy world," he noted.

But the success of efforts to recover data from Arthur Andersen and Enron computers depends on several factors, not least of which are the savvy and persistence of those who might have tried to destroy data.

"It's almost kind of like a game of leapfrog," said Andrew Rosen, chief executive of ASR. "As the technology used to recover the data gets better, the technology used to destroy data gets better."

Rosen, who likens his quest to digital archaeology, said the challenge comes not so much from retrieving deleted information, but from piecing it together and developing a time line that tells the story of what actually happened.

"Simply getting the data back is one of the easiest questions, but figuring out the who, what, where and why often involves a significant bit of analysis," he said.
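The two analysis steps quoted above, Feldman's check for system activity showing a file-shredding program in use and Rosen's assembly of a timeline, fit together in one small tool. The following is an added example written for this page, not code from the article, from ASR or from Computer Forensics. The log formats, hostnames, user names, file paths, dates and the wipe-tool list (apart from the Wipe Info name the article mentions) are all constructed; the hold date is likewise an assumption for the example.

```python
"""
Added example (not from the CNET article): merge constructed artifacts from
two sources (a process-execution log and file-system timestamps) into one
timeline, then flag file-shredding activity that occurred after a legal hold
began. Log formats, hostnames, users, paths and dates are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: executables treated as file-wiping tools. Wipe Info is the
# Norton utility the article names; the other two are stand-ins.
WIPE_TOOLS = {"wipeinfo.exe", "shred.exe", "eraser.exe"}

# Constructed sample artifacts (not real Enron or Andersen data).
PROCESS_LOG = """\
2001-10-19T08:55:10 host=ws-17 user=jdoe exec=winword.exe
2001-10-22T17:40:03 host=ws-17 user=jdoe exec=wipeinfo.exe
2001-10-24T09:12:44 host=ws-17 user=jdoe exec=outlook.exe
2001-10-24T09:30:08 host=ws-17 user=jdoe exec=wipeinfo.exe
2001-10-25T11:05:51 host=ws-09 user=asmith exec=excel.exe
"""
FS_EVENTS = """\
2001-10-22T17:41:20 host=ws-17 path=C:\\docs\\q3-memo.doc event=deleted
2001-10-24T09:31:15 host=ws-17 path=C:\\docs\\sec-reply.doc event=deleted
2001-10-24T09:31:16 host=ws-17 path=C:\\docs\\sec-reply.doc event=overwritten
2001-10-25T11:06:30 host=ws-09 path=C:\\docs\\budget.xls event=modified
"""

LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+(.*)$")

HOLD_START = datetime(2001, 10, 23)  # constructed: assumed start of the hold


@dataclass(order=True, frozen=True)
class Event:
    when: datetime
    host: str
    source: str   # "process" or "fs"
    detail: str


def parse(text: str, source: str) -> list[Event]:
    """Parse one artifact source; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, host, rest = m.groups()
        events.append(Event(datetime.fromisoformat(when), host, source, rest))
    return events


def build_timeline(*sources: list[Event]) -> list[Event]:
    """One chronologically ordered view across all artifact sources."""
    return sorted(e for src in sources for e in src)


def wipe_runs(events: list[Event]) -> list[Event]:
    """Process events whose executable is a known wiping tool."""
    runs = []
    for e in events:
        if e.source != "process":
            continue
        m = re.search(r"exec=(\S+)", e.detail)
        if m and m.group(1).lower() in WIPE_TOOLS:
            runs.append(e)
    return runs


def post_hold_wiping(events: list[Event], hold_start: datetime,
                     window: timedelta = timedelta(minutes=5)
                     ) -> list[tuple[Event, list[Event]]]:
    """Wipe-tool runs on or after the hold date, each paired with the
    file-system events on the same host within `window` afterwards."""
    findings = []
    for run in wipe_runs(events):
        if run.when < hold_start:
            continue  # before the hold: noted in the timeline, not flagged
        nearby = [e for e in events
                  if e.source == "fs" and e.host == run.host
                  and run.when <= e.when <= run.when + window]
        findings.append((run, nearby))
    return findings


if __name__ == "__main__":
    tl = build_timeline(parse(PROCESS_LOG, "process"), parse(FS_EVENTS, "fs"))
    for e in tl:
        print(e.when.isoformat(), e.host, e.source, e.detail)
    for run, nearby in post_hold_wiping(tl, HOLD_START):
        print("FLAG:", run.when, run.host, run.detail,
              "->", [n.detail for n in nearby])
```

On the constructed data the earlier Wipe Info run stays in the timeline but is not flagged, because it predates the hold; the later one is flagged together with the delete-and-overwrite of the same document a minute afterwards, which is exactly the pairing of tool activity and file fate that turns "the data is gone" into "who removed what, and when".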