Original Post Date: June 24, 2014
Lois Lerner and her bad sectors
In attempting to inform about digital forensics in a topical
and relevant manner, we'll seek to answer some questions about the current
events surrounding Lois Lerner and the "bad sectors" on her IRS computer
hard drive, which, if taken at face value, were the culprit in losing part of a
large archive of emails which could possibly serve to implicate or exonerate
her in any wrongdoing in her official capacity.
So what is a sector?
Picture a traditional (i.e., not a solid state or flash memory) hard
drive as a stack of magnetic pancakes or discs.
These "pancakes" store data magnetically and are divided into
sectors for the purpose of locating and presenting the data when the user requests
it. The operating system addresses the
sectors in a standard format so it knows where it put your data, almost like
GPS coordinates for information on your hard drive. This data is not written to the sectors in a
sequential or linear format, but is rather plopped down on the hard drive wherever the
operating system thinks it can fit it.
This is why you often hear geeks tell you to "de-frag" your
hard drive if it's running slow. The
larger the hard drive, the more space there is between bits of data and
therefore, the longer it can take for the operating system to locate the
information you need (especially when multi-tasking) and get the information to
you. When you "de-frag" (or
defragment) your hard drive, it takes all the data and neatly stacks it one on
top of the other so the empty (or unallocated) spaces on the hard drive are in
one area of the drive and the usable portions (allocated space) are all
together... more or less... but data still resides in the space where it was
moved from; it's simply re-named in the file system so the operating system
knows that it is not usable, writable space, but it is not empty.
Most hard drives do have bad sectors, but they are
identified by the operating system and tagged as unusable. They generally don't amount to a great amount
of space on the hard drive, so you generally don't miss that space when you're
trying to write information to the drive.
If the drive has not been maintained properly, is simply old or is of
poor quality, bad sectors can form over time and the data inside them can be
"lost"; however, that doesn't mean it can't be recovered at all.
When data resides in bad sectors, it can mean several
things. As stated in the article located
here (http://www.atola.com/products/insight/bad-sector-recovery.html),
there can be a number of reasons for bad sectors to form, but the overriding
principle is that some data may be recovered from those sectors. A
key point, however, is that the data can be presented as garbley-guck (that's a
scientific term) or inverted when recovered, so as not to render properly for
analysis. It may also only be partially recovered, which may only partially
help the investigation... but partial is better than none.
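As an added illustration (not part of the original post) of what partial recovery from bad sectors looks like: forensic imaging tools such as GNU ddrescue copy every sector that can still be read and log the ones that cannot. The Python below does the same against a constructed, simulated drive; `SimulatedDrive`, `image_drive` and the sample data are hypothetical names and values made up for this example.

```python
import errno

SECTOR = 512  # bytes per sector; traditional drives expose 512-byte logical sectors


class SimulatedDrive:
    """Constructed stand-in for a failing drive: reads touching a bad sector raise EIO."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)

    def read(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(errno.EIO, "Input/output error")
        return self.data[offset:offset + length]


def image_drive(drive, total_sectors, chunk_sectors=8):
    """Copy the drive, zero-filling unreadable sectors and recording which ones failed."""
    image, bad_map = bytearray(), []
    for start in range(0, total_sectors, chunk_sectors):
        count = min(chunk_sectors, total_sectors - start)
        try:
            # Fast path: read a whole chunk of sectors in one request.
            image += drive.read(start * SECTOR, count * SECTOR)
        except OSError:
            # Slow path: retry sector by sector so one bad sector costs only 512 bytes.
            for lba in range(start, start + count):
                try:
                    image += drive.read(lba * SECTOR, SECTOR)
                except OSError:
                    image += bytes(SECTOR)  # placeholder keeps later offsets aligned
                    bad_map.append(lba)
    return bytes(image), bad_map


def demo():
    # Constructed sample: 32 sectors, each filled with its own sector number.
    original = b"".join(bytes([n]) * SECTOR for n in range(32))
    drive = SimulatedDrive(original, bad_sectors=[5, 6, 20])
    image, bad_map = image_drive(drive, total_sectors=32)
    return original, image, bad_map, 100 * (32 - len(bad_map)) / 32


if __name__ == "__main__":
    _, _, bad, pct = demo()
    print(f"unreadable sectors: {bad}; recovered {pct:.3f}% of the drive")
```

The zero-filled gaps are why a file that overlapped a bad sector may open only partially or not render at all, while everything stored in readable sectors comes back intact.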
It's also important to note that the data may not be able to be recovered. One great block of instruction from an attorney over the years relayed that the best answer in a digital forensics investigation is "it depends"... and this situation very much depends on the physical state of the hard drive, the manner in which the sectors went bad and other factors such as the care of the hard drive, storage methods, recovery methods, time, etc. Politicians and lawyers don't generally like the answer "it depends" because it's not definitive, but increasingly in life, things aren't as definitive as we'd like them to be.
It may appear dubious that such a prominent figure in the IRS was archiving her emails locally (on the desktop computer) and not on a server. In fact, in our research to date, we haven't seen much mention of a server archive, only temporary storage. Regardless, it is entirely possible that the emails Congress is seeking may either not exist or not be able to be recovered (fully)... that is simple scientific fact.
Author:
Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting
www.ProDigital4n6.com