Computer Sleuths
The job of recovering the missing Enron Corp. accounting documents is falling to computer sleuths whose work can foil the casual use of the delete button.
They've been called on before in high-profile cases, looking for suspected spy transmissions and missing Clinton White House e-mails.
And now they'll be asked to recover documents from the computers of Arthur Andersen LLP, which acknowledges its employees destroyed thousands of e-mails and paper documents about Enron.
Investigators want to know who knew about the problems at Enron, which shocked the financial world and its own employees with its fall from Wall Street grace to bankruptcy.
Computer sleuths move quickly to preserve hard drives and backup tapes before the bits of deleted data are overwritten forever.
"If the data was there, rarely can you not find a sign of it," said Jeff Bedser of Internet Crimes Group in Princeton, N.J. "The closer to the time frame it happened, the better the chance of recovering the data."
|
Most computer users think a simple stroke of the delete key is enough to make a message disappear forever.
"The general practitioner doesn't know that once you hit delete and get it out of your inbox that it's not gone," said David Schultz, legal counsel at Ontrack Data International. "That is why this is a very fertile area for key evidence in litigation."
In most cases, hitting the delete button simply erases the file from general view. But the underlying data remains until the computer fills that free space with new data.
Government agencies with sensitive information - like the National Security Agency, the CIA and the FBI - use software that repeatedly overwrites free space on ard drives to foil recovery of deleted data.
E-mails are even harder to permanently erase, because they often reside in many locations along a computer network. Lotus Notes stores e-mail messages on a central server and gives most users only limited access, so a person who deletes an e-mail has no way to ensure it is permanently erased and overwritten.
Investigators also use backup tapes. Major companies tend to back up their files nightly or more often. The backups are eventually overwritten, so preserving them early is critical.
Recovering e-mails from backup tapes is far from a sure thing. Millions of e-mails from the Clinton White House were never recovered, even after contractor Vistronix tried to extract them from tapes. Andersen said it has retrieved some of the deleted Enron files from backups.
Andersen may also need to check personal computers used by the Houston auditors, looking for bits of e-mail messages or original copies of documents that have since been shredded.
While the e-mails might not have been intentionally stored, some portions may be lodged on individual computers just because someone read the messages. Joan Feldman of Computer Forensics called the phenomenon "data debris," and said it's hard to work with.
"The e-mail may or may not be stuck on the hard drive," Feldman said. "The 'may or may not' part is really big enough to drive a car through."
Shredded paper is also extremely difficult, but not impossible, to re-create. Jason Paroff, a forensics expert at Kroll Worldwide, said his company has put shredded documents back together before, but success is dependent on the efficiency of the shredder.
While the results of straight-cut shredders are relatively easy to work with, Paroff said, "there are some shredding machines that almost produce a dust on the other end. Good luck piecing that together."
With all the uncertainties in forensic work, the experts said Andersen would benefit if it gets another company to monitor its work. That would protect Andersen against some routine pitfalls, like a technician throwing out an obsolete but evidence-rich computer.
"It would probably be a good alibi for whatever their status is," said Stan Wilson of Kroll. "You don't want to go into something like Enron with yourself as the lone gun."
By D. Ian Hopper © MMII The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed