In a story that stunned Toronto yesterday and spread beyond Canada into news media around the globe, Toronto Police Chief Bill Blair admitted that a video showing Toronto Mayor Rob Ford smoking what appears to be a crack pipe had been recovered. The video, never seen by the public, has been the subject of a great deal of speculation since some photos from it were reported in the press earlier in the year. Mayor Ford faced a torrent of allegations about its supposed contents and flatly denied it even existed. A bombshell of sorts landed yesterday when the Police Chief announced that evidence seized in a series of police raids included electronic devices and computer hard drives which, after months of investigation, turned out to contain the video in question. According to Blair, the footage is “consistent with what has been described in the media,” but he will not further describe what it depicts. So how did the police department get the deleted video files back from the hard drives?
Over the past 20 years, data recovery methods for deleted information have improved dramatically. There is better training available to forensic staff and better software tools for data recovery processes. In fact, 20 years ago IT forensics and forensic investigators did not even exist.
Deleting a file from a computer is an action which primarily removes the file's entry from the computer’s master file table (MFT). The physical disk space where the file is actually located is simply marked as free space and made available to be written to. Until new data is written to those physical data blocks, the original data, such as the video file retrieved by police, is still there. If you think of a hard drive as a book, the table of contents entry referencing a chapter is no longer available to the reader, but that chapter’s actual words are still written on the pages.
In a delicate case such as the one involving Toronto’s current mayor, Toronto Police Services would have removed the suspect hard drive from a computer they seized, and forensic investigators would have secured a bit-by-bit image copy of the hard drive in order to keep the original source unit in pristine shape.
Software tools developed by data recovery companies over many years have allowed for a more automated and accountable process of retrieving information. Instead of the archaic method of trying to locate a certain file type and following its internal file mapping entries to various physical portions of a hard disk drive by hand, software tools now let trained investigators search for multiple files and file types at once, leaving the exhaustive searching of large disk spaces to the CPU. This cuts down the time required for investigations and maintains an impeccable chain of custody.
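To make the two ideas above concrete (deletion only drops the index entry, and software can search raw disk space for a file type), here is a small illustrative sketch added for this article; it is not the method used by police or by any product. It assumes a constructed 32 KB disk image, a toy file table, 512-byte sectors and a contiguous MP4-style file, and it carves by following the MP4 box chain (4-byte size, 4-byte type) from an `ftyp` header.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size for the constructed image
KNOWN_BOXES = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid", b"moof"}

def box(kind: bytes, payload: bytes) -> bytes:
    """Build one MP4 (ISO BMFF) box: big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def carve_mp4(image: bytes):
    """Find 'ftyp' at sector boundaries and follow the box chain to its end."""
    found = []
    for start in range(0, len(image) - 8, SECTOR):
        if image[start + 4:start + 8] != b"ftyp":
            continue
        pos = start
        while pos + 8 <= len(image):
            size, kind = struct.unpack(">I4s", image[pos:pos + 8])
            if kind not in KNOWN_BOXES or size < 8 or pos + size > len(image):
                break  # chain ends where the next header stops making sense
            pos += size
        if pos > start:
            data = image[start:pos]
            found.append((start, len(data), hashlib.sha256(data).hexdigest()))
    return found

def build_image():
    """Constructed sample: a fake video stored at sector 8 of a blank image."""
    video = (box(b"ftyp", b"isom\x00\x00\x02\x00isommp41")
             + box(b"moov", b"\x00" * 100)
             + box(b"mdat", bytes(range(256)) * 8))
    image = bytearray(64 * SECTOR)
    offset = 8 * SECTOR
    image[offset:offset + len(video)] = video
    table = {"clip.mp4": (offset, len(video))}  # toy stand-in for a file table
    return image, table, video

def demo():
    image, table, video = build_image()
    del table["clip.mp4"]            # "delete": only the index entry goes away
    before = carve_mp4(image)        # the data blocks are untouched, so it carves
    image[8 * SECTOR:13 * SECTOR] = b"\xAA" * (5 * SECTOR)  # new data reuses blocks
    after = carve_mp4(image)         # nothing left to recover
    return video, before, after

if __name__ == "__main__":
    video, before, after = demo()
    print("original sha256:", hashlib.sha256(video).hexdigest())
    print("after delete   :", before)
    print("after overwrite:", after)
```

The matching SHA-256 after deletion shows the carved bytes are identical to the original file, and the empty result after the overwrite shows why recovery depends on the blocks not having been reused.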
Police investigators use various forensic and data recovery tools to locate any files which are not currently indexed by the hard drive. Data recovery software like CBL Pro-V, or professional investigative software products like EnCase by Guidance Software, allows for forensically sound data collection, data recovery and investigation procedures, and for a process which is repeatable and defensible should a sensitive case go to court.
In the end, Toronto Police investigators would have recovered and saved the now infamous video file, along with other available deleted items from the same computer, the dates and times of the file deletion, and which user was logged in at the time of deletion. This information, combined with traditional police investigative procedures for placing people at a scene, can create a plausible and defensible account of who, when, where, why and how the video file was stored, saved, deleted and ultimately recovered.