In attempting to inform about digital forensics in a topical and relevant manner, we’ll seek to answer some questions about the current events surrounding Lois Lerner and the “bad sectors” on her IRS computer hard drive, which, if taken at face value, were the culprit in losing part of a large archive of emails which could possibly serve to implicate or exonerate her in any wrongdoing in her official capacity.
So what is a sector? Picture a traditional (i.e., not a solid state or flash memory) hard drive as a stack of magnetic pancakes or discs. These “pancakes” store data magnetically and are divided into sectors for the purpose of locating and presenting the data when the user requests it. The operating system addresses the sectors in a standard format so it knows where it put your data, almost like GPS coordinates for information on your hard drive. This data is not written to the sectors in a sequential or linear format, but rather plopped down on the hard drive wherever the operating system thinks it can fit it. This is why you often hear geeks tell you to “de-frag” your hard drive if it’s running slow. The larger the hard drive, the more space there is between bits of data and therefore, the longer it can take for the operating system to locate the information you need (especially when multi-tasking) and get the information to you. When you “de-frag” (or defragment) your hard drive, it takes all the data and neatly stacks it one on top of the other so the empty (or unallocated) spaces on the hard drive are in one area of the drive and the usable portions (allocated space) are all together… more or less… but data still resides in the space where it was moved from; it’s simply re-named in the file system so the operating system knows that is not usable, writable space, but it is not empty.
Most hard drives do have bad sectors, but they are identified by the operating system and tagged as unusable. They generally don’t amount to a great amount of space on the hard drive, so you generally don’t miss that space when you’re trying to write information to the drive. If the drive has not been maintained properly, is simply old or is of poor quality, bad sectors can form over time and the data inside them can be “lost”; however, that doesn’t mean it can’t be recovered at all.
When data resides in bad sectors, it can mean several things. As stated in the article located here: (http://www.atola.com/products/insight/bad-sector-recovery.html), there can be a number of reasons for bad sectors to form, but the overriding principle is that some data may be recovered from those sectors. A key point, however, is that the data can be presented as garbley-guck (that’s a scientific term) or inverted when recovered, so that it does not render properly for analysis. It may also only be partially recovered, which may only partially help the investigation… but partial is better than none.
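To make “partially recovered” concrete, here is an added example that is not part of the original article: a Python sketch of how a forensic imager copies a drive with unreadable sectors, keeping every readable sector, zero-filling the rest and logging their addresses. The names `SimulatedDrive`, `image_drive` and `demo`, and the sample record, are constructed for illustration; a real examiner would image the physical device through a write blocker with dedicated tooling.

```python
import hashlib

SECTOR = 512  # bytes per sector on a traditional drive

class SimulatedDrive:
    """Constructed stand-in for a failing disk: reads touching a bad sector raise OSError."""
    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.total_sectors = len(data) // SECTOR

    def read(self, lba, count):
        if any(s in self.bad for s in range(lba, lba + count)):
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR:(lba + count) * SECTOR]

def image_drive(drive, chunk=8):
    """Copy every readable sector; zero-fill unreadable ones and log their addresses."""
    image = bytearray()
    unreadable = []
    for start in range(0, drive.total_sectors, chunk):
        count = min(chunk, drive.total_sectors - start)
        try:
            image += drive.read(start, count)  # fast path: whole chunk at once
        except OSError:
            # Slow path: retry one sector at a time so a single bad sector
            # does not cost us its readable neighbours.
            for lba in range(start, start + count):
                try:
                    image += drive.read(lba, 1)
                except OSError:
                    image += b"\x00" * SECTOR  # placeholder keeps offsets aligned
                    unreadable.append(lba)
    return bytes(image), unreadable, hashlib.sha256(image).hexdigest()

def demo():
    # Constructed sample: a 32-sector "drive" holding one email-like record
    # that spans sectors 9-11; sectors 10 and 20 are marked bad.
    record = b"From: sender@example.test\r\nSubject: constructed sample\r\n\r\n" + b"body " * 250
    data = bytearray(32 * SECTOR)
    data[9 * SECTOR:9 * SECTOR + len(record)] = record
    drive = SimulatedDrive(bytes(data), bad_sectors=[10, 20])
    image, unreadable, digest = image_drive(drive)
    recovered = image[9 * SECTOR:9 * SECTOR + len(record)]
    intact = sum(a == b for a, b in zip(recovered, record))
    return image, unreadable, digest, intact, len(record)
```

The record comes back with its headers and tail intact and a 512-byte hole in the middle, and the list of unreadable sectors tells the examiner exactly which parts of the image are placeholder rather than evidence.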
It’s also important to note that the data may not be able to be recovered. One great block of instruction from an attorney over the years relayed that the best answer in a digital forensics investigation is “it depends”… and this situation very much depends on the physical state of the hard drive, the manner in which the sectors went bad and other factors such as the care of the hard drive, storage methods, recovery methods, time, etc. Politicians and lawyers don’t generally like the answer “it depends” because it’s not definitive, but increasingly in life, things aren’t as definitive as we’d like them to be. It may appear dubious that such a prominent figure in the IRS was archiving her emails locally (on the desktop computer) and not on a server. In fact, in our research to date, we haven’t seen much mention of a server archive, only temporary storage. Regardless, it is entirely possible that the emails Congress is seeking may either not exist or not be able to be recovered (fully)… that is simple scientific fact.
Author:
Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting