Digital Detectives Dig Through Data Deluge

Digital detectives digging through a data deluge that can make or break cases.

By ABC News
January 30, 2012, 9:31 AM

Jan. 30, 2012 -- What you do on your computer stays on your computer.

That may seem obvious, but a document in a new FBI terrorism case provides fascinating reminders of just how much information government agents can mine from your computer and other electronics, revealing cyber secrets you thought you'd long ago deleted.

Jamshid Muhtorov is a refugee from Uzbekistan who was living in Aurora, Colo., until his arrest on Jan. 21. The FBI began investigating Muhtorov last year for his support of the Islamic Jihad Union. The group is designated a foreign terrorist organization by the U.S. government and has claimed responsibility for multiple attacks on coalition forces in Afghanistan.

Muhtorov allegedly pledged money and his allegiance to the IJU, emailing a representative of the group that he was "ready for any task, even with the risk of dying," according to the criminal complaint. He was taken into custody at Chicago's O'Hare airport just before catching a flight out of the country.


In an affidavit, FBI Special Agent Donald Hale noted that Muhtorov communicated with associates using two email addresses, an Android Blackberry smart phone and a Sony Vaio laptop computer that Hale suggested could yield a bounty of information.

When "Delete" Does Not Mean Delete

"Computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a storage medium, deleted, or viewed via the Internet," Hale wrote in the affidavit. "Even when files have been deleted, they can be recovered months or years later using forensic tools."

Hale explained that when a person deletes a file on a computer, the data doesn't actually disappear, but remains on the hard drive until it gets overwritten by new data. The computer's operating system may also keep records of deleted files in something called a "swap" or "recovery" file.
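A toy model of the behaviour Hale describes, added here as an illustration and not taken from the affidavit or from any forensic tool: deleting only frees the blocks, so a scan of the raw bytes still finds the file until new data reuses them. `ToyVolume`, `carve`, the `<DOC>` markers and the sample content are all constructed for this example.

```python
BLOCK = 16  # bytes per block in this toy volume (constructed, not a real filesystem)

class ToyVolume:
    """Raw block array plus a file table that maps names to block lists."""
    def __init__(self, nblocks):
        self.raw = bytearray(BLOCK * nblocks)
        self.table = {}                  # name -> (block indexes, length)
        self.free = list(range(nblocks))

    def write(self, name, data):
        need = -(-len(data) // BLOCK)    # ceiling division
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = (blocks, len(data))

    def delete(self, name):
        # Ordinary delete: drop the table entry and mark the blocks free.
        # The bytes in self.raw are left exactly as they were.
        blocks, _ = self.table.pop(name)
        self.free = sorted(self.free + blocks)

def carve(raw, header, footer):
    """Scan raw bytes for header...footer spans, ignoring the file table."""
    found, pos = [], 0
    while (start := raw.find(header, pos)) != -1:
        end = raw.find(footer, start + len(header))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found

def demo():
    vol = ToyVolume(8)
    vol.write("note.txt", b"<DOC>draft paragraph removed by user</DOC>")  # constructed
    vol.delete("note.txt")
    after_delete = carve(vol.raw, b"<DOC>", b"</DOC>")   # whole file still present
    vol.write("a.bin", b"\xff" * BLOCK)                  # reuses only the first freed block
    after_partial = carve(vol.raw, b"<DOC>", b"</DOC>")  # header gone, carve finds nothing
    remnant = b"removed by user" in vol.raw              # but a fragment survives
    vol.write("b.bin", b"\xff" * BLOCK * 2)              # reuses the remaining two blocks
    gone = b"removed by user" not in vol.raw
    return after_delete, after_partial, remnant, gone
```
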

A computer's internal hard drive can keep records of how it was used, who used it, and when, Hale wrote. This digital evidence can point to information that once lived on a hard drive or memory stick, but was later altered or deleted. For example, agents might even be able to see where an incriminating paragraph was erased from a word processing document.

"Computer users typically do not erase or delete this evidence, because special software is typically required for that task," agent Hale wrote.

The trail doesn't end there. Web browsers, email and chat programs can reveal online nicknames and passwords. The computer can also tell investigators when a memory stick or external hard drive was connected, and how and in what sequence files were created.

Analyzing all that electronic evidence, Hale wrote, takes "considerable time."

That work gets done at one of 16 computer forensics laboratories around the country run by the FBI, in partnership with 130 state and local law enforcement agencies. The first Regional Computer Forensics Laboratory, as they are officially called, was established in San Diego in 1999.

Agents who first obtain court-approved search warrants can scour cell phones, cameras, GPS units, tablet computers and more for information that can make or break an investigation.