Digital Detectives Dig Through Data Deluge

Digital detectives digging through a data deluge that can make or break cases.

January 30, 2012, 9:31 AM

Jan. 30, 2012 — -- What you do on your computer stays on your computer.

That may seem obvious, but a document in a new FBI terrorism case provides fascinating reminders of just how much information government agents can mine from your computer and other electronics, revealing cyber secrets you thought you'd long ago deleted.

Jamshid Muhtorov is a refugee from Uzbekistan who was living in Aurora, Colo., until his arrest on Jan. 21. The FBI began investigating Muhtorov last year for his support of the Islamic Jihad Union. The group is designated a foreign terrorist organization by the U.S. government and has claimed responsibility for multiple attacks on coalition forces in Afghanistan.

Muhtorov allegedly pledged money and his allegiance to the IJU, emailing a representative of the group that he was "ready for any task, even with the risk of dying," according to the criminal complaint. He was taken into custody at Chicago's O'Hare airport just before catching a flight out of the country.

Read the criminal complaint against Jamshid Muhtorov

In an affidavit, FBI Special Agent Donald Hale noted that Muhtorov communicated with associates using two email addresses, an Android Blackberry smart phone and a Sony Vaio laptop computer that Hale suggested could yield a bounty of information.

When "Delete" Does Not Mean Delete

"Computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a storage medium, deleted, or viewed via the Internet," Hale wrote in the affidavit. "Even when files have been deleted, they can be recovered months or years later using forensic tools."

Hale explained that when a person deletes a file on a computer, the data doesn't actually disappear, but remains on the hard drive until it gets overwritten by new data. The computer's operating system may also keep records of deleted files in something called a "swap" or "recovery" file.

A computer's internal hard drive can keep records of how it was used, who used it, and when, Hale wrote. This digital evidence can point to information that once lived on a hard drive or memory stick, but was later altered or deleted. For example, agents might even be able to see where an incriminating paragraph was erased from a word processing document.

"Computer users typically do not erase or delete this evidence, because special software is typically required for that task," agent Hale wrote.

The trail doesn't end there. Web browsers, email and chat programs can reveal online nicknames and passwords. The computer can also tell investigators when a memory stick or external hard drive was connected, and how and in what sequence files were created.

Analyzing all that electronic evidence, Hale wrote, takes "considerable time."

That work gets done at one of 16 computer forensics laboratories around the country run by the FBI, in partnership with 130 state and local law enforcement agencies. The first Regional Computer Forensics Laboratory, as they are officially called, was established in San Diego in 1999.

Agents who first obtain court approved search warrants can scour cell phones, cameras, GPS units, tablet computers and more for information that can make or break an investigation.

Digital Detectives

"The analysis could directly implicate or eliminate the suspect based on the information recovered, or serve as corroboration or contradiction to a suspect or witnesses statement," said FBI Supervisory Special Agent Sean O'Brien, director of the Rocky Mountain Regional Computer Forensics Lab in Centennial, Colorado.

In the 2010 fiscal year, the regional laboratories conducted 6,564 examinations of everything from hard drives and cell phones to floppy disks and VHS videotapes. During that time examiners combed through 3,086 terabytes of data. (For comparison, just one terabyte is equal to about 1,000 gigabytes.)

The digital deluge can be overwhelming.

"The sheer volume of information investigators request to be analyzed exceeds the capacity of forensic examiners available to analyze the data in the laboratory," O'Brien told ABC News.

When two Roy, Utah, teenagers were arrested last week for allegedly plotting an attack on their high school, their computers were sent to be analyzed at the lab in Salt Lake City, according to FBI spokesperson Deborah Bertram.

The Rocky Mountain Regional Computer Forensics Lab played a key role during the 2009 investigation of Najibullah Zazi, who later pleaded guilty in a plot to trigger bombs on New York City subway trains. Analysts searched for evidence on several computers, helped execute search warrants, and examined surveillance video that showed Zazi buying bomb making ingredients at a beauty supply store.

Golden Age of Surveillance

Law enforcement officials still need a warrant to search your physical property, like a laptop. Privacy advocates, however, worry that information you store in the "cloud" or with service providers (think Gmail, Hotmail) can be accessed by a less-stringent subpoena, a legal document that doesn't require a judge's approval.

"The standards to access to that information are very low," said James Dempsey, vice president for public policy at the Center for Democracy and Technology. "Most people don't realize that."

Dempsey's organization is part of a group called Digital Due Process, made up of privacy advocates and companies including Amazon, Google and Microsoft that want Congress to update the Electronic Privacy Communications Act. The law was enacted in 1986, before service providers had become major players in email and cloud computing.

Dempsey says the law should require the government to get a warrant signed by a judge before accessing information stored by service providers.

"The warrant requirement is in the Constitution.We just have to make it clear that it applies not only to your physical effects, but also to your digital life." Dempsey told ABC News. "This is golden age of surveillance. There is more information available more easily to the government than ever before."

ABC News Live

ABC News Live

24/7 coverage of breaking news and live events