Forensic Analysis of Computers



NightTrainLayne
11-27-2010, 02:49 PM
Relating to several news stories that mention the fact that the NFL offices did a "Forensic Analysis" on Broncos computers, I'm curious if anyone can inform the board about the capabilities and limitations of this kind of analysis.

My own layman's understanding would lead me to believe that it's pretty limited, but apparently they uncovered the deleted files showing the walk-through practice.

Would that uncovering reveal the timing of not only the recording, but the timing of when the file was deleted? As I understand it, McD says that when Scarnecchia told him of the recording that he did not watch it and told Scarnecchia to delete it.

Obviously, no one can truly verify whether McD watched the tape or not, but the timing of the deletion could very easily refute McD's statement, or lend credence to it, i.e. if it wasn't deleted until after the game that would pretty much blow McD's story out of the water.

How much can actually be gleaned from this?

Also, as an aside... why the heck do these stories reference "tape" when NOBODY uses tape anymore to record? I highly doubt that NFL teams even use DVDs or disks, but rather keep all their "film" on hard drives.

Which leads me to question #2. I would assume that the NFL didn't just look at Scarnecchia's computer. Was evidence of this "tape" on any other Broncos computer systems? Is there any record of it being accessed by Broncos coaches at any level?

jhildebrand
11-27-2010, 02:52 PM
I would sure love to hear Scarnecchia speak.

CHARLIEADAMSFAN
11-27-2010, 03:02 PM
The Broncos are idiots right now..... no doubt they could have at least hidden it better. Regardless, I still disagree with the filming.

frauschieze
11-27-2010, 03:04 PM
I'm sure there are more here who can explain better and in more detail but I'll give it a stab.

Nothing on a hard drive is truly "deleted". The saved location of the file (which can be, and usually is, spread over many different areas on the physical disk) is merely marked as available to be written. Until that space is actually overwritten, the file itself still exists, even though the operating system cannot "see" it.

In addition, there is usually extensive information saved in the file called metadata. It can include information on when the file was created, who created it, what was used to create it (up to a specific serial number of the camera which did the recording), etc.

Computer forensics can recover just about everything you can imagine. Their capabilities are far from limited.

There's a saying around my school that the only way to truly delete a file and remove all evidence of anything on a hard drive is to throw it in a volcano. It's really not that far from the truth.

scott.475
11-27-2010, 03:48 PM
I think Frau is pretty much right on. Very hard to actually delete info from a hard drive, and even if you do there may be enough fragments left to still lead you to the evidence.

Regarding the use of the word "tape", I don't know whether they actually still put games, etc. on actual tape for long term storage or not. But when you think even deeper, using the word "film" would not be an accurate statement either, as in "filmed the practice", because it probably is not even saved to film anymore. Just throwback terms for what was used in photography and movie making for 100+ years, and digital has only supplanted film in the last ten years. "Rewind" would be another one, and on and on.

A funny aside, we were watching a show some time ago and a guy was reviewing a video on his computer using some media player. Every time he ran it backwards it would make that "whirring" sound that we used to get on cassette players...laughable, I can't believe they actually put that in there. Funny to think kids born today, or maybe even in the last 5, could conceivably grow up without even knowing what camera film or audio/video tape is. Totally off topic, but maybe some comic relief.

elsid13
11-27-2010, 04:17 PM
The only true way to clean a hard drive is either format c it, use a special cleaner program to remove data or the tried and true method, swipe it with a powerful magnet device (the last is how the US Government cleans classified hard drives).

At this point Clay is looking for a magnet within his kids' toy box.

frauschieze
11-27-2010, 06:44 PM
> The only true way to clean a hard drive is either format c it, use a special cleaner program to remove data or the tried and true method, swipe it with a powerful magnet device (the last is how the US Government cleans classified hard drives).
>
> At this point Clay is looking for a magnet within his kids' toy box.

"How do I reformat my hard drive?"
"Throw it in a volcano."

Reformatting DOES NOT "erase" old information on a computer. It can still be recovered with the proper tools and know-how. Ditto special cleaner programs. And I'm horrified our government uses magnets, although it's the best option of the three. For classified info, they ought to use magnets and then physically destroy the whole drive. Hammer and safety goggles, people.

elsid13
11-27-2010, 07:47 PM
> "How do I reformat my hard drive?"
> "Throw it in a volcano."
>
> Reformatting DOES NOT "erase" old information on a computer. It can still be recovered with the proper tools and know-how. Ditto special cleaner programs. And I'm horrified our government uses magnets, although it's the best option of the three. For classified info, they ought to use magnets and then physically destroy the whole drive. Hammer and safety goggles, people.

By the time the magnets are done with the hard drive it won't work ever again.

frauschieze
11-27-2010, 08:03 PM
> By the time the magnets are done with the hard drive it won't work ever again.

I sure hope so!

Day1BroncoFan
11-28-2010, 01:31 PM
All formatting does is reset the MBR (master boot record). It does not erase data at all.

The government uses more than one method to erase hard drives. They use a program that basically writes all 0's to the hard drive multiple times first. The more times you write to the hard drive the harder it is to pull the original data off.

frau is pretty correct in what she stated. The OS changes the first character of the file name to a ? and reallocates the space to "free" so it can be used again.
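
An added example, not part of any post in this thread: a parser for one 32-byte FAT directory entry, showing what survives the kind of deletion discussed above. It assumes a FAT volume, where deletion overwrites the first byte of the file name with 0xE5 (recovery tools display a placeholder for it) and the entry keeps creation and last-write timestamps, size and starting cluster but has no field for when the deletion happened. The sample entry (`VIDEO001.AVI`, its dates and size) is constructed.

```python
import struct
from datetime import datetime

DELETED_MARK = 0xE5  # FAT sets the first name byte to this on delete
ENTRY_FMT = "<8s3sBBB7HI"  # 32-byte short-name directory entry layout

def fat_datetime(date, time):
    """Decode FAT's packed 16-bit date and time fields (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_entry(raw):
    """Parse one FAT short-name directory entry, deleted or not."""
    (name, ext, _attr, _nt, _ctenth, ctime, cdate, _adate,
     clus_hi, wtime, wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARK
    # The first character is lost on delete; show a placeholder for it.
    shown = "?" + name[1:].decode("ascii") if deleted else name.decode("ascii")
    return {
        "name": shown.rstrip() + "." + ext.decode("ascii").rstrip(),
        "deleted": deleted,
        "created": fat_datetime(cdate, ctime),
        "modified": fat_datetime(wdate, wtime),
        "first_cluster": (clus_hi << 16) | clus_lo,  # where the data starts
        "size": size,
        # Note: the entry format has no "deleted at" field to report.
    }

def pack_dt(dt):
    """Helper used only to build the constructed sample entry below."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time

def sample_deleted_entry():
    """Constructed entry for VIDEO001.AVI after deletion (not real data)."""
    cdate, ctime = pack_dt(datetime(2010, 1, 2, 10, 15, 30))
    wdate, wtime = pack_dt(datetime(2010, 1, 2, 10, 21, 8))
    raw = struct.pack(ENTRY_FMT, b"VIDEO001", b"AVI", 0x20, 0, 0,
                      ctime, cdate, cdate, 0, wtime, wdate, 5, 1_234_567)
    return bytes([DELETED_MARK]) + raw[1:]  # what the delete operation changes

if __name__ == "__main__":
    for key, value in parse_entry(sample_deleted_entry()).items():
        print(f"{key:14}{value}")
```

On such a volume, the time of deletion has to be inferred from other sources, such as operating-system or application logs, rather than read from the entry itself.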

Nomad
11-28-2010, 01:34 PM
wha!!!!! I'm gettin me some compooter edgimication!!

Honestly, I didn't know any of this!!