THE CANADIAN PRESS/Chris Young
TORONTO – Court documents from a police investigation into Toronto Mayor Rob Ford and his friend Sandro Lisi shed how police get their hands on video, text and audio files from computers and smartphones seized as evidence.
READ MORE: Police documents describe Rob Ford crack video
Previously released judicial authorizations reveal that police obtained one laptop computer and seven cellphones as part of the ongoing investigation – well after Lisi's arrest on an extortion charge in connection with the now-infamous "crack video."
Police have gleaned multiple media files from the devices they've seized, but it looks like one had them stumped: Lisi's iPhone 4S.
iPhone sent to Apple to be unlocked
Another key detail in Wednesday's court documents reveals that Toronto Police travelled to Apple headquarters in Cupertino, Calif. to gain access to the data from an iPhone 4S belonging to Lisi.
"LISI's phone was unable to be analysed because they did not have the current forensic tools to extract information from the phone," police documents read.
Toronto Police aren't the only ones turning to Apple for forensic assistance.
"There is a security and encryption level that right now is proprietary to Apple," said Tim Margeson, president of CBL Data Recovery, a Canadian data recovery firm headquartered in Toronto.
Apple assists law enforcement agencies to decrypt seized iPhones by court order. Apple reports the number of requests for information related to law enforcement investigations as part of its transparency report, which can be viewed online.
"Law enforcement requests most often relate to criminal investigations such as robbery, theft, murder, and kidnapping," read a statement regarding Apple's national security and law enforcement orders released in January.
"Apple reviews each order, whether criminal or under a national security authority, to ensure that it is legally issued and as narrowly."
According to Margeson, Apple isn't providing any information; they just provide the service to enable access to the phone.
But some private firms say they can do the same thing, gaining access to a wealth of information stored on devices like the iPhone.
Ben Carmitchel, computer forensics expert and president of DataRecovery.com, said his company has software that would allow them to extract data from an iPhone.
"The iPhone makes it so easy to delete a text; however – just like a computer – that text is not deleted and is retained for a very long time. They are retained in a database that is stored on the phone, marked as deleted and left alone," Carmitchel told Global News.
"Let's say we have a 16GB iPhone 4S. We can acquire an image of that iPhone and end up with a 16GB image of everything that is on that device – then we use software to see what's on that phone."
Data recovery
Last Halloween, Chief Bill Blair said investigators had extracted a deleted file from a hard drive seized in the Project Traveller raids last June. During a press conference in October, Blair described that video as containing "images that appear to be those previously reported in the press."
But just how did police manage to retrieve these files?
The process would include using data recovery and computer forensics to examine the hard drive in order to discover evidence.
"What they would do in a situation like this is secure what's called a bit by bit image of the unit onto some of their own storage. This alleviates any risk of damaging the original unit and keeps the chain of custody and evidence all intact for later on," Margeson said.
When you delete a file on your computer the file is not actually deleted – it's flagged and marked to say that it has been deleted, but the information is still there.
The information will remain there until your computer uses that space to overwrite the files.
According to Margeson, police would be able to use data recovery tools to scan through the indexed and un-indexed portions of a hard drive. He said if files had been deleted, it's likely that some of the video evidence and other documents pertaining to the case were found in the un-indexed portion.
"The way a computer works to store information is a lot like a book," Margeson explained.
"There is a table of contents and there are pages. When you delete information from a computer all its doing is eliminating the entry in the table of contents; but the page is still there. So they [would have been] able to go through all the pages and restructure that to find the appropriate images or documents."
That's how Toronto police would have been able to recover the video that shows Mayor Ford smoking what appears to be crack cocaine – one described for the first time in documents released Wednesday.
"Let's say for instance there is a file that has been deleted, but no new information has been written on top of it," said Herna Viktor, associate professor of computer science at the University of Ottawa.
"The recovery software would then simply go through the files, see that it has been flagged as deleted, try to un-flag it and then scan the disk and find the information for you."
But despite sophisticated data recovery software, 100 per cent file recovery is not always achievable.
There are two common instances where information could not be retrieved from a hard drive – if it's been physically scraped off, or if that particular file was overwritten with new information.
© Shaw Media, 2014
0 comments:
Post a Comment