Damon Hacker, Vestige President, is presenting to the SAME Mt. Tacoma Post & engineering students at the University of Washington-Tacoma on April 9.

Of IRS and Crashed Computers

Articles

Of IRS and Crashed Computers

Author photo
Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

Know Your Data

Over the last few months, one of the topics we’ve attacked from various angles is that of understanding your data.  It is paramount for a company to know:

·       What data it is storing

·       Where that data is being stored

·       How the data is being protected

·       How long that data is saved

Furthermore, it is important for the company to know how the data map interacts with industry regulations governing a company, litigation holds and how legal, HR and IT wish to respond to various investigatory and legal incidents.  Let’s give an example.  IT has been tasked (and lately have it drilled into their heads) with protecting the company’s data.  So when an employee leaves, they will want to shut down the employee’s account and get their hands around the employee’s access to data, specifically remote access.  However, actions taken by IT may alter company data or destroy evidence that would compromise an investigation around that employee’s actions before they left.  HR may want to repurpose the former employee’s computer to a new employee. Doing so, however, may again alter electronic evidence that can be used to prove or disprove allegations in a matter.

But let’s get back to the IRS….

According to reports, the IRS had quotas on employee mailboxes.  Once a mailbox hit 500 MB, emails had to be exported or deleted or the account was shut down.  As a result, individuals, including Ms. Lerner, would export emails to their local machines.  Of course, the local machines were not backed up through the IRS backup system (in all fairness to the IRS, finding a sasquatch petting a unicorn is easier than finding a company which backs up its workstations).  Even if the IRS backup system handled individual workstations, it only held backups for six months.  Once a backup reached six months in age, it was written over.

That last part seems to be at odds with an organization that can audit up to seven years of your financial information.  The IRS likely augments that policy with another policy that states anything which is an office record of the IRS cannot be deleted and also needs to have a hard copy filed.  The decision maker as to whether a record is official appears, from media reports, to be the users themselves.  By recent accounts, there are over 90,000 employees with the IRS.  Do you think that they all interpret the definition of office record the same way?  The next time you have a dozen people in a meeting, quiz them on a couple dozen emails as to their importance.  Now remember that the next time someone wants to allow employees to determine what emails should be subject to litigation hold.

So the end results with the IRS is that the backup tapes were for the most part worthless and the email server only held a small percentage of what the Congressional committees were seeking.  So everyone had to turn their attention to the workstations.

“Crash”

It kind of makes me cringe on the level of someone running finger nails on a chalkboard when I hear someone report a “computer crash” being responsible for the loss of emails as if that phrase describes something technical and definitive.  It isn’t.  Not even close.  To those of us who labor over bits and bytes for a living, a crash means that something (a computer, application or otherwise) stopped working.  A crash doesn’t mean a permanent stop or a temporary one.  A crash doesn’t mean a device became permanently inoperable or that data was forever lost.  A crash is just a generic, all-encompassing term that can mean different things to different people in different situations.

The bigger question is what really happened to the hard drive that contained the emails.  According to reports, the IRS Information Technology Division tried “multiple processes to recover the information”.  Getting close, but what needs to be determined is:

·       Was the damage physical (damage to the components of the hard drive) or logical (data corruption)?

·       Who undertook the recovery attempts and what specialized training did they have?

·       Was a copy of the entire hard drive made, and attempt made on the copy so that initial attempts didn’t diminish the ability for subsequent attempts to be successful?

·       What processes were attempted?

The answers to any one of the above questions can have a dramatic effect on the possibility of success regardless of the tools or skillsets involved.  Not performing data recovery properly can turn the most simple recovery job into a drastic failure.

This entire blog post further underscores another point we have been making.  When faced with data retention or litigation hold questions, hiring an outside consultant who can understand how the different policies, parties and regulations interact is time and effort worth spent.  When faced with vague technical terms such as a “crash”, pick up the phone and ask an expert as to what that means and more importantly, what that means to your investigation.

Greg Kelley - Vestige CTO lft smallby Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations