Hakki -------------------------------------------------- http://www.knoxstudio.com/shns/story.cfm?pk=ENRON-DATA-01-29-02&cat=AN Computer sleuths may find key Enron data By CLINT SWETT Scripps-McClatchy Western Service January 29, 2002
- When Arthur Andersen auditors deleted e-mails and shredded reams of documents related to the Enron scandal last fall, it's likely they thought they were covering their tracks under a blanket of confetti.
But they may have been wrong.
Computer experts say that though the paper trail may now be destroyed, it might still be possible to recover much of the information from the computers that produced the original documents.
"About 99 percent of people think that when they've deleted files they are gone," said Kevin Jackson, who owns the California office of American Data Recovery, which helps firms recover data from damaged hard disks.
In fact, the information isn't deleted at all. It still resides on the hard disk until it is "overwritten" by new data, a process that could happen immediately or take several months.
Officials at the Justice Department declined to say what, if anything, is being done to pry the missing e-mails and other documents out of either Arthur Andersen or Enron computers.
But computer security experts say it's possible that much of that information is still hidden on numerous hard drives.
"There are infinite possibilities," said Keith Aiken, a former FBI agent now working under contract as a computer evidence examiner with the Sacramento Valley High-Tech Crimes Task Force. "Just deleting it won't cover up anything."
E-mail can be especially hard to eradicate, Aiken said.
In large companies, most e-mail is stored on central servers, but there could be traces of it found on individual computers, he said. If the missing e-mail was sent to multiple recipients, it might be found on their PCs, too.
Before the e-mail was deleted, it could have existed for days or even weeks on the server's disks. During that time, Aiken said, large businesses would likely have made backup copies of their data on special tapes.
So if e-mail can't be recovered from the server, it might still live on in the backup tapes - at least until those tapes are erased and reused.
The same goes for other documents, such as spreadsheets or memos written with word-processing programs. They might be stored on a server or could have been stored on the PC's hard disk, or both.
In recovering deleted information from a computer, time is an important consideration, experts said.
When data are deleted, it really means that the information is still on the disk, but the computer reads it as free space to which it can write new data.
After the files or e-mails are overwritten, it's much harder or impossible to recover. "The longer you wait, the greater the chance that it will be overwritten," Jackson said.
And it's not certain where the overwriting will take place, Aiken said. "Where it writes on the hard drive is very unpredictable," he said. "Your operating system is like a housekeeper when you aren't home. Things happen without your input."
Arthur Andersen officials said its auditors began deleting e-mails on Oct. 23 and stopped Nov. 9. From then until the time officials tried to recover the material earlier this month, it could have been overwritten.
---------------------------------------------------------------------------- ----
(Contact Clint Swett of the Sacramento Bee in California at cswett(at)sacbee.com)