
The Whole Truth

We have all heard the words: “Do you swear to tell the truth, the whole truth, and nothing but the truth?” But what does that mean today? Drug companies write thousands of pages of disclaimers, and public servants lie about extramarital affairs all the time. So what is “the truth”?

I recently had a case where my client’s computer was placed under a preservation order by the courts. He was prohibited from deleting any files on his computer. He was accused of having many files that he was not supposed to have; therefore, the opposing counsel ordered a complete forensic examination of his computer, and asked me to provide them with a copy of my evidence files. My client asked me to look for any deleted files, or files that he was “not supposed to have.” I performed a forensic examination of his computer hard drives and found nothing of interest and no evidence that he had deleted anything.

On a Sunday night, after I had done my examination, I received a frantic call from my client. Opposing counsel’s forensic computer expert had written a report stating that he had found considerable proof that my client had deleted “hundreds of files.” My client emphatically maintained that he had not deleted anything, so I reassured him that I would look into the report from the opposing expert.

The opposing expert stated that he had found an “Evidence Eliminator” on my client’s computer which was used to destroy hundreds of files. I was shocked; I had done a thorough examination and had found no evidence of malfeasance. I felt confident that my client had not deleted any files. I quickly returned to my exam machine and re-opened the case.

The first thing I found was that there were indeed around seven hundred files that had been deleted. How could I have missed that? I then looked for a file mentioned in the opposing expert’s report called “SymEraser,” and to my astonishment there it was, as we say in Texas, “Bigger than Dallas!” Wow, I started to believe that I had failed my client. Before I lost all hope that I was doing my job properly, I quickly ran a Google search for “SymEraser.”

I discovered that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software. It was not an evidence eliminator; it was a virus eliminator. OK, that’s not too bad, I thought, but what about all those files? There were definitely hundreds of deleted files. I re-examined them. They were all deleted from a folder called “virdef.” They were, in fact, virus definition files. My client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions! This was not the blatant act of a human, but rather an automatic function of a piece of software.

I had done my forensic examination and had not found anything malicious or suspect. Opposing side’s expert had done his examination and had found quite a lot. So what was the truth? The truth was that files were deleted during a time that my client was not supposed to delete files. The truth was that there is a software program called SymEraser, which eliminates things. That was the truth. Fortunately for my client, it was not the whole truth!