Deleted data and gu...
 
Notifications
Clear all

Deleted data and guilt?

10 Posts
8 Users
0 Likes
489 Views
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

I’ve been thinking for the past hour or so whether or not this question is appropriate for the FF forum. I’m just wondering if anyone else has been thinking similarly?

I was just watching some of the Malaysian Air coverage and they say the Pilot deleted some data from his flight simulator. The tone in how the information was presented seemed to possess an aura that they guy was guilty of something because he deleted data. I was thinking the simulator may have limited memory capacity?

All of us that work with computers and cell phones love to capture deleted data, but is it possible that there is a tendency, barring additional facts, to assign some sort of guilt to someone just because something is deleted?

Some people do it to free up space. Others may because they want to try and keep systems running at optimum performance?

I know that what I am saying is very general, but does anyone think that occasionally too much emphasis is placed on things being deleted?

 
Posted : 20/03/2014 2:54 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

According to the WSJ there were in fact 3 different flight simulator games on the PC.
The deleted material was described as "data logs".
Without knowing a lot more detail I don't think too much can be read into the fact files were deleted. It might even be an automatic function of the game to only keep 1 month of logs, or the last 10 logs, etc..

 
Posted : 20/03/2014 4:09 am
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

On at least one news channel, the talking head made a remark, most likely overlooked by many. She said deleting could have been just freeing up space. Double deleting, and only that information would suggest something to hide. But, she closed, no one really knows because the information sources are inconsistent.

I presume she meant over-writing as "double delete", but it was refreshing.

 
Posted : 20/03/2014 4:48 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Anything printed/written/displayed in the media is always heavily slanted depending on what message they want to get across.

I have had so many dealings with the media in my LE days and it never ceased to amaze me how often they would print out right lies, full well knowing they were lies, knowing that they could do so with impunity.

Hence, I never believe anything I see in the media unless I can confirm it form other more reliable sources.

 
Posted : 20/03/2014 5:43 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@hcso1510
I have a very similar feeling, see the issue about defragmenting for Anti-Forensics here
http//www.forensicfocus.com/Forums/viewtopic/t=5410/

jaclaz

 
Posted : 20/03/2014 3:04 pm
(@dcs1094)
Posts: 146
Estimable Member
 

All of us that work with computers and cell phones love to capture deleted data, but is it possible that there is a tendency, barring additional facts, to assign some sort of guilt to someone just because something is deleted?

Some people do it to free up space. Others may because they want to try and keep systems running at optimum performance?

I know that what I am saying is very general, but does anyone think that occasionally too much emphasis is placed on things being deleted?

I guess we should always keep an open mind on this sort of thing, as for all we know he may have deleted these logs for the exact purposes you have detailed and not to cover up things. Then again, these logs may detail crucial evidence, who knows!?

Hence, I never believe anything I see in the media unless I can confirm it form other more reliable sources.

Exactly agree with this. Straight away people will just assume/jump to conclusions and it's completely wrong in my opinion. (nothing will ever stop the media doing this). I think the agencies involved should just be left to do their job rather than constantly being asked questions which could jeopardize the case. It must be a nightmare for the families - one minute hearing the plane landed somewhere and the next to hear it was someone on board etc…

 
Posted : 20/03/2014 5:15 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I would like to know if he had a pattern of deleting logs - at a guess are they numbered, if so holes would be seen.

If he normally deleted everyone, nothing odd this time. If the last 6 months all exist, then this might be significant?

If there are lots of holes, then maybe he only keeps special ones.

Secure wiping I would as more significant. Not many people do this as routine. But again I would like to know if everything is always securely wiped.

For disk cleaning/space etc. How full is his disk?

 
Posted : 20/03/2014 9:11 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So, you plan to bring a passenger airplane down on March 8 and on February 3 you delete a bunch of files from your PC. 😯

It is thought the files were deleted last month by pilot Capt. Zaharie Ahmad Shah. Files containing records of simulations carried out on the program were deleted February 3.

http//www.dailymail.co.uk/news/article-2584123/Revealed-Malaysian-Airlines-pilot-high-security-US-base-Diego-Garcia-programmed-homemade-flight-simulator-deleted-data-just-taking-control-missing-plane.html

Malaysia’s inspector-general of police, Khalid Abu Bakar, said an examination of the flight simulator seized from Capt Zaharie’s home revealed that the data logs were deleted on Feb 3. The simulator was apparently used to play three games Flight Simulator X, Flight Simulator 9 and X-Plane 10.

http//www.telegraph.co.uk/news/worldnews/asia/malaysia/10709162/Malaysia-Airlines-Flight-MH370-Clues-deleted-from-Malaysia-Airlines-pilots-flight-simulator.html

The "news" (on the accusation front) are that

  1. he used the flight simulator to attempt landing on "short" strips
  2. his flight simulator has data about a military airport Diego Garcia in the Maldives
  3. [/listo]

    #1 So WHAT? What the heck is the use of a flight simulator to a pilot/enthusiast if not experiment the most difficult scenarios?
    #2 as well as the data of - say- 1500 other airports all around the world…

    About credibility of the press, I believe that anyone that writes the following sentence (or that actually publishes it)
    http//www.telegraph.co.uk/news/worldnews/asia/malaysia/10704769/Malaysian-Airlines-MH370-March-19-as-it-happened.html

    05.40 After ASMA said two objects up to 24 metres (78 ft 9 inches) in size had been spotted by satellite in the southern Indian Ocean, Reuters has published a list of the basic dimensions of the Boeing 777-200ER which was used on Malaysia Airlines Flight MH370, according to Boeing's website.

    Wing span 60.9 metres (199 feet 10 inches)

    Overall length 63.7 metres (209 feet)

    Tail Height 18.5 metres (60 feet 9 inches)

    Fuselage Diameter 6.19 metres (20 feet 4 inches)

    (The length of each wing was not immediately available but the published data implies that each wing is about 27.4 metres long, after adjusting for the width of the fuselage).

    is capable of *anything* evil.
    I mean, WOW, (60.9-6.19)/2=27.355 😯
    I guess that no less than two consultants (a mathematician and an aviation expert) were called to obtain this astonishing result. wink

    jaclaz

 
Posted : 20/03/2014 9:57 pm
(@datendrache)
Posts: 6
Active Member
 

The Flight 370 investigation is one of the best examples in recent history of where finding clues is most important, not establishing guilt. It highlights one of my personal crusades about making forensics faster and easier, because if we could analyze data quickly, the people who's lives are at risk might have a chance of survival. Flight 370, amber alerts, human trafficking, etc- all examples of the importance of computer forensics for saving lives.

On the topic at hand, the first time I performed forensics a computer with a "privacy cleaner" (anti-forensic) tool installed and periodically used, I was quite upset and tried to equate this somehow with an intention to cover the person's activities. However, I use CCleaner just to purge my caches of garbage from time to time in order to preserve SSD space. I must conclude then that the presence of cleaners does not equate to proof of intent for a specific purpose.

This poses a more basic question Is the lack of evidence collected an indication of guilt by data destruction or is it an indication of innocence by something obviously not there?

A smart forensic examiner would try to substantiate either claim by looking at some other source- deleted files, registries and databases, networked computers, connected drives, USBSTOR data, etc. and find some proof either way. If the history or logs are deleted, there's often something else to turn to– temporary files, file carving, non-mainstream software, backups, time stamps, timelines, program behaviors for removing logs, and the like.

With a few more details about how and when, knowing there is unrecoverable deleted data might show enough intent that the investigation can be expanded.

Eric

 
Posted : 22/03/2014 9:43 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

http//www.theguardian.com/world/2014/mar/24/mh370-investigators-review-missing-plane-pilots-flight-simulator-records

The software, currently a focus for investigators, would have allowed him to practice landing at more than 33,000 airports, on aircraft carriers, oil rigs, frigates, which pitch and roll with the waves, and helipads atop buildings.

Given the large amount of cheap memory loaded onto modern computers, it's unlikely Zaharie would have had to erase his flight data for technical reasons – so it remains unclear why some of the data was erased on February 3.

"Today storage capacity is not a problem for a computer running simulators," said Fernando Nunez Correas, a simulation software developer using some of the same components as Zaharie.

Erasing data may have been part of a regular maintenance routine or done to help improve the simulator's performance, flight simulator users say.

For NO apparent reason 😯 , "Experts say …." wink
http//www.dedoimedo.com/computers/experts.html

jaclaz

 
Posted : 24/03/2014 4:43 pm
Share: