money. I read about it in the newspaper a couple of weeks ago.â
âTwo weeks almost to the day. Tough to keep the lid on a multimillion-dollar swindle,â Sam said, unlocking the door and switching on the light. Sitting on a table inside the small windowless room were six desktop computers, one monitor, a laser printer and a single server. Cables and USB plugs were piled neatly on one edge of the table. âTheyâre all yours.â
Jamie didnât answer. He sat in the solitary swivel chair and attached the power cords to the first system and hooked it into the monitor and printer. Windows XP appeared on the screen, and once the operating system had finished loading, he got to work.
The hard drives inside the Pentium-based systems are simply a stack of discs, separated from each other by scant millimeters. While they spin at ten thousand revolutions a minute, an arm similar to that on a record player records files on the disc. These files are recorded to the disc in clusters, which might be located anywhere on the drive. The system then indexes the clusters so it can locate them later when the user requests that file. If the last portion of a file being saved doesnât take up all the space in a cluster, some slack space is left over. To a forensic specialist, that slack space is like gold, waiting to be mined.
Jamie knew that while the File Allocation Table, or FAT as itâs often referred to, keeps track of exactly where the clusters are found on the drive, it ignores the slack space. He also knew that wiping a drive clean or overwriting files does not actually delete the previous data from the drive, but simply writes new data overtop of the old. While overwriting the data on a hard drive appears to erase it, that is not the way it works. Portions of the data still exist, a detail most users donât realize. That happens because the computer automatically archives the files while the user is working on them. It writes that information to the slack space on the drive. Those two simple details, archiving files and writing them to the slack space, are unknown to ninety-nine percent of computer users. That is where a forensic specialist can trip the criminal up every time. Jamie Holland knew how to exploit those details.
Jamie had encryption-cracking software with him, but that process was long and arduous. In fact, depending on the encryption level, cracking the code on the files was almost impossible. Rather than scanning the surface of the disc for remnants of encrypted files, he dug into the slack space, looking for chunks of the same files that had been dumped before being encrypted. He found them. He downloaded piece after piece, amazed at the incompetence of whoever had erased the hard drives. They had run three separate overwrites, the first a series of zeros, the second a series of ones, and the final overwrite a random selection of numbers from two to nine. All well and good, but not good enough.
The data began to materialize. Hidden inside the chunks of data were numerous references to Mexico, the Mexican banking system and a series of numbers. He had no idea if they were account numbers, but given the scope of the con, he suspected they were. The guys running the scam needed somewhere to dump the money. He spent the better part of four hours on the computers, then shut the power off and went in search of Sam Morel. Jamie found him hunched over his computer. Morel looked up as Jamie entered.
âWell?â he asked, leaning back in his chair and rubbing his eyes.
âItâs definitely NewPro. I found their name on lots of documents. There was quite a bit of data left on the discs,â Jamie said, handing Morel a CD and about fifteen pages of paper. Ninety-eight percent is boringâordering paper and files for the office and paying the telephone bills, but the other two percent is more than a little interesting.â
âWhat?â Morel asked leaning