SYTECH carry out Digital Forensic tasks of this nature for various UK-based Agencies on a regular basis.
Newtown police officers on the street where Adam Lanza and his mother, Nancy Lanza, lived
Photo by Jared Wickerham/Getty Images
Last week, before committing one of the worst mass shootings in modern American history, Adam Lanza tried to destroy the hard drive on his computer. But whatever he was trying to hide might still be recoverable—and other options are available when it comes to uncovering his digital trail.
According to a report published Wednesday by the Washington Post, the authorities are moving swiftly to try to salvage the damaged computer. Investigators reportedly believe that before massacring 20 children and six adults at Sandy Hook Elementary School in Newtown, Conn., Lanza took a screwdriver or hammer to the hard drive. This creates a hurdle for the cops trying to gain an insight into what was going on inside Lanza’s head in the lead-up to his terrible shooting frenzy. But depending on the scale of the damage, it is likely that forensic experts will be able to recover at least some of Lanza’s data. It is a complex, time-consuming, and costly process that can involve piecing together crucial broken parts of the drive like a jigsaw. However, as the Post notes:
Extraordinary recoveries have occurred. When the space shuttle Columbia disintegrated on reentry, investigators were able to recover hard drives that had fallen to Earth. “The data was almost 100 percent recoverable,” said [Rob] Lee, the lead for digital forensic and incident response at the SANS Institute, a leading cybersecurity and training organization.
The authorities will also be able to glean information about Lanza from other electronic sources. Given that the 20-year-old killer was reportedly a member of a technology club and likely spent a great deal of time at his computer, he surely had at least one email account. Assuming they can identify that account, investigating officers will be able to obtain a warrant to retrieve a record of Lanza’s email activity, which may offer a useful glimpse into his life and mindset. And if Lanza tried to cover that base by deleting his Gmail or Hotmail account, he probably didn’t realize that deleted emails usually remain backed up on centralized servers, at least for a few weeks.
The officers will probably also try to make contact with Lanza’s Internet provider to attempt to get access to any data showing Lanza’s online behavior. Although ISPs in the United States do not retain data as part of a mandatory retention regime as is the case in Europe, many of the major providers do retain some data about their customers’ usage (often for billing purposes). This doesn’t necessarily mean the cops will be able to obtain a list of websites he was visiting, but they should be able to get hold of his IP address, which could in turn be used to link him to posts or comments made on forums or websites—so long as he didn’t use an anonymizing service like Tor.
If Lanza had a cell phone, some useful data might come from records stored by his telco. Most of the major cell providers retain data showing who you have called and when, and they also retain location data—sometimes for as long as two years—which could be used to try to trace Lanza’s movements in the weeks and months before the shooting. His bank transactions may yield useful intelligence, too.
But Lanza’s hard drive will remain the most crucial piece of the puzzle—which is likely why he tried to destroy it. The hard drive will contain vital information, such as website logs, documents accessed, notes written, images saved. Such data, if it can be salvaged, will help police understand whatever led to the massacre—offering a unique glimpse into Lanza’s troubled psyche by unlocking the secrets he intended to take to his grave.
Adam Lanza’s hard drive might be destroyed. But we can still follow his electronic trail.