Digging for computer dirt

Collecting obsolete tape drives used to be an eccentric hobby. But now that corporate lawsuits can hinge on unearthing ancient digital data, stocking up on funky hardware is good business.

Published April 22, 2002 7:30PM (EDT)

Remember the KayPro computer? The Osborne? The DEC MicroVax? The Vydec dedicated word processor with the 8-inch disk? Lee Tydlaska does. In fact, he not only remembers obsolete technologies, he collects them. What's more, he actually uses them to make money.

Tydlaska calls his collection a "museum," and that makes this 51-year-old former San Diego sheriff a curator of sorts. As sometimes happens with curators, over the years Tydlaska has begun to strangely resemble his prized collection. As he'll be the first to admit, he's old, he's peculiar, he's a bit outdated, and there are lots of younger, sharper models on the market. But he likes what he does.

Tydlaska started his museum 32 years ago, as a hobby. He says he was fascinated by the way the industry kept changing so quickly. "I was hooked on the constant state of flux, even back in the dark ages of computers," he says. "Each technology was a good idea to start, but died a sudden death." About 10 years after he started his museum, Tydlaska realized that his eclectic collection could be more than just fascinating and fun -- it could be profitable. So he created a small business.

Today, his company, Computer Conversions, plays a small but key role in recovering electronic data -- or evidence -- from damaged or overwritten backup tapes. The company also does forensics work ("I have a lot of fun with divorce cases," Tydlaska chirps) and helps people move files from old formats to newer ones, but when the client is the FBI or Deloitte & Touche, they're usually interested in the company's special skills with backup tapes, especially rare formats. (Tydlaska loves them all, but then what's not to love about the DC6150 from Emerald Products or the Jumbo 120 from Colorado Memory?)

Computer Conversions is a six-person company. Only two employees are full-time, and Tydlaska dubs one part-timer "VP of Janitorial Services." The business is run out of a five-bedroom house in El Cajon, a sleepy but pleasant suburb just east of San Diego. Tydlaska at one point had 12 employees and a high-rent office, but he decided that managing people wasn't much fun. Besides, "All my business is primarily through the mail," he says.

Computer Conversions has modest revenues. For most of the past five years, says Tydlaska, the company has brought in around a million dollars in revenue annually. Last year, like nearly everyone else, the company took a hit, falling to around $660,000. "The industry is tight now," Tydlaska says. "But we are seeing some large lawsuits."

Tydlaska may not have planned it, but his company has evolved into an important niche (or sub-niche) player in the increasingly lucrative field of "computer forensics." Textbook definition: "the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law." It hardly needs saying why this craft has grown in importance, but if one word sums it up, it's "Enron-itis."

Never mind all the paper shredding in that case; the real smoking gun will be made of ones and zeros. In a corporate world where everything is increasingly digitized, but in which equipment is also increasingly obsolete, both the industry of computer forensics and people with arcane knowledge like Lee Tydlaska are ever more important.

Tydlaska is prone to gloating about his sometimes invaluable skill. "People go in to audit a company and they need to see its 'hysterical data,' as I like to call it -- 'hysterical' because of the prices they pay me to see it. They say, 'But there's nothing wrong with the tape! If I had the equipment I could restore the data myself.' And I say, you're right! If you had it, you could! But you can't buy it, and you can't reproduce it, so it's either worth my exorbitant fee or not. I mean, let the IRS believe you've got the data!"

It's not always the big accounting firms and corporate lawyers that come to Tydlaska. Sometimes it's just an individual who wants to transfer data from a five-and-a-quarter floppy to a three-and-a-half-inch disk. Tydlaska charges $15. ("I know it sounds silly," he says, "but it takes all of 15 seconds to do it.") Or Tydlaska might serve as an expert witness on data storage. ("Where else can you work two or three hours a day for a thousand dollars?") Or he might do a little computer forensics work himself ("You never want to see me walking into an office building at 8 o'clock at night.")

It's Tydlaska's arcane knowledge and vast collection of backup tape equipment, however, that bring even other e-detectives to his door.

David Stenhouse, director of operations at Computer Forensics Inc., which specializes in the discovery of electronic evidence, is, like Tydlaska, both gumshoe and packrat: "We try to save old tape drives, old manuals, old software," he says, "because you might have to use it. I routinely go through half-price bookstores and look for old software manuals, just in case."

Sometimes, though, even Stenhouse is stumped by a particularly obscure tape format, which is when he turns to Tydlaska. Not that there isn't a little professional pride involved. "We've only contacted Lee as the result of a rare or old tape format," Stenhouse clarifies. "Most of the time we can do the work on tapes in our Seattle lab."

Tydlaska says only five or six companies in the world have his level of expertise in backup tapes. "I'm No. 4 or 5," he says. No. 1, he believes, is Gordon Stevenson, who runs Vogon International in England. "He's a certified genius," says Tydlaska. "I'm a very dim candle compared to him." In the No. 2 slot he places Ontrack Data International, a publicly traded data recovery specialist headquartered in Eden Prairie, Minnesota. Ontrack has seen rapid growth in its data-collection division. Revenues went from $4,554,000 in 1999 to $8,027,000 last year. It's now being acquired by New York-based security firm Kroll for $140 million.

Kirsten Nimsger, an Ontrack attorney who consults with corporations and law firms, says the Enron case has accelerated the awareness of computer forensics. "The whole situation involving that company definitely brought the eyes of the public onto the importance of electronic communication and electronic evidence."

But Enron is not the only recent case that's increased public awareness of computer evidence. Microsoft was hammered by internal e-mails suggesting it knowingly leveraged its operating system monopoly against Netscape. And e-detectives, in a blaze of publicity, searched Chandra Levy's computer for clues to her whereabouts. Daniel Pearl's executioners were tracked down using Hotmail headers in their not-so-anonymous ransom notes. The attorney general of New York unveiled e-mails suggesting that Merrill Lynch analysts and its investment bank are not adequately separate.

"Awareness of computer security as a whole is kind of on the upswing," says Laura Koetzle, an analyst with Forrester Research. "As mainstream companies get more interested in computer security and realize that they don't know very much about it, there's more of a market for it."

Koetzle notes that corporate information technology workers don't generally have much computer forensics experience. "There's a real dearth of people who know how to do this stuff, and some of the people responsible for information security at large companies are seriously underprepared for the job."

This lack of preparation has led to greater demand for computer forensics training. "There's definitely been a pickup of interest," says Rob Lee, an instructor at the SANS Institute. A series of courses at SANS instructs students, from both corporate information technology departments and law enforcement, on how to make evidentiary copies of hard drives (never alter the original evidence, for starters) and wield tools like Guidance Software's EnCase, a user-friendly program that lets them see, categorize, and search for supposedly deleted data. (Guidance offers such courses, too.)

When it comes to litigation, companies often hire computer forensics firms. But not every investigation involves a lawsuit. "The internal investigations are a big concern for organizations," says Lee. "Most computer security incidents are still not reported to the authorities." Companies are generally too worried about tarnishing their image in front of stockholders, partners, and customers.

Lee sees more companies becoming proactive about computer forensics: "There's a trend saying that because we know there's a lot of internal incidents, you could have a high success of investigating them and thus have a direct benefit as well as overall reduction of cost."

But, says Stenhouse, "all the training in the world is not going to do you any good until you get out there on your own and do your own interpretation of the data. If you can't interpret it, if you can't explain how the data got to that location, or why it's there, or what exactly it means, then you're not doing your client any good."

Which is why companies and corporate law firms, he says, are inclined to hire e-detectives with real-life law enforcement experience. Stenhouse, for example, worked in the Secret Service, and before that was a trooper with the Washington State Patrol. "Within the past few years, most of the people who've gotten into this business have been former law enforcement," he says. "Those are the people who have been formally trained, who have the most experience in evidence preparation."

According to Forrester's Koetzle, demand for such experience will grow as companies become increasingly willing to come out of the closet with information-security incidents. She cites a recently published survey conducted by the Computer Security Institute and the San Francisco branch of the FBI, in which 34 percent of respondents reported intrusions to law enforcement last year -- up from just 16 percent in 1996.

"If companies are willing to go into a lawsuit about an information security incident, they're going to need the services of folks who are skilled in evidence preparation," she observes.

Market figures for the computer forensics field are hard to come by, she says, mainly because of all the secrecy involved. But if there's a rising number of accounting scandals, corporate lawsuits and investigations by government agencies, it can only be good news for computer forensics experts.

Nimsger reasons that since the portion of communications that are created electronically is ever larger, and only a small percentage of it is printed out, the vast majority of evidence is going to exist electronically. Thus, she concludes, "every investigation and every piece of litigation in America should consider electronic evidence."

The fact that not all investigations do -- yet -- suggests growth potential for the field. Old habits die hard, and there are a lot of old attorneys. The task of "educating" them about computer forensics falls to the likes of Scott Stevens, director of business development for New Technologies Inc. "You get the litigator who's been doing things one way for 30 years and tell him, 'Don't worry about the documents on the floor. We'll find five copies on the computer, and not just the final draft but all the previous ones.' You tell him that going and getting this stuff is actually pretty straightforward, that we've got it down pretty much to a science. But the young partners relate much better to this."

Once an attorney loses a case due to electronic evidence, however, he learns fast, says Stevens. "We've won over a lot of clients by having them on the other side first," he chuckles.

Ignoring electronic evidence is becoming increasingly hard for lawyers to do. "People are creating exhibits at a breakneck pace," says Nimsger. E-mail in particular is proving to be a gold mine for litigators, as in the Microsoft case. Nimsger relates a less well-known case involving the diet drug Fen-Phen.

"There was a product liability case brought by the family of a woman who died taking the drug, and the plaintiff's attorney in that case uncovered an e-mail from somebody in the accounting office of the drug manufacturer that read, 'Do I have to look forward to spending my waning days writing checks for fat people with some silly lung problems?' It was first of all a horrible thing to say and to memorialize in writing, but clearly it was evidence against the manufacturer when the case was reckless indifference for human life."

"We've seen e-mail that's just fantastic stuff for the investigation," says Stevens. "People say things in e-mail they won't say anywhere else. It sticks around in ways that they don't understand."

Electronic data can be gotten rid of, certainly, but it's not as simple as emptying the trash, which merely leaves the data sitting in portions of the hard drive that are now marked as unallocated. Unless that data is overwritten as the hard drive fills up, it could sit there for years. Wiping programs, also called scrubbing utilities, will overwrite deleted data with meaningless ones and zeros, but computer forensics specialists can still detect when the data was "wiped." This could lead to problems -- like a forced settlement -- if a wiping program was used after the date on which a court order dictated the cessation of document destruction.

A scrubber will, however, usually put data beyond the reach of investigators.

"The human aspect of that, though," says Stevens, "is that generally speaking the people who are doing these things -- stealing trade secrets, committing crimes -- are far too arrogant to think they'd ever get caught. And from a practical standpoint, they don't have the time to scrub their machines every time they do something wrong. So these tracks stick around."

"Part of the difficulty of getting rid of data," says Kevin Bluml, a forensics engineer at Ontrack, "is that there's so many places it can hide." E-mails, for example, bounce between multiple servers and computers, all of which are regularly backed up, so any message is bound to leave a trail.

Bluml's job is to find incriminating data, wherever it may reside. "We see everything from floppy disks to small tapes to the old-style 24-inch reel tapes you see in the movies," he says. "Then you've got CDs, optical discs, PDAs ... Anything that could store data, we could end up seeing."

Occasionally a new piece of hardware comes along that initially stumps investigators. Stenhouse mentions one of the newer Thumb Drives. "There's one that requires a thumbprint onto the Thumb Drive itself. They have a pad where you actually have to put your thumb on it when you plug it in. Well, right now if you gave me one I would have to ponder how to forensically gather the data off it."

Lee Tydlaska has been pondering Thumb Drives, too. "In the porn area, where are they gonna store their pictures? Well, they can store them on these and not even have to have it in their computers. They're easily destroyed and easily overlooked."

That's the gumshoe in him talking.

But there's another side of him pondering the Thumb Drive, and indeed all kinds of new storage technologies: the museum curator. One day, he knows, all this newfangled stuff will be forgotten.

Just not by him.

By Steve Mollman

Steve Mollman writes about technology for publications around the world.
