The current sedition trial of RPK is fairly interesting. I think it is the first high-profile case here that involves both a serious crime and computers, and I find it interesting because computer forensics is being introduced as evidence. However, things did not turn out quite as the prosecution expected, as the prosecution witness seems to have testified that no evidence was found on RPK’s computers.
According to this article from TheStar: “A computer forensics investigator told the Sessions Court here that data on a notebook computer seized from Malaysia Today editor Raja Petra Raja Kamarudin had been deleted. ASP Wa’ie Isqal Kria Abdullah, 38, said this was why there were no records of the computer accessing the Malaysia Today website between April 11 and April 26 this year.”
The reason I find this interesting is that it reveals a great deal about the procedures employed and the capabilities of our computer forensic investigators. It is quite common for bloggers to compose and publish their blog entries directly through a web interface. As a result, there should not be any documents held on their hard disk at all, except possibly in the browser cache, which is cleared periodically.
So, the typical procedure when investigating any crime that involves an online website is to seize the servers that hold the website content. Granted, this is more difficult to do if the servers are located in an overseas jurisdiction. Although all their servers are now located overseas, I do seem to recall that Malaysia-Today had some servers located in Malaysia in the recent past.
Now, assuming that RPK is an old man who likes to use an offline word processing tool to compose his entries before uploading them to the server, there may be some files stored on his computer. As a precaution, RPK may have deleted these files once he was done with them. However, even Hollywood knows (one of the rare times it is actually right) that deleted files can still be recovered, unless of course the files never existed in the first place.
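To show why deletion alone does not defeat an examiner, here is an added illustration (my own toy code, not anything from the trial or the investigators): a constructed disk image with a directory table and data sectors, where “deleting” a file only clears its directory flag, so a scan of the raw bytes for document header and trailer markers (here the real PDF markers `%PDF-` and `%%EOF`) still recovers it. The on-disk layout and the sample documents are invented for the demonstration.

```python
import struct

SECTOR, DIR_ENTRIES = 512, 4
ENTRY_FMT = "<16sIIB"                    # name, first sector, size in bytes, in-use flag
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # the directory table lives in sector 0

def make_image(files):
    """Build a constructed disk image: one directory sector, then the file data."""
    image = bytearray(SECTOR)
    for i, (name, content) in enumerate(files):
        struct.pack_into(ENTRY_FMT, image, i * ENTRY_SIZE,
                         name.encode(), len(image) // SECTOR, len(content), 1)
        image += content + b"\0" * (-len(content) % SECTOR)  # pad to a sector boundary
    return image

def list_files(image):
    """What a normal directory listing shows: only entries whose in-use flag is set."""
    entries = [struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE) for i in range(DIR_ENTRIES)]
    return [name.rstrip(b"\0").decode() for name, _, _, in_use in entries if in_use]

def delete_file(image, name):
    """Delete the way most file systems do: clear the in-use flag, leave the data sectors."""
    for i in range(DIR_ENTRIES):
        entry = list(struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE))
        if entry[3] and entry[0].rstrip(b"\0").decode() == name:
            entry[3] = 0
            struct.pack_into(ENTRY_FMT, image, i * ENTRY_SIZE, *entry)

def carve(image, header, footer):
    """Recover documents by scanning raw bytes for header/footer pairs, ignoring the directory."""
    found, pos = [], SECTOR
    while (start := image.find(header, pos)) >= 0:
        end = image.find(footer, start)
        if end < 0:
            break
        found.append(bytes(image[start:end + len(footer)]))
        pos = end + len(footer)
    return found

# Constructed sample: two tiny PDF-like documents (real PDF header and trailer markers).
SAMPLE_FILES = [
    ("draft1.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"),
    ("draft2.pdf", b"%PDF-1.4\n2 0 obj << /Type /Page >> endobj\n%%EOF"),
]

def demo():
    """Delete one document: the listing loses it, but carving still finds both."""
    image = make_image(SAMPLE_FILES)
    delete_file(image, "draft1.pdf")
    return list_files(image), carve(image, b"%PDF-", b"%%EOF")
```

Real file systems add fragmentation and reuse of freed sectors, which is why carving tools work on header/footer pairs and why data can genuinely disappear once those sectors are overwritten.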
Another interesting thing to note about the investigation is that the investigating officer limited his search of the computer to specific folders, in accordance with the terms of reference for his investigation. One would think that files can be hidden anywhere on a computer and not necessarily in the “My Documents” folder. That is why the DPP has requested that the search be expanded to the rest of the hard disk.
Personally, I think it was a good thing that the investigating officer did not go on a fishing expedition. This reflects a sense of professionalism on his part: following the rules when looking for evidence rather than just blindly tossing things about. However, it also reveals to me a lack of technical knowledge on the part of the investigators, which does not bode well.
If the police can be stopped by a simple file deletion, I shudder to think how they would go about extracting evidence from encrypted volumes. Any technology-inclined person worth his salt would have his hard disks encrypted, if only for privacy reasons. So, I seriously wonder about the police’s ability to investigate really serious commercial crimes.