To understand how technological changes have influenced the way law enforcement has approached digital forensics, it helps to understand the connection between horses’ rear ends and space shuttles.
“One of the things that we do in computer forensics is we have to make connections—why does not this work?” said Stephen Flatley on July 25 at Fordham’s Lincoln Center campus.
Flatley, a senior forensic examiner at the FBI, explained that the booster rockets that were designed to carry the space shuttle into orbit were built in Utah. Because they had to be transported by train to the launch pad in Florida, they could only be as wide as the tunnels those tracks traveled through. Those tunnels were in turn built around the width of the tracks, which was derived from the width between carriage wheels, which were designed to accommodate the rear ends of two horses hitched up side by side.
“So the tunnel was only so big because the tracks were only so wide because the horse’s ass is only so big,” he said to laughter at a panel presentation called “From Herding Cats to Device Encryption, a Look Back at 10 years of the International Conference on Cyber Security,” held on the third day of the International Conference on Cyber Security.
The horse-space shuttle story is helpful for understanding the ways that past decisions can impact current realities, he said. Up until 2005, he noted, computer hard drives could handle no more than two terabytes, because a key aspect of the Windows Operating System known as BIOS (Basic Input/Output System) was designed when the predominant file system was FAT32. FAT32 was never designed to handle that much information. But in 2005, Apple’s operating system began to catch up with Windows, and since it used a different system called EFI (Extensible Firmware Interface), it did not suffer from this limitation. Modern PCs no longer use FAT32 either, and today hard drives as large as 14 terabytes are available.
Flatley noted that when he first started in 2005, a suspect might have a single laptop the FBI needed to examine. Years later, a suspect might have multiple thumb drives, a cell phone, a laptop, and a desktop. Now? They might have everything they need on a single top-of-the-line iPhone, which has 512 gigabytes of storage. But while storage has increased, data transfer speeds have not.
“That makes our lives a lot more hanging around, just watching the progress bar, which is all well and good if you’re in a lab, and there’s a lot of coffee nearby. But if you’re out in some guy’s living room, or you’re in a parking lot somewhere, or at a baggage terminal at JFK, do you want to spend an hour there while you copy a one terabyte drive? Not really,” he said.
“We used to go out on a search, kick in some dentist’s office door at six in the morning, copy all the machines, and be home by 10:30, 11 in the morning. Now, we go out there and say look, ‘We can sit here for the next two days and have a conversation with you, or we can grab all this stuff, and bring it back to the lab, and bring it back in a day or two.’ They say, go ahead, take it.”