FBI hopes hard drive will shine light on Conn. shooter's motive

It's possible that the drive will be unreadable

The FBI is reportedly examining a hard drive found in the bedroom of Connecticut school shooter Adam Lanza in the hopes that they can glean insight into the 20-year-old's activities before the Friday rampage that left 28 people -- including Lanza himself -- dead.

Although police have refused to publicly confirm that they're using forensics technology to retrieve information from the drive, published reports cited police officials who said a drive, broken into pieces, was found outside of Lanza's computer.

According to those sources, FBI forensics experts will examine the drive to try to figure out who Lanza corresponded with before the massacre and how else he may have used the computer.

Lanza, who lived in his mother's Newtown, Conn. home, shot his mother in the head with a rifle early Friday, according to police. He then went to Sandy Hook Elementary School with his mother's AR-15 .223 caliber rifle, two semi-automatic handguns and enough ammunition to kill everyone in the school, police said. Lanza killed 20 students, all of them 6 or 7 years old, and six faculty members before police arrived. He committed suicide at the school by shooting himself.

Little is known about Lanza's personal life. According to media reports, his mother was a private person who rarely talked about her son.

"They're going to try to find a reason why ... he went from fantasizing about this to doing it," said Marc Rogers, chair of the Cyber Forensics Program in the Department of Computer and Information Technology at Purdue University. "Were there any early indications that he was getting ready to act these fantasies out? In some cases there are and in some there aren't."

Lanza's rampage was likely done for "maximum media impact," Rogers said, so investigators will also be looking for a manifesto or some other statement the 20-year-old may have left on his computer or communicated to someone electronically.

Michael Kessler, CEO of forensics data recovery firm Kessler International, said that if Lanza knew enough to remove the hard drive from his computer and break it, it's unlikely investigators will be able to retrieve data from it.

"Obviously, they [law enforcement] have a lot of resources to do it. And, if the drive's platters aren't smashed they can put them into another drive and read them," he said. "But if he [Lanza] broke the platters, the likelihood of data recovery is slim to none."

According to Brian Cane, a consultant with ECO Data Recovery in Florida, the recovery effort will hinge on how technically savvy Lanza was - whether or not he knew to break, scratch or drill holes in his drive platters.

A hard drive looks a little like a vinyl record player: it has platters, and actuator arms with read/write heads. The platters spin at anywhere from 5400 to 7200 rpm in most consumer drives, and the read/write heads write data to and read it back from sectors on the platters. Think of sectors like songs on an LP, but with vastly more data.

Modern read/write heads hover over platters at a distance equal to about one-tenth the thickness of a human hair. Therefore, any pit or scratch in a drive platter's surface has the potential to damage the read/write head and render the drive useless, according to Cane.

"It's like taking a jet airplane on the ground and at full speed going over a pot hole. You're going to do damage to the head by going over the pot hole," he said. "And, every time you go across that part of the platter, you're going to chew up the heads."

If Lanza were technically proficient, Cane said, he could have also overwritten his drive, which means the zeros would have become ones and ones would have become zeros, essentially wiping the drive of any retrievable data.

Rogers disagreed that data cannot be retrieved if a drive's platters are broken, scratched or punctured. As long as some areas of the platter's surface are intact, there are electromagnetic devices that can read the data and transfer it to a new hard drive, he said.

Many of the devices for reading damaged drives come from Soviet-era Russia, when intelligence agencies were attempting to recover top secret information from electronic media that had been intentionally damaged.

"As long as it can read the magnetic flux even on a portion of the drive, there is a possibility to recover that data," Rogers said.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.


Copyright © 2012 IDG Communications, Inc.
