Retrieving the most talked about video in Toronto likely took patience, skill and more than a little blind luck.
On Thursday, Toronto Police Chief Bill Blair revealed that Toronto Police retrieved a hard drive as part of “Project Traveller,” a large-scale investigation related to drugs and gangs. On that drive, Chief Blair said, investigators found a video file, the contents of which were consistent with previous media reports that alleged the video showed Toronto Mayor Rob Ford smoking what appears to be a crack pipe.
Chief Blair added that the file had been deleted prior to the seizure of the hard drive, but that police had uncovered it anyway.
The revelation shines a light on an often overlooked aspect of modern computers – they do an extremely poor job of wiping out information, even when a user wants that information gone.
In almost all cases, a file deleted from an ordinary computer is never truly deleted. Instead, the computer’s operating system effectively marks the hard drive space where the file used to reside as free for use, and transfers the data to a kind of low-level garbage dump that is largely inaccessible by regular users.
There, a deleted file might reside in whole or in parts for days, weeks or years – in many ways, the likelihood that a deleted file will still be retrievable at a future date is partially a function of luck. In some cases, the file will be fairly easy to retrieve because it has not been overwritten with new data.
Still, even if the deleted data remains somewhere on the hard drive, retrieving it in one piece is sometimes exceedingly difficult. In many cases, the file can be split up into myriad parts, forcing an investigator to meticulously search for each piece. That process can take months.
“It’s not easy,” said Daniel Tobok, President of Digital Wyzdom, a computer forensics firm recently acquired by Telus. “It’s like putting together a jigsaw puzzle, especially with audio and video files.”
There are ways for security-conscious users to ensure their data is truly impossible (or at least, very difficult) to retrieve. For example, a user can install and run software that not only deletes a file, but overwrites the space where it used to exist with a series of random zeros and ones.
In this case, since the police were able to retrieve the file, it is unlikely the owner of the hard drive took such precautions, Mr. Tobok said.
But even if a file is not fully deleted, finding it is also made difficult because there are usually no clear pointers to the data. As such, the process of retrieving deleted information is normally almost impossible if the investigator doesn’t have a good sense of exactly what that data is.
“It’s not easy to find those types of files unless you know what you’re looking for,” Mr. Tobok said.
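The behaviour described above can be shown on a toy model. The sketch below is an added example, not part of the original article and not any forensic tool's code: the `ToyDisk` class, the 16-byte block size and the `VIDHDR`/`VIDEND` signatures are all constructed for illustration. It shows that an ordinary delete drops only the pointer to the data, that a signature search can recover a contiguous file only when the examiner knows what to look for, that a fragmented file comes back scrambled, and that overwriting before release leaves nothing to find.

```python
import os

BLOCK = 16                               # toy block size (constructed)
HEADER, FOOTER = b"VIDHDR", b"VIDEND"    # constructed signatures, not a real format
SAMPLE = HEADER + b"constructed-frame-data-0123456789" + FOOTER

class ToyDisk:
    """Constructed model: raw blocks plus a directory of name -> block list."""
    def __init__(self, nblocks):
        self.raw = bytearray(nblocks * BLOCK)
        self.directory = {}
        self.free = list(range(nblocks))

    def write(self, name, data, blocks=None):
        need = -(-len(data) // BLOCK)            # ceiling division
        blocks = blocks or list(self.free[:need])
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free.remove(b)
        self.directory[name] = blocks

    def delete(self, name, overwrite=False):
        for b in self.directory.pop(name):       # the pointer is dropped here
            if overwrite:                        # bytes change only if overwritten
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.free.append(b)

def carve(raw, header, footer):
    """Scan raw bytes for header..footer with no help from the directory."""
    start = raw.find(header)
    end = raw.find(footer, start + len(header)) if start != -1 else -1
    return bytes(raw[start:end + len(footer)]) if end != -1 else None

def scenario(overwrite=False, blocks=None):
    """Write the sample file, delete it, then try to carve it from raw bytes."""
    disk = ToyDisk(8)
    disk.write("clip.vid", SAMPLE, blocks)
    disk.delete("clip.vid", overwrite)
    return carve(disk.raw, HEADER, FOOTER)

if __name__ == "__main__":
    print("plain delete, contiguous recovered:", scenario() == SAMPLE)
    print("plain delete, fragmented recovered:", scenario(blocks=[0, 5, 2]) == SAMPLE)
    print("overwritten before release        :", scenario(overwrite=True))
```

In the fragmented case the header and footer are still found, but the bytes between them belong to other blocks, which is the jigsaw problem Mr. Tobok describes.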