Preserving shuttle data will be key to finding cause
- — 04 February, 2003 10:20
While it is unlikely that any data on board the space shuttle Columbia survived the fire of re-entry and the fall to earth on Saturday, a computer forensics specialist in Seattle said on Monday that a lot of information transmitted from the spacecraft will be vital to NASA's investigation of what went wrong.
Within an hour or so of the crash, NASA announced that it had locked down computer systems in order to preserve data. That's the first step in preserving data that will be key to any investigation, said David Stenhouse, director of operations at Computer Forensics Inc.
In cases where he has worked at preserving data critical to investigations, Stenhouse said, the computers of key people are essentially frozen and all backup tapes stored. "You have to make sure that no one changes anything on their computer system," said Stenhouse, who worked for the Secret Service before joining Computer Forensics.
After the computer is secure, it can't be altered in any way, meaning it can be started only with a boot disk. That disk will keep the computer from writing data back to its own drive and will allow for a copy of the hard drive to be made. After the copy is made, the computer goes into storage and isn't touched again.
"You want the best evidence, [and] you want it untouched," Stenhouse said.
The backup copy can be pored over, taken apart and analyzed, and investigators will always have the original, preserved and untouched.
Stenhouse said the same would be true for any electronic component that might have survived the crash. If the shuttle's computer systems were working properly and were recording activity just before the breakup began, those systems must be handled very carefully. However, he doubted that anything could have made it to the ground intact. "I am not sure any of that stuff could have survived," Stenhouse said. "That's a long fall."
Another aspect of the investigation will be to find out what NASA officials were thinking prior to the crash. Stenhouse, noting news reports of internal memos in which engineers voiced concern that the shuttle was damaged on takeoff, said, "Those memos were written on a computer."
The computers of all key personnel should be secured and copies or "mirrors" made of the hard drives. In addition, all backup tapes for e-mail and networks should be secured. By studying data on a person's computer, investigators can often get a good idea of what officials were thinking and why, he said.