The man who said he had fixed a bomb around a girl's neck handed his name to police ... on a flash drive The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory.Court documents unsealed Tuesday describe the harrowing Aug. 3 incident, which began when a man broke into Madeline Pulver’s bedroom wearing a striped balaclava and wielding a black aluminum baseball bat. He told her to sit down and chained a black box around her neck.He also draped a purple lanyard over the terrified girl with a note saying that the black box was a bomb. The note included ransom instructions for Pulver’s family, telling them to e-mail a Google address — dirkstraun1840@gmail.com — for further instructions. Also on the lanyard was a 4GB USB stick that contained a digital version of the note, saved as a pdf file.The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.” On Monday, U.S. authorities arrested Paul “Doug” Peters, 50, in La Grange, Kentucky, seeking to extradite him to Australia to face kidnapping and breaking-and-entering charges. It’s not clear why Peters attempted such a bizarre crime, but U.S. prosecutors say he once worked for a company linked to Pulver’s family. The girl’s father, Bill Pulver, is the CEO of voice recognition software company Appen Butler Hill.Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say. Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.As computer geeks and investigators know, when users delete a file from a computer the file isn’t deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.With flash drives things are more complex, thanks to mechanisms built into the drives to prolong their lifespan. Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called “wear leveling” to even out how the memory cells are used. A side effect of wear levelling is that it is “almost impossible” to completely erase data from a flash device, McClain said.That can come in handy for people trying to recover photos or other files they’ve accidentally deleted, and there are many tools, some of them free, to help recover their data.The collar bomber’s first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user’s login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then “Prepare” and “Properties.”Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com Related content news Multibillion-dollar cybersecurity training market fails to fix the supply-demand imbalance Despite money pouring into programs around the world, training organizations have not managed to ensure employment for professionals, while entry-level professionals are finding it hard to land a job By Samira Sarraf Oct 02, 2023 6 mins CSO and CISO CSO and CISO CSO and CISO news Royal family’s website suffers Russia-linked cyberattack Pro-Russian hacker group KillNet took responsibility for the attack days after King Charles condemned the invasion of Ukraine. By Michael Hill Oct 02, 2023 2 mins DDoS Cyberattacks feature 10 things you should know about navigating the dark web A lot can be found in the shadows of the internet from sensitive stolen data to attack tools for sale, the dark web is a trove of risks for enterprises. Here are a few things to know and navigate safely. By Rosalyn Page Oct 02, 2023 13 mins Cybercrime Security news ShadowSyndicate Cybercrime gang has used 7 ransomware families over the past year Researchers from Group-IB believe it's likely the group is an independent affiliate working for multiple ransomware-as-a-service operations By Lucian Constantin Oct 02, 2023 4 mins Hacker Groups Ransomware Cybercrime Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe