Many computer users, including some who should know better, are unaware that deleted files can be
recovered — undeleted — and can yield information which can be used against the
person who deleted them. This information can be as common as a deleted email message or as
important as sensitive business records or government transactions. Those who are less technically
astute may assume that if a file doesn't show up in a directory (or folder), it's gone forever. Few
people know that deleted files are not erased; the data is just hidden, and the files can be undeleted.
Still fewer users know how to undelete files, either to recover from accidental deletion or to "go fishing"
for interesting data. It is unlikely that your little sister can undelete your files, but there
are several US government agencies which — if properly motivated — could perform
some amazing feats with your old computer.
Apparently there are many security-conscious individuals -- even some who own paper shredders -- who don't know
or don't care about residual information from their deleted computer files. But there have been many
public figures in recent history who have learned about this issue the hard way. That's how U.S. Senate
investigators got evidence on Col. Oliver North.[1] E-mail messages that North believed to be deleted
were found and used against him in litigation.[2] A total of 758 e-mail messages were sent, involving
him in the Iran-Contra affair, and every one of them was recovered.[3] Ironically, this problem becomes
more difficult if you make backup copies of everything on your computer, as you should. And of course, if information escapes onto
the internet, it's free to wander around forever.
"Computer forensics" is the term for recovering other people's deleted or "lost" data. This can be
done as a favor to you when your computer has crashed (where the word "favor" means a commercially available
service which costs a lot of money), or it can be done by a law enforcement agency when your computer has been
seized as evidence. In the latter case, you can be sure that anything embarrassing that is found on your
computer can and will be used against you, whether or not it pertains to your alleged criminal conduct.
Files and subdirectories can be hidden, too, although this was easier to accomplish under
MS-DOS than it is with Windows.
Usually the originator of a hidden file (or subdirectory) is the
only one who knows that it exists. However, merely hiding a file offers no
protection once the file has somehow been discovered. Hiding a file makes no
difference after the file has been deleted, since all deleted files are hidden, to some extent.
Encryption can be used to protect files whether they are deleted or
not. Encryption products are available in various strengths, for
particular levels of security, but that is another topic altogether.
Simple deletion of a file is adequate if your only goal is to reduce
clutter and make more space available on the disk drive (or floppy),
and this is the quick and easy thing to do if the deleted files are of
no interest to anyone else. However, before you sell or give away
an old computer, you should seriously consider wiping the entire hard drive,
especially if the hard drive has ever contained sensitive information
from your business or personal life. Just putting an old computer in
the trash dumpster behind your place of business can result in the
compromise of all your "company confidential" files, trade secrets,
and proprietary data.
Recovery of a file through software is impossible after the file has been
subjected to a single overwrite with other data, and recovery through more
elaborate techniques is generally thought to be impossible after ten or twelve
passes with random data rewriting the same sector of the disk. So it's
safe to say that wiping a file one time is enough to destroy it, for almost all
practical purposes. Your disgruntled employees, nosy family members, and
small-town private eyes won't be able to recover a wiped file.
The primary hazard associated with the use of file wipers is that you may accidentally
erase a file that you wish you hadn't. If that happens, give it up. Your
file is gone. If you use file-wiping power tools, be sure you know what
you are doing, because it is possible to do a lot of permanent damage.
In theory at least, after a file has been wiped, examination of the disk with an electron
microscope can still reveal the previous contents of the wiped area, because the
obliterating bytes are not written in exactly the same tracks as the original data and
there is still a little of the original data left around the edges. For this reason,
government-grade wiping involves multiple passes, typically writing ones and zeros on
alternate passes, and perhaps finishing by writing random bits.
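The pass schedule described above (ones and zeros on alternate passes, then random bits), as an added example that is not part of the original page or of any product it lists. The function names, the five-pass default and the sample data are assumptions.

```python
import os
import secrets
import stat
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files need little memory

# Assumed schedule: ones and zeros on alternate passes, random bits last.
# None means "fill this pass with random bytes".
DEFAULT_PASSES = (0xFF, 0x00, 0xFF, 0x00, None)


def _fill(n, pattern):
    return secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n


def overwrite_file(path, passes=DEFAULT_PASSES):
    """Overwrite every byte of an existing file in place, once per pass.

    Added caveat: this reaches the original sectors only where the file
    system rewrites blocks in place; journaling or copy-on-write file
    systems and flash media may keep older copies elsewhere.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # Refuse directories, devices and symlinks (a symlink would send
        # the overwrite to whatever it points at).
        raise ValueError(f"refusing to wipe non-regular file: {path}")
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = st.st_size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(_fill(n, pattern))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return st.st_size


def file_is_all(path, value):
    """True if every byte of the file equals `value` (verifies a fixed pass)."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk != bytes([value]) * len(chunk):
                return False
    return True


def file_contains(path, needle):
    with open(path, "rb") as fh:
        return needle in fh.read()


def wipe_and_delete(path, passes=DEFAULT_PASSES):
    """Run the full schedule, then remove the directory entry."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo():
    # Constructed sample data, not real records.
    secret = b"CONSTRUCTED-SAMPLE: account 0000-0000 balance 1234.56\n"
    fd, path = tempfile.mkstemp(prefix="wipe_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 5000)  # large enough to span several chunks
    size = os.path.getsize(path)

    result = {"expected_size": size, "secret_before": file_contains(path, secret)}
    overwrite_file(path, passes=(0xFF,))  # a single pass of ones
    result["single_pass_all_ones"] = file_is_all(path, 0xFF)
    result["secret_after_one_pass"] = file_contains(path, secret)
    result["size_unchanged"] = os.path.getsize(path) == size
    result["bytes_wiped"] = wipe_and_delete(path)  # full schedule, then unlink
    result["removed"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```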
Even after wiping a disk, if you are protecting data from a foreign
government (or your own government), you may have lingering doubts about
the destruction of your most sensitive files. Let's say, for example,
that you are an orchid grower in Houston, and you suspect that
a heavy-handed investigation by
the Fish and Wildlife Service is about to get underway, and your computer could be used
as evidence against you. You might want to consider physical destruction of your
computer's hard drive, or the shredding of a floppy disk.
Please note that the information on this page is provided for educational, entertainment and
information purposes only, and is not intended to facilitate any unlawful activity. As
a condition of your use of this web site, you warrant to us that you will not
use this web site for any purpose that is unlawful or prohibited by the terms,
conditions, and notices in our
all-inclusive Disclaimer. The
entire risk arising out of your use of this web page is assumed by you. Regardless
of any appearance to the contrary, we do not warrant, guarantee, or make any
representation regarding the correctness, accuracy, timeliness, veracity,
appropriateness or suitability of the information on this page. As I always say,
any actions you take based on whatever you saw, or think you saw, on this site are
entirely your own responsibility.
Mass erasure of magnetic media (tape or disks) is called bulk erasing or degaussing. People who work in
radio and TV stations often bulk erase tapes before reusing them. Once in a while, the bulk eraser is
also used to obliterate the contents of floppy disks, DAT tapes, or other media. Computer hard drives
can be erased this way as well; however, the magnetic forces in an industrial-strength bulk eraser are so
strong that the platters and other components of a hard drive are likely to be mechanically damaged in the
process, so this is recommended only for drives that are about to go into the trash.
Do not degauss ZIP disks if you have any intention of reusing them. ZIP
disks are shipped with a magnetic servo pattern recorded on the disk. Bulk erasing
or degaussing a ZIP disk will make it unusable. A ZIP disk cannot be reformatted
after it has been bulk erased.* ZIP disks are rapidly becoming unpopular, since CD-ROM and DVD-ROM
drives are now affordable. (Before you purchase a ZIP drive, you might want to read this also.)
Depending on the make and model, it may also be true that hard drives are not reusable
after bulk erasing them with an electromagnet, because degaussing wipes out
the low level formatting (track and sector markings) of the drive.*
In the case of floppy disks, the magnetic medium is easily extracted from
the shell of the disk, and it slides easily into a paper shredder. In an
emergency, if you are away from your shredder, you could remove the
magnetic film from a floppy disk, stuff it into an empty aluminum beverage
can, crush the can, and drop it into the trash. Preferably in someone
else's trash can. This technique works well for small scraps of paper, too.
A few words about "jump drives"
The recent development and popularity of removable solid-state storage devices, called "Jump drives", "Thumb
drives", "Flash drives", "Keychain drives", and so on, have opened up another aspect of the
emergency disposal problem. As in the case of floppy disk media (when extracted from the shell),
most solid-state USB drives can be stuffed quickly into a soda can and dropped in the trash, if you
really don't want to be caught with the drive and its contents, or if you just want to dispose of the
device without someone else exploiting it. The drives are already quite inexpensive, and if they keep
getting cheaper, they could be considered disposable. Keep in mind that a trash can is often the safest
place to store something for a few minutes: Trash cans aren't emptied more than once a day, at least
where I work.
The widespread use of "jump drives" creates a new and very large privacy risk: If you use such
a device at work, someone could "borrow" your jump drive while you're away from your desk, explore it,
copy it and return it -- without your knowledge!
Please remember -- regardless of what you may have read in the preceding paragraphs -- the management of
akdart.com does not condone or endorse industrial espionage or unprofessional conduct in the workplace.
Hard drives are a little tougher to destroy than floppies, and obviously more expensive
to replace. A good method of destruction might involve a few blows from a
sledgehammer, an hour or more in a very hot fire, or – if you like chemistry – an
acid bath. Perhaps even a "cement overcoat" and a trip to the nearest lake or really
deep river. It pays to be creative.
The reason for all this extra care in disposing of hard drives is that there are people whose
hobbies include dumpster
diving in search of things like old computers. Remember, even if the hard
drive's electronics are destroyed, data remains on the disk platters until they are also
physically destroyed.
As you may recall, a U.S. Navy EP-3 military surveillance plane was forced
down by the Chinese in April of 2001, and according to news reports, the crew
hastily zeroized the
disk drives on the plane before the crew and the plane were taken into
custody. Evidently they did a good job, because the Chinese government let the
matter drop a few days later. As far as I can determine, the plane is still
in the hands of the Chinese government.*
Slack space is another problem, if there has ever been anything on your computer's hard drive that
you don't want anyone to discover. When a large file is deleted from a disk drive, and then a smaller
file is stored in the same place on the disk drive, the contents of the large file – except for
the part covered by the smaller and newer file – still remain on the disk and can be
recovered. If the newer file is really small, and sometimes files are only a few bytes,
the chances of recovering almost all the contents of the large file are very good. Disk space
is allocated in clusters of as much as 32k-bytes. As long as the newer and smaller file is
not deleted, the information in the slack space will stay on the disk. This is a rich
source of information – in bits and pieces – for "investigators"
with various motives.
Good file wiping programs usually include provisions for wiping slack space on individual files, as well as
clearing out all the unused space on a disk drive.
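A toy model of the slack-space effect and of wiping slack and free space, added here as an illustration and not taken from the original page or from any product it lists. The ToyDisk class, its lowest-free-cluster allocation rule and the sample records are assumptions; the 32 KB cluster size is the figure from the text.

```python
import re

CLUSTER = 32 * 1024  # cluster size cited in the text
RECORD = re.compile(rb"REC\d{5} constructed-sample-record\n")


class ToyDisk:
    """Simplified model: a flat array of clusters plus a file table."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))  # lowest free cluster is reused first
        self.files = {}                    # name -> (cluster chain, size in bytes)

    def _cluster_bytes(self, cluster):
        return bytes(self.data[cluster * CLUSTER:(cluster + 1) * CLUSTER])

    def write(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if need > len(self.free):
            raise OSError("toy disk full")
        chain = [self.free.pop(0) for _ in range(need)]
        for i, cluster in enumerate(chain):
            part = content[i * CLUSTER:(i + 1) * CLUSTER]
            start = cluster * CLUSTER
            # Only len(part) bytes are written; the rest of the cluster keeps
            # whatever an earlier file left there. That remainder is the slack.
            self.data[start:start + len(part)] = part
        self.files[name] = (chain, len(content))

    def read(self, name):
        chain, size = self.files[name]
        return b"".join(self._cluster_bytes(c) for c in chain)[:size]

    def delete(self, name):
        # Simple deletion: drop the table entry, mark clusters free, touch no data.
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def slack_range(self, name):
        """Byte range between the end of the file and the end of its last cluster."""
        chain, size = self.files[name]
        used_in_last = size - (len(chain) - 1) * CLUSTER
        return chain[-1] * CLUSTER + used_in_last, (chain[-1] + 1) * CLUSTER

    def residue(self, name):
        """What an examiner can read: this file's slack plus all free clusters."""
        start, end = self.slack_range(name)
        free = b"".join(self._cluster_bytes(c) for c in self.free)
        return bytes(self.data[start:end]) + free

    def wipe_slack(self, name):
        start, end = self.slack_range(name)
        self.data[start:end] = bytes(end - start)
        return end - start

    def wipe_free(self):
        for cluster in self.free:
            self.data[cluster * CLUSTER:(cluster + 1) * CLUSTER] = bytes(CLUSTER)
        return len(self.free) * CLUSTER


def demo():
    disk = ToyDisk(clusters=8)
    # Constructed sample data: 3000 fixed-width records, about 103 KB.
    big = b"".join(b"REC%05d constructed-sample-record\n" % i for i in range(3000))
    small = b"hello\n"

    disk.write("ledger.dat", big)   # occupies clusters 0-3
    disk.delete("ledger.dat")
    disk.write("note.txt", small)   # reuses cluster 0, covers only 6 bytes

    start, end = disk.slack_range("note.txt")
    result = {
        "slack_bytes": end - start,
        "slack_is_old_data": bytes(disk.data[start:end]) == big[len(small):CLUSTER],
        "records_written": len(RECORD.findall(big)),
        "records_recoverable": len(RECORD.findall(disk.residue("note.txt"))),
    }
    disk.wipe_slack("note.txt")
    disk.wipe_free()
    result["records_after_wipe"] = len(RECORD.findall(disk.residue("note.txt")))
    result["live_file_intact"] = disk.read("note.txt") == small
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the one record covered by the six-byte file is lost; the other 2,999 stay readable until the slack and free clusters are wiped.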
For more routine civilian purposes, all this deleting and file wiping may seem like a lot of trouble.
But if your old computer has ever held sensitive files that could ruin your reputation, hamstring
your business, or send you to prison if the files fell into the wrong hands, it is worth the effort to make
sure the files are really gone. In many countries around the world, there are those for
whom the stakes are even higher.
It would be difficult to list all the products that are available to wipe out
computer files as they are deleted. By listing only a few, like Data Destroyer and Cyberscrub,
and obsolete products like good old Norton WipeInfo (for DOS), you might get the idea that I have
tried them all, or that I am endorsing one product instead of another. Of course that is not the case; the
information on this page is provided for information only. The large number of products
available for this task shows that permanent file deletion is a non-trivial problem.
However, I would like to mention an article called "Covering tracks on your hard drive", which
explains what a swap file wiper is and why you need one. It was written by Craig Christensen,
author of two programs called Mutilate File Wiper and Mutilate Swapfile Wiper. I
used both of Craig's programs frequently, when I was primarily running Windows 98, even
though I'm not paranoid and I have nothing to hide. (Really!) These days I'm using a
Power Mac G5 with OS X, so I recently purchased a product called ShredIt X.
Please note that the links below are provided as a courtesy, and no representation is made
regarding these products or the information provided about them (regardless of the
statements immediately above). If you have questions, complaints or claims related to these
programs, you must direct them to the appropriate software vendor.
Other file-wiping or data recovery products:
This is not a comprehensive list of such products, but most of these products are available
as freeware. The ones that carry a price tag are usually affordable and (as far as I
can tell) worth the investment. Of course, there are exceptions.
Any mention of commercial products or reference to commercial organizations is for
information only; it does not imply recommendation or endorsement by akdart.com nor does it imply
that the products mentioned are necessarily the best available for the purpose. Unless
specifically stated below, I have not tested any of these products or services.
These links are listed in no particular order. Notice that some of these products pertain to the
recovery of lost data, while others are for those who want to prevent data recovery.
Sure Delete offers two utilities that work to
permanently delete data from a hard drive. When you need to shred sensitive information, Sure Delete ensures that it's
done right. Rather than simply deleting file references on your computer, the program actually destroys the data
itself. Sure Delete goes much further than the Windows Recycle Bin, and ultimately makes the data irretrievable.
Best of all, the process is virtually effortless.
Hard Drive Eraser is powerful and compact software that allows you to
destroy all data on hard and floppy drives completely, excluding any possibility of future recovery of deleted files
and folders. It's a hard drive and partition eraser utility.
Darik's Boot and Nuke (DBAN) is a self-contained boot
floppy that securely wipes the hard disks of most computers. DBAN is appropriate for bulk or emergency data
destruction.
How do I remove sensitive
information from a disk? It's a wise precaution to remove sensitive data from computer disks before the
disks are either transferred from one area to another or discarded. The process is referred to as disk sanitizing,
cleaning, purging, or wiping. The method you choose to sanitize a disk should depend on the security requirements
of your organization.
MediaWiper: You could give away your
complete personal identity on a single carelessly discarded diskette. Most financial programs will back up data to
removable media such as diskettes, memory cards, and more. Removable media often has the habit of getting misplaced
or discarded. Identity thieves know this and make it an easy target.
Disk Wipe completely and permanently overwrites
and destroys all existing data on a hard disk, overwriting every physical byte of the disk. Once Disk Wipe has been
run, all data from every sector will have been eliminated.
Drive Cleanser: Getting rid of an
old PC, upgrading to a new hard drive, returning a leased computer, or redeploying a PC within your company? It is
truly imperative to completely destroy all data from the old hard disk.
cyberCide: Whether your data is sent to the recycle bin or
your entire drive is formatted and repartitioned, the chance of unauthorized discovery is very real and poses issues of risk
and liability. Securely wipe hard drives and overwrite, delete and destroy privileged data with cyberCide.
Declasfy: Drive wiping with Declasfy can serve
many purposes where information security is a concern. For example: preparing drives for internal reuse;
securing private information prior to retirement or donation of a drive; securing private information for compliance with
HIPAA and other regulatory requirements. The program is designed to "wipe" hard disks to meet Department of Defense
standards from the Rainbow series concerning declassification (wiping) of hard disks and cleansing of floppy disks.
Stellar Wipe Safe file Eraser: We are generally asked
what we have to do to securely delete data. The answer is very simple — use wiping software.
Drive wipe or file wipe software are applications which are capable of completely removing all of the data and putting it
beyond the possibility of data recovery. Like data recovery, email recovery and file repair software, Stellar also
provides terrific data wiping software.
R-Wipe & Clean is a complete solution to wipe useless files and keep your
computer privacy. Irretrievably deletes private records of your on- and off-line activities, such as temporary
internet files, history, cookies, autocomplete forms and passwords, swap files, recently opened documents list, Explorer
MRUs, temporary files, etc., traces from more than 300 third-party applications, and free up your disk space. The
utility wipes files and unused disk space using either fast or secure erase algorithms.
QuickWiper is a Windows security program. If you are worried
about coworkers recovering files, remember — simple deletion is not secure enough because anybody can
recover your sensitive files. QuickWiper lets you delete files with simplicity and ease. You can choose a
fast single pass, or the most secure NSA erasure algorithm.
Disk Redactor is a WIPE utility that lets you
securely erase any old (deleted) files and prevent them from being recovered. All your private sensitive insecurely
erased information will be wiped from free unused space on your drives to ensure complete data destruction. This is
necessary because when you delete a file, it is not gone forever, and any file removed from the Recycle Bin can be easily
recovered!
FileSalvage:
Extremely powerful data recovery tools designed to restore files that have been accidentally deleted, have become
unreadable due to media faults, or were stored on a drive before it was re-initialized or formatted. It is
device and file system independent, allowing the users to recover files from a normal Mac OS hard drive, USB key,
Linux disk, Windows drive, FLASH card, scratched CD, and almost any other media or file system that can be
recognized in Mac OS X.
MacForensicsLab:
A complete suite of forensics and analysis tools in one cohesive software package. Combining the power
of many individual functions into one application in order to provide a single solution for law enforcement
professionals and digital forensic investigators.
TestDisk is a powerful free data recovery
software! It was primarily designed to help recover lost partitions and/or make non-booting disks
bootable again when these symptoms are caused by faulty software, certain types of viruses or human error
(such as accidentally deleting your Partition Table).
ShredIt X: Whether you deal with confidential
data on an ongoing basis or just want to protect yourself from identity theft when disposing of a computer,
ShredIt has the features you want, for the computer you use.
The Editor says...
I purchased a copy of Shredit X in January, 2007, and so far it appears to be quite good.
I'm using it on a Power Mac G5, and most of the time I just use it to scrub my USB jump drive.
CardRaider:
"The easiest and most affordable way to recover lost photos from your digital camera, memory card or thumb
drive. CardRaider's familiar Mac OS X interface makes it simple to detect and unerase lost
pictures."
[Yes, but sometimes you might want those pictures to get lost. CardRaider apparently also
includes a mechanism to "permanently erase photos so they can no longer be recovered."]
Digital Shredder: Anonymizer
Digital Shredder is the easiest way to keep your PC clean and running smoothly. It erases
cookies, cached files and history archives that are left on your computer every time you surf.
Stellar Data Recovery:
Hard drive data recovery software, disk recovery and data recovery tools.
Autoclave: Hard
drive sterilization on a bootable floppy. (Great idea, if you have a floppy drive.)
BCWipe is designed to securely delete
files from the disk. Standard file deletion leaves the contents of
the "deleted" file on your disk. Unless it has been overwritten by files
subsequently saved, it can be easily recovered using standard disk utilities. BCWipe
is fully integrated into the Windows Shell and efficiently shreds data in files
so that they can not be recovered by any means.
Drive Scrubber: With
DriveScrubber, you can completely wipe all the contents of a drive, or you can just wipe a drive's free
space. Wiping everything from the hard drive is ideal before you reassign your PC. Wiping
the free space is ideal for regular computer maintenance; this process erases all remnants of deleted
data, while keeping the existing files and operating system intact.
Kill Disk: KillDisk - Hard Drive Eraser is powerful and
compact software that allows you to destroy all data on hard and floppy drives completely, excluding any
possibility of future recovery of deleted files and folders. It's a hard drive and partition eraser
utility.
Eraser is an advanced
security tool (for Windows), which allows you to completely remove sensitive data from
your hard drive by overwriting it several times with carefully selected patterns. Works
with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is FREE software and
its source code is released under GNU General Public License.
R-Tools Technology Inc. has tools for Data Recovery,
File Undelete, File Encryption, E-Mail Recovery, Disk Cleaning, etc.
Undelete 5.0.
Pandora Recovery: Find and recover deleted files of any type.
FreeUndelete 2.0.
Active Uneraser.
R-Studio Data Recovery Software.
Smart Undelete.
Disk Internals: Numerous
other tools to get back lost or deleted files.
SIM Recovery Pro: You can now recover
data and text messages from cellular phones using the SIM (Subscriber Identity Module) Recovery Pro. Using
this device allows you to save, edit and delete your phone book and short messages. Aside from recovery and
retrieve, even of deleted data, an added advantage is to back the information up on your computer.
SIM Recovery Pro capabilities:
Allows user to find deleted text. Allows user to view up to last 10 numbers dialed. Transfer data
from one SIM card to another. Edit SIM card information on your computer. Back up phone numbers and
SMS messages.
Cell Phone Spy Data Extractor:
Save, edit and delete your phone book and short messages (SMS) stored on your SIM card using the Recovery PRO
software and SIM Recovery Pro Reader with your computer and ANY standard SIM card from a standard cell phone
which supports removable SIM cards.
PS/2 Mini Key Logger:
The Mini Key Logger 64K is the world's smallest Key Logger. It's only 4cm long and records over 64,000
keystrokes including e-mail, chat, IM, Web Site Addresses and other computer activity. Find out which
Web Sites your employees are visiting while working on your computer. This Key Logger is perfect for
home or professional use.
Pro Data Doctor: File recovery software for Windows,
USB drives, removable media, digital cameras, iPods and SIM cards.
GetDataBack Data Recovery Software: Runtime Software's data
recovery software will help you rescue your lost or inaccessible files from any imaginable data recovery
disaster. Data Recovery is possible more often than you might think — even without having to
send your hard drive to a data recovery service.
My Hard Drive Died! When you absolutely,
positively need your data back!
More Software Products and
information about data recovery.
More secure deletion
tools.
Professional recovery services:
In extreme cases, you could ship a damaged drive to a lab for data recovery. For example,
ESS Data Recovery Labs
Drive Savers
First Advantage Data Recovery Services
ECO Data Recovery
Vantage Data Recovery
Data Recovery Group
CBL Data Recovery Technologies Inc.
Professional data destruction services:
Enterprise Boot and Nuke: You
have data to destroy on dozens (if not hundreds or thousands) of hard-drives and you're looking for a way to
get it done quickly, economically, and effectively. In addition, you need accurate reports for legal
compliance. Techway Services has three proven solutions to meet your needs. ... All of Techway Services
solutions employ our class-leading, proprietary software EBAN, which is U.S. Department of Defense 5220.22M
compliant.
Other privacy protection products:
Here is a list of Useful Products. A
number of useful software programs that can help you manage and protect your privacy online.
Disk Investigator (Freeware) helps
you to discover all that is hidden on your computer hard disk. It can also help you to recover lost
data. Display the true drive contents by bypassing the operating system and directly reading the raw
drive sectors. View and search raw directories, files, clusters, and system sectors. Verify the
effectiveness of file and disk wiping programs. Undelete previously deleted files.
The Secure Erase Command:
How to REALLY erase a hard drive: HDerase.exe
accesses an ATA disk drive's internal Secure Erase commands to wipe a disk clean. ... Secure Erase is
built into all ATA-compliant disk drives since 2001. This functionality is recognized by the US
Government's National Institute of Standards and Technologies (NIST) as equivalent to magnetically wiping a
drive (degaussing) or physically destroying it. NIST also rates the secure erase commands as more secure
than external host-based drive wiping utilities such as Boot and Nuke. Secure Erase complies with HIPAA,
Personal Information Protection and Electronic Documents Act (PIPEDA), the Gramm-Leach-Bliley Act (GLBA), and
California Senate Bill 1386 for data destruction.
Secure Erase: data security you already own.
Secure Erase is built into virtually all P/SATA drives built since 2001, when it became part of the ATA
standard. It is virtually unknown however, because many BIOSes block the command and some even lock the
drive to keep the data safe from Murphy's-law-abiding citizens. Not to mention evil virus writers.
There's even a Secure Erase Newsletter.
Tutorial on Disk Drive Data Sanitization:
Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as
the freeware "HDDerase". It executes the Federally-approved (NIST 800-88) Secure Erase command in the
ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB. A similar command
in the SCSI ANSI standard is optional and not yet implemented in drives tested. Normal Secure Erase takes
30-60 minutes to complete. Some ATA drives also implement the standard Enhanced Secure Erase command that
takes only milliseconds to complete.
Additional related information:
How small does the disk chunk have to be?
Quoting an article about drive destruction, Fred Cohen disagreed with the adequacy of Canada's tax agency cutting disk
drives into pieces "no bigger than the width of a pencil", saying the pieces "will have to be small enough to make the
content on one chunk of no utility. At the density of a HDD, a pencil width holds quite a bit of data."
The Editor says...
This item refers to an earlier article, here.
How To Recover deleted files: If you
have deleted files from your hard drive, don't panic! As long as you use the right unerase software, your deleted
files can be recovered very easily. Success is more or less guaranteed if you act as soon as you realize that the
files are missing. Even if your files have been overwritten or corrupted, if the disk they were stored on has been
formatted or repartitioned, or if you don't know how they were lost, it's still likely that you can recover them.
Deleted File recovery software:
Most of the time we come across a situation of data loss where data may be inaccessible, missing or deleted. Data
might be lost due to a system crash or accidental deletion. It may be a relief knowing there is a good possibility
of getting your deleted files back if you act quickly and logically.
Undelete Your Files: Here's How To Do It. The
undelete process is something that happens to most people that work on a computer regularly...and who doesn't these
days? Get distracted for even a few seconds, and you can accidentally delete a file. The key thing to remember
is: In most cases, you can undelete files, but the determining factor is whether other data has overwritten the
deleted file you are trying to recover. Using a utility or hiring an expert is the only way to find out.
File deletion and file undelete strategies for FAT based
file systems: If a file is deleted on the FAT file system the first character of a file name in the directory
entry is replaced by a special character (E5h) causing the operating system (e.g., Windows, DOS) to ignore the file.
Also, all clusters allocated to the file are marked 'available' in the File Allocation Table (FAT for short).
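The FAT behaviour quoted above, shown as an added example that is not code from the linked article or from any listed product. The 32-byte short-name entry layout is the standard FAT one; the FAT16-style table, the 2048-byte cluster size, the file names and the contiguous-run recoverability check are assumptions constructed for the illustration.

```python
import struct

# 32-byte short-name entry: name+ext (11), attributes (1), 8 bytes skipped,
# first cluster high (2), write time (2), write date (2),
# first cluster low (2), file size (4).
ENTRY = struct.Struct("<11sB8xHHHHI")
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F
FREE, END_OF_CHAIN = 0x0000, 0xFFFF   # FAT16-style table values
CLUSTER_SIZE = 2048                   # assumed for the constructed volume


def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Build one constructed directory entry (sample data, not a real volume)."""
    raw = (name.ljust(8) + ext.ljust(3)).upper().encode("ascii")
    return ENTRY.pack(raw, attr, first_cluster >> 16, 0, 0,
                      first_cluster & 0xFFFF, size)


def fat_delete(directory, fat, index):
    """Deletion as the text describes it: E5h into byte 0 of the entry and the
    file's clusters marked available. Name tail, start cluster, size and the
    data clusters themselves are left untouched."""
    off = index * ENTRY.size
    _, _, hi, _, _, lo, _ = ENTRY.unpack_from(directory, off)
    directory[off] = DELETED
    cluster = (hi << 16) | lo
    while 2 <= cluster < len(fat) and fat[cluster] != FREE:
        nxt = fat[cluster]
        fat[cluster] = FREE
        cluster = nxt


def parse_directory(directory):
    """List short-name entries, flagging the ones marked deleted."""
    entries = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        if directory[off] == END_OF_DIR:      # no further entries in use
            break
        raw, attr, hi, _, _, lo, size = ENTRY.unpack_from(directory, off)
        if attr & 0x3F == ATTR_LFN:           # long-file-name fragment, skip
            continue
        deleted = raw[0] == DELETED
        if deleted:
            raw = b"?" + raw[1:]              # first character is lost for good
        base = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def looks_recoverable(entry, fat):
    """The chain is gone from the table, so assume a contiguous run from the
    start cluster and check that nothing has been allocated there since."""
    need = max(1, -(-entry["size"] // CLUSTER_SIZE))
    run = range(entry["first_cluster"], entry["first_cluster"] + need)
    return all(2 <= c < len(fat) and fat[c] == FREE for c in run)


def demo():
    directory = bytearray(
        make_entry("REPORT", "DOC", 2, 5000)     # clusters 2-4
        + make_entry("NOTES", "TXT", 5, 100)     # cluster 5
        + make_entry("BUDGET", "XLS", 6, 4096)   # clusters 6-7
    ) + bytearray(ENTRY.size)                    # zeroed entry ends the directory
    fat = [0xFFF8, 0xFFFF, 3, 4, END_OF_CHAIN, END_OF_CHAIN, 7, END_OF_CHAIN]
    fat += [FREE] * 8

    fat_delete(directory, fat, 0)
    fat_delete(directory, fat, 2)
    fat[6] = END_OF_CHAIN   # a new one-cluster file is later stored at cluster 6

    return [
        (e["name"], e["deleted"], e["first_cluster"], e["size"],
         looks_recoverable(e, fat) if e["deleted"] else None)
        for e in parse_directory(directory)
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```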
Deleted Files Software.
Reviews of several file recovery programs.
How to Recover Deleted
Files — A Few Useful Tips. Everyone has accidentally deleted an important document or file and
needed to know how to recover deleted files. It is important not to panic as most deleted files can be recovered.
If you act immediately after the deletion occurs you have a very high probability of retrieving your files. Files can
even be recovered from corrupted files or sections of the hard drive that have been overwritten.
Why Undelete Utilities
Fail: The more work you do on your computer after you accidentally delete a file,
the lower the odds that the undelete utility can get your data back safely. But how exactly
are you going to purchase and download that undelete file utility? Downloading a file
obviously creates new data on your disk, and could overwrite your undeleted data. But
just browsing the web to locate a utility causes new temporary files to be created —
another threat to your data.
Antiforensic
Tools: It's important to protect your company's data. But how do you know whether what you think
you've erased is actually unrecoverable?
Forensic tools are fast becoming a staple of civil lawsuits between
corporations and in disciplinary proceedings against employees. These days, it seems, whenever there's a
chance that somebody has deleted a file to hide evidence of wrongdoing, some forensics expert is standing by to
recover that file for a fee.
A Critical Evaluation
of the Treatment of Deleted Files in Microsoft Windows Operation Systems: A perceived security
risk is associated with the file management system's policy of allowing deleted data to remain intact.
Some argue that lingering traces associated with deleted files should not exist. An alternative view
perceives usefulness from the ability to retrieve accidentally deleted data. This view is also held
from within the forensic computer science field. This presents a dilemma for software designers
seeking to provide operating systems that meet the security desires of society.
The
Persistence of Deleted File Information: Computers delete files frequently. Sometimes
this happens on explicit request by a user. Often, information is deleted implicitly when an application
discards some temporary file for its own internal use. Examples of such implicit file-deletion activity
are text editor temporary files, files with intermediate results from program compilers, and files in Web
browser caches. As you use a computer system, you unwittingly leave behind a trail of deleted
information. Computer systems have minds of their own, too, leaving their own trails of deletion as
a side effect of activity that happens in the background.
Excellent:
Secure File Deletion, Fact or
Fiction? From a user's standpoint, applications create files that are stored on the
hard drive or removable media. When the user no longer needs a particular file, the user deletes
it and moves on. As far as the user is concerned, any information contained in that file is gone
forever, unable to be recovered by the user. However, because of the way operating systems and
applications work, that file may be recoverable and if that file is not recoverable, the data it
contained may be found in other files.
Deleting Sensitive Information: Why
Hitting Delete Isn't Enough. A quick look through some of the Windows folders will show a
myriad of temporary files, each file storing session information, a snapshot of what is happening on the
PC at a particular moment in time. Applications such as Word will auto save temporary versions of
a document at regular intervals to save users the heartache of losing that important paper due to a sudden
loss of power to the PC. ... Unfortunately just tracking down all the necessary files and assigning them to
the trashcan is only akin to placing a veil over the data, it still very much exists.
How To: Recover deleted files.
When a file is deleted from your computer, it is not really deleted. It is simply removed from the list
of files in the folder. If you're using Windows, and deleted the file using Windows Explorer, the file
will normally have been moved to the Recycle Bin. While it is in the Recycle Bin, the file can easily be
restored in its entirety, with no problem at all.
Recovering Deleted Files After You Have Emptied the Recycle
Bin: When first learning Windows 95, I relied very heavily on the extra layer of Recycle Bin
recovery built into Norton Utilities.
So I understand how data loss can occur, and the unhappy place
it can leave you. Pre-FAT32, the old UNDELETE utility in DOS also was a life-saver a time or two but,
once Win95B and FAT32 came into play, that one was history.
Recovering deleted files: The
Recycle Bin may be a marvel — one which most of us take for granted — but it does have its limits.
For starters, the Recycle Bin does not catch every file you delete. All files deleted from the desktop
or Windows Explorer end up there, as do files deleted from within compliant programs. Files deleted
at the DOS prompt, though, bypass the Recycle Bin.
Secure Deletion of Data from Magnetic
and Solid-State Memory. With the use of increasingly sophisticated encryption systems, an attacker
wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack
is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers
some of the methods available to recover erased data and presents schemes to make this recovery significantly
more difficult. [Includes a long list of interesting references.]
Bringing
Data Back From the Dead: Sometimes, a failing hard drive will screech like nails on a
chalkboard. Other times, its death will be eerily quiet. Either way, years of
work — documents, digital photos and music, save games, e-mail archives and your
address book — can be gone in an instant.
Data from
Columbia disk drives survived the shuttle accident. "When we got it, it was two hunks of metal stuck together.
We couldn't even tell it was a hard drive. It was burned and the edges were melted," said Edwards, an engineer at
Kroll Ontrack Inc., outside Minneapolis. "It looked pretty bad at first glance, but we always give it a shot."
Hard-Drive Diplomacy:
The confirmation by an international forensics team that laptops and hard drives captured by Colombia originated in a camp of FARC
terrorists ought to open a new era in relations between the democratic world and Hugo Chávez's Venezuelan government.
The
computers and drives contain a staggering 610 gigabytes of data, according to Interpol, including 983 encrypted files opened by
its team.
File wiping on
journaling file systems. Many modern operating systems ... have the ability to use a journaling
file system that makes complete erasure of data unlikely. Journaling file systems are used to increase
the integrity of data in case of failures. To accomplish this, the file systems keep metadata and logs
in various places known to the file system; most file systems can also journal all data, but turn this
functionality off by default. The metadata and logs will not be securely wiped with a file
wiping tool.
Why a normal delete is not sufficient:
A normal "delete" command does not actually delete files at all. But even with more advanced "file wiping"
utilities, some data may remain that is very useful for a forensic investigator. In particular, the magnetic
properties of a hard disk can be exploited to recover data.
Deleting and wiping files: Another
difficulty occurs with so-called journaling filesystems (JFS) or log-structured file-system (LFS). Such
filesystems store the data in a different way so that the data can always be recovered after a crash.
Attempting to wipe a file using traditional means will not be successful with such filesystems.
Wiping swap files: On many
multi-tasking systems, a swap file is used to emulate RAM. The swapfile contains data from programs that
are currently running. This data may include personal files as well as passwords. To avoid leaking
this data, wiping the swapfile is a good idea. However, this is difficult because the swapfile is
constantly being used. Special programs are available for this purpose.
It's now a crime to delete files:
International Airport Centers sues former employee, claiming use of a secure file deletion utility violated
federal hacking laws.
The spies among
us. American high-tech industries are a key target. Every year, economic espionage costs
American businesses billions of dollars. Spies recruit company insiders, form joint ventures, and even
engage in "dumpster diving" for discarded proprietary data.
Securing Your Deleted Files. I
know more than one person who rarely, if ever, empties their Recycle Bin. … If you don't feel that
security is an issue because you don't have any personal or sensitive information on your machine to
delete, there is another reason for keeping your Recycle Bin emptied. Space. Those files you hold
in your Recycle Bin needlessly take up space on your hard drive. … Our second security issue comes
to light the moment you click the command to "Empty Recycle Bin." You may be under the impression
that those files are now gone for good and cannot be recovered by anyone. This is not true.
Can your PC be subpoenaed?. As
people commit an ever-growing pile of information to computers, their hard drives are becoming a digital mother
lode for lawyers. The issue moved into the spotlight when Kenneth Starr's prosecutors scavenged Monica
Lewinsky's computers and published what they found, including e-mail messages to friends and unsent drafts
of letters.
Junta hunts dissidents on UN
computers. Burma's ruling junta is attempting to seize United Nations computers containing information on
opposition activists in the latest stage of its brutal crackdown on pro-democracy demonstrations, The Times has learnt.
UN staff were thrown into panic over the weekend after Burmese police and diplomats entered its offices in Rangoon and
demanded hard drives from its computers.
Angry Employee Deletes All of Company's
Data. When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the
newspaper for a position that looked suspiciously like her current job -- and with her boss's
phone number listed -- she assumed she was about to be fired. So, police say, she went to
the architectural office where she works late Sunday night and erased 7 years' worth of
drawings and blueprints, estimated to be worth $2.5 million.
Magnum, P.C.?
New Texas Law Limits Computer Repair To Licensed Private Investigators. Under the new law enacted in 2007,
Texas has put computer repair shops on notice that they had better watch their backs any time they work on a
computer. If a computer repair technician without a government-issued private investigator's license
takes any actions that the government deems to be an "investigation," he may be subject to criminal penalties
of up to one year in jail and a $4,000 fine, as well as civil penalties of up to $10,000. The definition
of "investigation" is very broad and encompasses many common computer repair tasks.
Computer Forensics
Gear: Deleted files can be recovered with software tools such as Norton Utilities,
DIBS, or PowerQuest Corp.'s Lost & Found. After the files are located, they should be listed and
reviewed for relevance to the investigation. EnCase, DIBS, and NTI's FileList are well-suited
for this purpose. … Evidence in all of the slack space on the entire hard drive or other
storage media can be retrieved quickly with tools such as NTI's GetSlack and Filter_I software
utilities. GetSlack grabs all slack space and places it into a single file.
File Scavenger goes well beyond simple undelete
action. It has successfully restored items even after the drive was formatted and in another case,
where the operating system was overwritten from a recovery disk
image.
(Review)
Restoration
v2.5.14. Restoration can rescue your accidentally deleted files and permanently
delete the files you want good-and-gone. It can live on a floppy, so it leaves no trace
of its activities.
Delete, Baby, Delete. During
the controversy over the Iran-contra affair, in 1986, Lieutenant Colonel Oliver North attempted to erase all
the relevant e-mail messages on his computer; he repeatedly pressed the DELETE button, thinking that he was
thereby expunging the messages. "Wow, were we wrong!" he later observed. North didn't know that
pressing DELETE doesn't result in complete deletion. He also didn't know about the existence of a
backup data-storage system.
Scrub
your disk. A list of freeware programs to wipe files.
Personal Info Fills Junked Hard
Drives: Over two years, Simson Garfinkel and Abhi Shelat bought 158 used hard drives at
secondhand computer stores and on eBay. Of the 129 drives that functioned, 69 still had recoverable
files on them and 49 contained "significant personal information" — medical correspondence, love
letters, pornography and 5,000 credit card numbers.
Don't be Smug in Thinking Personal Data has
been Erased. Whether you recycle your old computer, sell it, give it away or take it to the
dump, you may also be giving away personal information, even if you think you erased everything on your hard
drive. Two MIT graduate students bought 158 used disk drives on the secondary market and found many
"had not been properly sanitized."
Gathering the E-Evidence:
"The best way to get rid of computer data is to take the hard drive and pound it with a hammer and throw it in a
furnace," said John Patzakis, president of Guidance Software, which makes forensic software that helps police find
hidden files.
No Thanks for the
Memories: Personal computers have a way of hanging on to "deleted" data that may surprise
you — and could get you into a heap of trouble if you're not careful.
Remembrance
of Things Past: Data is not physical, not something that you can lock away
today and hope you'll be able to access in 10 or 20 years. Large collections of data are
almost impossible to safely maintain—especially over long periods. At the same time,
data is just as difficult to dispose of properly. [PDF format]
Researchers
Find a Way to Steal Encrypted Data. A group led by a Princeton University computer
security researcher has developed a simple method to steal encrypted information stored on computer
hard disks. The technique, which could undermine security software protecting critical data on
computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust
remover.
Data
Detectives: Specialists in uncovering lost or hidden data are fast becoming
strategic legal weapons.
Enron can't shred electrons. Even
the act of deleting documents can in itself be revealing. Not only can computer forensic investigators
recover documents, they can tell when and how they were deleted. In some cases, they can even determine
whether a deletion was an innocent act -- part of company policy -- or if there was a more devious motive.
Still more remarkable, using an electron microscope, computer forensic teams can read information from the individual
magnetic spots on the surface of a hard disk that has been intentionally erased. This costly technique,
originally a tool of the intelligence world, has been used successfully in big legal cases.
Securely Deleting Files: If
and when you ever dispose of computer equipment or disks that have contained sensitive information, be sure to
take precautions to ensure that all information is not only deleted, but it is completely destroyed.
Simply deleting a file is not sufficient to prevent a clever user from undeleting the file and recovering
sensitive information. Some highly sophisticated techniques are available that may be able to recover
information from a disk even after it has been overwritten. If your information is highly sensitive you
may need to take additional steps such as physically destroying the disk or degaussing the drives.
Cookies — Exploitations
and Invasion of Privacy. Over the years, cookies have garnered a bad
reputation as being able to scan PC hard drives, take over systems by stealing valuable
information such as passwords, and passing viruses. These myths are untrue, but
cookies have been used to collect information on browsing habits, browser specifications,
system information, and web-based spending and viewing habits.
Why a normal delete is not
sufficient: It is in the nature of a computer, to always be updating one file or another.
Every time a file is updated or "saved", new copies are created and written wherever there is sufficient
space. Applications can create huge numbers of such files. When a file is eventually deleted, only
the last image is accounted for. All other images appearing as free disk space, unseen, unsuspected.
That is until a disk is viewed with the appropriate software; then all is revealed. Even when
partially overwritten, these files can make interesting reading!
The Unintentional Disclosure of Digital
Data: A perspective of how much data is worth, an overview of how data is written to magnetic media,
why data erasure (deletion) is insufficient to avoid data recovery, how the data may be resurrected, and
identification of known and unknown perpetrators.
Annual list of top 10 data
disasters. The list was compiled by data recovery firm OnTrack which handles
more than 100,000 requests a year for help to piece together information from damaged
computer hardware.
Firms become digital
detectives. Digital data can be fragile and businesses must exercise
care if they are to avoid damaging or even deleting potentially useful information.
Gone for good? "In
some aspect an e-mail can exist indefinitely," says Mr Dearsley. "Subject lines, times and dates
can all be pieced together. I have retrieved some that have been years old."
Odd mishaps cause computer
grief. Data recovery experts are the technological doctors and nurses of desktop
or laptop hard drives. Using increasingly sophisticated techniques, "lost" files or
information can be rescued and rebuilt into a usable format. This can happen in a matter
of hours through remote access, but in more serious cases computer patients may have to be
admitted to the lab.
Is It Really Gone? (A Look at Data
Deletion). When the delete command is used it doesn't actually touch the data recorded on the
media. It only removes the index entry and pointers to the actual data so that it appears as if the
file has been removed.
Recovering Deleted Files After You Have Emptied the Recycle
Bin. The first rule is: Stop using that computer immediately! … Use another computer
to get the recovery tool you will need. This is also one of the places where well-planned partitioning of
your hard drive has a huge advantage.
Did
You Really Erase Those Files? Make sure your trash disappears permanently.
Deleted Files - Still There: With
the right software, it is relatively easy to recover deleted files from your hard drive. Some file recovery
software can even work over a network connection.
And You
Thought DELETE Meant DELETE! A High Level Overview of File Deletion.
Protecting
your sources: The provisions of the new Terrorism Act and of the Regulation
of Investigatory Powers (RIP) Act 2000 give the authorities wide-ranging powers to seize
computer files and to imprison you if you fail to produce "plain text" for any that are
protected by "encryption".
There is also some discussion of this in "Erased
Disk used against Brazilian President", part
of Risks, Volume 13, Issue 87.
The Use And Retention
Of Emails: Some Legal Lessons From The Field. Corporate counsel often instruct corporate
employees about the dangers of writing down every errant thought about the company's products and conduct.
But that instruction may have particular urgency for electronic communication. Because of the spontaneous
and reflexive nature of electronic communication – the words do not remain on a printed page to be
contemplated, and perhaps revised – many users often treat e-mail, and similar transmissions,
casually, not carefully.
The "E" in E-mail Often Stands for
Evidence: "It's like the gift that keeps on giving," said Tom Greene, a deputy attorney general
in California, one of the states suing Microsoft Corp. in an antitrust case built largely on computer
messages. "People are so chatty in e-mail."
'Embarrassed' Suspect
Sues Microsoft After FBI Finds Sex Videos On His PC. A man awaiting trial for alleged gun crimes
is suing Microsoft for privacy violations after FBI agents seized his home computer during a raid and found
files containing sexually explicit videos of him and his girlfriend and evidence that he frequented
pornographic Web sites. Michael Alan Crooker, currently in jail in Connecticut, says security features
advertised by Microsoft and its business partners should have kept federal agents from accessing the files on
his PC.
FBI raids
Houston shipping company. FBI agents searched two buildings and loaded dozens of boxes into a
truck Wednesday [10/10/2007] as part of what has been called an "international" antitrust investigation involving
several companies. One is Eagle Global Logistics, based in Houston. Some of the agents were from
the Greater Houston Computer Forensics Laboratory. They've been looking at computer hard drives.
The FBI isn't talking on the record about what it's looking for and neither is the Justice Department.
Privacy and Your E-mail Box: Realize
that e-mail is forever. Witness the pain suffered by Microsoft recently when internal e-mail hit the
courts. Remember Oliver North? [He's the] Poster-boy for e-mail messages surviving the delete key
and rising up to slap you with court subpoenas.
E-mail and the courts: This appears to be a
compendium of legal cases in which e-mails play a significant role. It includes several cases where
deleting e-mail has cost companies large amounts of money, even when the e-mails were not recovered.
Smoking E-Mails: KPMG's
tax shelters weren't too bright. Its internal memos on the shelters were really dim-witted.
Federal Court Turns When E-mails
Contradict Deposition Testimony. As electronic discovery becomes more commonly used,
e-mails are proving to be a gold mine of information in corporate legal disputes.
The legal
implications of self-destructing e-mail. According to an article by Laurie Varendorff,
an Australian records management expert, Microsoft and IBM have developed software that enables creators
of e-mail messages to have tremendous control over their messages, even after they have been sent.
Experts try to resurrect SAIF
files. Experts in computer forensics often can resurrect computer files that seemed to disappear,
but the deleted e-mail of former SAIF Corp. President Katherine Keene might remain a mystery.
Gravel-pit lawsuit
triggers e-mail hunt. King County [Washington] officials, responding to a lawsuit from the
owner of a Maury Island gravel pit, hired a consulting firm to help search for deleted e-mails on the
computers of County Executive Ron Sims and other officials.
Somewhat related: Hidden Text in Computer
Documents. During the manhunt for the DC sniper, a letter was left for
the police by the sniper that included specific names and telephone numbers. Perhaps
in order to persuade the panicking public that the police were in fact doing something, they
allowed the letter to be published — in redacted form — on the Washington Post's
Web site. Unfortunately, they implemented the redactions by the completely pointless
method of placing black rectangles over the sensitive text in the PDF. A simple script
was able to remove these boxes and recover the full PDF.
Second hand camera contains
top secret MI6 terrorist records and pics. A second-hand camera sold on eBay by a top
MI6 agent held secret records used in the fight against al-Qaeda terrorists. Names, snaps,
fingerprints and suspects' academic records were found in the memory of the digital device. Alongside
them were photos of rocket launchers and missiles which spooks believe Iran is supplying to Osama Bin Laden's
henchmen in Iraq.
More about Recovering
lost camera images.
iPhone 2.0 adds secure wipe.
AppleInsider is reporting that iPhone software v2.0 will add a secure wipe feature. The screenshot ... shows
the text "this will take about an hour" added to the normal erase feature. This time is used to overwrite
data to the disk multiple times. The need for secure phone erasure came to light after a researcher was
able to recover personal information from a refurbished iPhone using forensic tools. Since then, a few
people have published techniques for obliterating personal data using either the GUI or the more thorough
command line method.
Top 10 Ways to Lock Down Your
Data. With the right software tools and a little Advanced Common Sense, you can secure your
data so that even if someone did get onto your computer or into your email, they'd find nothing but headaches
and woe.
England's NHS loses patient data.
Bad news: A National Health Service employee lost a flash drive containing personal information of up
to 6,360 patients. Good news: The data on the flash drive was encrypted. Bad news: The
password was written on a sticky-note attached to the drive.
Security and SOX.
Nearly everyone who works with a computer has gotten some version of the 'Password Memo'. The Password
Memo lays out lots of rules for passwords — i.e., they must be at least eight characters long; they
must include numbers, upper and lower case, and punctuation; they shouldn't be your user name, names of family
members or pets; they shouldn't be (or even include) dictionary words; and they should never be reused.
Oh, and you should never ever write them down and you should plan on coming up with a new one every thirty
days.
Clinton-era
hard drive missing from archives. A massive amount of sensitive, national security-related
information from the Clinton administration has gone missing from the national archives. The Inspector
General of the National Archives and Records Administration (NARA) told congressional committee staffers
Tuesday [5/19/2009] that a hard drive containing over a terabyte of information — the equivalent of
millions of books — went missing from the NARA facility in College Park, Md., sometime between
October 2008 and March 2009.
U.S. National Archives offers reward
for missing hard drive. The U.S. National Archives on Wednesday [5/20/2009] said it is offering
a $50,000 reward for information leading to the recovery of a missing hard drive that contains personal
information of former Clinton administration staff and visitors. The small portable hard drive was
being kept as a backup, the National Archives explained in a question-and-answer document on its Web site.
It held copies of about 113 four-millimeter tape cartridges of "snapshots" of hard-drive contents of employees
who left the Executive Office of the President.
Somewhat off-topic...
Video: Don't shout at your disk drives.
The vibration causes latency problems.