Many computer users, including some who should know better, are unaware that deleted files can be
recovered — undeleted — and can yield information which can be used against the
person who deleted them. This information can be as common as a deleted email message or as
important as sensitive business records or government transactions. Most people assume that
if a file doesn't show up in a directory (or folder), it's gone forever. Few people know that
deleted files are not erased; the data is just hidden, and the files can be undeleted. Still
fewer people know how to undelete files, either to recover from accidental deletion or to "go fishing"
for interesting data. It is unlikely that your little sister can undelete your files, but there
are several US government agencies which — if properly motivated — could perform
some amazing feats with your old computer.
Apparently there are many security-conscious people -- even some who own paper shredders -- who don't know
or don't care about residual information from their deleted computer files. But there have been many
people in recent history who have learned about this issue the hard way. That's how U.S. Senate
investigators got evidence on Col. Oliver North.[1] E-mail messages that North believed to be deleted
were found and used against him in litigation.[2] A total of 758 e-mail messages were sent, involving
him in the Iran-Contra affair, and every one of them was recovered.[3] Ironically, this problem becomes
more difficult if you make backup copies of everything on your computer, as you should.
"Computer forensics" is the term for recovering other people's deleted
or "lost" data. This can be done as a favor to you, when your computer
has crashed (where the word "favor" means a commercially available service which costs
a lot of money), or it can be done by a law enforcement agency when your computer
has been seized as evidence. In the latter case, you can be sure that
anything embarrassing that is found on your computer can and will be used
against you, whether or not it pertains to your alleged criminal conduct.
Files and subdirectories can be hidden, too, although this was easier to accomplish under
MS-DOS than it is with Windows.
Usually the originator of a hidden file (or subdirectory) is the
only one who knows that it exists. However, merely hiding a file offers no
protection once the file has somehow been discovered. Hiding a file makes no
difference after the file has been deleted, since all deleted files are hidden, to some extent.
Encryption can be used to protect files whether they are deleted or
not. Encryption products are available in various strengths, for
particular levels of security, but that is another topic altogether.
Simple deletion of a file is adequate if your only goal is to reduce
clutter and make more space available on the disk drive (or floppy),
and this is the quick and easy thing to do if the deleted files are of
no interest to anyone else. However, before you sell or give away
an old computer, you should seriously consider wiping the entire hard drive,
especially if the hard drive has ever contained sensitive information
from your business or personal life. Just putting an old computer in
the trash dumpster behind your place of business can result in the
compromise of all your "company confidential" files, trade secrets,
and proprietary data.
Recovery of a file through software is impossible after the file has been
subjected to a single overwrite with other data, and recovery through more
elaborate techniques is generally thought to be impossible after ten or twelve
passes with random data rewriting the same sector of the disk. So it's
safe to say that wiping a file one time is enough to destroy it, for almost all
practical purposes. Your disgruntled employees, nosy family members, and
small-town private eyes won't be able to recover a wiped file.
The primary hazard associated with the use of file wipers is that you may accidentally
erase a file that you wish you hadn't. If that happens, give it up. Your
file is gone. If you use file-wiping power tools, be sure you know what
you are doing, because it is possible to do a lot of permanent damage.
In theory at least, after a file has been wiped, examination of the disk with an electron
microscope can still reveal the previous contents of the wiped area, because the
obliterating bytes are not written in exactly the same tracks as the original data and
there is still a little of the original data left around the edges. For this reason,
government-grade wiping involves multiple passes, typically writing ones and zeros on
alternate passes, and perhaps finishing by writing random bits.
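The alternating-pattern overwrite described above, as an added example (not code from this page or from any product it names). The names wipe_file and overwrite_pass and the pass order zeros, ones, random are assumptions chosen to match the paragraph; the overwrite is done in place, so it does not reach journal copies, remapped sectors or flash wear-leveling spares.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024                      # write in chunks so large files need not fit in memory
O_BINARY = getattr(os, "O_BINARY", 0)  # only defined (and needed) on Windows


def overwrite_pass(fd, size, pattern):
    """Overwrite bytes [0, size) of an open file with one pattern.

    pattern is a byte value (0x00..0xFF), or None for random data.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        remaining -= os.write(fd, block)   # os.write may write fewer than n bytes
    os.fsync(fd)  # push this pass to the device before the next pass starts


def wipe_file(path, passes=(0x00, 0xFF, None), remove=True):
    """Overwrite a file in place once per entry in `passes`, then delete it.

    Returns the number of bytes covered by each pass. The file is opened
    without truncation so the same allocated blocks are rewritten; a
    truncate-and-rewrite could be given fresh blocks and leave the old
    ones untouched.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY | O_BINARY)
    try:
        for pattern in passes:
            overwrite_pass(fd, size, pattern)
    finally:
        os.close(fd)
    if remove:
        os.remove(path)   # only now drop the directory entry
    return size


if __name__ == "__main__":
    # Constructed sample file in a temporary directory.
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "memo.txt")
    with open(target, "wb") as f:
        f.write(b"constructed sample secret " * 5000)
    covered = wipe_file(target)
    print("overwrote", covered, "bytes x 3 passes; still exists:", os.path.exists(target))
```
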
Even after wiping a disk, if you are protecting data from a foreign
government (or your own government), you may have lingering doubts about
the destruction of your most sensitive files. Let's say, for example,
that you are an orchid grower in Houston, and you suspect that
a heavy-handed investigation by
the Fish and Wildlife Service is about to get underway, and your computer could be used
as evidence against you. You might want to consider physical destruction of your
computer's hard drive, or the shredding of a floppy disk.
Please note that the information on this page is provided for educational, entertainment and
information purposes only, and is not intended to facilitate any unlawful activity. As
a condition of your use of this web site, you warrant to us that you will not
use this web site for any purpose that is unlawful or prohibited by the terms,
conditions, and notices in our
all-inclusive Disclaimer. The
entire risk arising out of your use of this web page is assumed by you. Regardless
of any appearance to the contrary, we do not warrant, guarantee, or make any
representation regarding the correctness, accuracy, timeliness, veracity,
appropriateness or suitability of the information on this page. As I always say,
any actions you take based on whatever you saw, or think you saw, on this site are
entirely your own responsibility.
Mass erasure of magnetic media (tape or disks) is called bulk erasing or
degaussing. People who work in radio and TV stations often bulk erase
tapes before reusing them. Once in a while, the bulk eraser is also
used to obliterate the contents of floppy disks, DAT tapes, or other
media. Computer hard drives can be erased this way as well; however,
the magnetic forces in an industrial-strength bulk eraser are so strong that the platters and
other components of a hard drive are likely to be mechanically damaged in the process,
so this is recommended only for drives that are about to go into the trash.
Do not degauss ZIP disks if you have any intention of reusing them. ZIP
disks are shipped with a magnetic servo pattern recorded on the disk. Bulk erasing
or degaussing a ZIP disk will make it unusable. A ZIP disk cannot be reformatted
after it has been bulk erased.* ZIP disks are rapidly becoming unpopular, since CD-ROM and DVD-ROM
drives are now affordable. (Before you purchase a ZIP drive, you might want to read this also.)
Depending on the make and model, it may also be true that hard drives are not reusable
after bulk erasing them with an electromagnet, because degaussing wipes out
the low level formatting (track and sector markings) of the drive.*
In the case of floppy disks, the magnetic medium is easily extracted from
the shell of the disk, and it slides easily into a paper shredder. In an
emergency, if you are away from your shredder, you could remove the
magnetic film from a floppy disk, stuff it into an empty aluminum beverage
can, crush the can, and drop it into the trash. Preferably in someone
else's trash can. This technique works well for small scraps of paper, too.
A few words about "jump drives"
The recent development and popularity of removable solid-state storage devices, called "Jump drives", "Thumb
drives", "Flash drives", "Keychain drives", and so on, have opened up another aspect of the
emergency disposal problem. As in the case of floppy disk media (when extracted from the shell),
most solid-state USB drives can be stuffed quickly into a soda can and dropped in the trash, if you
really don't want to be caught with the drive and its contents, or if you just want to dispose of the
device without someone else exploiting it. The drives are already quite inexpensive, and if they keep
getting cheaper, they could be considered disposable. Keep in mind that a trash can is often the safest
place to store something for a few minutes: Trash cans aren't emptied more than once a day, at least
where I work.
The widespread use of "jump drives" creates a new and very large privacy risk: If you use such
a device at work, someone could "borrow" your jump drive while you're away from your desk, explore it,
copy it and return it -- without your knowledge!
Please remember -- regardless of what you may have read in the preceding paragraphs -- the management of
akdart.com does not condone or endorse industrial espionage or unprofessional conduct in the workplace.
Hard drives are a little tougher to destroy than floppies, and obviously more expensive
to replace. A good method of destruction might involve a few blows from a
sledgehammer, an hour or more in a very hot fire, or – if you like chemistry – an
acid bath. Perhaps even a "cement overcoat" and a trip to the nearest lake or really
deep river. It pays to be creative.
The reason for all this extra care in disposing of hard drives is that there are people whose
hobbies include dumpster
diving in search of things like old computers. Remember, even if the hard
drive's electronics are destroyed, data remains on the disk platters until they are also
physically destroyed.
As you may recall, a U.S. Navy EP-3 military surveillance plane was forced
down by the Chinese in April of 2001, and according to news reports, the crew
hastily zeroized the
disk drives on the plane before the crew and the plane were taken into
custody. Evidently they did a good job, because the Chinese government let the
matter drop a few days later. As far as I can determine, the plane is still
in the hands of the Chinese government.*
Slack space is another problem, if there has ever been anything on your computer's hard drive that
you don't want anyone to discover. When a large file is deleted from a disk drive, and then a smaller
file is stored in the same place on the disk drive, the contents of the large file – except for
the part covered by the smaller and newer file – still remain on the disk and can be
recovered. If the newer file is really small, and sometimes files are only a few bytes,
the chances of recovering almost all the contents of the large file are very good. Disk space
is allocated in clusters of as much as 32k-bytes. As long as the newer and smaller file is
not deleted, the information in the slack space will stay on the disk. This is a rich
source of information – in bits and pieces – for "investigators"
with various motives.
Good file wiping programs usually include provisions for wiping slack space on individual files, as well as
clearing out all the unused space on a disk drive.
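The slack-space behaviour described above, modelled on a toy in-memory disk as an added example (not from the original page or any tool it lists). ToyDisk, its methods and the sample file contents are constructed for illustration; real file systems differ in how they reuse clusters and pad sectors.

```python
CLUSTER = 32 * 1024   # the page's upper figure for cluster size


class ToyDisk:
    """Constructed model of a cluster-allocated disk; not a real file system."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)   # raw platter contents
        self.free = list(range(clusters))           # free cluster numbers, lowest first
        self.table = {}                             # name -> (cluster chain, byte length)

    def write(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))  # ceiling division, at least one cluster
        if need > len(self.free):
            raise OSError("disk full")
        chain, self.free = self.free[:need], self.free[need:]
        for i, c in enumerate(chain):
            part = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the rest of the
            # last cluster keeps whatever was there before.
            self.data[c * CLUSTER:c * CLUSTER + len(part)] = part
        self.table[name] = (chain, len(content))

    def read(self, name):
        chain, length = self.table[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in chain)
        return raw[:length]

    def delete(self, name):
        # Ordinary deletion: drop the table entry, leave the data alone.
        chain, _ = self.table.pop(name)
        self.free = sorted(self.free + chain)

    def slack_range(self, name):
        chain, length = self.table[name]
        used_in_last = length - (len(chain) - 1) * CLUSTER
        start = chain[-1] * CLUSTER + used_in_last
        return start, (chain[-1] + 1) * CLUSTER

    def slack(self, name):
        start, end = self.slack_range(name)
        return bytes(self.data[start:end])

    def wipe_slack(self, name):
        start, end = self.slack_range(name)
        self.data[start:end] = bytes(end - start)   # zero-fill past end of file

    def wipe_free(self):
        for c in self.free:
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)


def residue(disk, marker):
    """Count intact copies of `marker` anywhere on the raw disk."""
    return bytes(disk.data).count(marker)


def scenario():
    """Large file deleted, then a 13-byte file stored in the same place."""
    disk = ToyDisk(clusters=4)
    secret = b"CONFIDENTIAL ledger row (constructed sample)\n" * 1000  # 45,000 bytes
    note = b"lunch at noon"
    disk.write("ledger.txt", secret)   # occupies clusters 0 and 1
    disk.delete("ledger.txt")
    disk.write("note.txt", note)       # reuses cluster 0
    return disk, secret, note


if __name__ == "__main__":
    disk, secret, note = scenario()
    print("rows still readable after delete + reuse:", residue(disk, b"CONFIDENTIAL"))
    disk.wipe_slack("note.txt")
    print("after wiping slack of note.txt:", residue(disk, b"CONFIDENTIAL"))
    disk.wipe_free()
    print("after wiping free space:", residue(disk, b"CONFIDENTIAL"))
```
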
For more routine civilian purposes, all this deleting and file wiping may seem like a lot of trouble.
But if your old computer has ever held sensitive files that could ruin your reputation, hamstring
your business, or send you to prison if the files fell into the wrong hands, it is worth the effort to make
sure the files are really gone. In many countries around the world, there are people for
whom the stakes are even higher.
It would be difficult to list all the products that are available to wipe out
computer files as they are deleted. By listing only a few, like Data Destroyer and Cyberscrub,
and obsolete products like good old Norton WipeInfo (for DOS), you might get the idea that I have tried them all, or
that I am endorsing one product instead of another. Of course that is not the case; the
information on this page is provided for information only. The large number of products
available for this task shows that permanent file deletion is a non-trivial problem.
However, I would like to mention an article called Covering tracks on your
hard drive, which explains what a swap file wiper is and why you need one. It
was written by Craig Christensen, author of two programs called Mutilate File Wiper and
Mutilate Swapfile Wiper. I used both of Craig's programs frequently, when I was primarily running
Windows 98, even though I'm not paranoid and I have nothing to hide. (Really!) These days I'm using a
Power Mac G5 with OS X, so I recently purchased a product called ShredIt X.
Please note that the links below are provided as a courtesy, and no representation is made
regarding these products or the information provided about them (regardless of the
statements immediately above). If you have questions, complaints or claims related to these
programs, you must direct them to the appropriate software vendor.
Other file-wiping or data recovery products:
This is not a comprehensive list of such products, but most of these products are available
as freeware. The ones that carry a price tag are usually affordable and (as far as I
can tell) worth the investment. Of course, there are exceptions.
These links are listed in no particular order. Notice that some of these products pertain to the
recovery of lost data, while others are for people who want to prevent data recovery.
FileSalvage:
Extremely powerful data recovery tools designed to restore files that have been accidentally deleted, have become
unreadable due to media faults, or were stored on a drive before it was re-initialized or formatted. It is
device and file system independent, allowing the users to recover files from a normal Mac OS hard drive, USB key,
Linux disk, Windows drive, FLASH card, scratched CD, and almost any other media or file system that can be
recognized in Mac OS X.
MacForensicsLab:
A complete suite of forensics and analysis tools in one cohesive software package. Combining the power
of many individual functions into one application in order to provide a single solution for law enforcement
professionals and digital forensic investigators.
TestDisk is a powerful free data recovery
software! It was primarily designed to help recover lost partitions and/or make non-booting disks
bootable again when these symptoms are caused by faulty software, certain types of viruses or human error
(such as accidentally deleting your Partition Table).
ShredIt X: Whether you deal with confidential
data on an ongoing basis or just want to protect yourself from identity theft when disposing of a computer,
ShredIt has the features you want, for the computer you use.
The Editor says...
I purchased a copy of Shredit X today [1/27/2007] and so far it appears to be quite good.
CardRaider:
"The easiest and most affordable way to recover lost photos from your digital camera, memory card or thumb
drive. CardRaider's familiar Mac OS X interface makes it simple to detect and unerase lost
pictures."
[Yes, but sometimes people want those pictures to get lost. CardRaider apparently also includes a
mechanism to "permanently erase photos so they can no longer be recovered."]
Digital Shredder: Anonymizer
Digital Shredder is the easiest way to keep your PC clean and running smoothly. It erases
cookies, cached files and history archives that are left on your computer every time you surf.
Sure Delete offers
two utilities that work to permanently delete data from a hard drive. When you
need to shred sensitive information, Sure Delete ensures that it's done right.
Autoclave: Hard
drive sterilization on a bootable floppy. (Great idea, if you have a floppy drive.)
BCWipe is designed to securely delete
files from the disk. Standard file deletion leaves the contents of
the "deleted" file on your disk. Unless it has been overwritten by files
subsequently saved, it can be easily recovered using standard disk utilities. BCWipe
is fully integrated into the Windows Shell and efficiently shreds data in files
so that they can not be recovered by any means.
Drive Scrubber: With
DriveScrubber, you can completely wipe all the contents of a drive, or you can just wipe a drive's free
space. Wiping everything from the hard drive is ideal before you reassign your PC. Wiping
the free space is ideal for regular computer maintenance; this process erases all remnants of deleted
data, while keeping the existing files and operating system intact.
Kill Disk: KillDisk - Hard Drive Eraser is powerful and
compact software that allows you to destroy all data on hard and floppy drives completely, excluding any
possibility of future recovery of deleted files and folders. It's a hard drive and partition eraser
utility.
Eraser is an advanced
security tool (for Windows), which allows you to completely remove sensitive data from
your hard drive by overwriting it several times with carefully selected patterns. Works
with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is FREE software and
its source code is released under GNU General Public License.
R-Tools Technology Inc. has tools for Data Recovery,
File Undelete, File Encryption, E-Mail Recovery, Disk Cleaning, etc.
Undelete 5.0.
Pandora Recovery: Find and recover deleted files of any type.
FreeUndelete 2.0.
Active Uneraser.
R-Studio Data Recovery Software.
Smart Undelete.
Disk Internals: Numerous
other tools to get back lost or deleted files.
SIM Recovery Pro: You can now recover
data and text messages from cellular phones using the SIM (Subscriber Identity Module) Recovery Pro. Using
this device allows you to save, edit and delete your phone book and short messages. Aside from recovery and
retrieve, even of deleted data, an added advantage is to back the information up on your computer.
SIM Recovery Pro capabilities:
Allows user to find deleted text. Allows user to view up to last 10 numbers dialed. Transfer data
from one SIM card to another. Edit SIM card information on your computer. Back up phone numbers and
SMS messages.
Cell Phone Spy Data Extractor:
Save, edit and delete your phone book and short messages (SMS) stored on your SIM card using the Recovery PRO
software and SIM Recovery Pro Reader with your computer and ANY standard SIM card from a standard cell phone
which supports removable SIM cards.
PS/2 Mini Key Logger:
The Mini Key Logger 64K is the world's smallest Key Logger. It's only 4cm long and records over 64,000
keystrokes including e-mail, chat, IM, Web Site Addresses and other computer activity. Find out which
Web Sites your employees are visiting while working on your computer. This Key Logger is perfect for
home or professional use.
Pro Data Doctor: File recovery software for Windows,
USB drives, removable media, digital cameras, iPods and SIM cards.
GetDataBack Data Recovery Software: Runtime Software's data
recovery software will help you rescue your lost or inaccessible files from any imaginable data recovery
disaster. Data Recovery is possible more often than you might think — even without having to
send your hard drive to a data recovery service.
My Hard Drive Died! When you absolutely,
positively need your data back!
More Software Products and
information about data recovery.
More secure deletion
tools.
Professional recovery services:
In extreme cases, you could ship a damaged drive to a lab for data recovery. For example,
ESS Data Recovery Labs
Drive Savers
First Advantage Data Recovery Services
ECO Data Recovery
Vantage Data Recovery
Data Recovery Group
CBL Data Recovery Technologies Inc.
Professional data destruction services:
Enterprise Boot and Nuke: You
have data to destroy on dozens (if not hundreds or thousands) of hard-drives and you're looking for a way to
get it done quickly, economically, and effectively. In addition, you need accurate reports for legal
compliance. Techway Services has three proven solutions to meet your needs. ... All of Techway Services
solutions employ our class-leading, proprietary software EBAN, which is U.S. Department of Defense 5220.22M
compliant.
Other privacy protection products:
Here is a list of Useful Products. A
number of useful software programs that can help you manage and protect your privacy online.
Disk Investigator (Freeware) helps
you to discover all that is hidden on your computer hard disk. It can also help you to recover lost
data. Display the true drive contents by bypassing the operating system and directly reading the raw
drive sectors. View and search raw directories, files, clusters, and system sectors. Verify the
effectiveness of file and disk wiping programs. Undelete previously deleted files.
The Secure Erase Command:
How to REALLY erase a hard drive: HDerase.exe
accesses an ATA disk drive's internal Secure Erase commands to wipe a disk clean. ... Secure Erase is
built into all ATA-compliant disk drives since 2001. This functionality is recognized by the US
Government's National Institute of Standards and Technologies (NIST) as equivalent to magnetically wiping a
drive (degaussing) or physically destroying it. NIST also rates the secure erase commands as more secure
than external host-based drive wiping utilities such as Boot and Nuke. Secure Erase complies with HIPAA,
Personal Information Protection and Electronic Documents Act (PIPEDA), the Gramm-Leach-Bliley Act (GLBA), and
California Senate Bill 1386 for data destruction.
Secure Erase: data security you already own.
Secure Erase is built into virtually all P/SATA drives built since 2001, when it became part of the ATA
standard. It is virtually unknown however, because many BIOSes block the command and some even lock the
drive to keep the data safe from Murphy's-law-abiding citizens. Not to mention evil virus writers.
There's even a Secure Erase Newsletter.
Tutorial on Disk Drive Data Sanitization:
Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as
the freeware "HDDerase". It executes the Federally-approved (NIST 800-88) Secure Erase command in the
ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB. A similar command
in the SCSI ANSI standard is optional and not yet implemented in drives tested. Normal Secure Erase takes
30-60 minutes to complete. Some ATA drives also implement the standard Enhanced Secure Erase command that
takes only milliseconds to complete.
Additional related information:
Why Undelete Utilities
Fail: The more work you do on your computer after you accidentally delete a file,
the lower the odds that the undelete utility can get your data back safely. But how exactly
are you going to purchase and download that undelete file utility? Downloading a file
obviously creates new data on your disk, and could overwrite your undeleted data. But
just browsing the web to locate a utility causes new temporary files to be created —
another threat to your data.
How To: Recover deleted files.
When a file is deleted from your computer, it is not really deleted. It is simply removed from the list
of files in the folder. If you're using Windows, and deleted the file using Windows Explorer, the file
will normally have been moved to the Recycle Bin. While it is in the Recycle Bin, the file can easily be
restored in its entirety, with no problem at all.
Recovering Deleted Files After You Have Emptied the Recycle
Bin: When first learning Windows 95, I relied very heavily on the extra layer of Recycle Bin
recovery built into Norton Utilities.
So I understand how data loss can occur, and the unhappy place
it can leave you. Pre-FAT32, the old UNDELETE utility in DOS also was a life-saver a time or two but,
once Win95B and FAT32 came into play, that one was history.
Recovering deleted files: The
Recycle Bin may be a marvel — one which most of us take for granted — but it does have its limits.
For starters, the Recycle Bin does not catch every file you delete. All files deleted from the desktop
or Windows Explorer end up there, as do files deleted from within compliant programs. Files deleted
at the DOS prompt, though, bypass the Recycle Bin.
Secure Deletion of Data from Magnetic
and Solid-State Memory. With the use of increasingly sophisticated encryption systems, an attacker
wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack
is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers
some of the methods available to recover erased data and presents schemes to make this recovery significantly
more difficult. [Includes a long list of interesting references.]
Bringing
Data Back From the Dead: Sometimes, a failing hard drive will screech like nails on a
chalkboard. Other times, its death will be eerily quiet. Either way, years of
work — documents, digital photos and music, save games, e-mail archives and your
address book — can be gone in an instant.
File wiping on
journaling file systems. Many modern operating systems ... have the ability to use a journaling
file system that makes complete erasure of data unlikely. Journaling file systems are used to increase
the integrity of data in case of failures. To accomplish this, the file systems keep metadata and logs
in various places known to the file system; most file systems can also journal all data, but turn this
functionality off by default. The metadata and logs will not be securely wiped with a file
wiping tool.
Why a normal delete is not sufficient:
A normal "delete" command does not actually delete files at all. But even with more advanced "file wiping"
utilities, some data may remain that is very useful for a forensic investigator. In particular, the magnetic
properties of a hard disk can be exploited to recover data.
Deleting and wiping files: Another
difficulty occurs with so-called journaling filesystems (JFS) or log-structured file-system (LFS). Such
filesystems store the data in a different way so that the data can always be recovered after a crash.
Attempting to wipe a file using traditional means will not be successful with such filesystems.
Wiping swap files: On many
multi-tasking systems, a swap file is used to emulate RAM. The swapfile contains data from programs that
are currently running. This data may include personal files as well as passwords. To avoid leaking
this data, wiping the swapfile is a good idea. However, this is difficult because the swapfile is
constantly being used. Special programs are available for this purpose.
It's now a crime to delete files:
International Airport Centers sues former employee, claiming use of a secure file deletion utility violated
federal hacking laws.
The spies among
us. American high-tech industries are a key target. Every year, economic espionage costs
American businesses billions of dollars. Spies recruit company insiders, form joint ventures, and even
engage in "dumpster diving" for discarded proprietary data.
Securing Your Deleted Files. I
know more than one person who rarely, if ever, empties their Recycle Bin. … If you don't feel that
security is an issue because you don't have any personal or sensitive information on your machine to
delete, there is another reason for keeping your Recycle Bin emptied. Space. Those files you hold
in your Recycle Bin needlessly take up space on your hard drive. … Our second security issue comes
to light the moment you click the command to "Empty Recycle Bin." You may be under the impression
that those files are now gone for good and cannot be recovered by anyone. This is not true.
Can your PC be subpoenaed? As
people commit an ever-growing pile of information to computers, their hard drives are becoming a digital mother
lode for lawyers. The issue moved into the spotlight when Kenneth Starr's prosecutors scavenged Monica
Lewinsky's computers and published what they found, including e-mail messages to friends and unsent drafts
of letters.
Junta hunts dissidents on UN
computers. Burma's ruling junta is attempting to seize United Nations computers containing information on
opposition activists in the latest stage of its brutal crackdown on pro-democracy demonstrations, The Times has learnt.
UN staff were thrown into panic over the weekend after Burmese police and diplomats entered its offices in Rangoon and
demanded hard drives from its computers.
Angry Employee Deletes All of Company's
Data. When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the
newspaper for a position that looked suspiciously like her current job -- and with her boss's
phone number listed -- she assumed she was about to be fired. So, police say, she went to
the architectural office where she works late Sunday night and erased 7 years' worth of
drawings and blueprints, estimated to be worth $2.5 million.
Computer Forensics
Gear: Deleted files can be recovered with software tools such as Norton Utilities,
DIBS, or PowerQuest Corp.'s Lost & Found. After the files are located, they should be listed and
reviewed for relevance to the investigation. EnCase, DIBS, and NTI's FileList are well-suited
for this purpose. … Evidence in all of the slack space on the entire hard drive or other
storage media can be retrieved quickly with tools such as NTI's GetSlack and Filter_I software
utilities. GetSlack grabs all slack space and places it into a single file.
File Scavenger goes well beyond simple undelete
action. It has successfully restored items even after the drive was formatted and in another case,
where the operating system was overwritten from a recovery disk
image.
(Review)
Restoration
v2.5.14. Restoration can rescue your accidentally deleted files and permanently
delete the files you want good-and-gone. It can live on a floppy, so it leaves no trace
of its activities.
Delete, Baby,
Delete. During the controversy over the Iran-contra affair, in 1986,
Lieutenant Colonel Oliver North attempted to erase all the relevant e-mail messages on his
computer; he repeatedly pressed the DELETE button, thinking that he was thereby expunging
the messages. "Wow, were we wrong!" he later observed. North didn't know that
pressing DELETE doesn't result in complete deletion. He also didn't know about
the existence of a backup data-storage system.
Scrub
your disk. A list of freeware programs to wipe files.
Personal
Info Fills Junked Hard Drives: Over two years, Simson Garfinkel
and Abhi Shelat bought 158 used hard drives at secondhand computer stores and
on eBay. Of the 129 drives that functioned, 69 still had recoverable files on
them and 49 contained "significant personal information" — medical correspondence,
love letters, pornography and 5,000 credit card numbers.
Don't be Smug in Thinking Personal Data has
been Erased. Whether you recycle your old computer, sell it, give it away or take it to the
dump, you may also be giving away personal information, even if you think you erased everything on your hard
drive. Two MIT graduate students bought 158 used disk drives on the secondary market and found many
"had not been properly sanitized."
Gathering
the E-Evidence: "The best way to get rid of computer data is to take the
hard drive and pound it with a hammer and throw it in a furnace," said John Patzakis,
president of Guidance Software, which makes forensic software that helps police find
hidden files.
No
Thanks for the Memories: Personal computers have a way of hanging on
to "deleted" data that may surprise you — and could get you into a heap of trouble
if you're not careful.
Remembrance
of Things Past: Data is not physical, not something that you can lock away
today and hope you'll be able to access in 10 or 20 years. Large collections of data are
almost impossible to safely maintain—especially over long periods. At the same time,
data is just as difficult to dispose of properly. [PDF format]
Researchers
Find a Way to Steal Encrypted Data. A group led by a Princeton University computer
security researcher has developed a simple method to steal encrypted information stored on computer
hard disks. The technique, which could undermine security software protecting critical data on
computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust
remover.
Data
Detectives: Specialists in uncovering lost or hidden data are fast becoming
strategic legal weapons.
Enron can't shred
electrons. Even the act of deleting documents can in itself be
revealing. Not only can computer forensic investigators recover documents,
they can tell when and how they were deleted. In some cases, they can even
determine whether a deletion was an innocent act -- part of company policy -- or if
there was a more devious motive. Still more remarkable, using an electron
microscope, computer forensic teams can read information from the individual
magnetic spots on the surface of a hard disk that has been intentionally erased. This
costly technique, originally a tool of the intelligence world, has been used successfully
in big legal cases.
Securely
Deleting Files: If and when you ever dispose of computer equipment or
disks that have contained sensitive information, be sure to take precautions to
ensure that all information is not only deleted, but it is completely destroyed. Simply
deleting a file is not sufficient to prevent a clever user from undeleting the file and
recovering sensitive information. Some highly sophisticated techniques are
available that may be able to recover information from a disk even after it has
been overwritten. If your information is highly sensitive you may need to
take additional steps such as physically destroying the disk or degaussing the drives.
Cookies – Exploitations
and Invasion of Privacy. Over the years, cookies have garnered a bad
reputation as being able to scan PC hard drives, take over systems by stealing valuable
information such as passwords, and passing viruses. These myths are untrue, but
cookies have been used to collect information on browsing habits, browser specifications,
system information, and web-based spending and viewing habits.
Why a
normal delete is not sufficient: It is in the nature of a computer
to always be updating one file or another. Every time a file is updated
or "saved", new copies are created and written wherever there is sufficient
space. Applications can create huge numbers of such files. When a file
is eventually deleted, only the last image is accounted for. All other
images appear as free disk space, unseen, unsuspected. That is until
a disk is viewed with the appropriate software; then all is revealed. Even
when partially overwritten, these files can make interesting reading!
The
Unintentional Disclosure of Digital Data: A perspective
of how much data is worth, an overview of how data is written to magnetic media,
why data erasure (deletion) is insufficient to avoid data recovery, how the
data may be resurrected, and identification of known and unknown perpetrators.
Annual list of top 10 data
disasters. The list was compiled by data recovery firm OnTrack which handles
more than 100,000 requests a year for help to piece together information from damaged
computer hardware.
Firms become digital
detectives. Digital data can be fragile and businesses must exercise
care if they are to avoid damaging or even deleting potentially useful information.
Gone for good? "In
some aspect an e-mail can exist indefinitely," says Mr Dearsley. "Subject lines, times and dates
can all be pieced together. I have retrieved some that have been years old."
Odd mishaps cause computer
grief. Data recovery experts are the technological doctors and nurses of desktop
or laptop hard drives. Using increasingly sophisticated techniques, "lost" files or
information can be rescued and rebuilt into a usable format. This can happen in a matter
of hours through remote access, but in more serious cases computer patients may have to be
admitted to the lab.
Is It
Really Gone? (A Look at Data Deletion). When the delete
command is used it doesn't actually touch the data recorded on the
media. It only removes the index entry and pointers to the actual data so that it
appears as if the file has been removed.
Recovering Deleted Files After You Have Emptied the Recycle
Bin. The first rule is: Stop using that computer immediately! … Use another computer
to get the recovery tool you will need. This is also one of the places where well-planned partitioning of
your hard drive has a huge advantage.
Did
You Really Erase Those Files? Make sure your trash disappears permanently.
Deleted
Files - Still There: With the right software, it is relatively easy
to recover deleted files from your hard drive. Some file recovery software can even
work over a network connection.
And You
Thought DELETE Meant DELETE! A High Level Overview of File Deletion.
Protecting
your sources: The provisions of the new Terrorism Act and of the Regulation
of Investigatory Powers (RIP) Act 2000 give the authorities wide-ranging powers to seize
computer files and to imprison you if you fail to produce "plain text" for any that are
protected by "encryption".
There is also some discussion of this in "Erased
Disk used against Brazilian President", part
of Risks, Volume 13, Issue 87.
The Use And Retention
Of Emails: Some Legal Lessons From The Field. Corporate counsel often instruct corporate
employees about the dangers of writing down every errant thought about the company's products and conduct.
But that instruction may have particular urgency for electronic communication. Because of the spontaneous
and reflexive nature of electronic communication – the words do not remain on a printed page to be
contemplated, and perhaps revised – many users often treat e-mail, and similar transmissions,
casually, not carefully.
The "E" in E-mail Often Stands for
Evidence: "It's like the gift that keeps on giving," said Tom Greene, a deputy attorney general
in California, one of the states suing Microsoft Corp. in an antitrust case built largely on computer
messages. "People are so chatty in e-mail."
'Embarrassed' Suspect
Sues Microsoft After FBI Finds Sex Videos On His PC. A man awaiting trial for alleged gun crimes
is suing Microsoft for privacy violations after FBI agents seized his home computer during a raid and found
files containing sexually explicit videos of him and his girlfriend and evidence that he frequented
pornographic Web sites. Michael Alan Crooker, currently in jail in Connecticut, says security features
advertised by Microsoft and its business partners should have kept federal agents from accessing the files on
his PC.
FBI raids
Houston shipping company. FBI agents searched two buildings and loaded dozens of boxes into a
truck Wednesday [10/10/2007] as part of what has been called an "international" antitrust investigation involving
several companies. One is Eagle Global Logistics, based in Houston. Some of the agents were from
the Greater Houston Computer Forensics Laboratory. They've been looking at computer hard drives.
The FBI isn't talking on the record about what it's looking for and neither is the Justice Department.
Privacy and Your E-mail Box: Realize
that e-mail is forever. Witness the pain suffered by Microsoft recently when internal e-mail hit the
courts. Remember Oliver North? [He's the] Poster-boy for e-mail messages surviving the delete key
and rising up to slap you with court subpoenas.
E-mail and the courts: This appears to be a
compendium of legal cases in which e-mails play a significant role. It includes several cases where
deleting e-mail has cost companies large amounts of money, even when the e-mails were not recovered.
Smoking E-Mails: KPMG's
tax shelters weren't too bright. Its internal memos on the shelters were really dim-witted.
Federal Court Turns When E-mails
Contradict Deposition Testimony. As electronic discovery becomes more commonly used,
e-mails are proving to be a gold mine of information in corporate legal disputes.
The legal
implications of self-destructing e-mail. According to an article by Laurie Varendorff,
an Australian records management expert, Microsoft and IBM have developed software that enables creators
of e-mail messages to have tremendous control over their messages, even after they have been sent.
Experts try to resurrect SAIF
files. Experts in computer forensics often can resurrect computer files that seemed to disappear,
but the deleted e-mail of former SAIF Corp. President Katherine Keene might remain a mystery.
Gravel-pit lawsuit
triggers e-mail hunt. King County [Washington] officials, responding to a lawsuit from the
owner of a Maury Island gravel pit, hired a consulting firm to help search for deleted e-mails on the
computers of County Executive Ron Sims and other officials.
Somewhat related: Hidden Text in Computer
Documents. During the manhunt for the DC sniper, a letter was left for
the police by the sniper that included specific names and telephone numbers. Perhaps
in order to persuade the panicking public that the police were in fact doing something, they
allowed the letter to be published — in redacted form — on the Washington Post's
Web site. Unfortunately, they implemented the redactions by the completely pointless
method of placing black rectangles over the sensitive text in the PDF. A simple script
was able to remove these boxes and recover the full PDF.
You may also be interested in Recovering
lost camera images.