Computer Forensics: Why Your Erased Data is at Risk

In today's world, its not just enough to delete valuable data.

Photo by Janne Moren

It was a cold, rainy day in Atlanta as I pulled up to a house near my residence. I had noticed that someone had placed an old computer next to the road to be hauled off in the trash. I asked the owner if I could have the computer. He didn’t mind, it didn’t even work. I could have taken it unnoticed, but I am not a criminal.

Hours later, I took the casing off of this old Dell and started fiddling with the hard drive. The power source was obviously burnt out, and the hard drive probably had some issues if you tried to boot it, no problem. I simply connected the hard drive to my equipment and began making a forensics copy. Over the next few days I recovered thousands of files from the computer, including a file labeled “financial information” that included bank account numbers and other relevant data.

I was also able to recover a social security number and many other personal details from the forensics copy. Was the homeowner the subject of an investigation? No, and fortunately for him I was not stealing identities.

Leaving personal or business information on your computer can have an extremely detrimental affect on your life. The best way to prevent this from happening, is to protect your data and never give the bad guys access to your information.

Why Your Deleted File Is Not Actually Deleted

A computer has limited resources, so in order to preserve those resources your CPU does not actually delete files. The operating system basicly erases it’s location from the table of contents. The file still exists, but the space it occupies is now made available for other applications to save data to it.

Until the operating system actually places data into that sector, the file or information still exists and can be recovered using forensics software or a WinHex. WinHex allows users to read the hexadecimal code that represents the binary data.

Even when a file is saved in that sector, the original data may not be completely erased. If a file takes all 512 bytes of a sector, and the next file only uses 256 bytes of the sector, the remaining 256 bytes of data still exist and can be easily reconstructed.

Erasing Your Data

The Department of Defense has developed specific protocals to erase computer data that has been made available to the public. It is important that the tool you use actually meet these basic specifications.

There are several commercial applications that get the job done, but I prefer to use free software called eraser. Eraser forces Windows to overwrite the data in specific patterns.

Based on the level of security needed, you can select the number of passes Windows performs using different algorithims so that the data cannot be reconstructed. Eraser allows for up to 32 passes by different algorithims making the data completely impossible to reconstruct.

Most of the time, I use the seven pass option, which based on my experience provides enough security to stop forensic software from finding the data.

Eraser allows you to erase all areas of your unused hard drives as well as delete specific files or folders. Make sure to right click the software and “run as administrator” so the software has the system permissions to access the unused sections of the hard drive.

Encrypting your data with PGP

I always erase sensitive data using Eraser or some similar commercial utility. However, sometimes that process can be overlooked. If a file is encrypted before it is deleted, it will stay encrypted. Of course, sensitive data should be encrypted while your using it anyway.

But if a hacker or forensics expert gets a hold of your file, they will quickly abondon the project. If you set up PGP correctly, the NSA can’t even crack it.

So, by applying a two level security protocal, you can completely protect your personal and business data:

  1. Use PGP or other high level encryption to protect sensitive data
  2. Don’t just delete files, erase them completely using specialized software that meets DoD requirements

Or get RSS feed

Author: Jason Capshaw

Jason Capshaw is an Atlanta Private Investigator that conducts forensics investigations. He also manages the PSI Spy Store.

This entry was posted on Tuesday, April 19th, 2011 at 6:32 pm and modified by WebMaster View on Saturday, March 22nd, 2014 at 5:51 pm. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.