
The Perils of Deleting

Friday, March 20th, 2009

So, you think you can get rid of the skeletons on your computer by deleting them? You might want to rethink that.

Getting rid of files on your computer isn’t as easy as running paper documents through a shredder. If you shred some paper documents (and you actually use a GOOD shredder so that someone can’t just tape all the documents back together) the information IS pretty much gone. There may be a pile of shreddings, which is definitely evidence that you shredded something, but that’s about it. Documents on a computer present a serious double-edged sword – maybe even quadruple-edged (I don’t know – I was never good with math).

Easy As 1, 2….uhhh

Assuming you are running Windows, when you delete a file, it actually gets put in the Recycle Bin, which is really just another folder. I don’t even need to do anything special to retrieve it. Plus, it’s sitting right there in the Recycle Bin, which is evidence you tried to get rid of it. Busted.

If the Recycle Bin gets full, or you “Empty” it, the file gets deleted, but as I explained in my first post, “Is It Ever Really Deleted?,” the actual data is still sitting on your hard drive and can be recovered. In addition, every time a file is placed in the Recycle Bin, something called an “INFO” record is created. This is a hidden file that contains all the information about the file you just deleted, including when you deleted it. So, let’s say you’re told on Monday that you need to turn in your laptop at the end of the week. On Tuesday, you delete all the files you don’t want anyone to see. When I get the laptop, I run a report looking at INFO files on your computer and create a graph of deletion activity that looks like this:

[Figure: Deleted Files Report]

Whoops – looks like someone had a little “shredding party.” Busted.
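The deletion-activity report described above can be sketched in a few lines of Python. This is an added example, not the author's tool: it assumes the deletion timestamps have already been extracted from the Recycle Bin records as Windows FILETIME values, and the function names, sample paths and the 5x spike threshold are constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from statistics import median

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Windows FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def deletions_per_day(records):
    """records: iterable of (path, filetime) pairs -> Counter keyed by UTC date."""
    return Counter(filetime_to_utc(ft).date() for _, ft in records)

def flag_spikes(per_day, notice_date, factor=5):
    """Days on or after notice_date whose count exceeds factor x the median
    count of earlier days that had any deletions (assumed threshold)."""
    earlier = [n for d, n in per_day.items() if d < notice_date]
    baseline = max(median(earlier), 1) if earlier else 1
    return sorted(d for d, n in per_day.items()
                  if d >= notice_date and n > factor * baseline)

def text_chart(per_day):
    """One bar per day, the text equivalent of the deletion-activity graph."""
    return "\n".join(f"{d}  {'#' * n} ({n})" for d, n in sorted(per_day.items()))

def build_sample():
    """Constructed records: routine deletions, then a burst on Tue 2009-03-17."""
    recs = []
    for day, count in [(2, 2), (5, 1), (10, 3), (13, 2), (16, 1), (17, 40)]:
        start = datetime(2009, 3, day, 9, 0, tzinfo=timezone.utc)
        for i in range(count):
            path = f"C:\\Docs\\file_{day}_{i}.doc"  # hypothetical path
            recs.append((path, utc_to_filetime(start + timedelta(minutes=i))))
    return recs

if __name__ == "__main__":
    per_day = deletions_per_day(build_sample())
    print(text_chart(per_day))
    notice = date(2009, 3, 16)  # Monday: told to hand the laptop in
    for d in flag_spikes(per_day, notice):
        print(f"spike after notice: {d} ({per_day[d]} deletions)")
```

Timestamps are bucketed by UTC date here; a real examination would also account for the machine's time zone and clock accuracy before drawing conclusions from the timeline.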

How about wiping the drive? Most wipe programs use a specific pattern of 0’s and/or 1’s to overwrite data. This pattern can be recognized by an examiner and has been used in court to indicate destruction of evidence. Busted.

So, you decide to delete the partition or format the drive. That should do it, right? Wrong. An examiner can recover deleted or formatted partitions. Busted.

Ok, you decide to wipe the drive and completely reinstall Windows so everything looks “normal.” I don’t even have the space to describe how many places Windows records exactly when it was installed. So, again, you’re told on Monday that you need to turn your computer in at the end of the week. On Tuesday, you format the drive and reinstall Windows. Because the install date is recorded, it now shows that you effectively attempted to destroy everything on the drive AFTER you were told to hand over your computer. Busted.

FINE! You take your computer and throw it into the Grand Canyon. That should be safe, right? Well, beyond the obvious and inconvenient fact that the computer is now “missing,” the drive might still be readable. The “Black Boxes” on airplanes store information on hard drives just like those in your computer, and information from plane crashes is routinely recovered. Even if the disk is physically damaged, the data may still be retrievable. So, if someone finds your computer at the bottom of the Grand Canyon, you’re probably busted. Plus now you’re cited for littering in a national park and disparaged in youth hostels all over the world.

A Tangled Web

In most of these cases, not only does the original evidence still exist, but you’ve now further incriminated yourself by trying to destroy that evidence. Of course, this assumes that you have a duty to preserve the data, but that duty is created the instant that litigation or an investigation can be “reasonably anticipated” – not a difficult standard to meet.

In a civil case, if a judge believes a party has destroyed evidence (called “spoliation”) he can impose sanctions upon that party. He can even assume the evidence would have proven that party guilty and deliver a summary judgment ending the case without going to trial.

One Last Nasty Twist

What if you delete stuff that was completely innocuous? You were able to destroy the data but you left evidence of that destruction. Then you get sued. The judge or jury assumes that what you deleted would have been incriminating and finds against you. MAJOR bummer.

So, getting rid of computer skeletons isn’t easy. Is there a way to do it? Maybe, but I’m not telling. All I can say is this: I love it when an attorney calls me with a new case and says he thinks the person may have deleted the relevant data – my client’s chances of a favorable outcome have probably just gone up.

This is the last post in the series about deleted data. In my next post, I’ll change gears a little bit and talk about all the items in your life that can hold data – you might be surprised how many there are.