Prologue
Welcome to my blog. Here I will try to raise topics and issues interesting to not just computer geeks, but to lawyers, accountants, managers, and even the “average person” (assuming one exists). I hope you find the content valuable and the discussion engaging. Today we will start with one of the most common topics in computer forensics – deleted data. Thank you for visiting.
Is It Ever Really Deleted?
Probably more than 90% of the time, the first thing a person says after they find out I am computer forensic examiner is, “It’s never really deleted, is it?” News stories, television shows and movies have made the collection of evidence from computers part of our mainstream culture. Only a few years ago, few people thought about the information stored on their computers, or how much the computer can tell about a person’s actions. But by now, most people have heard at least one or two stories of someone up to no good who was betrayed by their own computer.
I once worked on a case that involved three computers used by three different employees of a company. The employees had left over three years before I examined the computers, and they had been in use that entire time by other employees. Still, I was able to recover over 8,000 pages of web-based email from these employees. Based largely on those emails, my client won a summary judgment – an expedient and profitable end to a potentially difficult case.
So, how do I answer the question, “It’s never really deleted, is it?” In a casual social setting, I say “No,” but the real answer is more complicated.
Why Isn’t Deleted Data Deleted?
There are a number of things that help an examiner like me recover data thought to have been deleted. First, when you delete a file, the data in that file is not actually deleted in the sense that most people would think (assuming we’re talking about a Windows-based file system). If you think of a hard drive like a book, there is a “table of contents” where a list of all the files on the drive and their location is kept. Then there are the files or “chapters” where the actual data is stored. When you delete a file, the entry for that file is taken out of the “table of contents,” and the space on the drive where the data is being stored is marked as “available” by Windows, but the data is not overwritten at that time. It stays there until Windows decides to use that space again. When is that? Maybe an hour. Maybe a day. Or, as the case I just mentioned illustrates, it could be years.
Second, especially when it comes to Microsoft Office, for each document, usually multiple copies exist on the drive. To help explain, let’s assume you create a Word document called “Stuff to Keep Secret.docx.” Obviously, there is the original file, but there are also probably a few other copies:
1) Temp Files – Word creates temporary files as you work on your document to track changes. These files can also be used to recover a document in the case of a computer crash.
2) Windows Swap File – Windows uses a portion of your computer’s hard drive for a “swap” file, called pagefile.sys, to swap information in and out of RAM (working memory). Most likely, at least one copy of your document exists in this file.
3) AutoRecover/AutoSave Files – Depending on which version of Word you use, it has a preferences setting that will automatically save a “backup” of your file at a time interval you can specify.
4) RAM – A copy of your document is stored in RAM as you work on it. Tools have been developed to allow computer forensic examiners to examine the contents of a computer’s RAM.
5) Print Files – If you print your document, print files containing your document’s data are created before the job is sent to the printer.
6) Backups – If you back up your files and this document is included in that backup, several more copies may exist depending on your backup scheme.
7) Email – If you email your document (let’s say you use Outlook), a copy of your document is stored in your Outlook email file. There’s also at least one copy on each recipient’s computer, not to mention numerous Internet servers between you and your recipient(s). If one of your recipients forwards your document…well, just forget it – everyone now has a copy.
In fact, even if you never actually “Save” your document, multiple copies probably exist on your computer. Let’s say you open Word and type, “Put all the money in a brown paper bag.” You print your document and then close Word without saving. Possibly five or more copies of your document, like those mentioned above, are sitting on your computer.
Finally, EVEN if you delete your document and it gets overwritten, it may not get COMPLETELY overwritten. Let’s say you write a 100-page manifesto about how baloney sandwiches are bringing about the downfall of society. The first 99 pages are just your ramblings about the evils of baloney, but on page 100 you detail your plans to steal and destroy all the baloney from the grocery stores in your town. You close your file and then go steal and destroy the baloney. The police are now looking for you – you’re on the evening news. You decide you should delete your manifesto and, by chance, Windows DOES overwrite most of your document, but it doesn’t need all the space used by your file, so it only overwrites the first 99 pages. The last page – the incriminating one – is still sitting there on your drive for an examiner to discover.
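The two mechanisms above (the “table of contents” entry going away while the data stays put, and a later file overwriting only part of the space) can be shown with a small simulation. This is an added illustration, not code from the original post: a constructed toy disk with 16-byte blocks, a free-space bitmap and a name-to-blocks table, plus the kind of “unallocated space” search an examiner runs.

```python
# Constructed toy block device: a "table of contents" (name -> block ids),
# an allocation bitmap, and raw block contents. Not a real file system.
BLOCK = 16      # bytes per block (tiny, so the example stays readable)
NBLOCKS = 8

class ToyDisk:
    def __init__(self):
        self.blocks = [b"\x00" * BLOCK for _ in range(NBLOCKS)]
        self.free = [True] * NBLOCKS   # True = "available" for reuse
        self.table = {}                # the "table of contents"

    def write(self, name, data):
        """Store data in the lowest-numbered free blocks, like a naive allocator."""
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        ids = [i for i, is_free in enumerate(self.free) if is_free][:len(chunks)]
        if len(ids) < len(chunks):
            raise OSError("disk full")
        for bid, chunk in zip(ids, chunks):
            self.blocks[bid] = chunk.ljust(BLOCK, b"\x00")  # old bytes gone here
            self.free[bid] = False
        self.table[name] = ids

    def delete(self, name):
        """Ordinary delete: drop the directory entry, mark blocks free, leave bytes alone."""
        for bid in self.table.pop(name):
            self.free[bid] = True

    def read(self, name):
        """What a normal user sees: only files still in the table are readable."""
        return b"".join(self.blocks[b] for b in self.table[name]).rstrip(b"\x00")

    def carve_unallocated(self, needle):
        """Examiner's view: search blocks the table no longer points to."""
        return [b for b in range(NBLOCKS) if self.free[b] and needle in self.blocks[b]]

if __name__ == "__main__":
    d = ToyDisk()
    # A three-"page" manifesto; only the last page is incriminating.
    d.write("manifesto.txt", b"page 1: baloney.".ljust(16)
            + b"page 2: baloney.".ljust(16) + b"page 3: STEAL IT")
    d.delete("manifesto.txt")
    print("after delete, unallocated blocks holding 'STEAL IT':",
          d.carve_unallocated(b"STEAL IT"))          # [2]
    # A smaller file reuses only the first two blocks; page 3 survives.
    d.write("shopping.txt", b"milk, eggs, bread, cheese")
    print("after partial overwrite:", d.carve_unallocated(b"STEAL IT"))  # [2]
    print("baloney pages gone:", d.carve_unallocated(b"baloney"))        # []
```

Real file systems add further remnants the toy omits (for example, the unused tail of a file’s last block), so the simulation understates, not overstates, what an examiner can find.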
You’re now starting to get an idea of how persistent data can be. So, is it ever really deleted? Probably not. Unless, of course, the file you are trying to recover is incredibly important and was accidentally deleted by your 4-year-old. In that case, yes, it’s definitely gone forever.
Tune in next week – I’ll be talking about whether the government is using electron microscopes to read your email.