(405) 919-9901

I recently had the opportunity to perform some basic computer forensic analysis for some clients who wanted to know if their computers had been used for “illicit” purposes.  One client, the owner of a popular hairdressing salon, needed to know if her employees were using a company computer to visit pornographic websites while she was out of the office.  The other client, an attorney, wanted to know if a certain machine had been used to download pornography that could have possibly been viewed by children using this “family” computer.
The first job was relatively simple.  Even though you can delete the temporary “cache” files of an Internet browser, a history of visited websites is still retained in an unremovable “.dat” file.  A little special processing and fiddling about, and, voila, I had a list of accessed websites.  Indeed, many were porno websites.

The second job was a bit more difficult, as someone had tried to cover their tracks.  There were no clues in any of the normal places.  At the very least, someone had “deleted” files, and then emptied the “recycle bin.”  I was also told that the computers hard drive might have been reformatted, in an attempt to “erase” files.  Again, after employing some special and unusual measures, I was able to recover thousands of hard-core porno pictures from what appeared on the surface to be a “clean” computer.  Someone was in big trouble.

Keep privacy in mind before you sell or give away your old computer.  A study done by students at MIT, examining 158 used hard drives purchased on eBay, found that 74% of the drives contained readable data, even though 36% of the drives had been reformatted.  Discovered were emails, medical records, financial data, and 3,722 credit card numbers, not including one hard drive that came from an ATM machine, which contained bank account numbers and 2,868 credit card numbers.

True erasure of computer files is very difficult.  Conventional “deleting” of files does not work, nor does repartitioning or reformatting, as a file is not truly erased until the physical space that it occupied on the hard drive is overwritten with new data, and even that is not foolproof.  Many popular “erasing” programs will make multiple “wipes” of a drives contents, allegedly done to “government” standards, which will usually stop all but the most determined investigator.  However, drive wiping, and even attempts to physically damage the drive can be thwarted, as techniques based on magnetic force microscopy can still recover data from the drives internal magnetic “platters,” even if they are broken into pieces.  Government hard drives containing national security secrets are often smelted.

AccessData sells a program for $40 that will “permanently erase” files from your hard drive.  They also sell, for $1,095, a program aimed at law enforcement and security professionals that allows you to “automatically recover deleted files and partitions.”  Remember the old saying, “you get what you pay for?”