by Dave Moore, 05/24/2020
Often I am asked to perform some basic computer forensic analysis for clients who want to know if their computers have been used for “illicit” purposes.
One client, the owner of a popular hairdressing salon, needed to know if her employees were using a company computer to visit pornographic websites while she was out of the office. Another client, an attorney, wanted to know if a certain machine had been used to download pornography that could have possibly been viewed by children using this “family” computer.
The first job was relatively simple. Even though you can delete the temporary “cache” stored by an Internet browser, along with its stash of browser “cookies,” a history of visited websites can still be retained in an otherwise unfindable location. A little special processing and fiddling about, and, voila, I had a list of accessed websites. Indeed, many were porno websites.
The second job was a bit more difficult, as someone had tried to cover their tracks. There were no clues in any of the normal places. It seemed someone had deleted files, and then emptied the recycle bin. I was also told that the computer's hard drive might have been reformatted, in an attempt to “erase” files.
It seems the suspect was unaware that there is a difference between deleting a file and erasing one. After employing some special and unusual measures, I was able to recover thousands of hard-core porno pictures from what appeared on the surface to be a “clean” computer. Someone was in big trouble.
Keep privacy in mind before you sell or give away your old computer. A study done by graduate students at MIT (Garfinkel and Shelat, “Remembrance of Data Passed,” 2003), examining 158 used hard drives purchased on eBay and elsewhere, found that 74% of the drives contained readable data, even though 36% of the drives had been reformatted. Discovered were emails, medical records, financial data, and 3,722 credit card numbers. One hard drive came from an ATM and contained bank account numbers and 2,868 credit card numbers.
True erasure of computer files is not what many people think it is. Conventional deleting of a file does not remove it, and neither does repartitioning or reformatting: deleting only removes the file's directory entry and marks the space it occupied as available, and the file is not truly erased until that physical space on the hard drive is overwritten with new data. Even that is not foolproof. Many popular “erasing” programs make multiple “wipes” of a drive's contents, allegedly to government standards, which will usually stop all but the most determined investigator. One caveat for newer machines: on a solid-state drive, wear leveling means an overwrite may never land on the block that actually held the data, so the drive's built-in secure-erase command, or full-disk encryption with the key destroyed, is the more reliable tool there.
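To make the distinction between deleting and erasing concrete, here is an added Python example. It is not the author's tooling and does not model any real file system; it simulates a tiny block device in which, as on most real file systems, “delete” only drops the directory entry and marks the blocks free, while the bytes stay on disk. A signature-based carver (the same idea forensic tools use to recover pictures from a “clean” drive) still finds the JPEG-like files after delete and quick format, and only overwriting the free space defeats it. The disk layout, the fake JPEG files and the zero-fill wipe pattern are constructed for the demonstration.

```python
"""Toy block device: delete vs. erase, and why file carving works.

Added illustration, not the columnist's method or a real file system.
Block size, disk size, the fake JPEGs and the wipe pattern are all
constructed for this demo.
"""

BLOCK = 512          # bytes per block (assumed)
DISK_BLOCKS = 64     # a 32 KiB "disk" (assumed)

JPEG_SOI = b"\xff\xd8\xff"   # real JPEG start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # real JPEG end-of-image marker


class ToyDisk:
    """A block device plus a minimal allocation table and directory."""

    def __init__(self):
        self.data = bytearray(BLOCK * DISK_BLOCKS)   # raw platter contents
        self.free = [True] * DISK_BLOCKS             # allocation bitmap
        self.files = {}                              # name -> list of blocks

    def write_file(self, name, payload):
        """Allocate the first free blocks and copy the payload into them."""
        needed = -(-len(payload) // BLOCK)           # ceil division
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(blocks) < needed:
            raise OSError("disk full")
        for k, b in enumerate(blocks):
            chunk = payload[k * BLOCK:(k + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free[b] = False
        self.files[name] = blocks

    def delete_file(self, name):
        """What 'delete' really does: forget the name, free the blocks.
        The bytes in self.data are untouched."""
        for b in self.files.pop(name):
            self.free[b] = True

    def quick_format(self):
        """A quick format just resets the metadata; the data area is untouched."""
        self.files.clear()
        self.free = [True] * DISK_BLOCKS

    def wipe_free_space(self, pattern=b"\x00", passes=1):
        """Overwrite every free block. A fixed pattern keeps the demo
        deterministic; real wiping tools use random data and several passes."""
        fill = (pattern * BLOCK)[:BLOCK]
        for _ in range(passes):
            for b, is_free in enumerate(self.free):
                if is_free:
                    self.data[b * BLOCK:(b + 1) * BLOCK] = fill


def carve_jpegs(raw):
    """Signature-based carving: ignore the directory entirely and return every
    SOI..EOI span found in the raw bytes. Works on contiguous files only,
    which is what this toy allocator produces."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def make_fake_jpeg(tag):
    """Constructed stand-in for a picture: valid markers around filler."""
    return JPEG_SOI + b"\xe0" + tag.encode() + b"\x00" * 700 + JPEG_EOI


def demo():
    """Returns (carved before delete, files listed after format,
    carved after delete+format, carved after wiping free space)."""
    disk = ToyDisk()
    disk.write_file("cat.jpg", make_fake_jpeg("cat"))
    disk.write_file("dog.jpg", make_fake_jpeg("dog"))
    before = len(carve_jpegs(disk.data))

    disk.delete_file("cat.jpg")
    disk.delete_file("dog.jpg")
    disk.quick_format()
    listed = len(disk.files)                   # the directory says: nothing here
    after_delete = len(carve_jpegs(disk.data)) # the platter says otherwise

    disk.wipe_free_space()
    after_wipe = len(carve_jpegs(disk.data))
    return before, listed, after_delete, after_wipe


if __name__ == "__main__":
    print(demo())  # (2, 0, 2, 0)
```

The middle two numbers are the whole point: the directory lists zero files, yet the carver recovers both pictures, exactly the situation in the attorney's “reformatted” machine. Only the overwrite pass brings the carved count to zero.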
However, drive wiping, and even attempts to physically damage the drive, can reportedly be thwarted by high-end forensics experts working for certain three-letter government agencies. Whether that holds for modern high-density drives is debated; the NIST media-sanitization guideline (SP 800-88) treats a single overwrite pass as adequate for today's magnetic disks and reserves physical destruction for the most sensitive cases. That is why decommissioned government hard drives containing classified material are often taken to metal foundries, where high-temperature kilns melt them down to slag.
There are free programs out there that assist users in actual erasure of hard drives, “Darik's Boot and Nuke” (DBAN) being one of the most popular. On the other hand, AccessData sells its Forensic Toolkit (FTK) to law enforcement and security professionals, allowing them to decrypt files, crack passwords, and recover deleted files. FTK starts at around $4,000 for a permanent license, and goes up depending on options. Maybe sometimes you really do get what you pay for.
Dave Moore has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.com