Deleted files can be recovered

Related topic:  Lois Lerner's very convenient computer crash.

Many computer users, including some who should know better, are unaware that deleted files can be recovered — undeleted — and can yield information which can be used against the person who deleted them.  This information can be as common as a deleted email message or as important as sensitive business records or government transactions.  Those who are less technically astute may assume that if a file doesn't show up in a directory (or folder), it's gone forever.  Few people know that deleted files are not erased; the data is just hidden, and the files can be undeleted.  Still fewer users know how to undelete files, either to recover from accidental deletion or to "go fishing" for interesting data.  It is unlikely that your little sister can undelete your files, but there are several US government agencies which — if properly motivated — could perform some amazing feats with your old computer.

Apparently there are many security-conscious individuals -- even some who own paper shredders -- who don't know or don't care about residual information from their deleted computer files.  But there have been many public figures in recent history who have learned about this issue the hard way.  That's how U.S. Senate investigators got evidence on Col. Oliver North.1  E-mail messages that North believed to be deleted were found and used against him in litigation.2  A total of 758 e-mail messages were sent, involving him in the Iran-Contra affair, and every one of them was recovered.3  Ironically, this problem becomes more difficult if you make backup copies of everything on your computer, as you should.  And of course, if information escapes onto the internet, it's free to wander around forever.

"Computer forensics" is the term for recovering other people's deleted or "lost" data.  This can be done as a favor to you, when your computer has crashed, (where the word "favor" means a commercially available service which costs a lot of money), or it can be done by a law enforcement agency when your computer has been seized as evidence.  In the latter case, you can be sure that anything embarrassing that is found on your computer can and will be used against you, whether or not it pertains to your alleged criminal conduct.

Files and subdirectories can be hidden, too, although this was easier to accomplish under MS-DOS than it is with Windows.  Usually the originator of a hidden file (or subdirectory) is the only one who knows that it exists.  However, merely hiding a file offers no protection once the file has somehow been discovered.  Hiding a file makes no difference after the file has been deleted, since all deleted files are hidden, to some extent.

If you use an Apple computer running OS X, and you store files on a removable USB device, also known as a jump drive or a thumb drive (see below), you might be somewhat surprised to see all the hidden files you're creating in the course of your everyday work.  Take that removable device to a computer running Windows NT, Windows 7 or a newer version of Windows, and you'll see those files easily.

Encryption can be used to protect files whether they are deleted or not.  Encryption products are available in various strengths, for particular levels of security, but that is another topic altogether.

Simple deletion of a file is adequate if your only goal is to reduce clutter and make more space available on the disk drive (or floppy), and this is the quick and easy thing to do if the deleted files are of no interest to anyone else.  However, before you sell or give away an old computer, you should seriously consider wiping the entire hard drive, especially if the hard drive has ever contained sensitive information from your business or personal life.  Just putting an old computer in the trash dumpster behind your place of business can result in the compromise of all your "company confidential" files, trade secrets, and proprietary data.

Recovery of a file through software is impossible after the file has been subjected to a single overwrite with other data; however, the original file must be overwritten by something with the same or larger file size (see "Slack Space" below).  Recovery through more elaborate techniques is generally thought to be impossible after ten or twelve passes with random data rewriting the same sector of the disk.  So it's safe to say that wiping a file one time is enough to destroy it, for almost all practical purposes.  Your disgruntled employees, nosy family members, and small-town private eyes won't be able to recover a wiped file.

The primary hazard associated with the use of file wipers is that you may accidentally erase a file that you wish you hadn't.  If that happens, give it up.  Your file is gone.  If you use file-wiping power tools, be sure you know what you are doing, because it is possible to do a lot of permanent damage.

In theory at least, after a file has been wiped, examination of the disk with an electron microscope can still reveal the previous contents of the wiped area, because the obliterating bytes are not written in exactly the same tracks as the original data and there is still a little of the original data left around the edges.  For this reason, government-grade wiping involves multiple passes, typically writing ones and zeros on alternate passes, and perhaps finishing by writing random bits.

Even after wiping a disk, if you are protecting data from a foreign government (or your own government), you may have lingering doubts about the destruction of your most sensitive files.  Let's say, for example, that you are an orchid grower in Houston, and you suspect that a heavy-handed investigation by the Fish and Wildlife Service is about to get underway, and your computer could be used as evidence against you.  You might want to consider physical destruction of your computer's hard drive, or the shredding of a floppy disk.

Please note that the information on this page is provided for educational, entertainment and information purposes only, and is not intended to facilitate any unlawful activity.  As a condition of your use of this web site, you warrant to us that you will not use this web site for any purpose that is unlawful or prohibited by the terms, conditions, and notices in our all-inclusive Disclaimer.  The entire risk arising out of your use of this web page is assumed by you.  Regardless of any appearance to the contrary, we do not warrant, guarantee, or make any representation regarding the correctness, accuracy, timeliness, veracity, appropriateness or suitability of the information on this page.  As I always say, any actions you take based on whatever you saw, or think you saw, on this site are entirely your own responsibility.

This material came from akdart.com, Copyright 2011. Mass erasure of magnetic media (tape or disks) is called bulk erasing or degaussing.  People who work in radio and TV stations often bulk erase tapes before reusing them.  Once in a while, the bulk eraser is also used to obliterate the contents of floppy disks, DAT tapes, or other media.  Computer hard drives can be erased this way as well; however, the magnetic forces in an industrial-strength bulk eraser are so strong that the platters and other components of a hard drive are likely to be mechanically damaged in the process, so this is recommended only for drives that are about to go into the trash.

Do not degauss ZIP disks if you have any intention of reusing them.  ZIP disks are shipped with a magnetic servo pattern recorded on the disk.  Bulk erasing or degaussing a ZIP disk will make it unusable.  A ZIP disk cannot be reformatted after it has been bulk erased.*  ZIP disks are rapidly becoming unpopular, since CD-ROM and DVD-ROM drives are now affordable.  (Before you purchase a ZIP drive, you might want to read this also.)  Depending on the make and model, it may also be true that hard drives are not reusable after bulk erasing them with an electromagnet, because degaussing wipes out the low level formatting (track and sector markings) of the drive.*

In the case of floppy disks, the magnetic medium is easily extracted from the shell of the disk, and it slides easily into a paper shredder.  In an emergency, if you are away from your shredder, you could remove the magnetic film from a floppy disk, stuff it into an empty aluminum beverage can, crush the can, and drop it into the trash.  Preferably in someone else's trash can.  This technique works well for small scraps of paper, too.



A few words about "jump drives"

The recent development and popularity of removable solid-state storage devices, called "Jump drives", "Thumb drives", "Flash drives", "Keychain drives", and so on, have opened up another aspect of the emergency disposal problem.  As in the case of floppy disk media (when extracted from the shell), most solid-state USB drives can be stuffed quickly into a soda can and dropped in the trash, if you really don't want to be caught with the drive and its contents, or if you just want to dispose of the device without someone else exploiting it.  The drives are already quite inexpensive, and if they keep getting cheaper, they could be considered disposable.  Keep in mind that a trash can is often the safest place to store something for a few minutes:  Trash cans aren't emptied more than once a day, at least where I work.

The widespread use of "jump drives" creates a new and very large privacy risk:  If you use such a device at work, someone could "borrow" your jump drive while you're away from your desk, explore it, copy it and return it -- without your knowledge!

Please remember -- regardless of what you may have read in the preceding paragraphs -- the management of akdart.com does not condone or endorse industrial espionage or unprofessional conduct in the workplace.



Hard drives are a little tougher to destroy than floppies, and obviously more expensive to replace.  A good method of destruction might involve a few blows from a sledgehammer, an hour or more in a very hot fire, or — if you like chemistry — an acid bath.  Perhaps even a "cement overcoat" and a trip to the nearest lake or really deep river.  It pays to be creative.

There is a reason for all this extra care in disposing of hard drives:  There are people whose hobbies include dumpster diving in search of things like old computers.  Remember, even if the hard drive's electronics are destroyed, data remains on the disk platters until they are also physically destroyed.  I have actually seen an old disk drive in the trash (at work) from which the platters had been removed, so I'm not the only one who is cautious.

As you may recall, a U.S. Navy EP-3 military surveillance plane was forced down by the Chinese in April of 2001, and according to news reports, the crew hastily zeroized the disk drives on the plane before the crew and the plane were taken into custody.  Evidently they did a good job, because the Chinese government let the matter drop a few days later.  As far as I can determine, the plane is still in the hands of the Chinese government.*

Slack space is another problem, if there has ever been anything on your computer's hard drive that you don't want anyone to discover.  When a large file is deleted from a disk drive, and then a smaller file is stored in the same place on the disk drive, the contents of the large file – except for the part covered by the smaller and newer file – still remains on the disk and can be recovered.  If the newer file is really small, and sometimes files are only a few bytes, the chances of recovering almost all the contents of the large file are very good.  Disk space is allocated in clusters of as much as 32k-bytes.  As long as the newer and smaller file is not deleted, the information in the slack space will stay on the disk.  This is a rich source of information – in bits and pieces – for "investigators" with various motives.

Good file wiping programs usually include provisions for wiping slack space on individual files, as well as clearing out all the unused space on a disk drive.

For more routine civilian purposes, all this deleting and file wiping may seem like a lot of trouble.  But if your old computer has ever held sensitive files that could ruin your reputation, crush your business, or send you to prison if the files fell into the wrong hands, it is worth the effort to make sure the files are really gone.  In many countries around the world, there are those for whom the stakes are even higher.



It would be difficult to list all the products that are available to wipe out computer files as they are deleted.  By listing only a few, like Data Destroyer, and Cyberscrub, and obsolete products like good old Norton WipeInfo (for DOS), you might get the idea that I have tried them all, or that I am endorsing one product instead of another.  Of course that is not the case; the information on this page is provided for information only.  The large number of products available for this task shows that permanent file deletion is a non-trivial problem.

However, I would like to mention an article called Covering tracks on your hard drive, which explains what a swap file wiper is and why you need one.  It was written by Craig Christensen, author of two programs called Mutilate File Wiper  and  Mutilate Swapfile Wiper.  I used both of Craig's programs frequently, when I was primarily running Windows 98, even though I'm not paranoid and I have nothing to hide.  (Really!)  These days I'm using a Power Mac G5 with OS X, so I recently purchased a product called ShredIt X.

Please note that the links below are provided as a courtesy, and no representation is made regarding these products or the information provided about them (regardless of the statements immediately above).  If you have questions, complaints or claims related to these programs, you must direct them to the appropriate software vendor.

This is an original compilation, Copyright © 2022 by Andrew K. Dart

Other file-wiping or data recovery products:

This is not a comprehensive list of such products, but most of these products are available as freeware.  The ones that carry a price tag are usually affordable and (as far as I can tell) worth the investment.  Of course, there are exceptions.

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by akdart.com nor does it imply that the products mentioned are necessarily the best available for the purpose.  Unless specifically stated below, I have not tested any of these products or services.

These links are listed in no particular order.  Notice that some of these products pertain to the recovery of lost data, while others are for those who want to prevent data recovery.

Computer Specialist Who Deleted Clinton Emails May Have Asked Reddit for Tips.  An army of Reddit users believes it has found evidence that former Hillary Clinton computer specialist Paul Combetta solicited free advice regarding Clinton's private email server from users of the popular web forum.  A collaborative investigation showed a reddit user with the username stonetear requested help in relation to retaining and purging email messages after 60 days, and requested advice on how to remove a "VERY VIP" individual's email address from archived content.  The requests match neatly with publicly known dates related to Clinton's use of a private email server while secretary of state.

Sure Delete  offers two utilities that work to permanently delete data from a hard drive.  When you need to shred sensitive information, Sure Delete ensures that it's done right.  Rather than simply deleting file references on your computer, the program actually destroys the data itself.  Sure Delete goes much further than the Windows Recycle Bin, and ultimately makes the data irretrievable.  Best of all, the process is virtually effortless.

Webroot® Window Washer®.  "Window Washer is internet privacy software that cleans all aspects of your browser activity, including Internet history, address bar, cache, cookies, and more."

Hard Drive Eraser  is powerful and compact software that allows you to destroy all data on hard and floppy drives completely, excluding any possibility of future recovery of deleted files and folders.  It's a hard drive and partition eraser utility.

Darik's Boot and Nuke (DBAN)  is a self-contained boot floppy that securely wipes the hard disks of most computers.  DBAN is appropriate for bulk or emergency data destruction.

How do I remove sensitive information from a disk?  It's a wise precaution to remove sensitive data from computer disks before the disks are either transferred from one area to another or discarded.  The process is referred to as disk sanitizing, cleaning, purging, or wiping.  The method you choose to sanitize a disk should depend on the security requirements of your organization.

MediaWiper:  You could give away your complete personal identity on a single carelessly discarded diskette.  Most financial programs will back up data to removable media such as diskettes, memory cards, and more.  Removable media often has the habit of getting misplaced or discarded.  Identity thieves know this and make it an easy target.

Disk Wipe  completely and permanently overwrites and destroys all existing data on a hard disk, overwriting every physical byte of the disk.  Once Disk Wipe has been run, all data from every sector will have been eliminated.

Drive Cleanser:  Getting rid of an old PC, upgrading to a new hard drive, returning a leased computer, or redeploying a PC within your company?  It is truly imperative to completely destroy all data from the old hard disk.

cyberCide:  Whether your data is sent to the recycle bin or your entire drive is formatted and repartitioned, the chance of unauthorized discovery is very real and poses issues of risk and liability.  Securely wipe hard drives and overwrite, delete and destroy privileged data with cyberCide.

Declasfy:  Drive wiping with Declasfy can serve many purposes where information security is a concern.  For example:  preparing drives for internal reuse; securing private information prior to retirement or donation of a drive; securing private information for compliance with HIPAA and other regulatory requirements.  The program is designed to "wipe" hard disks to meet Department of Defense standards from the Rainbow series concerning declassification (wiping) of hard disks and cleansing of floppy disks.

R-Wipe & Clean  is a complete solution to wipe useless files and keep your computer privacy.  Irretrievably deletes private records of your on- and off-line activities, such as temporary internet files, history, cookies, autocomplete forms and passwords, swap files, recently opened documents list, Explorer MRUs, temporary files, etc., traces from more than 300 third-party applications, and free up your disk space.  The utility wipes files and unused disk space using either fast or secure erase algorithms.

QuickWiper  is a Windows security program.  If you are worried about coworkers going to recover files, remember — simple deletion is not secure enough because anybody can recover your sensitive files.  QuickWiper lets you to delete files with simplicity and ease.  You can choose a fast single pass, or the most secure NSA erasure algorithm.

Disk Redactor  is a WIPE utility that lets you securely erase any old (deleted) files and prevent them from being recovered.  All your private sensitive insecurely erased information will be wiped from free unused space on your drives to ensure complete data destruction.  This is necessary because when you delete a file, it is not gone forever, and any file removed from the Recycle Bin can be easily recovered!

(See HTML <!-- comments -->)

FileSalvage:  Extremely powerful data recovery tools designed to restore files that have been accidentally deleted, have become unreadable due to media faults, or were stored on a drive before it was re-initialized or formatted.  It is device and file system independent, allowing the users to recover files from a normal Mac OS hard drive, USB key, Linux disk, Windows drive, FLASH card, scratched CD, and almost any other media or file system that can be recognized in Mac OS X.

MacForensicsLab:  A complete suite of forensics and analysis tools in one cohesive software package.  Combining the power of many individual functions into one application in order to provide a single solution for law enforcement professionals and digital forensic investigators.

TestDisk  is a powerful free data recovery software!  It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting your Partition Table).

ShredIt X:  Whether you deal with confidential data on an ongoing basis or just want to protect yourself from identity theft when disposing of a computer, ShredIt has the features you want, for the computer you use.

The Editor says...
I purchased a copy of Shredit X in January, 2007, and so far it appears to be quite good.  I'm using it on a Power Mac G5, and most of the time I just use it to scrub my USB jump drive.

CardRaider:  "The easiest and most affordable way to recover lost photos from your digital camera, memory card or thumb drive.  CardRaider's familiar Mac OS X interface makes it simple to detect and unerase lost pictures."

[Yes, but sometimes you might want those pictures to get lost.  CardRaider apparently also includes a mechanism to "permanently erase photos so they can no longer be recovered."]

Digital Shredder:  Anonymizer Digital Shredder is the easiest way to keep your PC clean and running smoothly.  It erases cookies, cached files and history archives that are left on your computer every time you surf.

Autoclave:  Hard drive sterilization on a bootable floppy.  (Great idea, if you have a floppy drive.)

BCWipe  is designed to securely delete files from the disk.  Standard file deletion leaves the contents of the "deleted" file on your disk.  Unless it has been overwritten by files subsequently saved, it can be easily recovered using standard disk utilities.  BCWipe is fully integrated into the Windows Shell and efficiently shreds data in files so that they can not be recovered by any means.

Drive Scrubber:  With DriveScrubber, you can completely wipe all the contents of a drive, or you can just wipe a drive's free space.  Wiping everything from the hard drive is ideal before you reassign your PC.  Wiping the free space is ideal for regular computer maintenance; this process erases all remnants of deleted data, while keeping the existing files and operating system intact.

Kill Disk:  KillDisk - Hard Drive Eraser is powerful and compact software that allows you to destroy all data on hard and floppy drives completely, excluding any possibility of future recovery of deleted files and folders.  It's a hard drive and partition eraser utility.

Eraser  is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.  Works with Windows 95, 98, ME, NT, 2000, XP and DOS.  Eraser is FREE software and its source code is released under GNU General Public License.

R-Tools Technology Inc.  has tools for Data Recovery, File Undelete, File Encryption, E-Mail Recovery, Disk Cleaning, etc.

Undelete 5.0.

Pandora Recovery:  Find and recover deleted files of any type.

FreeUndelete 2.0.

Active Uneraser.

R-Studio Data Recovery Software.

Smart Undelete.

Disk Internals:  Numerous other tools to get back lost or deleted files.

SIM Recovery Pro:  You can now recover data and text messages from cellular phones using the SIM (Subscriber Identity Module) Recovery Pro.  Using this device allows you to save, edit and delete your phone book and short messages.  Aside from recovery and retrieve, even of deleted data, an added advantage is to back the information up on your computer.

SIM Recovery Pro capabilities:  Allows user to find deleted text.  Allows user to view up to last 10 numbers dialed.  Transfer data from one SIM card to another.  Edit SIM card information on your computer.  Back up phone numbers and SMS messages.

Cell Phone Spy Data Extractor:  Save, edit and delete your phone book and short messages (SMS) stored on your SIM card using the Recovery PRO software and SIM Recovery Pro Reader with your computer and ANY standard SIM card from a standard cell phone which supports removable SIM cards.

PS/2 Mini Key Logger:  The Mini Key Logger 64K is the world's smallest Key Logger.  It's only 4cm long and records over 64,000 keystrokes including e-mail, chat, IM, Web Site Addresses and other computer activity.  Find out which Web Sites your employees are visiting while working on your computer.  This Key Logger is perfect for home or professional use.

Pro Data Doctor:  File recovery software for Windows, USB drives, removable media, digital cameras, iPods and SIM cards.

GetDataBack Data Recovery Software:  Runtime Software's data recovery software will help you rescue your lost or inaccessible files from any imaginable data recovery disaster. Data Recovery is possible more often than you might think — even without having to send your hard drive to a data recovery service.

My Hard Drive Died!  When you absolutely, positively need your data back!

More Software Products  and information about data recovery.

More secure deletion tools.


Professional recovery services:

In extreme cases, you could ship a damaged drive to a lab for data recovery.  For example,

Secure Data Recovery dot com

Data Recovery dot com

Drive Savers

First Advantage Data Recovery Services

ECO Data Recovery

Vantage Data Recovery

Data Recovery Group

CBL Data Recovery Technologies Inc.


Professional data destruction services:

Enterprise Boot and Nuke:  You have data to destroy on dozens (if not hundreds or thousands) of hard-drives and you're looking for a way to get it done quickly, economically, and effectively.  In addition, you need accurate reports for legal compliance.  Techway Services has three proven solutions to meet your needs. ... All of Techway Services solutions employ our class-leading, proprietary software EBAN, which is U.S. Department of Defense 5220.22M compliant.

Other privacy protection products:

Here is a list of Useful Products.  A number of useful software programs that can help you manage and protect your privacy online.

Disk Investigator  (Freeware) helps you to discover all that is hidden on your computer hard disk.  It can also help you to recover lost data.  Display the true drive contents by bypassing the operating system and directly reading the raw drive sectors.  View and search raw directories, files, clusters, and system sectors.  Verify the effectiveness of file and disk wiping programs.  Undelete previously deleted files.



The Secure Erase Command:

How to REALLY erase a hard drive:  HDerase.exe accesses an ATA disk drive's internal Secure Erase commands to wipe a disk clean. ... Secure Erase is built into all ATA-compliant disks drives since 2001.  This functionality is recognized by the US Government's National Institute of Standards and Technologies (NIST) as equivalent to magnetically wiping a drive (degaussing) or physically destroying it.  NIST also rates the secure erase commands as more secure than external host-based drive wiping utilities such as Boot and Nuke.  Secure Erase complies with HIPAA, Personal Information Protection and Electronic Documents Act (PIPEDA), the Gramm-Leach-Bliley Act (GLBA), and California Senate Bill 1386 for data destruction.

Secure Erase:  data security you already own.  Secure Erase is built into virtually all P/SATA drives built since 2001, when it became part of the ATA standard.  It is virtually unknown however, because many BIOSes block the command and some even lock the drive to keep the data safe from Murphy's-law-abiding citizens.  Not to mention evil virus writers.

There's even a Secure Erase Newsletter.

Tutorial on Disk Drive Data Sanitization:  Complete eradication of user data off drives can be accomplished by running data Secure Erasure utilities such as the freeware "HDDerase".  It executes the Federally-approved (NIST 800-88) Secure Erase command in the ATA ANSI standard, which is implemented in all recent ATA drives greater than 15-20 GB.  A similar command in the SCSI ANSI standard is optional and not yet implemented in drives tested.  Normal Secure Erase takes 30-60 minutes to complete.  Some ATA drives also implement the standard Enhanced Secure Erase command that takes only milliseconds to complete.




Hillary Clinton's use of file-wiping software:

Giuliani: Clinton acted 'with criminal intent'.  Former New York City Mayor Rudy Giuliani claimed Sunday that Democratic presidential nominee Hillary Clinton "acted intentionally and with criminal intent" in regard to the private email server she used while secretary of state.  Giuliani, a Donald Trump surrogate and former United States attorney for the Southern District of New York, said in a statement released by Trump's campaign that Clinton's "powerful evidence of criminal intent" was how she deleted 33,000 emails and erased them with "expensive BleachBit software" that he claims is "used by criminals seeking to hide evidence from law enforcement."

The Editor says...
Bleachbit is not expensive software; in fact, it seems to be surprisingly affordable if not free.

Hillary's Emails:  Soaked in Bleach.  [Scroll down]  When questioned about the contents of the emails that Hillary and her team deleted and that have never been turned over to investigators as mandated, the company line that she and her team have stuck to is that they were mostly related to Hillary's yoga classes (anybody else not buy that Hillary does yoga?) and Chelsea's wedding and other such banalities irrelevant to the state.  If that's true, then why the BleachBit?  Sure, the software makes it easy, but make no mistake:  using BleachBit is an extreme measure.

FBI may not have been able to detect software used to scrub Clinton servers.  The developer of the Bleachbit software told the Daily Caller that the FBI may not have been able to detect its use in scrubbing the private email server used by Hillary Clinton. [...] It seems probable that many of the 14,900 emails recovered by the FBI were from sources other than the server.

Industrial strength data-erasing software company BRAGS that Hillary Clinton used their product to 'wipe' her email server.  A software company that sells a brute-force data erasure program is boasting that its technology gave Hillary Clinton the power to 'wipe' her private homebrew email server before it fell into the hands of the FBI.  Application developer Andrew Ziem wrote in a Thursday night [8/25/2016] press release that his BleachBit software prevented the FBI from accessing emails that Clinton deleted.  'Last year when Clinton was asked about wiping her email server, she joked, "Like with a cloth or something?"  It turns out now that BleachBit was that cloth.'

Hillary Clinton BleachBits her past.  While Hillary Clinton was preparing to deliver a big speech portraying Donald Trump as a racist, a figure from Clinton's recent unhappy past — Rep.  Trey Gowdy, chairman of the House Select Committee on Benghazi — added a new word to the 25-year vocabulary of Clinton scandals:  BleachBit.  That is the name of a publicly-available utility used to delete material from a computer's hard disk.  And it's not just for casual, quickie deletes of junk mail.  It's for when a user really wants to destroy material on a computer so that no one will be able to recover it.  According to Gowdy, BleachBit is what Clinton and her legal team used, or at least part of what her team used, to destroy the 30,000 or so emails on her secret system that she deemed "personal" from her years as secretary of state.

Hillary Clinton Deleted Emails Using Program Intended To 'Prevent Recovery'.  Hillary Clinton's team of aides and lawyers deleted emails from her private server using a software program intended to "prevent recovery" and hide traces of deleted files.  South Carolina Rep.  Trey Gowdy revealed the information during an interview on Thursday [8/25/2016] on Fox News.  Citing notes that FBI investigators took during their probe of Clinton's private email server, Gowdy said that Clinton's team used open source software called BleachBit to remove tens of thousands of emails from her server.

Gowdy: Clinton used special tool to wipe email server.  [Congressman Trey] Gowdy (R-S.C.) said the use of BleachBit, computer software whose website advertises that it can "prevent recovery" of files, is further proof that Clinton had something to hide in deleting personal emails from the private email system she used during her tenure as secretary of state.  Clinton has long said that the deleted emails were all of a personal nature, relating largely to yoga and her daughter's wedding, but Gowdy said he did not know whether the Democratic nominee considered emails pertaining to the Clinton Foundation to be personal.

Clinton team used special program to scrub server, Gowdy says.  Hillary Clinton's team used more than just a "cloth" to scrub her private server — employing a special program known as BleachBit to delete her private emails and try to prevent their recovery, a senior Republican on the House oversight committee who has read the FBI's investigative file told Fox News. [...] The account is striking considering that Clinton, at a rare press conference last year in Las Vegas, seemed to claim ignorance when asked by Fox News whether she wiped her server.  "What, like with a cloth or something?" Clinton quipped, adding:  "I don't know how it works digitally at all."  Yet Gowdy said her team was using BleachBit, which is like an electronic shredder that permanently scrambles data.

Additional related information:

Primary Witness to Material in Hunter Biden Laptop Flees to Switzerland Fearing Retaliation and U.S. Government.  Jack Maxey was the first person to receive a full hard drive copy of the Hunter Biden laptop from Rudy Guliani.  Maxey has fled to Switzerland in order to complete a full forensic audit of the laptop content in a neutral jurisdiction.  In recent interviews Maxey has started to discuss the buried information that was contained in the deleted files from the laptop — the things Hunter Biden did not want anyone to see.  That deleted material, now retrieved and archived, is alleged to contain 450 gigabytes of images, pictures and videos that are very disturbing.  Maxey is stating he will share the contents of the original files and all of the retrieved deleted files with the public so that people can see the scale of depravity and Biden family corruption within the evidence.  Additionally, Maxey is revealing to The Daily Mail the background of how he gave the original material to media, the Senate and law enforcement, and yet no one took any action.
[Emphasis added by The Editor.]

Opposing viewpoint:
We might want to be wary about purported new info from Hunter's hard drive.  On April 7, I wrote a post about the fact that Jack Maxey, a man who once worked with Steve Bannon at the latter's War Room, was contending that he had successfully recovered 450 gigabytes of deleted documents and photos from Hunter Biden's infamous hard drive.  Maxey promised that he would soon be making this information available to the public.  However, Yaacov Apelbaum, a writer whose work a highly reputable friend of mine recommends, suggests that Maxey's assertions should be taken with a very large grain of salt.  In a post entitled "My Name is Jack Maxey, and I'm a Fabricator," Apelbaum describes a "fabricator" as "an intelligence agent or officer that generates disinformation, falsehoods, or bogus information often without access to authentic sources." [...] Most recently, as noted above, Maxey reported to the Daily Mail the news that he's recovered 80,000 images and videos from Hunter's hard drive, along with 120,000 archived emails, all totaling 450 GBs of data.  Abelbaum believes this isn't true and that it is, instead a way to discredit the actual data on Hunter's hard drive by "lac[ing] it with disinformation...."

Secure Communications:  Computer and Cell Phone Countermeasures.  Numerous products for those who are deeply concerned about their electronic privacy.

The Vegas Massacre Exposé: What Really Happened?  Vegas has video cameras everywhere.  After NYC terror attacks we had videos on TV within hours.  In this case, in hotels covered by hundreds of [cameras], 6 months later we've never seen one video of the killer walking through the hotel.  Why? [...] Police say they found child porn on Paddock's computer.  But it was announced after the shooting, Paddock's hard drive was gone.  Removed from his computer.  Nowhere to be found.  So how did police find child porn?  Not one journalist questioned this development.  No one ever asked, "Did the hard drive miraculous re-appear?" Police never said a thing.  First it was gone.  Then they found child porn.  Strange.  But if in fact child porn was found (on another computer removed from his home, or office) wouldn't it make sense to investigate the connection to ISIS and the Philippines, where child sex trafficking is a primary mode of funding for Islamic terror groups?

How police can find your deleted text messages.  Smartphone forensics experts can retrieve just about anything from any phone.  Police will often seize and analyze phones for evidence of things such as indecent photos and videos, what calls were placed when and to whom, browser history, calendar events and explanations of a suicide or murder.  All of that can be uncovered whether or not a user deleted it from their phone.

When the World Wears a Wire.  The text exchanges between FBI agent Peter Strzok and his associate Lisa Page have recently been in the news.  Most of the coverage has focused on its politically controversial content.  What they say about Hillary, Trump and Obama.  Relatively less has been written about how the texts were "lost" and then "recovered" by the DOJ in the first place.  That is a perhaps a more important story in itself, but one no one is anxious to talk about.  There are three known ways the text messages could have been recovered after they were deleted.
    [#1]  From the device itself;
    [#2]  From the retained records of the communications provider;
    [#3]  Pulled from the archives of the National Security Agency or some similar law enforcement organization.

Forensic Experts Retrieve 'Ghost Texts'.  The Inspector General has recovered the Samsung 5 cellphones of two embattled FBI agents at the center of ongoing Department of Justice and Congressional investigations.  The two agents are under scrutiny for their involvement in the Special Counsel's investigation into President Trump and alleged collusion with Russia during the 2016 election.  The DOJ's Inspector general is now retrieving some of the missing five months of crucial text messages exchanged between the pair of FBI agents using forensic experts to track 'ghost texts,' left behind even after they are deleted from the devices, former and current law enforcement officials told this reporter.

DOJ recovers missing text messages between anti-Trump FBI agents Strzok and Page.  The Department of Justice has recovered missing text messages between anti-Trump FBI officials Peter Strzok and Lisa Page, the DOJ's inspector general said Thursday [1/25/2018].  In a letter sent to congressional committees, Justice Department Inspector General Michael Horowitz said his office "succeeded in using forensic tools to recover text messages from FBI devices, including text messages between Mr. Strzok and Ms. Page that were sent or received between December 14, 2016 and May 17, 2017."  "Our effort to recover any additional text messages is ongoing," Horowitz said.

Report: DOJ Has Found and Is Recovering Missing FBI Text Messages.  According to a Fox News exclusive report the Department of Justice has found the missing text messages between Agent Peter Strzok and FBI Attorney Lisa Page, and is in the process of recovering them.

Photocopier Security.  A modern photocopier is basically a computer with a scanner and printer attached.  This computer has a hard drive, and scans of images are regularly stored on that drive.  This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime.  As you might expect, some of those pages will contain sensitive information.

You know how that data breach happened?  Three words:  eBay, hard drives.  Users are unwittingly selling sensitive and unencrypted data alongside their devices through the likes of eBay and Craigslist.  Secure data erasure firm Blancco Technology Group (BTG) purchased 200 second-hand hard disk drives and solid state drives before conducting a forensic analysis to find out what data was recoverable.  Two-thirds (67 percent) contained personally identifiable information and 11 percent contained sensitive company information, it said.  The data found includes social security numbers, CVs, company emails, CRM records, spreadsheets containing sales projections and product inventories.  Blancco experts found company emails on nine per cent of the drives, followed by spreadsheets containing sales projections and product inventories (five percent) and CRM records (one percent).  Two in five of the drives (36 percent) showed evidence of an attempt to delete data (either by dragging files to the Recycle Bin or using the delete button).  Such data is easily recovered as is, with a little more difficulty, data from drives that have been reformatted.

Clinton Campaign Made Payments to Hard Drive and Document Destruction Company.  The Hillary Clinton campaign made multiple payments to a company that specializes in hard drive and document destruction, campaign finance records show.  The payments, which were recorded in February and March of 2016, went to the Nevada-based American Document Destruction, Inc., which claims expertise in destroying hard drives or "anything else that a hard drive can come from."  "Our hard drive destruction procedures take place either at your site or at our secure facility in Sparks, NV," the company's website states.  "This decision is yours to decide based on cost and convenience to you.  In either situation, the hard drive will be destroyed by a shredding."

How to Hack an Election.  When [Enrique] Peña Nieto won, [Andrés] Sepúlveda began destroying evidence.  He drilled holes in flash drives, hard drives, and cell phones, fried their circuits in a microwave, then broke them to shards with a hammer.  He shredded documents and flushed them down the toilet and erased servers in Russia and Ukraine rented anonymously with Bitcoins.  He was dismantling what he says was a secret history of one of the dirtiest Latin American campaigns in recent memory.  For eight years, Sepúlveda, now 31, says he traveled the continent rigging major political campaigns.  With a budget of $600,000, the Peña Nieto job was by far his most complex.  He led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help Peña Nieto, a right-of-center candidate, eke out a victory.

Hillary Clinton Email — Deleted or Not?  First, and this is important, emails (by definition) cannot be deleted. Either you receive an email or you send one.  Which means complete copies are sitting in the sender's sent folder and in your inbox, or complete copies are sitting in your sent folder and in the recipient's inbox.  In other words, there is a copy of every email you've ever sent or received somewhere that is not in your control, so deleting your copies will (again by definition) only solve half of your problem.  No matter which type of email system you use (POP3 or IMAP), there is also a copy sitting on the server.  So, in practice, emails don't really come in pairs; they always live in at least three places.

How to Securely Remove All Data From Your Mobile Phone.  Are you thinking about recycling or selling your old mobile phone?  It's a good idea; but there are some serious security concerns you need to be aware of first.  Whether you are recycling, selling, or giving your phone away, you need to make sure that all personal data is securely removed first.  Simply deleting the information on the phone will not remove the data securely enough.  Even factory resetting the phone may not do the job.  Time after time, security experts have shown that the data removed by deleting and factory resetting is still easily recoverable using simple software that anyone can get and use.  Easy-to-use tools such as PhotoRec can recover deleted personal information in just a few steps.  This writer personally used PhotoRec to recover all the files and folders on a 1TB hard drive after mistakenly deleting all partitions and formatting the wrong drive.  It took awhile because of the size of the drive, but eventually everything was recovered.

Why Hillary's Wiping Her E-mail Server Clean Matters More than It Might Seem.  Casual users of modern computers do not realize that, until a hard disk is deliberately and comprehensively wiped clean — "overwritten" in the correct parlance — it will retain a good amount of useful, accessible, intact information.  On almost every system available, what appears to the user's eye to have been "trashed" is in fact kept around unblemished until such time as the space it's taking up is needed for something else.  From the point of view of the person controlling the operating system, files that have been "erased" may indeed be inaccessible.  For a person who knows what he is doing, however, those files can often be easily retrieved.

Seven Misconceptions about E-mail.  [Misconception:] Emails can be deleted. Reality: By using utilities or by checking recipients' workstations, they can almost always be recovered.

Solid-State Drives Are a Game Changer for Deleted Files.  For years, people have been trying to cover their tracks by deleting incriminating files from their computers.  The recovery of this kind of evidence from magnetic drives has been the bread and butter of digital forensics for years, but those days may very well be coming to an end.  The traditional magnetic drives that we are accustomed to using are being replaced more and more by solid-state drives (SSDs).  Traditionally, magnetic drives afford examiners the ability to recover significant amounts of user-deleted data.  As we'll see, SSDs store data in a completely different way than their magnetic cousins, and, as a result, these drives don't afford forensic examiners the same opportunities when it comes to deleted file recovery and acquisition verification.

Serial Killers: The 6 Worst Hard Drive Destroyers.  There are four basic types of hard drive failures.  Software or firmware damage may cause the disk to become unreadable, resulting in the inability to interact properly with the computer.  Problems with the controller board on the hard disk may result in electronic failure.  Mechanical failure can occur when components on the disk become faulty.  And logical corruption may occur when there is a problem with the information on the disk.  Hard drive serial killers are the destructive forces that threaten to destroy your hard drive.  The six worst hard drive destroyers are simpler than you might think.

Data Was Deleted From Flight Simulator of Malaysia Airlines Flight 370 Pilot.  Malaysian investigators have found that some data from a flight simulator taken from the home of the missing Malaysia Airlines Flight 370's pilot was deleted.  "Some data has been deleted from the simulator.  Forensic efforts are on to retrieve the data," Hishammuddin Hussein, Malaysia's acting transport minister told reporters on Wednesday [3/19/2014].

Hard Drives Exposed.  We bought or salvaged ten used drives and found sensitive business and personal data on all but one.

Sensitive Data Left on Old Hard Drives.  Reports of sensitive data being left on old PCs are set to persist as companies continue to expose themselves to the potential risks of data getting into the wrong hands.  Many companies erroneously think that formatting a hard disk removes and destroys its data.  In fact this data, which can be highly confidential, can still be retrieved from these drives.

Computer's worth of data left on hard drives.  100 second-hand hard drives were bought.  24 of these still contained private information, 13 of them just plug it in and turn it on and it's there.  Four of the 24 were from high schools.
[Synopsis provided by the RISKS forum.]

Laptop could contain important bombing clues.  "Let's face it, there is everything in the universe potentially on that drive," [Jared] Stern told WTOP on Thursday [5/2/2013].  "For over 99 percent of the population, it is nearly impossible to cloak your historic activities on your computer completely.  You can do things and probably make a dent in it.  But the forensic tools available to investigators these days are so powerful, you would have to engage in full-volume encryption all day every day — you almost couldn't have a job."

Iranian computers targeted by new malicious data wiper program.  Iranian computers are being targeted by malware that wipes entire disk partitions clean, according to an advisory issued by that country's Computer Emergency Response Team Coordination Center.  Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it's executed, according to security researchers who independently confirmed the findings.

Can I recover pictures I accidentally deleted on my camera?  Most likely you can recover pictures you deleted on your camera or USB thumb drive.  First thing is do not do anything else to the camera or USB drive.  Do not take any pictures or save any files.  There are a number of programs available that will let you recover files from the memory card or USB drive.  Most cost, but at least one is free.

Be careful about those computer 'deals'.  A series of "consent agreements" has been proposed for companies that rented computers to consumers — and delivered the units with installed software to capture private email messages, passwords for social media websites, details about financial transactions, Social Security numbers, medical records and "webcam pictures of children, partially undressed individuals and intimate activities at home."

Demand for photo-erasing iPhone app heats up sexting debate.  A free and increasingly popular iPhone app called Snapchat allows users to take a picture, send it and control how the message is visible — between 1 and 10 seconds.  After that, the picture disappears and if the recipient tries to use an iPhone feature that captures an image of whatever is on the screen, the sender is notified, The New York Times reports.

How small does the disk chunk have to be?  Quoting an article about drive destruction, Fred Cohen disagreed with the adequacy of Canada's tax agency cutting disk drives into pieces "no bigger than the width of a pencil", saying the pieces "will have to be small enough to make the content on one chunk of no utility.  At the density of a HDD, a pencil width holds quite a bit of data."

The Editor says...
This item refers to an earlier article, here. Data Recoverability.  In a data loss scenario the most important question is:  Are the files still recoverable?  This answer depends on what action needs to be taken, whether to pursue the data recovery or to develop strategies of coping with the data loss.  The situation is often very difficult to judge.  Sometimes it is not fully clear what caused the data loss in the first place.  Some technician might have already tried to solve the problem.  Also, the effect of common remedies, such as Microsoft's "Checkdisk", on the recoverability is quite unknown.

How To Recover deleted files:  If you have deleted files from your hard drive, don't panic!  As long as you use the right unerase software, your deleted files can be recovered very easily.  Success is more or less guaranteed if you act as soon as you realize that the files are missing.  Even if your files have been overwritten or corrupted, if the disk they were stored on has been formatted or repartitioned, or if you don't know how they were lost, it's still likely that you can recover them.

Deleted File recovery software:  Most of the time we come across a situation of data loss where data may be inaccessible, missing or deleted.  Data might be lost due to a system crash or accidental deletion.  It may be a relief knowing there is a good possibility of getting your deleted files back if you act quickly and logically.

Undelete Your Files: Here's How To Do It.  The undelete process is something that happens to most people that work on a computer regularly...and who doesn't these days?  Get distracted for even a few seconds, and you can accidentally delete a file.  The key thing to remember is:  In most cases, you can undelete files, but the determining factor is whether other data has overwritten the deleted file you are trying to recover. Using a utility or hiring an expert is the only way to find out.

File deletion and file undelete strategies for FAT based file systems:  If a file is deleted on the FAT file system the first character of a file name in the directory entry is replaced by a special character (E5h) causing the operating system (e.g.. Windows, DOS) to ignore the file.  Also, all clusters allocated to the file are marked 'available' in the File Allocation Table (FAT for short).

Deleted Files Software.  Reviews of several file recovery programs.

How to Recover Deleted Files — A Few Useful Tips.  Everyone has accidentally deleted an important document or file and needed to know how to recover deleted files.  It is important not to panic as most deleted files can be recovered.  If you act immediately after the deletion occurs you have a very high probability of retrieving your files.  Files can even be recovered from corrupted files or sections of the hard drive that has been overwritten.

Secure File Deletion:  Fact or Fiction?  When Microsoft Windows-based operating systems need additional random access memory, they utilize "virtual memory" by using the hard drive as a memory area.  In Windows, Windows 95 and Windows 98, this storage area is called the Swap File. ... What makes the Swap File such a dangerous source for losing proprietary information is that it is dynamic, and every time Windows is started, a new swap file is created.  Because of this, multiple swap files could still exist on a hard drive.

Secure Deletion of Data from Magnetic and Solid-State Memory.  With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information.  One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory.  This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.

Evaluating Commercial Counter-Forensic Tools.  Digital forensic analysts may find their task complicated by any of more than a dozen commercial software packages designed to irretrievably erase files and records of computer activity.  These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.  In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data.

Deleting Sensitive Information:  Why Hitting Delete Isn't Enough.  From failed .com pc liquidations to home users selling or giving away their machines most know that it isn't smart to leave personal information on the hard drive for the next owner to find and use as they see fit.  Client lists, payroll information and company secrets all constitute things that even a failed company owes its former employees and clients to keep confidential.  From the home side it can range from address books, to financial information.

Why Undelete Utilities Fail:  The more work you do on your computer after you accidentally delete a file, the lower the odds that the undelete utility can get your data back safely.  But how exactly are you going to purchase and download that undelete file utility?  Downloading a file obviously creates new data on your disk, and could overwrite your undeleted data.  But just browsing the web to locate a utility causes new temporary files to be created — another threat to your data.

Antiforensic Tools:  It's important to protect your company's data.  But how do you know whether what you think you've erased is actually unrecoverable? … Forensic tools are fast becoming a staple of civil lawsuits between corporations and in disciplinary proceedings against employees.  These days, it seems, whenever there's a chance that somebody has deleted a file to hide evidence of wrongdoing, some forensics expert is standing by to recover that file for a fee.

A Critical Evaluation of the Treatment of Deleted Files in Microsoft Windows Operation Systems:  A perceived security risk is associated with the file management system's policy of allowing deleted data to remain intact.  Some argue that lingering traces associated with deleted files should not exist.  An alternative view perceives usefulness from the ability to retrieve accidentally deleted data.  This view is also held from within the forensic computer science field.  This presents a dilemma for software designers seeking to provide operating systems that meet the security desires of society.

The Persistence of Deleted File Information:  Computers delete files frequently.  Sometimes this happens on explicit request by a user.  Often, information is deleted implicitly when an application discards some temporary file for its own internal use.  Examples of such implicit file-deletion activity are text editor temporary files, files with intermediate results from program compilers, and files in Web browser caches.  As you use a computer system, you unwittingly leave behind a trail of deleted information.  Computer systems have minds of their own, too, leaving their own trails of deletion as a side effect of activity that happens in the background.

Excellent:
Secure File Deletion, Fact or Fiction?  From a user's standpoint, applications create files that are stored on the hard drive or removable media.  When the user no longer needs a particular file, the user deletes it and moves on.  As far as the user is concerned, any information contained in that file is gone forever, unable to be recovered by the user.  However, because of the way operating systems and applications work, that file may be recoverable and if that file is not recoverable, the data it contained may be found in other files.

Deleting Sensitive Information:  Why Hitting Delete Isn't Enough.  A quick look through some of the Windows folders will show a myriad of temporary files, each file storing session information, a snapshot of what is happening on the PC at a particular moment in time.  Applications such as Word will auto save temporary versions of a document at regular intervals to save users the heartache of losing that important paper due to a sudden loss of power to the PC. ... Unfortunately just tracking down all the necessary files and assigning them to the trashcan is only akin to placing a veil over the data, it still very much exists.

How To:  Recover deleted files.  When a file is deleted from your computer, it is not really deleted.  It is simply removed from the list of files in the folder.  If you're using Windows, and deleted the file using Windows Explorer, the file will normally have been moved to the Recycle Bin.  While it is in the Recycle Bin, the file can easily be restored in its entirety, with no problem at all.

Recovering Deleted Files After You Have Emptied the Recycle Bin:  When first learning Windows 95, I relied very heavily on the extra layer of Recycle Bin recovery built into Norton Utilities. … So I understand how data loss can occur, and the unhappy place it can leave you.  Pre-FAT32, the old UNDELETE utility in DOS also was a life-saver a time or two but, once Win95B and FAT32 came into play, that one was history.

Recovering deleted files:  The Recycle Bin may be a marvel — one which most of us take for granted — but it does have its limits.  For starters, the Recycle Bin does not catch every file you delete.  All files deleted from the desktop or Windows Explorer end up there, as do files deleted from within compliant programs.  Files deleted at the DOS prompt, though, bypass the Recycle Bin….

Secure Deletion of Data from Magnetic and Solid-State Memory.  With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information.  One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory.  This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.  [Includes a long list of interesting references.]

Bringing Data Back From the Dead:  Sometimes, a failing hard drive will screech like nails on a chalkboard.  Other times, its death will be eerily quiet.  Either way, years of work — documents, digital photos and music, save games, e-mail archives and your address book — can be gone in an instant.

Data from Columbia disk drives survived the shuttle accident.  "When we got it, it was two hunks of metal stuck together.  We couldn't even tell it was a hard drive.  It was burned and the edges were melted," said Edwards, an engineer at Kroll Ontrack Inc., outside Minneapolis.  "It looked pretty bad at first glance, but we always give it a shot."

Hard-Drive Diplomacy:  The confirmation by an international forensics team that laptops and hard drives captured by Colombia originated in a camp of FARC terrorists ought to open a new era in relations between the democratic world and Hugo Chávez's Venezuelan government. … The computers and drives contain a staggering 610 gigabytes of data, according to Interpol, including 983 encrypted files opened by its team.

File wiping on journaling file systems.  Many modern operating systems ... have the ability to use a journaling file system that makes complete erasure of data unlikely.  Journaling file systems are used to increase the integrity of data in case of failures.  To accomplish this, the file systems keep metadata and logs in various places known to the file system; most file systems can also journal all data, but turn this functionality off by default.  The metadata and logs will not be securely wiped with a file wiping tool.

Why a normal delete is not sufficient:  A normal "delete" command does not actually delete files at all.  But even with more advanced "file wiping" utilities, some data may remain that is very useful for a forensic investigator.  In particular, the magnetic properties of a hard disk can be exploited to recover data.

Deleting and wiping files:  Another difficulty occurs with so-called journaling filesystems (JFS) or log-structured file-system (LFS).  Such filesystems store the data in a different way so that the data can always be recovered after a crash.  Attempting to wipe a file using traditional means will not be successful with such filesystems.

Wiping swap files:  On many multi-tasking systems, a swap file is used to emulate RAM.  The swapfile contains data from programs that are currently running.  This data may include personal files as well as passwords.  To avoid leaking this data, wiping the swapfile is a good idea.  However, this is difficult because the swapfile is constantly being used.  Special programs are available for this purpose.

It's now a crime to delete files:  International Airport Centers sues former employee, claiming use of a secure file deletion utility violated federal hacking laws.

The spies among us.  American high-tech industries are a key target.  Every year, economic espionage costs American businesses billions of dollars.  Spies recruit company insiders, form joint ventures, and even engage in "dumpster diving" for discarded proprietary data.

Securing Your Deleted Files.  I know more than one person who rarely, if ever, empties their Recycle Bin. … If you don't feel that security is an issue because you don't have any personal or sensitive information on your machine to delete, there is another reason for keeping your Recycle Bin emptied.  Space.  Those files you hold in your Recycle Bin needlessly take up space on your hard drive. … Our second security issue comes to light the moment you click the command to "Empty Recycle Bin."  You may be under the impression that those files are now gone for good and cannot be recovered by anyone.  This is not true.

Can your PC be subpoenaed?.  As people commit an ever-growing pile of information to computers, their hard drives are becoming a digital mother lode for lawyers.  The issue moved into the spotlight when Kenneth Starr's prosecutors scavenged Monica Lewinsky's computers and published what they found, including e-mail messages to friends and unsent drafts of letters.

Junta hunts dissidents on UN computers.  Burma's ruling junta is attempting to seize United Nations computers containing information on opposition activists in the latest stage of its brutal crackdown on pro-democracy demonstrations, The Times has learnt.  UN staff were thrown into panic over the weekend after Burmese police and diplomats entered its offices in Rangoon and demanded hard drives from its computers.

Angry Employee Deletes All of Company's Data.  When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the newspaper for a position that looked suspiciously like her current job -- and with her boss's phone number listed -- she assumed she was about to be fired.  So, police say, she went to the architectural office where she works late Sunday night and erased 7 years' worth of drawings and blueprints, estimated to be worth $2.5 million.

Magnum, P.C.?  New Texas Law Limits Computer Repair To Licensed Private Investigators Under the new law enacted in 2007, Texas has put computer repair shops on notice that they had better watch their backs any time they work on a computer.  If a computer repair technician without a government-issued private investigator's license takes any actions that the government deems to be an "investigation," he may be subject to criminal penalties of up to one year in jail and a $4,000 fine, as well as civil penalties of up to $10,000.  The definition of "investigation" is very broad and encompasses many common computer repair tasks.

Computer Forensics Gear:  Deleted files can be recovered with software tools such as Norton Utilities, DIBS, or PowerQuest Corp.'s Lost & Found.  After the files are located, they should be listed and reviewed for relevance to the investigation.  EnCase, DIBS, and NTI's FileList are well-suited for this purpose. … Evidence in all of the slack space on the entire hard drive or other storage media can be retrieved quickly with tools such as NTI's GetSlack and Filter_I software utilities.  GetSlack grabs all slack space and places it into a single file.

File Scavenger  goes well beyond simple undelete action.  It has successfully restored items even after the drive was formatted and in another case, where the operating system was overwritten from a recovery disk image.  (Review)

Restoration v2.5.14.  Restoration can rescue your accidentally deleted files and permanently delete the files you want good-and-gone.  It can live on a floppy, so it leaves no trace of its activities.

Delete, Baby, Delete.  During the controversy over the Iran-contra affair, in 1986, Lieutenant Colonel Oliver North attempted to erase all the relevant e-mail messages on his computer; he repeatedly pressed the DELETE button, thinking that he was thereby expunging the messages.  "Wow, were we wrong!" he later observed.  North didn't know that pressing DELETE doesn't result in complete deletion.  He also didn't know about the existence of a backup data-storage system.

Scrub your disk.  A list of freeware programs to wipe files.

Personal Info Fills Junked Hard Drives:  Over two years, Simson Garfinkel and Abhi Shelat bought 158 used hard drives at secondhand computer stores and on eBay.  Of the 129 drives that functioned, 69 still had recoverable files on them and 49 contained "significant personal information" — medical correspondence, love letters, pornography and 5,000 credit card numbers.

Don't be Smug in Thinking Personal Data has been Erased.  Whether you recycle your old computer, sell it, give it away or take it to the dump, you may also be giving away personal information, even if you think you erased everything on your hard drive.  Two MIT graduate students bought 158 used disk drives on the secondary market and found many "had not been properly sanitized."

Gathering the E-Evidence:  "The best way to get rid of computer data is to take the hard drive and pound it with a hammer and throw it in a furnace," said John Patzakis, president of Guidance Software, which makes forensic software that helps police find hidden files.

No Thanks for the Memories:  Personal computers have a way of hanging on to "deleted" data that may surprise you — and could get you into a heap of trouble if you're not careful.

Remembrance of Things Past:  Data is not physical, not something that you can lock away today and hope you'll be able to access in 10 or 20 years.  Large collections of data are almost impossible to safely maintain—especially over long periods.  At the same time, data is just as difficult to dispose of properly.  [PDF format]

Researchers Find a Way to Steal Encrypted Data.  A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.  The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover.

Data Detectives:  Specialists in uncovering lost or hidden data are fast becoming strategic legal weapons.

Enron can't shred electrons.  Even the act of deleting documents can in itself be revealing.  Not only can computer forensic investigators recover documents, they can tell when and how they were deleted.  In some cases, they can even determine whether a deletion was an innocent act -- part of company policy -- or if there was a more devious motive.  Still more remarkable, using an electron microscope, computer forensic teams can read information from the individual magnetic spots on the surface of a hard disk that has been intentionally erased.  This costly technique, originally a tool of the intelligence world, has been used successfully in big legal cases.

Securely Deleting Files:  If and when you ever dispose computer equipment or disks that have contained sensitive information, be sure to take precautions to ensure that all information is not only deleted, but it is completely destroyed.  Simply deleting a file is not sufficient to prevent a clever user from undeleting the file and recovering sensitive information.  Some highly sophisticated techniques are available that may be able to recover information from a disk even after it has been overwritten.  If your information is highly sensitive you may need to take additional steps such as physically destroying the disk or degaussing the drives.

Deleting Temporary Internet Files:  Ever looked at your Temporary Internet files and wondered what they are?  Ever wonder what these cookies that you keep hearing about are good for?  Maybe you should Explore the possibilities that you are wasting a lot of hard disk space with unnecessary file storage.

Cookies — Exploitations and Invasion of Privacy.  Over the years, cookies have garnered a bad reputation as being able to scan PC hard drives, take over systems by stealing valuable information such as passwords, and passing viruses.  These myths are untrue, but cookies have been used to collect information on browsing habits, browser specifications, system information, and web-based spending and viewing habits.

Cookies to Crumbs.  To put it simply, a cookie is a small text file that is saved on your hard drive by a Web server.  It cannot be executed as code or deliver viruses.  It can only be read by the server that gave it to you.  A cookie can save you time by personalizing pages, or remembering information that you enter when you register for products or services.

Why a normal delete is not sufficient:  It is in the nature of a computer, to always be updating one file or another.  Every time a file is updated or "saved", new copies are created and written wherever there is sufficient space.  Applications can create huge numbers of such files.  When a file is eventually deleted, only the last image is accounted for.  All other images appearing as free disk space, unseen, unsuspected.  That is until a disk is viewed with the appropriate software; then is all is revealed.  Even when partially overwritten, these files can make interesting reading!

The Unintentional Disclosure of Digital Data:  A perspective of how much data is worth, an overview of how data is written to magnetic media, why data erasure (deletion) is insufficient to avoid data recovery, how the data may be resurrected, and identification of known and unknown perpetrators.

Annual list of top 10 data disasters.  The list was compiled by data recovery firm OnTrack which handles more than 100,000 requests a year for help to piece together information from damaged computer hardware.

Firms become digital detectives.  Digital data can be fragile and businesses must exercise care if they are to avoid damaging or even deleting potentially useful information.

Gone for good?  "In some aspect an e-mail can exist indefinitely," says Mr Dearsley.  "Subject lines, times and dates can all be pieced together.  I have retrieved some that have been years old."

Odd mishaps cause computer grief.  Data recovery experts are the technological doctors and nurses of desktop or laptop hard drives.  Using increasingly sophisticated techniques, "lost" files or information can be rescued and rebuilt into a usable format.  This can happen in a matters of hours through remote access, but in more serious cases computer patients may have to be admitted to the lab.

Is It Really Gone? (A Look at Data Deletion).  When the delete command is used it doesn't actually touch the data recorded on the media.  It only removes the index entry and pointers to the actual data so that it appears as if the file has been removed.

Recovering Deleted Files After You Have Emptied the Recycle Bin.  The first rule is:  Stop using that computer immediately! … Use another computer to get the recovery tool you will need.  This is also one of the places where well-planned partitioning of your hard drive has a huge advantage.

Did You Really Erase Those Files?  Make sure your trash disappears permanently.

Deleted Files - Still There:  With the right software, it is relatively easy to recover deleted files from your hard drive.  Some file recovery software can even work over a network connection.

And You Thought DELETE Meant DELETE!  A High Level Overview of File Deletion.

Protecting your sources:  The provisions of the new Terrorism Act and of the Regulation of Investigatory Powers (RIP) Act 2000 give the authorities wide-ranging powers to seize computer files and to imprison you if you fail to produce "plain text" for any that are protected by "encryption".

There is also some discussion of this in "Erased Disk used against Brazilian President",  part of Risks, Volume 13, Issue 87.

The Use And Retention Of Emails:  Some Legal Lessons From The Field.  Corporate counsel often instruct corporate employees about the dangers of writing down every errant thought about the company's products and conduct.  But that instruction may have particular urgency for electronic communication.  Because of the spontaneous and reflexive nature of electronic communication – the words do not remain on a printed page to be contemplated, and perhaps revised – many users often treat e-mail, and similar transmissions, casually, not carefully.

The "E" in E-mail Often Stands for Evidence:  "It's like the gift that keeps on giving," said Tom Greene, a deputy attorney general in California, one of the states suing Microsoft Corp. in an antitrust case built largely on computer messages.  "People are so chatty in e-mail."

'Embarrassed' Suspect Sues Microsoft After FBI Finds Sex Videos On His PC.  A man awaiting trial for alleged gun crimes is suing Microsoft for privacy violations after FBI agents seized his home computer during a raid and found files containing sexually explicit videos of him and his girlfriend and evidence that he frequented pornographic Web sites.  Michael Alan Crooker, currently in jail in Connecticut, says security features advertised by Microsoft and its business partners should have kept federal agents from accessing the files on his PC.

FBI raids Houston shipping company.  FBI agents searched two buildings and loaded dozens of boxes into a truck Wednesday [10/10/2007] as part of what has been called "international" antitrust investigation involving several companies.  One is Eagle Global Logistics, based in Houston.  Some of the agents were from the Greater Houston Computer Forensics Laboratory.  They've been looking at computer hard drives.  The FBI isn't talking on the record about what it's looking for and neither is the Justice Department.

Privacy and Your E-mail Box:  Realize that e-mail is forever.  Witness the pain suffered by Microsoft recently when internal e-mail hit the courts.  Remember Oliver North?  [He's the] Poster-boy for e-mail messages surviving the delete key and rising up to slap you with court subpoenas.

E-mail and the courts:  This appears to be a compendium of legal cases in which e-mails play a significant role.  It includes several cases where deleting e-mail has cost companies large amounts of money, even when the e-mails were not recovered.

Smoking E-Mails:  KPMG's tax shelters weren't too bright.  Its internal memos on the shelters were really dim-witted.

Federal Court Turns When E-mails Contradict Deposition Testimony.  As electronic discovery becomes more commonly used, e-mails are proving to be a gold mine of information in corporate legal disputes.

The legal implications of self-destructing e-mail.  According to an article by Laurie Varendorff, an Australian records management expert, Microsoft and IBM have developed software that enables creators of e-mail messages to have tremendous control over their messages, even after they have been sent.

Experts try to resurrect SAIF files.  Experts in computer forensics often can resurrect computer files that seemed to disappear, but the deleted e-mail of former SAIF Corp. President Katherine Keene might remain a mystery.

Gravel-pit lawsuit triggers e-mail hunt.  King County [Washington] officials, responding to a lawsuit from the owner of a Maury Island gravel pit, hired a consulting firm to help search for deleted e-mails on the computers of County Executive Ron Sims and other officials.

Somewhat related:  Hidden Text in Computer Documents.  During the manhunt for the DC sniper, a letter was left for the police by the sniper that included specific names and telephone numbers.  Perhaps in order to persuade the panicking public that the police were in fact doing something, they allowed the letter to be published — in redacted form — on the Washington Post's Web site.  Unfortunately, they implemented the redactions by the completely pointless method of placing black rectangles over the sensitive text in the PDF.  A simple script was able to remove these boxes and recover the full PDF.

Data files erased at Aznar Government systems.  Aznar Government deleted all the Spanish Government Presidency computer systems in "La Moncloa" Official Palace after the elections (three days after the terrorism attacks in Madrid-Atocha train station).  There is a 12 thousand Euros bill just for deleting everything, even data back-ups. … As far as we know, in USA is not possible to do anything like that, and even Henry Kissinger files will be known in the years to come.  I mean that USA presidents can encrypt and legally protect that information, but they can not erase as Aznar did.

Second hand camera contains top secret MI6 terrorist records and pics.  A second-hand camera sold on eBay by a top MI6 agent held secret records used in the fight against al-Qaeda terrorists.  Names, snaps, fingerprints and suspects' academic records were found in the memory of the digital device.  Alongside them were photos of rocket launchers and missiles which spooks believe Iran is supplying to Osama Bin Laden's henchmen in Iraq.

More about Recovering lost camera images.

iPhone 2.0 adds secure wipe.  AppleInsider is reporting that iphone software v2.0 will add a secure wipe feature.  The screenshot ... shows the text "this will take about an hour" added to the normal erase feature.  This time is used to overwrite data to the disk multiple times.  The need for secure phone erasure came to light after a researcher was able to recover personal information from a refurbished iphone using forensic tools.  Since then, a few people have published techniques for obliterating personal data using either the gui or the more thorough command line method.

Top 10 Ways to Lock Down Your Data.  With the right software tools and a little Advanced Common Sense, you can secure your data so that even if someone did get onto your computer or into your email, they'd find nothing but headaches and woe.

England's NHS loses patient data.  Bad news:  A National Health Service employee lost a flash drive containing personal information of up to 6,360 patients.  Good news:  The data on the flash drive was encrypted.  Bad news:  The password was written on a sticky-note attached to the drive.

Security and SOX.  Nearly everyone who works with a computer has gotten some version of the 'Password Memo'.  The Password Memo lays out lots of rules for passwords — i.e., they must be at least eight characters long; they must include numbers, upper and lower case, and punctuation; they shouldn't be your user name, names of family members or pets; they shouldn't be (or even include) dictionary words; and they should never be reused.  Oh, and you should never ever write them down and you should plan on coming up with a new one every thirty days.

Clinton-era hard drive missing from archives.  A massive amount of sensitive, national security-related information from the Clinton administration has gone missing from the national archives.  The Inspector General of the National Archives and Records Administration (NARA) told congressional committee staffers Tuesday [5/19/2009] that a hard drive containing over a terabyte of information — the equivalent of millions of books — went missing from the NARA facility in College Park, Md., sometime between October 2008 and March 2009.

U.S. National Archives offers reward for missing hard drive.  The U.S. National Archives on Wednesday [5/20/2009] said it is offering a $50,000 reward for information leading to the recovery of a missing hard drive that contains personal information of former Clinton administration staff and visitors.  The small portable hard drive was being kept as a backup, the National Archives explained in a question-and-answer document on its Web site.  It held copies of about 113 four-millimeter tape cartridges of "snapshots" of hard-drive contents of employees who left the Executive Office of the President.

Anonymity is no guarantee in online postings.  Jeff Camacho uses an online handle when he spouts off about five times a day on the comment boards of newspaper Web sites.  But the computer repairman realizes one of the often-overlooked truths of posting:  His identity is easily uncovered.

Somewhat related:
Framed for Child Porn — by a PC Virus.  Of all the sinister things that Internet viruses do, this might be the worst:  They can make you an unsuspecting collector of child pornography.

Somewhat off-topic...
Video:  Don't shout at your disk drives.  The vibration causes latency problems.

High-tech copy machines a gold mine for data thieves.  Victor Beitner, a security expert who reconfigures photocopy machines destined for resale in Toronto, says businesses are completely unaware of the potential information security breach when the office photocopier is replaced.  They think the copier is just headed for a junkyard but, in most cases, when the machine goes, so does sensitive data that have been stored on the copier's hard drive for years.

Wikileaks Leakers' Hard Drives Sent for Analysis.  The computer hard drives of a US soldier accused of leaking up to 260,000 classified State Department documents have been sent to Washington for forensic analysis to determine how much sensitive information may have been breached, a spokesman for the department said today [6/11/2010].

Yet another twist:
Ad Firm Sued for Allegedly Re-Creating Deleted Cookies.  Specificmedia, one of the net's largest ad-serving and tracking companies, has been hit with a federal lawsuit accusing the company of violating computer intrusion laws by secretly re-creating cookies deleted by users.

Valuable Computer Files Found after Mono Jojoy's Death.  Colombian authorities say the data found on 15 computers, 94 USB devices and 14 hard disks at the camp of slain FARC military chief "Mono Jojoy" is many times more valuable and revelatory than that discovered after a 2008 cross-border airstrike into Ecuador that killed another top rebel commander.

NASA sold computers with sensitive data, report says.  NASA failed to delete sensitive data on computers and hard drives before selling the equipment as part of its plan to end the Space Shuttle program, an audit released on Tuesday [12/7/2010] shows.

The Death of the Hard Drive.  Stop worrying about when the hard drive in your computer will die.  Google wants to kill it permanently anyway.  The new Google Chrome operating system, which was unveiled Tuesday, as well as hints and suggestions from Apple and Microsoft, offers us a preview of the PC of the future.  And it will come without that familiar whirring disk that has been the data heart of the PC for the past 25 years.

NJ Audit: Social Security Numbers On Computers Out For Auction.  Taxpayers' Social Security numbers, confidential child abuse reports and personnel reviews of New Jersey workers nearly went to the highest bidder after the state sent surplus computers out for auction.

Huckabee and the crushed hard drives.  Send a public records request seeking documents from his 12-year stint as Arkansas governor, as Mother Jones did recently, and an eyebrow-raising reply will come back:  The records are unavailable, and the computer hard drives that once contained them were erased and physically destroyed by the Huckabee administration as the governor prepared to leave office and launch a presidential bid.  In 2007, during Huckabee's campaign for the GOP presidential nomination, the issue of the eradicated hard drives surfaced briefly, but it was never fully examined, and key questions remain.  Why had Huckabee gone to such great lengths to wipe out his own records?

The Editor says...
I can answer that question.  Because it's Arkansas!

Cell Phone Spy™ Reads Deleted Texts.  The Cell Phone Spy™ USB SIM Card Reader you can view deleted text messages from a cell phone.  The Cell Phone Spy™ allows you, a concerned parent, or loving spouse, to monitor your child or spouse's mobile interactions with others; because these days, it's not always obvious who they are talking to.

What treasures will the US really find on bin Laden's hard disk?  Hopes may be high that the fruits of last weekend's assault on bin Laden's HQ's will yield an intelligence bonanza.  But to date, most of the disks seized from al Qaeda supporters are filled with near-identical, multiple bulletin board downloads of interminable ideological debates, tracts and sermons (fatwas) on subjects such as the Islamic "permissibility of self-sacrificial operations" (suicide bombing) and exhortatory tracts to "join the caravan" (of Jihad).

Probe begins on bin Laden computer files.  With Osama bin Laden dead and buried, U.S. officials are starting to explore the computer files, flash drives, DVDs and documents that U.S. commandos hauled out of his Pakistani compound hideaway, hopeful that the intelligence trove will yield insights that point the way to other al-Qaida leaders.

CIA begins mining bin Laden's computer files, phone list.  Now, the agency's attention turns to finding the intelligence in the computer files, flash drives, DVDs and documents hauled out of the compound.  All of that is in Washington and the analysis has begun. ... Now, the agency's attention turns to finding the intelligence in the computer files, flash drives, DVDs and documents hauled out of the compound.  All of that is in Washington and the analysis has begun.

The gadget that recovers deleted text messages could confirm your worst fears.  Perfect for those in a less-than-trusting relationship, this gadget can retrieve deleted text messages.  The USB stick — called the iRecovery Stick — is designed to recover information that has been wiped from an Apple iPhone.  It can also retrieve deleted contact details and even mapping solutions, which show the destinations that the phone user has visited.

Vast F.D.A. Effort Tracked E-Mails of Its Scientists.  [Scroll down]  The software used to track the F.D.A. scientists, sold by SpectorSoft of Vero Beach, Fla., costs as little as $99.95 for individual use, or $2,875 to place the program on 25 computers.  It is marketed mainly to employers to monitor their workers and to parents to keep tabs on their children's computer activities.  "Monitor everything they do," says SpectorSoft's Web site.  "Catch them red-handed by receiving instant alerts when keywords or phrases are typed or are contained in an e-mail, chat, instant message or Web site."

Do Not Track Plus:  [An anonymous reviewer says,]  "I came across DoNotTrackPlus as a Firefox extension several weeks ago.  Since then, the program has blocked about 1500 places and sites from tracking my internet use without my knowledge.  Nobody should be without this free program!"   (Also mentioned here.)

Killer's data destruction: Adam Lanza smashed hard drive before massacre.  Before he set off on his heinous rampage, Connecticut school shooter Adam Lanza tried to cover his deadly tracks by smashing the hard drive of at least one of his cherished computers, according to investigators.  The shattered drive was recovered during a search of the home of Nancy Lanza, the killer's doting mom — and his first victim.


Jump to Privacy Compromised by Big Government.
Jump to The USA Patriot Act
Jump to Carnivore and Echelon
Back to The Home Page.

Bookmark and Share


Document location http://akdart.com/priv9.html
Updated April 11, 2022.

©2022 by Andrew K. Dart