Completely cleaning your computer history and deleted files...

[FirefoxMan]

In our local newspaper, there was a story of a woman who had been arrested and fined by the state for illegal downloading of music. Apparently this woman's computer had been searched and all the evidence needed was collected from the computer, even though this woman had "deleted" all temporary internet files, cookies, the illegal downloads, etc... What raised questions for me was that this woman had "deleted" all incriminating evidence against her WEEKS prior to the computer being searched... how did the law enforcement find all the "illegal" stuff even though all of the incriminating evidence had been deleted? When you "delete" your internet history, cookies, and recycle bin, is it in fact deleted, or does it actually stay on your HD? If it does, how do you truly delete that kinda stuff?

[DJHyperbyte]

There are 1001 reasons why they could find clues that the computer was used for such things. What I don't get is why they didn't format it completely when they knew it was going to be searched?

[MartinBradley]

One of those reasons is that it's pretty simple to get hold of data recovery software. I have one such program called Recover My Files. It does take a while to search when trying to recover a disk format, and some of the files it finds are corrupted, but some complete files can be found.

[DrBroccoli]

What I'm not gettin is why they searched her. Did they have a search warrant? Isn't it needed even in a case like this. What evidence did have to get a warrant? I am lost.

I've seen on Case Evidence files in Court TV where even after files have been deleted an expert can still examine the harddrive and possibly go back to past points and get clues as to what they had before or actually even recover it. I forget the actual process but it is possible. I think deleted files can be recovered, but purged files are permanently gone. Someone correct me if I'm wrong.

[DJHyperbyte]

You're not really wrong, but - for those interested - a little technical info:

A harddisk is a device in a computer that stores massive amounts of data, such as the operating system, the saved files and documents and basically everything else. The data in the harddisk is, simplified, devided in two parts.
1. The file allocation table
2. The actual data

The file allocation table looks like this:
FOLDER: "C:\MP3\", SECTOR 4838571
FILE: "C:\MP3\Bruce Springsteen - The River.mp3", SECTOR 4838572-4838576

The actual data looks like this:
4838571 = FOLDER DATA
4838572 = MP3 DATA part 1
4838573 = MP3 DATA part 2
4838574 = MP3 DATA part 3
4838575 = MP3 DATA part 4

Knowing this, you can ask the following question:

What actually happens when I delete a file?

That's where the problem here lies. When you delete a file, your computer removes the file only from the file allocation table. This means that the actual file data is still there, but the data isn't identified or recognized in any way. The data will only get lost once it is overwritten by other data.

There is software to undelete files since a long time (starting with DOS). The software looks at the data that has no reference in the file allocation table and tries to make sense of the data. Often this method works quite well.

Now there are ways to permanently wipe files (making further recovery impossible), the most well-known way is formatting your harddisk. A quick format will only remove the file allocation table, but this will not remove the actual data. A full format will remove the file allocation table, but also the file data. This makes recovery impossible.

As for 'specialists' going back to previous 'harddisk points', that is complete nonsense.

[EEDOK]

don't forget all the index.dat's that get left everywhere by windows.. Plus you don't need to format to get rid of files, OpenBSD and such can be configured to overwrite the sections of deleted files for security reasons quite easily, and I know there's programs out there that do it for linux and windows as well, just can't remember the names of them right now.

[FirefoxMan]

How do you permanently delet files so that recovery is impossible, without formatting your HD (won't you have to reinstall your OS if you reformat the HD?)?

[DrBroccoli]

Well I have Mcafee Virus Protection and it comes with a thing called FileShredder that (as said by Mcafee) permanently deletes files. Does anyone know if it really works?

[EEDOK]

Quote:

Originally Posted by FirefoxMan

How do you permanently delet files so that recovery is impossible, without formatting your HD (won't you have to reinstall your OS if you reformat the HD?)?

shredders, but it's better to format your hd then overwrite it with 0's, then reinstall the OS.