Where on the hard drive?



DanielS
01-06-2003, 09:41 PM
I've read that once you delete files and empty your Recycle Bin, that stuff still remains on your computer, somewhere on the hard drive. Can anyone tell me then how and if I can still find those deleted files, and how do I delete those then?

Thanks

Daniel

Pheonix
01-06-2003, 09:58 PM
What is done is that in the file system, the first letter of the file name is erased. This makes it no longer seen by the operating system.
It is like erasing a list out of a book's index. The chapter is still there. By normal use and defragging your drive, those files will be overwritten.
If you are really paranoid, do a search on Google.
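
Added example (not part of any post in this thread): on FAT file systems the "erased first letter" is the byte 0xE5 written over the first character of the file's 32-byte directory entry, while the starting cluster and size fields stay in place. The sketch below builds a constructed directory with one live and one deleted entry and reads both back; it assumes FAT short-name entries only (NTFS instead clears an in-use flag in the file's MFT record), and every name and value in it is made up for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5      # first name byte of a deleted entry
END_OF_DIR = 0x00   # first name byte of a never-used entry
ATTR_LFN = 0x0F     # long-file-name entries, skipped here


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one constructed 32-byte short-name directory entry."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw[11] = 0x20  # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # cluster, low word
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED  # the only byte of this entry that deletion changes
    return bytes(raw)


def list_entries(directory):
    """Return (name, deleted, first_cluster, size) for each short-name entry."""
    found = []
    for off in range(0, len(directory), ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        # The first character is lost on deletion; show it as "?".
        base = "?" + e[1:8].decode("ascii") if deleted else e[0:8].decode("ascii")
        name = base.rstrip() + "." + e[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        found.append((name, deleted, (hi << 16) | lo, size))
    return found


# Constructed sample directory: one live file, one deleted file, end marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 5, 20480)
              + make_entry("SECRET", "TXT", 12, 1337, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for row in list_entries(SAMPLE_DIR):
        print(row)
```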

Garibaldi
01-06-2003, 11:22 PM
Of course Phoenix is right - the files are not deleted, just can't be found by the OS. Several good file/disk cleaning tools are available for free download (e.g. WipeDisk) if you wish to delete sensitive or confidential info on your hard disk and some can be config'd to overwrite the original info several times. Please read the instructions with any cleaning tool very carefully or you may lose ALL the info on disk. Good luck.

Billy T
02-06-2003, 12:00 AM
Hi Daniel

The problem you have is that most file wiping systems need to wipe the whole disk. They can't selectively seek out deleted files and wipe that space.

The best you can usually hope to do is clear out all your temp files etc. then defrag. That will consolidate the data on your disk. Before defragging though, you need to disable your Windows swap file temporarily to ensure that it doesn't hold any data, as files can live on in there for some time.

After all that has been done & before you re-enable the swap file, make a new folder and copy some big files across, you need several hundred MB so it might be easier to drag & drop a folder that has a lot of sub-folders under it. That will overwrite a good chunk of your newly cleared free space, then you can delete the duplicated data and re-enable the swap file.

That will clean out & overwrite most stuff you might not want to have found, but you need to get rid of index.dat files (see the FAQs), temporary internet files, internet content stored off-line and cookies too if you want a thorough job. Do all that before defragging.

Cheers

Billy 8-{)

Muzzer
02-06-2003, 12:41 AM
To add to what has been said: you can erase files as you go, i.e. instead of just sending them to the recycle bin, use a utility that overwrites the files before they are deleted. As above, search Google or whatever search engine you prefer. Eraser is one tool that's popular; get it here (http://www.heidi.ie/eraser/)

Cheers Murray P

Captive
02-06-2003, 03:25 AM
Hello,

There is quite a lot of data at say the advanced level of data deletion.

You can get programs which overwrite the file yes, if the file is/was stored in a temporary file such as a swap file or otherwise that may compromise security, although to recover from those places may be generally a bit harder.

You can delete files then overwrite them with more data with say defrag, but I don't think that would be a very safe/recognised means for securing important data. Remember that if the file doesn't move and there is slack space in the cluster, that data may be a security hazard.

If you want to use a program which deletes the data, I have found a freebie I use myself which may be of help:
http://www.heidi.ie/eraser/ which is the same one as Muzzer mentioned [Doh, I should read the msgs better before replying :-P]

Note: if you install this program, please adjust the repeated data swipes to something suitable for the data security level you want to achieve.

Note some things: Nothing is 100% safe.
Data software recovery: according to one DoD [Department of Defense in the USA] outline, software recovery can recover the data after it has been erased several times, so for safety reasons overwrite the data no less than 7 times.

Data hardware recovery says the same thing, but I think the number is around 35-40 times.

Also note that data should be overwritten, I read in one article, with pseudo-random data as it reduces the possibility for recovery.

I would suggest if your data is critical enough to warrant the use of such tools you look up the matter on the net and locate a decent resource which can provide to you key issues to consider... which perhaps goes beyond the scope of the typical length of a message forum reply.
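
Added example (not part of any post in this thread, and not how Eraser or any other named tool is implemented): the overwrite-before-delete idea from the two posts above, with the overwrite padded to a whole cluster so the slack space in the file's last cluster is covered too, pseudo-random fill, and a configurable number of passes. The 4096-byte cluster size, the function names and the default pass count are assumptions made for this sketch.

```python
import os

CLUSTER_SIZE = 4096  # assumption: cluster size of the volume holding the file


def padded_length(size, cluster=CLUSTER_SIZE):
    """File length rounded up to a whole number of clusters (at least one)."""
    return max(1, -(-size // cluster)) * cluster


def overwrite_in_place(path, passes=3, cluster=CLUSTER_SIZE):
    """Overwrite the file, slack included, with random bytes `passes` times."""
    length = padded_length(os.path.getsize(path), cluster)
    with open(path, "r+b") as f:          # r+b: rewrite without truncating
        for _ in range(passes):
            f.seek(0)
            remaining = length
            while remaining:
                chunk = min(remaining, 1 << 20)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())          # push each pass out to the device
    return length


def wipe(path, passes=3, cluster=CLUSTER_SIZE):
    """Overwrite, rename to a random name, then delete. True if path is gone."""
    overwrite_in_place(path, passes, cluster)
    # Best effort, file-system dependent: delete under a random name so the
    # entry left behind does not carry the original file name.
    anon = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.rename(path, anon)
    os.remove(anon)
    return not os.path.exists(path)
```

This only reaches the clusters the file occupies now: earlier copies in the swap file, temp files or clusters the file used before it was moved are untouched, and on SSDs or copy-on-write and journaling file systems the new data may not land on the old blocks at all.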

Tobas
02-06-2003, 09:53 AM
Yes there is a 100% way - but it costs :-)

Buy a new HDD, take the old HDD out to the shed, (all good blokes have sheds), open it up, rip out the platters and put them through a grinder.

For additional fun, take what's left of the HDD outside with a sledgehammer in the other hand......

100% all the way

Captive
02-06-2003, 10:42 AM
On that note, it has been mentioned to me by a tutor that some military units do indeed do something like this in reality. Although they break it up and incinerate it.

That does not mean that it is 100%, however. When you go to smash it or incinerate it there are times when the data is still vulnerable, and it is assumed the system has not already been compromised by say something as simple as a trojan or perhaps at more FBI / Military levels such as TEMPEST.

But then I guess ignorance is bliss.

Billy T
02-06-2003, 11:35 AM
I guess the bottom line here is how critical or confidential is the data. If you just want to cover your tracks from private (non-controversial) surfing while at work, or on a shared computer at home, then simple deletion is probably enough.

If somebody is going to go looking for deleted files they need a very good reason to be doing that, so if it is anything other than commercial sensitivity/espionage that bothers you, don't use a computer that others may scrutinise.

One way to deal with these issues is to set up your computer with two HDDs or divide one drive into two partitions. Put OS & programs on C: and all data on D:. Make a clone copy (using Ghost or Drive Image) of your C: drive while it is still clean, i.e. you have done installation and configuring only and dump that cloned image back over the top of the working version any time you want to erase any activity tracks. This will rewrite the entire disk and get rid of any easily accessible traces of the previous information. Note that a simple data image will not do this as effectively and could leave a lot of erased but still accessible information there for the asking.

That won't help with data you have elected to save, but you will know exactly where it was stored and can delete it using an overwrite utility.

Best practice is to not have information (erased or otherwise) on your computer that you wouldn't want anybody else to see (commercial considerations excepted) as a full forensic analysis will see through just about anything short of incineration and can even lift data that has been several times overwritten. Any action that leaves the disk platters physically intact is open to data recovery.

For more information about how deep forensics can probe, see FAQ #32 and follow the link

Cheers

Billy 8-{)

Greg S
02-06-2003, 12:04 PM
PGP will overwrite with senseless data any portion of the disk you like, so you can just get it to clear all the "empty" spaces, to US military security standards.