
Forum: Author Hangout

How to delete incriminating data from a PC harddisk?

REP

In the story I am working on, my MC is using Word in Windows. He is preparing a legally sensitive document for his lawyer's use that might create future problems for him if it were to fall into the wrong hands. His lawyer tells him to not save the document to his PC's hard disk. The lawyer tells him to save it to a removable disk drive and to change Word's backup location to the removable disk drive before he starts working on the document.

If a forensic computer analyst examined his PC, would they be able to retrieve all or portions of the document he wrote, possibly a .tmp file? If so, how would the MC go about deleting what the analyst might retrieve?

Capt. Zapp

@REP

If so, how would the MC go about deleting what the analyst might retrieve?


There are (or were) several products that claimed to remove ALL traces of deleted files. They claimed to use algorithms that were used to destroy top secret classified files. A couple of the ones I remember were WindowsWasher and BleachPC (or something like that).

Of course, HDs from computers containing classified material are supposed to be physically destroyed. It's 99.999~% impossible to recover any data from a lump of slag.

There was also a program called PGP (Pretty Good Privacy) that used 256 bit (I think) encryption to secure files.

Dominions Son

@Capt. Zapp

There are (or were) several products that claimed to remove ALL traces of deleted files. They claimed to use algorithms that were used to destroy top secret classified files.


I have read (I don't know if it's true) that the CIA and NSA have technology that can scan a hard drive platter with an MRI type of device and supposedly recover not only the current value of each bit location, but several prior values as well.

The same article where I saw the above claim, also said that the CIA and NSA destroy used hard drives by grinding the platters into dust.

Dominions Son

@REP


If a forensic computer analyst examined his PC, would they be able to retrieve all or portions of the document he wrote, possibly a .tmp file?


A lot depends on the resources available to the analyst and how much time and resources they are willing to put into it.

There is software out there that will overwrite deleted files with all 1s or all 0s. This should be adequate against the resources available to most local law enforcement agencies.

Crumbly Writer

As long as the document is stored off-site (on the external drive), then the data is only stored on the computer's memory. If you are using a solid state drive, then the memory gets dumped when you shut down the computer. However, with older computers using traditional drives, the memory gets written repeatedly to the disk.

The best way to 'erase data' is 'scrubbing' the disk, which typically rewrites all the 'empty' blocks on the drives with alternating 1s and 0s (first pass writes zeros, second writes ones and the third and final writes zeros again). However, for files which have been on the system for a long time, or have been referenced multiple times, the data gets permanently 'burned' onto the drive, meaning a computer forensics team can still uncover it, no matter how many times you scrub the disk.

What they NOW suggest, is taking a screwdriver to the disk platter, rendering it unreadable by existing drives (once you've decided the computer's likely to be examined by the authorities).

Crumbly Writer

@Dominions Son

The same article where I saw the above claim, also said that the CIA and NSA destroy used hard drives by grinding the platters into dust.

After repeated leaks, the NSA (and the White House) are now considering grinding their analysts into dust!

Dominions Son

@Crumbly Writer

After repeated leaks, the NSA (and the White House) are now considering grinding their analysts into dust!


Won't work, too much liquid in a human body. They would have to be stored in a low humidity environment long enough to completely desiccate before grinding.

Ernest Bywater

@REP

The best way to ensure something done isn't stored on the hard drive would be to use a Live Disc to boot the computer from to work on the document and save it to a USB drive with an encryption program. That way nothing is saved to the hard drive at all, it's all in the RAM.

The next best thing would be to use SSD drives to boot the system from and have another SSD set for the Home directory, that way the SSD can be totally rewritten over and the old data ceases to be.

Most platter hard drives can have the data of removed files recovered from it, depending on how many times data has been recorded into that track and sector since the file was deleted.

...........

When you save anything to a drive the information is stored in a memory location and the fact of it being there is stored in the File Allocation Table, usually as a starting location and an ending location entry - kind of like a Table of Contents. When you tell the system to delete the file it removes the entry from the table, but the data is still on the drive until other data is written over it. When the data is overwritten in a SSD or USB or other Volatile Memory Device the data is no longer accessible at all.

However, the way a platter drive works means it can often be recovered - most hard drives are platter style devices. These have data stored in sectors on tracks created on the drive, with each track having a space between it and the next one. Over the years the amount of space between tracks and the width of the tracks has reduced, allowing you to store more on a single platter of the same size, but there's still a space between tracks. When you store data on the drive there's often a sort of spill over with an echo copy recorded in the space between the tracks, and this can be recovered.

To recover the data off a platter they use a special liquid which is poured on the platter after they remove it from the drive, and then the way the liquid sticks to the platter enables them to tell if the bit at each location is a 1 or a 0 and they reconstruct the data at the bit level. This works because there are only the two data options and the storage is an electronic charge, thus each bit position either has a charge or it doesn't have a charge, which tells them which type of bit it is. - That's the simplified answer of how it's done.

............

edit to add: Classified platter drives have the data destroyed by writing over the data on the drive a number of times to scramble the echo data. You do it by special software which stores all Zeros in each bit location, followed by another pass with all Ones, a third pass with Ones and Zeroes in alternate locations, and a fourth pass with Zeroes and Ones, and then repeat the whole sequence. For ultra security the drives are also physically destroyed.

Crumbly Writer

@Dominions Son

Won't work, too much liquid in a human body. They would have to be stored in a low humidity environment long enough to completely desiccate before grinding.

Trump wouldn't mind grinding them underfoot (the bloodier the better), while the NSA wouldn't mind grinding them under the weight of the legal system. The idea is to exact revenge, not to cover up the already exposed truth.

Dominions Son

@Crumbly Writer

Trump wouldn't mind grinding them underfoo


My sort of point was that if you grind a fresh human body, you get goo, not dust. Grinding a human body into dust as you originally proposed isn't possible without going to extreme lengths to dry it out first.

Switch Blayde

@REP

Don't forget about the trash can. When something's deleted, it goes in there.

Ernest Bywater

@Switch Blayde

Don't forget about the trash can. When something's deleted, it goes in there.


The File Allocation Table entry is what is placed in the Trash Can, not the actual file or data.

Crumbly Writer

@Ernest Bywater

The File Allocation Table entry is what is placed in the Trash Can, not the actual file or data.

It doesn't go "in" the trash can, rather that's how the trash can is created (i.e. it "is" the trash can).

But, putting stuff in the trash and emptying it doesn't do anything to remove it from the computer.

Ernest Bywater

@Crumbly Writer

It doesn't go "in" the trash can, rather that's how the trash can is created


There's a file in the computer that's known as the Trash Can. When you send a file to the trash can the data from the File Allocation Table is moved from the normal File Allocation Table list and placed in the Trash Can list. When you tell the system to clear the Trash Can it simply clears the Trash Can list. The actual data for the file on the drive isn't touched or affected in any way. However, it will be overwritten the next time the computer wants to use that space.

Files can be recovered by some software after the file allocation list is gone as long as the actual data hasn't been overwritten yet. The system recovers the files by using software to check what is in each storage location and comparing that to the File Allocation Table and then listing what it finds that's not in the File Allocation Table.
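To make the "table of contents" description in this post, and the zeros / ones / alternating-bits overwrite sequence from Ernest's earlier post, concrete, here is an added toy model. It is example code written for this thread, not anyone's posted code and not real FAT or NTFS logic: `ToyDisk`, its 16-byte block size and the sample file contents are all constructed. It shows that a normal delete only drops the table entry, that a scan of the unallocated blocks still finds the bytes, and that a free-space scrub with the 0x00 / 0xFF / 0x55 / 0xAA passes leaves nothing for that scan to recover while allocated files are left untouched.

```python
"""Toy model of a table-driven disk, after the thread's description.

Constructed example, not real FAT or NTFS code: a flat bytearray stands in
for the platter and a dict stands in for the allocation table ("table of
contents"). It shows (1) delete only removes the table entry, (2) a scan of
unallocated blocks still finds the bytes, (3) the 0x00 / 0xFF / 0x55 / 0xAA
pass sequence leaves nothing for the scan to find.
"""

BLOCK = 16  # bytes per block; tiny so the demo stays readable


class ToyDisk:
    def __init__(self, nblocks):
        self.media = bytearray(BLOCK * nblocks)  # the "platter"
        self.table = {}  # file name -> (first block, block count)

    def free_blocks(self):
        """Blocks no table entry points at (the disk's "empty" space)."""
        used = {b for start, n in self.table.values() for b in range(start, start + n)}
        return [b for b in range(len(self.media) // BLOCK) if b not in used]

    def write(self, name, data):
        """Store data in the first contiguous run of free blocks."""
        need = max(1, -(-len(data) // BLOCK))  # ceiling division, at least one block
        free = self.free_blocks()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run == list(range(run[0], run[0] + need)):
                break
        else:
            raise OSError("no contiguous free space")
        start = run[0] * BLOCK
        self.media[start:start + len(data)] = data
        self.table[name] = (run[0], need)

    def delete(self, name):
        """A normal delete: the table entry goes, the media is not touched."""
        del self.table[name]

    def carve(self):
        """What a recovery tool does: list unallocated blocks that still hold
        something other than a uniform fill pattern."""
        found = []
        for b in self.free_blocks():
            chunk = bytes(self.media[b * BLOCK:(b + 1) * BLOCK])
            if len(set(chunk)) > 1:
                found.append((b, chunk))
        return found

    def scrub_free_space(self, rounds=2):
        """Overwrite every unallocated block with the pass sequence from the
        thread: all zeros, all ones, 0x55 (01010101), 0xAA (10101010),
        then repeat. Allocated files are left alone."""
        for _ in range(rounds):
            for fill in (0x00, 0xFF, 0x55, 0xAA):
                for b in self.free_blocks():
                    self.media[b * BLOCK:(b + 1) * BLOCK] = bytes([fill]) * BLOCK


def demo():
    """Returns (file still in table?, bytes carved after delete, carve hits after scrub)."""
    disk = ToyDisk(8)
    disk.write("keep.txt", b"stays allocated")
    disk.write("journal.txt", b"CONFIDENTIAL DRAFT")  # constructed sample content
    disk.delete("journal.txt")
    carved = b"".join(chunk for _, chunk in disk.carve())
    disk.scrub_free_space()
    return "journal.txt" in disk.table, carved, disk.carve()


if __name__ == "__main__":
    in_table, carved, after = demo()
    print("entry still in table:", in_table)
    print("recovered by scan:", carved.rstrip(b"\x00"))
    print("blocks recoverable after scrub:", len(after))
```

The model only covers the logical layer the thread is describing: table entries and block contents. It says nothing about the physical-layer questions (track-edge or inter-track remanence) that are argued elsewhere in the thread, which no software model can settle.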

REP

@Capt. Zapp

to remove ALL traces of deleted files.


Thanks Capt Zapp. My MC's problem is the files were never saved to the PC's hard disk. I do know that Word has temporary working files that are given names by Word. I don't know where these temp files are saved and I'm not sure if there may be other files saved also.

When one of my companies went out of business, we had to destroy the hard disks that contained classified material. Under the watchful eye of our security officer, we opened the hard disks and removed the platters. We took a screwdriver and scratched up both sides of the platter and then bent it in half and flattened it with a hammer. At the time, that was the Government approved method of destroying hard disks containing classified data. The Government may have slagged theirs, but we did not have that capability.

Dominions Son

@REP

Thanks Capt Zapp. My MC's problem is the files were never saved to the PC's hard disk. I do know that Word has temporary working files that are given names by Word. I don't know where these temp files are saved and I'm not sure if there may be other files saved also.


There is a system temp directory for temporary files.

Here is an article from PC world on how to clean it out.

http://www.pcworld.com/article/2602104/windows/how-to-clean-your-windows-temp-folder.html

REP

@Dominions Son

I don't know if it's true


As I indicated I worked with classified data and was involved in the destruction of a number of classified hard disks. During our indoctrination in handling classified computer disks, we were informed that it was possible to recover data that had been wiped by programs similar to those that Capt Zapp mentioned. If I understand the method used, the wipe programs only remove the central portion of the data track created by the write heads. The recovery programs are based on placing the data platters in a special hard drive that has a very sensitive read head that is set up to read the data still present at the outer edges of the data track. It is a time consuming and costly process, but it can be done.

Grinding the magnetic medium off of a platter is definitely a good way to destroy data stored on that medium. Bending a platter as I described above is also a good way to do it for you will never flatten that disk to the extent its data can be read. Re-flattening the platter might be possible without distorting it, but in the process you would destroy the magnetic medium on which the data is stored.

REP

@Dominions Son

overwrite deleted files


Thanks DS.

As I mentioned to Capt Zapp, the files aren't deleted. They may be on the disk but you don't have their names and short of wiping the entire disk, it won't help my MC. Since my MC might be creating sensitive files on a regular basis, wiping the disk after creating a sensitive file won't work as a long term solution.

REP

@Crumbly Writer

'scrubbing'


I am familiar with the process of scrubbing/wiping a hard disk. It won't work for my MC because he may have to create sensitive documents on an on-going basis, and those techniques affect the entire hard disk. He won't want to reload the operating system and all his programs every day.

His personal PC is subject to seizure by the authorities at almost any time, although such a seizure would be the result of a lawsuit, so he would have some idea that it might happen. But he will need to use the computer during the high risk period.

My concern is that PCs can allocate hard disk sectors to be used as RAM. So if Word were to use that allocated hard disk RAM storage area, the data would still be there when the computer is shut down. There may be other ways in which Word could leave data on the hard disk or in solid state memory locations that are not dumped when power is removed. Is there a way to selectively remove this data without affecting other portions of the hard disk or memory that my MC would like to retain? If this can be done, then there is the second question of how would my MC know what areas need to be cleaned.

REP

@Ernest Bywater

it removes the entry from the table,

Not to be argumentative, for I appreciate the help, but what actually happens is the first letter of the filename in the FAT is overwritten with an invalid filename character. Restoring the first character of the filename with a valid character allows you to retrieve the file if it hasn't been overwritten after deletion.

Procedures for destroying data on a hard drive platter have changed over the years, and I suspect each government defines what it feels is adequate. I know that at the time I was involved in destroying hard disks containing classified data, the process you defined was known to the US Government and was not deemed adequate. For whatever reason, we had to physically damage each platter in a way that made it totally unusable and the data irrecoverable. I don't know today's approved process.

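As an added illustration of the point REP makes above about the first character of the name (example code written for this thread, not anyone's posted code): on FAT volumes the byte written over the first character of the short name is 0xE5, and the rest of the 32-byte directory entry, including the starting cluster and the file size, is left in place. That surviving entry is what an undelete tool reads. The block below builds a small directory region in the FAT32 entry layout, deletes one entry the way the file system does, and parses the result; `make_entry`, `SAMPLE_DIR` and the file names are all constructed for the example.

```python
"""Constructed FAT 8.3 directory entries, to show what a delete changes.

Added example, not code from the thread: it builds 32-byte directory
entries in the FAT32 layout, marks one deleted the way the file system
does (first name byte := 0xE5), and parses the result. The cluster number
and size survive the delete, which is exactly what an undelete tool uses.
"""
import struct

ENTRY = 32
DELETED = 0xE5   # first byte of a deleted directory entry
END = 0x00       # first byte 0x00: no further entries in this directory
LFN_ATTR = 0x0F  # long-file-name piece, not a file record


def make_entry(name, ext, attr, first_cluster, size):
    """Build one constructed 8.3 entry (name and extension are space padded)."""
    raw = bytearray(ENTRY)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # cluster, low word
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def mark_deleted(entry):
    """All a FAT delete does to the entry itself: replace the first byte."""
    return bytes([DELETED]) + entry[1:]


def undelete(entry, first_char):
    """Restore a guessed first character; the original letter is gone for good."""
    return first_char.upper().encode("ascii") + entry[1:]


def parse_directory(blob):
    """Walk a directory region and describe each short-name entry."""
    entries = []
    for off in range(0, len(blob) - ENTRY + 1, ENTRY):
        raw = blob[off:off + ENTRY]
        if raw[0] == END:
            break
        if raw[11] == LFN_ATTR:
            continue
        deleted = raw[0] == DELETED
        base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", raw, 20)
        lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


# A constructed directory: one live file, one deleted file, then the end marker.
SAMPLE_DIR = (
    make_entry("NOTES", "TXT", 0x20, 5, 1200)
    + mark_deleted(make_entry("JOURNAL", "DOC", 0x20, 9, 40960))
    + bytes(ENTRY)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e)
    print(parse_directory(undelete(SAMPLE_DIR[32:64], "J"))[0])
```

Two caveats for anyone reading this as more than an illustration: a real FAT delete also releases the file's cluster chain in the FAT itself, so only the starting cluster survives and a fragmented file needs carving rather than a one-byte fix; and NTFS does not use this marker at all, it clears the in-use flag on the file's MFT record instead, which is the difference Zom raises further down.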
Ernest Bywater

@REP

Procedures for destroying data on a hard drive platter have changed over the years, and I suspect each government defines what it feels is adequate.


When I was working in the Aust DoD we followed the same rules as the US DoD and that was to use 2 types of drive clearance based on the highest classification of material that might have been on the drive.

1. Writing Over the drive as earlier described was used for drives where the data on the drive could only be in the categories below Secret and Highly Protected - which is the equivalent of Secret for data that was of a National Security type, eg. personnel data type stuff.

2. Write Over and Disc Destruction (which I also mentioned) was for all data at or over Secret and Highly Protected. The Write Over was done before it left the facility because the destruction was done elsewhere and the policy was easier to write as do the Write Over to all drives first.

Ernest Bywater

@REP

He won't want to reload the operating system and all his programs every day.


If you use a Live Disc or an SSD with an OS etc on it the only information on the main system is in the RAM and will be lost as soon as the system reboots. Thus he need only turn off the system and boot to the other as required, no need to rebuild the system at all, and the main system doesn't have to be cleaned at all. However, you have to ensure the Live Disc or SSD has all the software you want to use on it.

Zom

@Ernest Bywater

File Allocation Table

Guys, the FAT (File Allocation Table) disk structure has been well and truly superseded on hard disks by the MFT (Master File Table). In fact all Windows systems after Me (i.e. the VAST majority of PCs in existence) use NTFS which is MFT structured. The purpose of the two is similar, but the MFT is quite different in nature and has a much more complex structure.

docholladay

How about using some kind of magnetic fields. Could that possibly work to erase a hard drive's data completely?

Switch Blayde

I don't think anyone answered the main part of the question.

If he's saving to a removable drive and even has Word write the auto-backups to that removable drive, is any of the data written to the computer's main hard drive? Like in a tmp file.

The question about wiping out data on the hard drive would only be necessary if the answer to the question is yes — that Word or Windows stored some of the data on the computer's hard drive.

sejintenej

I watched for replies to this question with interest because I have had various PCs fail on me - fail in the sense that they will no longer even start to boot up so special programs couldn't work.

Apart from perhaps REP's idea of hammering the hard disks into weird shapes (and not having a strong enough magnetic field available) I think I will consign my collection of hard disks to the tender mercies of the deepest depths of the English Channel (or if you are French, The Sleeve) in the hope that they are not swept into a fisherman's net.

Ernest Bywater

@Zom

Guys, the FAT (File Allocation Table) disk structure has been well and truly superseded on hard disks by the MFT (Master File Table).


Although the process name was used as the title of the original process, and more recent processes use different names, such as that used in Unix and Linux and the latest versions of MS Windows, the process known as File Allocation Table is still the same process working in the same basic way.

Ernest Bywater

@docholladay

How about using some kind of magnetic fields. Could that possibly work to erase a hard drive's data completely?


A very strong EMP or magnetic field will totally scramble everything on a drive and render it totally useless, and is one way of erasing data. But it takes a strong field to do it.

Ernest Bywater

@sejintenej

I watched for replies to this question with interest because I have had various PCs fail on me - fail in the sense that they will no longer even start to boot up so special programs couldn't work.


Depending on what is actually wrong, the drives may work on another system - I've recovered data from dead systems for many people in the past.

madnige

Quick-n-dirty total erase - burn the disk in a furnace. If the temperature of the platters gets over the Curie temperature for the magnetic material, the whole disk assumes the local (earth's) magnetic field which is fixed on cooling through the Curie temperature - total erasure, as well as melting various bits. Any semiconductors are destroyed on heating to over a few hundred C, and aluminium (used for the frame, and often the platters) will melt if you can get it hot enough. Modern platters are often glass, which doesn't like either thermal or mechanical shocks, and get it to red hot and it will slump and no longer be circular or smooth. SSDs, they're semiconductors so just get them up to a few hundred C for a while and the precisely positioned diffused regions which actually make up the components on the chip will start to spread, totally destroying the internal circuitry (unlike EMP which at best will take out only the peripheral circuitry, allowing the charge patterns in the memory array to be recovered by a sufficiently determined & funded agent). Basically do a Terminator 2 on it, you need to heat it to at least cherry red.

Secure use - install a small live Linux onto a removable HDD (preferably a SSD for reasons noted above) and tweak it to not use a swap file, or to configure and use a ramdisk as a swapfile. Some versions of Linux (Puppy?) run entirely in RAM; set up a USB flashdrive with a suitably configured Linux, walk up to a machine, plug it in, reboot to the flashdrive, do your stuff, reboot, unplug and walk away.

docholladay

@madnige

do your stuff, reboot, unplug and walk away.


Shouldn't this be: unplug, reboot and walk away?

REP

Thanks guys. I appreciate all the suggestions.

From what I received, my MC has a potential problem if I go with what I was thinking of, so I'll modify things to evade the problem.

REP

@sejintenej

When I replace my PC, I pull the hard disk out of my old unit and install it in either an open slot of the new PC or in an external HD case, which I connect to the PC. After the new PC boots, and if the old HD isn't defective, I can retrieve its data or use any special program that may be on the old HD.

Of course if the only thing you want to do is keep someone from accessing the disk's data (i.e., not classified data) all you really have to do is put it on a hard surface and hit it with a sledge hammer a few times. Caving in the case will damage the interior mechanisms. Hit it a couple of more times and you will deform the platters. Simple, easy, and you can work your frustrations off at the same time.

sejintenej

@REP

REP
Thanks. I have a sledge hammer and also a kango hammer so those should do the job nicely.

(For those not accustomed to UK building site tools, a sledge is a very heavy hammer with a three foot long handle and a kango is a very heavy (60 lbs) electric tool with a vibrating pointed blade for destroying concrete, road surfaces etc.)

Not_a_ID

@REP


Of course if the only thing you want to do is keep someone from accessing the disk's data (i.e., not classified data) all you really have to do is put it on a hard surface and hit it with a sledge hammer a few times. Caving in the case will damage the interior mechanisms. Hit it a couple of more times and you will deform the platters. Simple, easy, and you can work your frustrations off at the same time.


A fire axe could work in a pinch too. There is a reason both items are standard equipment in classified spaces on a warship. It isn't for damage control/firefighting. ;)

Another note on recovery of data from magnetic media. A factor in being able to succeed in an overwrite will also be the "age" of the file location. As alluded to already, there is something of a "memory" of past states that persists. That said, the Hollywood 1's and 0's option could work if the data is recent and hasn't been there for long. But if that file has been there for the better part of a year, you're basically looking at physical destruction at that point if you want to prevent recovery.

Beat it with a sledge, douse it in gasoline, set it on fire, and throw it in a blast furnace. ;)

Not_a_ID

@REP

From what I received, my MC has a potential problem if I go with what I was thinking of, so I'll modify things to evade the problem.


As various Washington D.C. Investigations have revealed, often times you don't even need to go to extraordinary measures to thwart government investigators on the digital front. It is possible for them/others to recover a lot of stuff in theory... The question is if they'll go to the relevant level of effort to do so.

Not_a_ID

@Ernest Bywater

a very strong EMP or magnetic field will totally scramble everything on a drive and render it totally useless, and is one way of erasing data. But it takes a strong field to do it.


A firm with the right equipment could just shift the platters into a new unit and ignore the zapped electronics issue. In theory they might even be able to reconstruct the corrupted data, short of someone taking a magnet that weighs several pounds directly to the disk.

The case for the computer itself, as well as the hard drive case and presumably the building it's in should also dampen the impacts to the physical disk platter. The typical concern with an EMP is induced voltages over all those miles of unshielded and minimally grounded wiring. So it isn't that the HD got wiped, it's that the HD got electrocuted.

joyR

Obviously the OP has a reason for his character(s) acting as they are and the various security measures and methods of violent destruction proposed all sound highly entertaining, but why is all this necessary?

Firstly would someone in that situation really take technical computer advice from a lawyer, rather than a computer expert?

Secondly, if the MC is writing this "legally sensitive document for his lawyer's use" then exactly how useful is it? Apart from an affidavit there are few occasions when a non-contemporaneous document would be of any real use or even admissible in court. So, either the MC could simply go visit the lawyer and write the thing there and then, give it to the lawyer and leave, or avoid all the computer hassle by putting old fashioned pen to paper, if necessary employing a code, or just write it on flash paper, easy to destroy and, as he wrote it, he could obviously write it out again if the first needed to be destroyed.

Dominions Son

@Not_a_ID

So it isn't that the HD got wiped, it's that the HD got electrocuted.


Pull the hard drive and blast it with an arc wielder. :)

joyR

@Dominions Son

Wouldn't you need a covenant in order to wield an arc...??

Stop watching Indiana Jones... put down the DVD and step away from the TV.

REP

@joyR


but why is all this necessary?


It is a revenge story. The MC plans to use computers and the Internet to do something unorthodox and potentially illegal to those he feels harmed him. His goal is to do the same thing to them that they did to him (the title is Sauce for the Gander and it should be ready for posting close to the time that my Time Scope 2 posting ends).

The MC expects to be sued by his targets and is setting up a defense team. To fully understand the MC's actions and motivations the lawyer wants him to prepare an electronic journal. The MC will present his actions in court as a public service, but his real motivation is revenge. The targets are wealthy and powerful and they will accuse him of illegal activities (true if his real motivation can be proved); so there is a possibility that his computer would be seized by court order and analyzed. The lawyer wants to make sure there is nothing that might be incriminating on the MC's computer.

docholladay

@REP

The MC plans to use computers and the Internet do something unorthodox and potentially illegal to those he feels harmed him.


Then why not have your MC use a local Library's computer. I believe most of them have computers that are available to the public for their use. I don't know how many would have internet access but some do. Save anything needed for later activity on usb devices or some other media. As long as the MC doesn't use the same library regularly and doesn't set a traceable pattern of library usage it might be hard to narrow it down to a particular person.

REP

@docholladay

needed


Good idea. I had him hiding from the bad guys in libraries for a week or two, so I'll have him or the lawyer think of the library computers or something like that. A minor rewrite should do it.

Ernest Bywater

In my short story CIA Exposed: TARP Cover Up I've the MC writing a story on USB drives so as not to have anything on the computer due to concerns about being spied on. The process is detailed in the story.

http://storiesonline.net/s/13593/the-cia-exposed-t-a-r-p-cover-up

One issue with using a library computer is you would still leave traces on the computer, but it wouldn't be your computer, although others could recover the files and read what you wrote.

Not_a_ID

@docholladay

Then why not have your MC use a local Library's computer. I believe most of them have computers that are available to the public for their use. I don't know how many would have internet access but some do. Save anything needed for later activity on usb devices or some other media. As long as the MC doesn't use the same library regularly and doesn't set a traceable pattern of library usage it might be hard to narrow it down to a particular person.


Being on a USB Drive doesn't fully cover you, there are ISP logs that could potentially "get you" via TCP/IP protocol stuff relating to NAT specifically and MAC Addressing. Likewise, depending on the public Library, thanks to MAC address stuff depending on what level of detail is getting logged, they could narrow it down to specific computers at specific times. And if the library keeps logs, or has security camera footage....

Anymore, the "better" option would probably be to avail yourself of free public wifi, but when you use it, make sure you're not using the "stock" wifi that comes with your computer, and make sure that activity does only go to the USB drive.

Or for a slightly easier option, find an old wifi device that can't be tied back to you (don't keep it, don't advertise you had it), record what its MAC address is/was, and before you connect to "public wifi" make sure you switch your wifi device's MAC address (via software) to that specific address, and remember to change it back once done (this is actually something that can be done through the stock Windows interface for that matter). So you're not running around with two physical wifi interfaces for a lone device. :)

There are programs "out there" that can generate valid MAC addresses at will for you as well. So in that respect, you could have a character go that route, so their illicit acts never happen from the same MAC (but at the very small risk you might eventually come up with a MAC address being used by a device on your specific sub-net, as unlikely as that may be). But that is really wandering off into the weeds on tech details. :)

Dominions Son

@Not_a_ID

Being on a USB Drive doesn't fully cover you, there are ISP logs that could potentially "get you" via TCP/IP protocol stuff relating to NAT specifically and MAC Addressing. Likewise, depending on the public Library, thanks to MAC address stuff depending on what level of detail is getting logged, they could narrow it down to specific computers at specific times. And if the library keeps logs, or has security camera footage....


Worse, with a computer you don't have full physical control over, they could have a key logger installed and you would never know.

Zom

@Ernest Bywater

the process known as File Allocation Table is still the same process working in the same basic way

Sorry EB, but it's really not. The only similarity between FAT and NTFS (MFT) is the purpose. How they work is significantly different.

Ernest Bywater

@Zom

How they work is significantly different.


The basics I set out are the same, just like the basics of driving a manual 10 speed truck are the same basics as driving an automatic 4 cylinder car. Sure the gear lever system work in a different way, but the basics of selecting gears to change the drive shaft speed from the crankshaft are the same.

Every operating system has some sort of File Allocation Table where it lists the files and the memory storage locations of the actual files (as I previously stated). When you choose to delete a file it erases the entry, and not the actual file. The file itself is wiped only when it gets overwritten by having something else written to that space. - The basics are the same, regardless of what you call it and regardless of the operating system being used.

Zom

@Ernest Bywater

The basics are the same, regardless of what you call it and regardless of the operating system being used.

With that type of reasoning you can say that a Mac and a PC and an Altair and all smart phones, TVs and watches, are all the same thing, because they all compute and interact with a user. Something is NOT the same because it superficially does the same thing, especially when they do them quite differently. There is nothing in NTFS that resembles the FAT in FAT based systems.

Replies:   Not_a_ID  Ernest Bywater
docholladay

@Not_a_ID

Write what the MC wants to be uploaded at one computer as a batch command. Save it to the USB drive. Move to another location, insert USB, run batch command, remove USB, log off and walk away. Makes for a huge search area increasing the odds. Just about all procedures/commands can be handled in the batch command, so limited key strokes on the upload computer to be tracked. Would have to know which computer the upload was created at in order to utilize the Library's computer logs and security camera records.

Not_a_ID

@Zom

There is nothing in NTFS that resembles the FAT in FAT based systems.

Uh I'm pretty sure that NTFS doesn't handle deleted files much differently than FAT does, it just isn't called a "file allocation table" anymore.

Really, once you move into things like ext3 which does journaling, recovery of deleted files becomes easier. At least so long as the drive wasn't encrypted and/or you have the encryption keys.

Replies:   Zom
Ernest Bywater
Updated:

@Zom


There is nothing in NTFS that resembles the FAT in FAT based systems.


I suggest you go back and do some studying of computer systems.

The main File Allocation Table Systems in use for the last 30 years have been named FAT 16, FAT 32, NTFS, EXT2, and EXT3 - there are also some others. They all work on the same basic File Allocation Table process of having a Table which works much like a Table of Contents for a book. Space is set aside at the start of the drive for that table and it lists the file name then the storage location the file is stored in, just like I described in the first post. You are having issues because the process is known as a File Allocation Table and you're mixing it up with the system known as FAT16 and FAT32 - which are simple names for the early Windows version. With NTFS they used the exact same layout and gave it a new name, that's all - the main difference between the three is the amount of space set aside and used for each entry in them. The way they all operate is the same as I said at the start.

Like a lot of things with computers, the process methodology stays the same, but the names for it change just so they can make it seem different. Directory or Folder - two names for the same process and procedure.

typo edit

Replies:   REP  Zom
REP
Updated:

@Ernest Bywater

The one aspect of your presentation that I question is your repeated statement about the file entry being deleted.

If that were true, then the Undelete Programs would not be able to undelete a file. Since they can recover a deleted file, the entry has to be still present.

The OS doesn't delete the file's FAT entry when you delete the file. The OS modifies the entry's name using an illegal file character, so the file will not appear in a listing of a HD's files. The entry remains in the FAT for a period of time before it is dropped. I am not aware of the factors causing it to be dropped. The Undelete Programs do their thing by showing the user a listing of all the FAT entries, and providing the user the ability to change the illegal filename character back to a legal character. The file name will then be displayed in the directory listing of the HD's files. Of course there is the concern that a portion of the file was overwritten while the file was "deleted", but that is a different issue.

Replies:   Ernest Bywater
Ernest Bywater

@REP

The one aspect of your presentation that I question is your repeated statement about the file entry being deleted.


The file itself isn't deleted when you tell it to delete, the entry in the table is deleted from the table, or if you send it to the Trash Bin it's moved to the Trash Bin record. The actual file is still sitting on the drive until something else is written into the space it's sitting on. The recovery system works by checking the drive itself and reinstating the entry. Leave it too long and the file can't be recovered due to part of it being overwritten.

Think of it like a word processor Table of Contents where you use three levels of chapter headings in the document, set the ToC to look for three levels and it lists them all, set it for two levels and all the third level headings vanish from the table, but they're still in the document - same sort of effect. No entry in the table, but it's there in the document.

Replies:   REP
REP
Updated:

@Ernest Bywater


recovery system works by checking the drive itself and reinstating the entry


We all agree that the file is still on the HD if it hasn't been overwritten.

My issue is the file entry in the FAT. It sounds as if you are saying it is deleted (i.e. gone forever, which is what deleted means) and I am saying that is not true.

Please explain to me how the recovery system can reinstate the entry if it no longer exists. Since the FAT is the structure that holds all file entry information, the recovery program has to go to the FAT to find the file's entry which is the first step in reinstating the file.

No entry - no recovery.

Entry still present (not deleted) - recovery possible.

Replies:   Ernest Bywater
Ernest Bywater

@REP

Please explain to me how the recovery system can reinstate the entry if it no longer exists.


There are two main ways the data of the file is stored on the drive:

1. The data is stored in contiguous locations - not common with many of today's systems.

2. The data is stored in a number of file locations and part of the data stored as the last info in the first storage location is the information on where to find the next lot of data, and so on until the very last lot has the end of file info.

In both cases the first storage location is noted in the allocation table.

When you run a recovery program it examines the drive storage location for what is in it, and does a full catalogue of what it finds, then compares it with the allocation table and tells you what extras it found and if you want them reinstated.

............

As it was explained in the college tech class on hard drives and data storage I did those years ago, think of all the storage locations on the drive like a large wall of pigeon hole boxes, each with its own ID for the box. The allocation table is like a clipboard sitting on the table in front of it that has the list of files and the box address of the first data for the file.

For the sake of this example think of 26 rows of 100 boxes with each row being a letter and the numbers being 00 to 99 and the storage goes from A00 to A99 then B00 to B99 etc. Assume the file in question needs 40 boxes.

If the data is stored in one contiguous set of boxes the first box has a sign on it saying the name of the file and a note that the file is stored from there to the last box listed. So the table says it starts at A35, and when you get to A35 there's a note saying the file is from A35 to A75 and A75 has an End of File note.

In the second set up the same file and location listing sends you to A35, and in A35 is a note saying go to A36 next, that has a note saying go to A37, etc. Then you get to A41 and it says go to B15, and each box goes on until you get to the last box which has a note saying End of File.

..........

That's the basics of the process. The recovery program examines each location and notes what's there. Think of it like doing an inventory stocktake where you open every box and count what's in it while noting what's there.

Replies:   REP
REP
Updated:

@Ernest Bywater


The allocation table is like a clipboard sitting on the table in front of it that has the list of files and the box address of the first data for the file.


I agree with what you said EB - the allocation table has the list of files that correlates to the assigned and unassigned portions of the HD disk space. The files in the list that are associated with deleted files (unassigned disk space) are still in the list and they contain the start address of the files that were deleted.

So, why do you keep insisting that the files associated with the deleted files have been deleted from the Allocation Table's list of files?

Replies:   Ernest Bywater
joyR
Updated:

Leaving aside the FAT / NTFS issue for a moment.

Unless the MC named the thing "legally sensitive document" instead of some innocuous and oft used filename, does it really matter if it's listed? After all, unless you know that the filename refers to that specific document, how would anyone know to what it refers? The MC could even change the file extension after saving and again before opening again, to disguise that it is any type of file containing text.

Or hide it in a picture file jpg/gif etc. Attempting to open the picture would make it appear corrupted, make the file one of many, all intentionally corrupted and all in the same sub directory, the file wouldn't even stand out enough to attract attention.

ETA

To make deletion easier, why not create a small partition on the drive, one that can easily be overwritten repeatedly, and often, if necessary.

Replies:   Ernest Bywater
Dominions Son

If all else fails, when in doubt C4. :)

Replies:   REP
docholladay

Remember, depending on how you tell something, it can be seen as both the truth and a lie. I have seen times when the truth was seen as being a lie. And times when a lie was seen as being the truth, both on and off the polygraph testing machines. It's why those test results are not considered valid any more in courts.

Crumbly Writer

@Dominions Son

There is a system temp directory for temporary files.

Here is an article from PC world on how to clean it out.

I'm familiar with it, because every time WORD crashes, it leaves 'temporary' links behind. However, I rarely save them because the recovered files cause problems with various sites I post to.

Crumbly Writer

@REP

During our indoctrination in handling classified computer disks, we were informed that it was possible to recover data that had been wiped by programs similar to those that Capt Zapp mentioned. If I understand the method used, the wipe programs only remove the central portion of the data track created by the write heads.

More than that, disks retain 'ghost' images of the old data, even when the data on them has been erased. So if you examine the disk, you can still read content that's been erased, overwritten and has complete new data in it.

Consider that every time you click the wrong link and an obscene image pops up. If anyone ever accuses you of something, all the cops need is one or two of those 'momentary' images and you'll spend the rest of your life labeled as a convicted pedophile. In Ernest's case, he sent an email to the wrong person, asking about access to a site he didn't know anything about. They're still examining his disks, trying to uncover more of those 'never stored on his computer' images.

Crumbly Writer

@REP

I am familiar with the process of scrubbing/wiping a hard disk. It won't work for my MC because he may have to create sensitive documents on an ongoing basis, and those techniques affect the entire hard disk. He won't want to reload the operating system and all his programs every day.

If he's working with so much sensitive data, he WOULDN'T be using such ancient technology. Using solid state disks would solve most of the problem, assuming he never physically 'saved' anything to his computer.

Crumbly Writer

@Switch Blayde

If he's saving to a removable drive and even has Word write the auto-backups to that removable drive, is any of the data written to the computer's main hard drive? Like in a tmp file.

He'd be required to disable the 'autosave' and 'recover' features on software like WORD, since they aren't secure and leave easily traceable information. Thus, if WORD crashes, he'd have to recreate EVERYTHING by hand (and memory).

Crumbly Writer

@Ernest Bywater

a very strong EMP or magnetic field will totally scramble everything on a drive and render it totally useless, and is one way of erasing data. But it takes a strong field to do it.

Again, not complete--especially in the case of the old 'hard' drives with disk platters. Often, images get 'burned into the disk' even where there's new 'data' on those physical locations. The magnetic field only erases the current data, not the old data etched into the disk's surface.

And again, it's no longer an issue with the advent of solid state disks.

Replies:   Ernest Bywater
Crumbly Writer

@Not_a_ID

Beat it with a sledge, douse it in gasoline, set it on fire, and throw it in a blast furnace. ;)

If that doesn't work, then a small nuclear device should do the job! 'D

Zom

@Not_a_ID

isn't called a "file allocation table" anymore.

Thank you. And there is no single table that allocates file start points any more.

NTFS doesn't handle deleted files much differently than FAT does

If you mean in terms of outcomes, then you are correct. The mechanics of achieving these same results is different.

Zom
Updated:

@Ernest Bywater

Space is set aside at the start of the drive for that table and it lists the file name


Oh dear. You really should read up on how NTFS works compared to FAT based systems. There is no allocation table reserved sector space with NTFS. The MFT is actually a file and is more like a database than a simple table. It does not need to be located anywhere in particular on a HDD and is often non-contiguous. I have sucked a lot of those eggs.

Replies:   Ernest Bywater
Ernest Bywater

@REP


So, why do you keep insisting that the files associated with the deleted files have been deleted from the Allocation Table's list of files?


The actual data files aren't touched by the delete command, but the list entry is removed from the list. I keep saying that because that's what happens. Tell the system to delete the file Whatza and its list entry is removed at the same time as the memory units allocated to it are listed as being available. Thus it no longer shows in the list while the data is still in the boxes.

Ernest Bywater

@joyR

Unless the MC named the thing "legally sensitive document" instead of some innocuous and oft used filename, does it really matter if it's listed?


Yes, because there is software that can check all the files on a system for text of particular words. Law Enforcement uses such software to examine computers, and would thus find the data.

Replies:   joyR
Ernest Bywater

@Crumbly Writer

Often, images get 'burned into the disk' even where there's new 'data' on those physical locations.


As I explained in an early response, the data in the actual memory track is wiped and replaced, but what you're referring to is where an echo copy is stored in the space between the tracks that isn't replaced because the head doesn't pass directly over it.

Ernest Bywater

@Zom

There is no allocation table reserved sector space with NTFS.


A rose by any other name will still prick your thumb with its thorns. Call it a File Allocation Table or a Master File Table, it matters not, it still does the same job. When you format a drive with NTFS the amount of usable space is reduced due to it setting aside the space it uses for the Allocation Table which they call a Journal - same job, same basic process, different name because it has a few extras, that's all.

https://en.wikipedia.org/wiki/NTFS#Master_File_Table

Quote

In NTFS, all file, directory and metafile data—file name, creation date, access permissions (by the use of access control lists), and size—are stored as metadata in the Master File Table (MFT). This abstract approach allowed easy addition of file system features during Windows NT's development—an example is the addition of fields for indexing used by the Active Directory software. This also enables fast file search software such as Everything to locate named local files and folders included in the MFT very quickly, without requiring any other index.

End Quote

NTFS makes two copies of the table with one stored in a Mirror file.

Ergo, NTFS has a File Allocation Table which it calls a Master File Table.

Replies:   Zom  Crumbly Writer
Zom

@Ernest Bywater

it matters not

It certainly does.

Just because it eats insects like a duck means nothing. It doesn't look like a duck, it doesn't sound like a duck, and it doesn't move like a duck. An MFT is not the same thing as a FAT, regardless of how often the end result of its use is perceived to be the same as a FAT. The mechanisms of its use are entirely different. FAT is not a generic term in computing. It has a specific meaning.

If they want to be correct, folk should stop using the term FAT or File Allocation Table when referring to the NTFS, or HDD use by post-Me Windows in general.

Replies:   Ernest Bywater
Ernest Bywater

@Zom

An MFT is not the same thing as a FAT, regardless of how often the end result of its use is perceived to be the same as a FAT.


They both work in the same way, they do the same function, and use the same processes. They just give them different names, is all. MFT has a few extra bells, but it still has the same core function working in the same basic way.

Replies:   Zom
REP

@Dominions Son

C4.


A bit of overkill compared to a sledgehammer, but very effective.

joyR

@Ernest Bywater

Yes, because there is software that can check all the files on a system for text of particular words. Law Enforcement uses such software to examine computers, and would thus find the data.


Yes, I'm aware of that. But that is checking the files content. The FAT/NTFS does not contain the content, thus unless the file name is incriminating, why the concern?

Except of course for those discussing the processes by which FAT/NTFS work, rather than as they apply with regards to the OP's question.

Replies:   Ernest Bywater
Dominions Son

You aren't being consistent with yourself. You can't delete a file entry from the allocation table and then go to the allocation table and recover the start address from a file entry that has been deleted.


Actually, he was fairly accurate, you just didn't understand it.

At first go, the allocation table entry isn't deleted.

It is corrupted in a particular way so that the file system ignores the entry.

The file can still be recovered by fixing the allocation table entry using special tools, as long as the disc sectors allocated to that file aren't overwritten with other data.

Old "deleted" file entries do eventually get deleted from the allocation table.

Replies:   REP
Ernest Bywater

@joyR

Yes, I'm aware of that. But that is checking the files content. The FAT/NTFS does not contain the content, thus unless the file name is incriminating, why the concern?


Ask the OP about what's the issue with their story. In the story I wrote where the fellow took precautions he was working with documents he'd been informed the CIA was after and he'd noticed people tracking him and searching his place, so he didn't want them to know he'd received the documents they were chasing. I suspect a similar issue for the character in the story the OP is writing.

REP

@Dominions Son

Actually, he was fairly accurate


Thanks DS. I went back to check what he said and couldn't find what I recalled reading so I deleted the post.

I agree with what you said 100%, but EB is saying that is not correct.

According to what EB is saying, at the time of deletion, the file data remains on the disk and the OS deletes the file's entry from the allocation table (i.e. it is not corrupted, it is totally gone).

I described my understanding of the way the OS corrupts the deleted file's allocation table entry to EB; see my 6/2/2017 9:08:02 AM post. He said it wasn't done that way. Check his 6/2/2017 10:06:56 AM post for the details of what he says happens.

Zom

@Ernest Bywater

They just give them different names, is all.

I can see this is a religious issue for you EB, so I will not try any further to bend your zeal.

Replies:   Ernest Bywater
Ernest Bywater

@Zom

I can see this is a religious issue for you EB, so I will not try any further to bend your zeal.


Funny, I thought that was your attitude, so I gave up trying to tell you the truth, since you kept ignoring the facts.

Replies:   Zom
EzzyB

@REP

I actually worked in intelligence for many years. There were standards that several programs followed. Mind you this was in the 90's and early 00's.

Essentially these programs, one in particular I remember was made by Norton, write the drive space that contained the file over and over again. First all 1's, then all 0's. The standard was that the space had to be re-written 10 times. As someone has already said forensics can often recover something if it's not overwritten many times.

Normally deleting a file does nothing. It simply overwrites the first character in the file allocation table, essentially removing the index to the file, which still exists.

SSD's may be even worse if I understand how they work correctly. They can only be written to a finite number of times before that section of drive becomes unusable. A modern "smart" SSD will then ensure it doesn't rewrite the same space until the whole drive has been used. A spinning hard drive will constantly try to reuse the outside of the platter (it spins faster, better performance).

Not sure what is used to "clean" an SSD, a simple one-pass wipe may be sufficient to avoid forensics.

If I really, really was unsure, I'd just pop-open the hard drive and destroy it. Not that they are terribly expensive these days.

Replies:   REP  Not_a_ID
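To put the mechanics being argued over into something you can run: the toy volume below is an added illustration (not code from any poster, and not real FAT or NTFS code) of an allocation table, directory entries and data clusters. It models the ordinary delete Dominions Son describes (the entry is tagged, the chain is freed, the data is untouched), the two recovery approaches Ernest describes (reinstating from the entry, and taking an inventory of every storage location), the garbling that happens once the space is reused, and the overwrite-then-delete that EzzyB describes. The 0xE5 delete tag is real FAT behaviour; the cluster sizes, file names and contents are constructed for the example.

```python
import math

DELETED = 0xE5  # real FAT tags a deleted directory entry by setting the name's first byte to 0xE5
FREE = 0        # allocation-table value for a free cluster
EOC = -1        # toy end-of-chain marker


class ToyVolume:
    """A toy FAT-style volume: a directory, an allocation table, and data clusters."""

    def __init__(self, clusters=16, cluster_size=8):
        self.cluster_size = cluster_size
        self.clusters = [bytes(cluster_size) for _ in range(clusters)]
        self.fat = [FREE] * clusters   # one next-cluster link per cluster
        self.dir = []                  # directory entries: name, first cluster, size

    def _needed(self, size):
        return max(1, math.ceil(size / self.cluster_size))

    def write(self, name, data):
        """Allocate a chain of free clusters, store the data, add a directory entry."""
        cs = self.cluster_size
        needed = self._needed(len(data))
        chain = [i for i, v in enumerate(self.fat) if v == FREE][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for k, c in enumerate(chain):
            self.clusters[c] = data[k * cs:(k + 1) * cs].ljust(cs, b"\0")
            self.fat[c] = chain[k + 1] if k + 1 < needed else EOC
        self.dir.append({"name": bytearray(name.encode()), "first": chain[0], "size": len(data)})

    def _entry(self, name, deleted=False):
        raw = bytearray(name.encode())
        if deleted:
            raw[0] = DELETED
        for e in self.dir:
            if e["name"] == raw:
                return e
        raise FileNotFoundError(name)

    def listing(self):
        """What the OS shows: entries whose first byte is not the delete tag."""
        return [e["name"].decode() for e in self.dir if e["name"][0] != DELETED]

    def read(self, name):
        e = self._entry(name)
        out, c = b"", e["first"]
        while c != EOC:
            out += self.clusters[c]
            c = self.fat[c]
        return out[:e["size"]]

    def delete(self, name):
        """Ordinary delete: tag the entry and free the chain; the data is not touched."""
        e = self._entry(name)
        c = e["first"]
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        e["name"][0] = DELETED

    def shred(self, name, passes=(b"\xff", b"\x00")):
        """Overwrite every cluster of a live file with each pattern, then delete it."""
        e = self._entry(name)
        c = e["first"]
        while c != EOC:
            for pattern in passes:
                self.clusters[c] = pattern * self.cluster_size
            c = self.fat[c]
        self.delete(name)

    def undelete(self, name):
        """Recovery-tool approach: the tagged entry still holds the start cluster and
        size, but the chain links were zeroed, so assume the file was contiguous."""
        e = self._entry(name, deleted=True)
        n = self._needed(e["size"])
        return b"".join(self.clusters[e["first"] + k] for k in range(n))[:e["size"]]

    def carve(self, marker):
        """Inventory approach: ignore the table and check every cluster for a marker."""
        return [i for i, c in enumerate(self.clusters) if marker in c]


def demo():
    """Walk through the outcomes discussed in the thread on constructed sample files."""
    vol = ToyVolume()
    vol.write("journal.txt", b"business plan: expect to be sued")   # constructed sample
    vol.delete("journal.txt")
    results = {
        "listed_after_delete": "journal.txt" in vol.listing(),
        "undelete_intact": vol.undelete("journal.txt") == b"business plan: expect to be sued",
        "carve_finds_it": vol.carve(b"sued") != [],
    }
    vol.write("later.txt", b"x" * 40)   # a later file reuses the freed clusters
    results["undelete_after_reuse"] = vol.undelete("journal.txt")
    vol2 = ToyVolume()
    vol2.write("draft.txt", b"sensitive notes")
    vol2.shred("draft.txt")             # overwrite first, then delete
    results["shred_leaves"] = vol2.undelete("draft.txt")
    results["carve_after_shred"] = vol2.carve(b"sensitive")
    return results
```

Run `demo()`: the deleted file vanishes from the listing but comes back intact from either recovery method, turns into the later file's bytes once the space is reused, and after the overwrite passes neither method finds anything but the last pattern.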
REP
Updated:

@EzzyB


If I really, really was unsure, I'd just pop-open the hard drive and destroy it


Thanks. Good idea, but impractical for my MC's situation.

The MC is starting a business and due to the nature of the business, he expects to be sued. So he sought legal counsel to prepare for that eventuality and to provide guidance to minimize his exposure. The lawyer needs the background of what motivated him to setup the business and how he plans to conduct business, so requested an electronic journal. Producing the initial journal might leave traces on the MC's computer, and the timing would probably result in them being non-recoverable. I had the idea of having the lawyer request updates and that would create an ongoing problem. Destroying the HD every month isn't feasible.

I was also involved in the intelligence community; but from what you described a month or so ago, we worked in very different areas. I don't talk about my USAF role, but my civilian role was predominantly training military intelligence personnel to operate and maintain the new technology my company created for the US military and alphabet agencies. My efforts also included writing O&M manuals for the intelligence gathering equipment. Most definitely not a Bond type role; more of an office job.

Replies:   ezrick
Zom
Updated:

@Ernest Bywater

trying to tell you the truth


EB, Over the years I have written software to directly manipulate FAT file systems, NTFS based file systems and Recycler databases without using the operating systems.

My software generally used BIOS level calls to sector/cluster reads and writes only. I won't go into the reasons for doing so, but as a result of my research and experience doing so, I am intimately familiar with the structures and operation of FAT and NTFS systems, first hand at the coal face.

My claims are not based on reading Wikipedia or other incomplete sources.

My mistake here was trying to correct assertions that were 'known' to be true by acclamation.

Crumbly Writer

@Ernest Bywater

A rose by any other name will still prick your thumb with its thorns. Call it a File Allocation Table or a Master File Table, it matters not, it still does the same job. When you format a drive with NTFS the amount of usable space is reduced due to it setting aside the space it uses for the Allocation Table which they call a Journal - same job, same basic process, different name because it has a few extras, that's all.

...

NTFS makes two copies of the table with one stored in a Mirror file.

Ergo, NTFS has a File Allocation Table which it calls a Master File Table.

The NTFS file does not operate the same way, nor does it present the same challenges. However, it still allocates (but doesn't clear) existing space, allowing 'deleted data' to remain indefinitely, potentially allowing it to be recovered later. But it is still harder to recover than it was under the older Windows system. In short, the danger is reduced, but surely not eliminated.

ezrick

@REP

I was also involved in the intelligence community; but from what you described a month or so ago, we worked in very different areas.


I actually worked for the four-letter agency, A-R-M-Y. Almost exclusively find-the-baddy-on-the-battlefield stuff. I find 'em, they kill 'em.

Still, as to the problem, I think Ernest may be on to something. Boot from a USB stick, with a pre-installed version of the OS on it. Defining the USB as the default drive for Word would be doable. As long as he doesn't get the USB drive confiscated he should be OK.

Replies:   REP
REP

@ezrick


Still, as to the problem


Thanks, but as I said I got the solution from an earlier post and it looks like it is working okay.

Not_a_ID

@EzzyB

SSD's may be even worse if I understand how they work correctly. They can only be written to a finite number of times before that section of drive becomes unusable. A modern "smart" SSD will then ensure it doesn't rewrite the same space until the whole drive has been used. A spinning hard drive will constantly try to reuse the outside of the platter (it spins faster, better performance).

It's called "wear leveling" with the SSD tech. Some variations require OS support and other things to function properly. Older SSD devices had lifespans in the hundreds of thousands of writes. Newer ones are into the millions now, IIRC.

That said, I haven't really looked into data forensics on them... But from initial impressions I had on them, trying to permanently delete something on them would be a bigger PITA than wiping a traditional HD with magnetic platters. (EMP may do nada, normal magnets do nada, and the chip itself may survive being hit with a hammer--so retrieving data from it might still happen. That chunk of silicon can be rather vexing in other ways. Of course ESD could potentially make it all moot.)

The one thing the solid state drives have is small form factor. USB thumb drives(and smaller) in particular. They're small, unobtrusive, and easy to dispose of without throwing all kinds of flags.

madnige

You may be interested in this paper:

Secure Deletion of Data from Magnetic and Solid-State Memory

...and a related paper

Data Remanence in Semiconductor Devices

Also relevant, IIRC and touched on in the above papers, flash memory controllers and modern HDD controllers (at the near-hardware level) will sometimes do an on-the-fly substitution of a good sector for a (near) failing sector, leaving the old data on the old sector which has been mapped out so it will not now get used, but it is still accessible by low-level methods.

If you want to destroy a USB stick, try putting it in a microwave at full power for 10s or so - or any electronics not heavily hardened and shielded so as to withstand EMP.

Replies:   Zom
Zom

@madnige

You may be interested in this paper:

Interesting reads. Thanks for the links.

Wheezer
Updated:

I decided to try a little experiment this morning. I have (had) two old hard drives to play with. I pried the covers off both drives (Hammer & chisel - no Torx driver the right size) exposing the platters. I placed about 5 pounds of lump charcoal in a pile, saturated it with lighter fluid, and laid the hard drives platter side down on top. After lighting the charcoal, I turned my leaf blower on the flames. Within a minute, I had a raging inferno going. The extra oxygen provided by the leaf blower turned that old junk bbq grill full of charcoal into a small blacksmith's forge. Within five minutes the drive platters were ash - nowhere to be found, and the aluminum drive cases were melted. All that remained was some stainless steel hardware & screws. Let's see them recover data from that! :D

Addendum: I just checked, and the copper cores of the printed circuit boards partially survived, although they are little more than copper foil at this point.

Lapi
Updated:

@REP

Unless you use a flash drive or an external drive, data can be re-created. It becomes very expensive and time-consuming. You should not use DES 256 since DES 256 has a backdoor. Some non-US encryption when used after things get deleted several times makes it harder. The data will not stand up in court but it will be re-created. One of the reasons 'Glyphs' have disappeared, NSA and some 'No-names' do not like them.

Most level 17 clearances just use DES 256 and an external drive. Be sure to boot from it also not from the hard drive of the PC.

Joe Long

@Capt. Zapp

Reportedly Hillary Used BleachBit and a hammer.
