One thing I’ve learned in recent months is that the task of erasing files from a hard drive is much harder than I’d originally thought, and there are several factors that make data recoverable from even the oldest and most worn-out storage device a forensic investigator might come across.
Deleting a file, even from a ‘trash’ folder, simply removes it from a list and hides it from the operating system. It might get overwritten eventually, but the file still remains until then. A lot of people already know this, so they might use special disk-wiping programs, like CCleaner.
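The behaviour described above, as an added example that is not part of the original post: a toy in-memory volume showing that deleting only drops the directory entry, plus a read-back check to run after overwriting free space. The cluster size, file names and contents are constructed, this is not a real filesystem format, and it models only what a logical read of the device returns.

```python
CLUSTER = 16  # bytes per cluster (constructed toy value)

class ToyVolume:
    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)  # bytes actually on the device
        self.free = set(range(clusters))          # allocation map
        self.directory = {}                       # name -> (clusters, size)

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)           # ceiling division
        chosen = sorted(self.free)[:need]
        if len(chosen) < need:
            raise OSError("volume full")
        for i, c in enumerate(chosen):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free.discard(c)
        self.directory[name] = (chosen, len(data))

    def delete(self, name):
        """'Delete' as the OS does it: drop the entry, mark clusters free."""
        clusters, _ = self.directory.pop(name)
        self.free.update(clusters)                # raw bytes are left untouched

    def overwrite_free(self, fill=0x00):
        """Single-pass overwrite of every unallocated cluster."""
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes([fill]) * CLUSTER

    def residue(self, needle):
        """Raw offsets in unallocated space where needle is still readable."""
        hits, pos = [], self.raw.find(needle)
        while pos != -1:
            if pos // CLUSTER in self.free:
                hits.append(pos)
            pos = self.raw.find(needle, pos + 1)
        return hits

def demo():
    vol = ToyVolume()
    vol.write("notes.txt", b"shopping list")
    vol.write("bank.txt", b"sort code 00-00-00 acct 00000000")  # constructed
    vol.delete("bank.txt")
    listed = sorted(vol.directory)        # what the operating system shows
    after_delete = vol.residue(b"acct")   # what a raw scan still finds
    vol.overwrite_free()
    after_wipe = vol.residue(b"acct")     # logical read-back after overwrite
    return listed, after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```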
Disk-wiping programs supposedly overwrite an area of the hard disk several times with a random stream of bits. The problem with this is that most random number generators don’t produce anything truly random, although some are better than others. Several programs are available that can separate the layers of bits and therefore recover the original data. When used in security systems, random number generators can often be compromised in several ways, sometimes by changing the temperature and voltage levels of the circuit to manipulate the output.
The third thing to remember is that magnetic storage devices require a stronger magnetising force to erase data than to write it, and given the limited magnetic field strength a read/write head can generate, it can’t be done this way. Traces of the original recording would always be present in the background on a cassette tape, no matter how many times it was re-used. The same could be said of hard disks.
The only reliable way of making data unrecoverable is to physically destroy the storage device. Of course, doing this and replacing it on a regular basis costs money, so a person who routinely stores anything incriminating also has the problem of knowing when to destroy it.
So basically anyone who’s determined to recover the entire history of an intact hard disk drive, and knows how, will do just that. Those who believe there’s any truth in the ‘nothing to hide, nothing to fear’ concept would be in for a real shock, considering the average person has indeed stored embarrassing stuff at some point, not to mention the data that would compromise their bank accounts. Those I know with first-hand experience of data recovery won’t pass on their old storage devices under any circumstance for this reason.
Organisations are also faced with this same problem when replacing IT equipment. A disposal firm collects the equipment on the understanding that the hard drives are wiped before the computers are sold on. Unfortunately this isn’t entirely the case.
A study by the forensics department at the University of Glamorgan, in which used hard drives were collected and analysed, revealed data belonging to businesses could be recovered by criminals buying used computers with the intention of getting hold of this data. This was often after the disposal firm ran disk-wiping software.