History in your computer

[Nitro89]

hi, i know a PC keeps a deep detailed history of your doing deep inside the system, does anybody know how to access this please?

[guns1inger]

Actually, it's not that deep or detailed. It depends on what you are looking for. The registry will keep some items, like the last 5 word documents you opened. many programs use the registry to store the last items accessed. Some older programs still save these details in .ini files, which could be anywhere. Then you have internet browsing history, last accessed sites and temporary cache. You have cookies.

Good forensics people can also piece together a lot from all the data you have deleted, because unless you deliberately remove it and overwrite all the free space several times with random junk, a lot can be retrieved.

Short of taking out the HDD and exposing it to very high magnetic forces to completely scramble the content beyond recovery, there is nothing you can do to stop good forensics people finding things you thought were gone. I have seen some of these guys in action, and it is scary just how much they can get from a completely formatted drive.

[Nitro89]

wow, i didn't know that much!

[yoda313]

Yeah best thing is to puncture it so it can't be accessed at all. That is if your that concerned about throwing it away.

That said I still have my 386 on hand so I'm not too worried about it (and i'm still using my xp emachine along with my new vista pc).

[gadgetguy]

While it's true that good forensics people can retrieve far more data than people think, no one can retrieve data that's been overwritten. Even if it's only been overwritten once. The data on the drive is only a series of 1s and 0s and it has to be one or the other because either it meets the threshold or it doesn't. Contrary to popular belief, what is commonly referred to as a "full format" does not change all of the bits to 0s (or 1s). It only resets the directory and flags, and the lead-ins for each segment. (As opposed to a quick format which only clears the directory and flags). This is why a lot of data can be retrieved after a full format and the magic of the forensics guys is being able to patch the seemingly disconnected data together into a coherent stream.

This info comes from a friend of mine that has done forensic recovery. I asked him about a algorithm I heard about that analyzes "near threshold" bits on a hard drive and tries to reconstruct data from that, but he said that while it's theoretically possible he's never seen it work in practice and a smart lawyer can call on their own experts and dispute the process as being too unreliable.

Of course I said all that to emphasize that if you really want to delete your data, it has to be over-written and you need software specifically designed to make sure that happens.

[Nitro89]

when you delete files does the file that you just deleted, can it be accessed again?

[gadgetguy]

Yes, as long as nothing else is written over it.

[Nitro89]

you've lost me

[gadgetguy]

When you delete a file it is not removed from the hard drive, it is only removed from the directory and the storage area is made available. As long as nothing gets written over the same storage area, the file is available for recovery.

[thecoalman]

You can even make partial recoveries where data has been "overwritten". Your hard drive is broken up into clusters, each cluster can only hold 1 file or a part of one file. when the files is written the last cluster to be used is not entirely overwritten and contains partial data called slack space.

You can use something like BCwipe, this will overwrite all free space on your HD including the slack space. Assumming you have deleted everything the files are most likely unrecoverable.

If you really want to be safe use Dban http://dban.sourceforge.net/ , then drill holes in it, take it out to the shooting range for a meet and greet with a .357 and finally throw it into a cauldron of molten steel.

[GimpGuy2000]

Hi all, just thought I'd throw my 2 cents worth in. When it comes to data, there is equipment that can recover info even from a written over drive, burned, even in pieces, however, take these things into consideration, they use microscopic tools in forensic labs to do this, it's a long tedious process, highly expensive "probably more money I make in 5 years" and not worth anyone's time unless it's some top secret info or crime type scenario. With this in mind, I doubt you have to worry as writing over it will probably more than enough for your taste.

The only other means to make sure a hard drive is completely erased beyond a doubt, drill holes in it, scrape the platters on the concrete, use them for Frisbees, burn them to a crisp . But once again, I doubt you would need to go through such extremes. The average "JOE" won't have anything worth the time, money or effort.

Cheers,

Paul

[sacajaweeda]

Do all that then toss it in a WOODCHIPPER!

It might be pointless, but I bet it'd be about 1/10th of a second of fun and make a really neat noise.

[GimpGuy2000]

Do all that then toss it in a WOODCHIPPER!

It might be pointless, but I bet it'd be about 1/10th of a second of fun and make a really neat noise.

LOLLL. Well, that's one way for sure... Give it to my 2 year old, she destroys anything!


Paul

[Nitro89]

i wanted to recover something, but oh well

[thecoalman]

Do all that then toss it in a WOODCHIPPER!

That didn't help this guy: http://www.crimelibrary.com/notorious_murders/family/woodchipper_murder/index.html

[GimpGuy2000]

i wanted to recover something, but oh well

Hi nitro, didn't see that. What are you trying to recover? Sometimes a simple system restore will do. There are some recovery tools for certain items, etc...however it highly depends what you want to recover.

Paul

[lordsmurf]

there is equipment that can recover info even from a written over drive, burned, even in pieces, .....they use microscopic tools in forensic labs to do this,

I speak with forensic specialists from time to time, and have never heard of this. Do you know the name of this supposed product? I'd like to hear more, if such a beast actually exists.

[GimpGuy2000]

there is equipment that can recover info even from a written over drive, burned, even in pieces, .....they use microscopic tools in forensic labs to do this,

I speak with forensic specialists from time to time, and have never heard of this. Do you know the name of this supposed product? I'd like to hear more, if such a beast actually exists.

Hi, it's not specific equipment or a "name brand" or "product"like Kraft. You can't buy it at your local Walmart.
Hard drives that are trashed , the data can be extracted a bit at a time using microscopic technology. I think another term is MFM which can take months to a couple of years depending on what you need recovered which is why I stated it's used by forensics, crime investigations and intelligence or high cost recovery companies, I also imagine some crime investigations simply go to a PC forensics lab. Not all agencies are going to have or have access to this I'm sure as it's probably quite costly. Just tell the forensic guys you speak to, to Google on Computer forensics as well, I'm sure something will come up. While I'm not sure on the solidity of this site, here is a link...

http://www.computerforensiclabsinc.com/services.html

Even after wiping a disk, then using MFM, it shows a 98% wipe which leaves data recoverable. Could be why government agencies and military etc...order any drives destroyed, slagged, turned to dust if you will. If data was not recoverable, I don't think it would be an issue. Sure, it's not 100% but what is?

All that aside, I was simply making a point about worrying about data erasing. Unless it's some top priority, a typical wipe will do.

Hope this answers your question.

Cheers,

Paul

[ofbarea]

Get this book: Steal This Computer Book 3: What They Won't Tell You About the Internet

I had the previous edition and it is very interesting reading. It has a section of computer forensics.

[lordsmurf]

Hi, it's not specific equipment or a "name brand" or "product"like Kraft. You can't buy it at your local Walmart.

Well, no shit.

But for such a process to exist, some degree of tools have to exist that allow for the process to take place. Even the link you gave shows no evidence of the claim that even a severely-damaged drive can be recovered, as you stated.

MFM is nothing more than the method by which data is magnetically written to a floppy diskette. Hard drives have not used that method in decades.

I don't expect a link to a Walmart.com item, but a white paper from a specialty company would have been nice. If it truly is a process that can be done with existing tools, I would expect such information would be available somewhere.

I don't expect to buy one, but I was hoping to pass along such information next time I converse with or visit a criminalist. Their field changes all the time, and it's hard to keep up with all the available technologies.

[adam]

MFM is nothing more than the method by which data is magnetically written to a floppy diskette. Hard drives have not used that method in decades.

He's not talking about "modified frequency modulation" he's referring to "Magnetic Force Scanning Tunneling Microscopy"

I don't expect a link to a Walmart.com item, but a white paper from a specialty company would have been nice. If it truly is a process that can be done with existing tools, I would expect such information would be available somewhere.

http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html
http://en.wikipedia.org/wiki/Scanning_tunneling_microscope

It's data recovery at the ATOMIC level. Even though the data is overwritten completely, and even though it can only be overwritten with a 1 or a 0, a bit is never written exactly the same so through these microscopes you can see evidence of past bits that have been written and then repeatedly overwritten. With this information, it can be possible to recover/recreate data that has been completely overwritten.

[GimpGuy2000]

Lordsmurf

Well, no shit.

LOL, no, I knew you didn't think so but was just making a point, I don't think the equipment is exactly well known brands or anything. I could hazard a guess and say GE, since they make so much equipment for hospitals, etc...but it would only be a guess.

But for such a process to exist, some degree of tools have to exist that allow for the process to take place. Even the link you gave shows no evidence of the claim that even a severely-damaged drive can be recovered, as you stated.

Isn't it up to forensic types to FIND evidence? "kidding of course"

I don't expect to buy one, but I was hoping to pass along such information next time I converse with or visit a criminalist. Their field changes all the time, and it's hard to keep up with all the available technologies.

I see. I thought they brought people in to teach criminologists new technologies and keep them updated. The reason I say this is my old college instructor who teaches everything PC, internet, all securities, etc...has many awards and well, let's say I could never come close to being his PC expertise status. Back to point, he travels all over to teach new technologies to all sorts of crime types including the F.B.I to keep them all technologically updated including technological forensics. It was he who I first learned this from some years back. But I suppose it depends on what level these forensic guys are and in smaller organizations, just as with any, supply is scarce I'm sure. I'm no criminologist but I did stay at a Holiday Inn

It seems Adam has tackled the response well so hopefully that helps and no point in me going over it again then.

So any who, take care.

Adam

Thank you for posting that, much appreciated.


Paul

[thecoalman]

It's data recovery at the ATOMIC level. Even though the data is overwritten completely, and even though it can only be overwritten with a 1 or a 0, a bit is never written exactly the same so through these microscopes you can see evidence of past bits that have been written and then repeatedly overwritten. With this information, it can be possible to recover/recreate data that has been completely overwritten.

That's actually quite amazing, imagine the storage possibiliites even applied to todays standard drives.

[lordsmurf]

I thought they brought people in to teach criminologists new technologies and keep them updated.

Yeah, about the same as people teach doctors new medicines.
It's sadly very similar, where new products are sold, conferences are attended, and new information is fed down the usual channels. But to learn more, you have to seek out the information on your own. I also do not refer to the mega-sized crime labs like you see on the CSI television show (only a few of those exist in the world), but your average lab. I had a conversation with one not long ago, and this exact discussion came up.

IT folks are largely unaware of this too, and I interact with plenty of them.

Thanks for the info adam, that's what I was looking for.

[guns1inger]

It also depends on who you are trying to hide it from. If it is your parents/siblings/school IT guys then just deleting and overwriting will be fine in most cases. There are plenty of tools, many freeware, that will hide enough of your crap.

From a forensics point of view, they may not have to recover every bit, they just have to find enough to infer the existence of suspect files.

So, what are you trying to hide ?

[thecoalman]

i wanted to recover something, but oh well

[Doramius]

Most everything as far as destroying it, has been said. It's difficult to totally lose the information. Once something is magnetized, it tends to hold a strong impression of the magnetism for a long time. Rewriting can cause the polarity to change in parts to make it more difficult to retrieve. Melting it is the 100% sure way. However, you aren't trying to destroy your drive.

What are you trying to recover? If it's a document or a simple file, and you haven't done too much activity, it may not be too hard to recover. You may want to take a look at the overall cost of trying to recover something. If it's financial information for a major business that you require to avoid a tax audit, you may want to put forth the effort. If it's just an email that you had some really good points you just can't remember, you may just need to take it as a sign from above and start over.

In the computer world, there's a term called "Cost of Ownership". It means, If it costs more to repair or troubleshoot, start over. There is no sense in trying to figure out how to stop a nasty virus in a single PC when it's moving at snails pace and has already taken 3 hours longer than you expected to work on it. Back up important things, wipe the drive and reinstall the OS. Do a scan on your backup data, and then restore the settings. That's just an example, but I feel it drives the point of understanding.

[gadgetguy]

I found the first document Adam linked to interesting. To summarize what I read:
"Hard drives are sloppy and leave a lot of stuff behind. Using the stuff that gets left behind, data that was once there can be reconstructed."
This caught my eye in the conclusion:

Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media)"

Isn't that the definition of overwritten?

This seems to confirm that data that is truly overwritten cannot be recovered, however due to the inherent properties of magnetic media and manufacturing limitations, it is unlikely that portions of each data bit location will be completely overwritten, leaving telltale marks of the prior data.

I still remain skeptical about the reliability of data retrieved this way. It must require extraordinary patience and/or luck to be able to piece together any coherent data. And from the opening remarks of the paper I have to question if this is more misinformation designed to intimidate.

[MackemX]

I always used to just format then copy a huge file multiple times until the disk was full again thinking that would be OK but as mentioned I'm sure you can still recover previous data

[GimpGuy2000]

I thought they brought people in to teach criminologists new technologies and keep them updated.

Yeah, about the same as people teach doctors new medicines.
It's sadly very similar, where new products are sold, conferences are attended, and new information is fed down the usual channels. But to learn more, you have to seek out the information on your own. I also do not refer to the mega-sized crime labs like you see on the CSI television show (only a few of those exist in the world), but your average lab. I had a conversation with one not long ago, and this exact discussion came up.

IT folks are largely unaware of this too, and I interact with plenty of them.

Thanks for the info adam, that's what I was looking for.

I see. So really they get left in the dark more or less. Well, I wish tax dollars went to them for learning, equipment, etc...but unfortunately it goes everywhere it shouldn't. As I said, my old instructor went in to update the F.B.I clan on internet security, etc...but that's the F.B.I, they can afford it. I think the same SHOULD be done for any crime team not saying it ever will. I guess in many ways, when these guys rely on their own resources and learning, in my eyes, that is something to be proud of.

Anyway, I suppose if they could find a place to send evidence "eg...a hard drive" that could aid them quite a bit. I am no expert on the way it's done but I do know it can take a couple of years to microscopically extract every bit "or enough" data to convict. Depends on the amount of info and condition of the drive.

Just a thought not fact: I think if they used a sort of microscopic imagery to sort of 3-d snapshot the drive it may be a faster process. They could then read the data by feeding the shot into their system. Of course as technology grows, I'm sure they will find better ways.

Honestly, I don't think we'll have hard drives too much longer, I think it'll all be on a chip eventually. There are already 64 gig flash drives for a grand. Not long and computers will use this type of storage exclusively. Just my opinion though.

Cheers,

Paul