NORMAN — I am sometimes asked to perform basic computer forensic analysis for customers who want to know if their computers have been used for “illicit” purposes. The results can be revealing, if not downright disturbing.
One customer, the owner of a popular hairdressing salon, needed to know if her employees had recently used a company computer to visit pornographic websites while she was out of the office. Another client, an attorney, wanted to know if a certain machine had been used to download pornography that could have possibly been viewed by children using this “family” computer.
The first job was relatively simple. Even though you can delete the temporary “cache” files of an Internet browser, a history of visited websites is still sometimes retained in a hard-to-remove “.dat” file. A little special processing and fiddling about, and, voilà, I had a list of recently accessed websites. Indeed, many were porno websites.
The second job was a bit more difficult, as someone had tried to cover their tracks. There were no clues in any of the normal places. At the very least, someone had “deleted” files and then emptied the “recycle bin.” I was also told that the computer’s hard drive might have been reformatted in an attempt to “erase” files.
Again, after employing some special and unusual measures, I recovered thousands of hard-core porn pictures from what appeared on the surface to be a “clean” computer. Someone was in big trouble.
Keep privacy in mind before you sell or give away your old computer. A study done by students at MIT, examining 158 used hard drives purchased on eBay, found that 74 percent of the drives contained readable data, even though 36 percent of the drives had been reformatted.
Discovered were emails, medical records, financial data and 3,722 credit card numbers, not including one hard drive that came from an ATM that contained bank account numbers and 2,868 credit card numbers.
True erasure of computer files requires a bit of work. Simply deleting your personal files and emptying the recycle bin does not get the job done. Repartitioning or reformatting doesn’t do it, either. A file is not truly erased until the physical space that it occupied on the hard drive is overwritten with new data.
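The point above, as a small added example (not part of the original column): a toy model of a drive in Python, showing that deleting a file or reformatting only changes the file table, while a raw scan of the blocks still finds the data until the free space is overwritten. The `ToyDrive` class, file names and sample contents are constructed for illustration and do not describe how any real file system or cleanup program is implemented.

```python
BLOCK = 16  # bytes per block in this toy drive

class ToyDrive:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks  # raw storage
        self.table = {}                         # file name -> block numbers it owns

    def free_blocks(self):
        used = {b for owned in self.table.values() for b in owned}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("drive full")
        owned = free[:len(chunks)]
        for blk, chunk in zip(owned, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK, b"\0")
        self.table[name] = owned

    def delete(self, name):
        # Delete plus "empty the recycle bin": only the table entry goes away.
        del self.table[name]

    def quick_format(self):
        # Reformatting builds a new, empty table; the blocks are untouched.
        self.table = {}

    def wipe_free_space(self):
        # "Free Space Only": overwrite every block that no file owns.
        for blk in self.free_blocks():
            self.blocks[blk] = bytes(BLOCK)

    def raw_scan(self, needle):
        # What a recovery tool does: ignore the table, read the raw blocks.
        return needle in b"".join(self.blocks)

def demo():
    d = ToyDrive(8)
    d.write("keep.txt", b"grocery list: eggs, milk")
    d.write("secret.txt", b"card 0000-0000-0000-0000 (constructed)")
    seen = {}
    d.delete("secret.txt")
    seen["after_delete"] = d.raw_scan(b"0000-0000")       # still readable
    d.wipe_free_space()
    seen["after_wipe"] = d.raw_scan(b"0000-0000")         # overwritten
    seen["kept_file_intact"] = d.raw_scan(b"grocery list")
    d.quick_format()
    seen["after_format"] = d.raw_scan(b"grocery list")    # format alone erases nothing
    return seen

if __name__ == "__main__":
    print(demo())
```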
To clean up your old files, you need to delete them, empty the recycle bin and follow up by running a file cleanup program like CCleaner (available at ccleaner.com). CCleaner also can get rid of those pesky temporary and “.dat” files mentioned above.
CCleaner has a function called “Drive Wiper” that does exactly what you need for true file deletion, providing an effective and easy way to make unwanted files completely disappear.
Run the program, click Tools on the left and select Drive Wiper from the list of functions. Make sure the dropdown box next to “Wipe” says “Free Space Only,” rather than “Entire Drive.” Otherwise, you will erase the entire hard drive and your computer will no longer work. Oops.
Next, select how thoroughly you want the files to be erased. Without going into an entire treatise on computer forensics theory, suffice it to say the default security setting, “Simple Overwrite,” will work for most situations. Finally, pick which drive to wipe and click “Wipe.”
When it comes to computer file erasure, what we are most concerned with is the probability that your computer will some day be sold, given away or thrown away. When that happens, you want to make sure that your personal files have been deleted so they don’t fall into the wrong hands. For this purpose, CCleaner’s “Simple Overwrite” will get the job done.
If you are worried about genius computer super-experts recovering your files, then choose the higher, three-pass to 35-pass security functions. Be warned, though; they take a long time. Just to see what would happen, I once chose the 35-pass setting on one of my test computers; it took a full week to finish.
Dave Moore has been performing computer consulting, repairs, security and networking in Oklahoma since 1984. He also teaches computer safety workshops for public and private organizations. He can be reached at 919-9901 or davemoorecomputers.com.