The ghost of information past: think deleted data from your PC is gone for good? Think again

Rebecca Rohan



When businesses use technology to resurrect lost computer data, they call it “rescue” or “recovery.” And that’s a good thing. When the government or litigants in a case retrieve someone’s data, it’s called “computer forensics.” And whether that’s a good thing depends on which side of the lawsuit you fall. When the competition takes your hard drive out of the dumpster or a blackmailer bids on your retired PCs or mainframes, you’ll call it something else–loudly and with a few choice words. To put it plainly, data on your hard drive often lives on long after you think it’s been destroyed, leaving you vulnerable to the competition or data thieves. But you can fix that problem.

First, you should keep track of your old, small-capacity, or broken hard drives. Make sure you know what’s on them. If it’s information you wouldn’t want anyone outside of the company to have, store those drives in a secure location or destroy the data. But you’d be surprised to know that simply reformatting hard drives before throwing them away doesn’t prevent someone from reclaiming the data. There is even a danger of data coming back after you’ve shredded electronic files with software that overwrites the hard drive.


The best way to protect your business is to physically destroy the hard drive–the platters, or disks, inside the drive that store information, says Bill A. Thompson, a 22-year veteran of Britain’s Royal Air Force Police and a part-time computer investigation instructor with Guidance Software in Marina del Rey, California. “That is a sure way of preventing the recovery of information,” says Thompson. To do this, he says, you need two basic tools: a hammer and a screwdriver. “Break open the case and destroy the platters,” Thompson says. “You can get software that will do multiple overwrites of the hard drive with different characters, and usually this would be good enough. If someone wanted to get information from your hard drive after the multiple overwrites, they would need specific help. It would not be easy, and it would not be cheap, but it can be done.”

If you’re serious about security, start with multiple overwrites, using software that conforms to Department of Defense specifications. Then spend a few minutes with a magnet, hammer, and screwdriver. Together, these tools can save a lot of sleepless nights, if not lawsuits. As for floppy disks, Thompson says just breaking one won’t do: “There are cases where a suspect has broken a diskette and cut the magnetic media inside the disk with pinking shears. Investigators were able to piece together the fragments of the media, held together with little more than cello tape, and were able to recover valuable evidence from the disk. It is the magnetic media inside the casing that needs to be destroyed.” Thompson’s suggestion for destroying it: “Burn it to a crisp and make sure that the remains are crushed to dust.”

Of course, if the drives are still in service, use stringent social, physical, network, and software security to protect your data.


Companies can learn to minimize their exposure, says Joan Feldman, president of the Seattle-based Computer Forensics Inc. Computer Forensics helps companies handle issues such as data restoration and content and retention control. Content control means using three ways of preventing certain content from being created on your company’s system. Feldman first advises clients to develop a privacy policy. “Alert people that the materials on their computers are not their own,” she says. “An informed adult will make the right decision about what they want to stay and what they want to keep on a computer that might be reviewed by another person. Informing them cuts down on the incidents.”

Second, Feldman advises a usage policy, banning inappropriate jokes via email and other program files. “If you don’t write it, you don’t have to get rid of it,” she says. Third, she suggests turning to technology. “Install software that monitors e-mail and Internet transactions, and software that blocks words or phrases from traveling through email systems.”

Retention control means teaching employees not to save too much information. “I talk to them about what they do with their backup tapes,” says Feldman. “They are routinely created in almost every business environment, and almost always contain everything that’s on the computer system. Usually the backup tapes are recycled or reused on some kind of a schedule. When you reuse a backup tape, the new information replaces the old. Some companies have to keep it for specific lengths of time, but some have no such reason.”

Whether or not an e-mail at the heart of a lawsuit actually exists on the tapes, restoring and reviewing one day’s worth of documents and e-mail for a company with 100 employees can cost up to $30,000, not including attorney fees, says Feldman. “We look at all the possible places they could be storing information, then make recommendations for lowering the volume,” she says. Technological help can come in the form of self-expiring e-mail (head to for a free trial) or auto-purge functions that empty trash mailboxes after a certain period of time. For example, you can set Microsoft Exchange (the server side of Microsoft Outlook) to purge e-mail on a schedule. “All of the major e-mail applications have functions that can schedule purging of email,” Feldman adds. “Five years ago people didn’t know what we were talking about; maybe they hadn’t been sued,” she says. “Sadly, after the experience of being subpoenaed, they get interested in how to keep less data.”

The best way to keep your company’s data secure is to follow the advice of Thompson and Feldman: limit the type of data created or stored; limit the length of time you keep data; limit the locations of data, such as removing it from retired drives; and destroy data completely when its number is up.

All Gone?

Here are some common methods companies use to destroy data and why they might not always work:

* Recycling. Recycled files are not deleted until the space is needed or someone manually deletes them. Anyone can easily recover the files using simple Windows commands such as double-clicking the Recycle Bin icon, selecting the files you want to recover, and choosing restore.

* Deleting. Deleted files are still on the hard drive; only the file names are changed, so you can’t find them through usual methods such as a File/Open dialog or in Windows Explorer. The files remain on the disk until they’re overwritten by other data. Anyone can buy a do-it-yourself recovery program such as Ontrack’s EasyRecovery Professional Edition 5.12 ($489;

* Shredding or file-wiping. Some utilities let you overwrite files multiple times with patterns of ones and zeroes, but computer forensic software may still recover them if the method used isn’t strong enough. If you do succeed in destroying the files you meant to, the data they contained may still exist in more places on the drive, such as in the cache, backup or temporary files, a swap file, virtual memory, the print spooler, thumbnail versions of graphics, preview versions of print documents, temporary Internet browser directory, or in any number of alternative file views.

* Reformatting. Reformatting makes the file system invisible to Windows when you reload it onto the clean disk, but software may be able to reclaim the pre-format data.

* Hiding files and directories. Forensics software knows the tricks. EnCase, for example, makes thumbnail pictures of all graphics files even when the pictures’ extensions have been changed from .JPG to .DLL. (For a review of EnCase, see “Nowhere to Hide,” Techwatch, this issue.)

* Hiding partitions. Even partitions created on your Windows PC by other operating systems are easily exposed by FDISK, identified by utilities such as PowerQuest’s PartitionMagic 7.0 ($69.95;

* Copying to disks. Floppy disks, CD-ROMs, and PDAs won’t shield or protect you. Some software can copy any drive remotely, so if someone makes it into the system, there is a risk that the drive will be read while attached to the system or remnants of the data will be read while in other parts of the system.
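
An added example, not from the original article or from any product it names: a Python check that scans a raw image of a retired drive for file-header signatures (content-based identification that does not depend on file names or extensions), then overwrites the image in several passes and scans again. The signature list, the function names and the 64 KiB sample image are constructed for illustration.

```python
import os
import tempfile

# Start-of-file signatures ("magic bytes") for a few common formats.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
              "pdf": b"%PDF-", "zip": b"PK\x03\x04"}

def scan_image(path, chunk=1 << 20):
    """Return sorted (offset, kind) hits for known signatures in a raw image."""
    keep = max(len(s) for s in SIGNATURES.values()) - 1
    hits, base, tail = set(), 0, b""
    with open(path, "rb") as f:
        while data := f.read(chunk):
            buf, start = tail + data, base - len(tail)
            for kind, sig in SIGNATURES.items():
                pos = buf.find(sig)
                while pos != -1:
                    hits.add((start + pos, kind))
                    pos = buf.find(sig, pos + 1)
            # Carry the last bytes over so a signature split across reads is found.
            tail, base = buf[-keep:], base + len(data)
    return sorted(hits)

def overwrite_image(path, passes=(None, b"\xff", b"\x00"), chunk=1 << 20):
    """Overwrite every byte in place, one pass per pattern (None = random bytes)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next

def demo():
    """Constructed 64 KiB image: zeros plus headers left by two 'deleted' files."""
    img = bytearray(64 * 1024)
    img[4096:4099] = SIGNATURES["jpeg"]
    img[20480:20485] = SIGNATURES["pdf"]
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    before = scan_image(path)    # headers still present after "deletion"
    overwrite_image(path)
    after = scan_image(path)     # nothing left once every byte is overwritten
    os.remove(path)
    return before, after
```

A clean scan covers only the listed signatures and only the region that was overwritten; as the list above notes, copies can persist in swap, temporary and spool files elsewhere on the drive.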

COPYRIGHT 2002 Earl G. Graves Publishing Co., Inc.

COPYRIGHT 2002 Gale Group