Get a FREE fully-working copy of Steganos Security Suite 7 (worth £49.99) when you sign up to the Practical PC Newsletter. Restoring Deleted Files - Part 3
Kai Chandler delves into restoring deleted files - Part Three
In Part One of this series of three articles on restoring deleted files, we looked at the Recycle Bin and how to restore deleted files held there.
In Part Two we focussed on recovering deleted files even after they've been removed from the Recycle Bin.
This third and final part covers secure deletion of files. As there are so many ways of restoring deleted files, how can we be sure a sensitive file has been properly erased?
Given time and resources, most files, no matter how securely deleted, can be recovered. If you don't want it found, don't put it on the computer!
It's really a case of 'horses for courses.' Someone protecting government or commercially sensitive information may go to more extreme lengths than someone deleting routine office files.
Single Pass files
The simple answer is to use a software tool to overwrite a file with other data in a single pass. But is this enough?
Department of Defence Method
In the hands of a forensic technician, a hard disk can be made to reveal data even after it's been overwritten once. The US Department Of Defence recommends that the data area is overwritten with 0s, then 1s and then once with pseudo-random data. But is this enough?
Gutman method
Peter Gutman of the Department of Computer Science, University of Auckland reported in his paper, 'Secure Deletion of Data from Magnetic and Solid State Memory' that '...it is effectively impossible to sanitise storage locations by simply overwriting them, no matter how many overwrite passes are made or what data patterns are written.' Overwritten data can be recovered using magnetic force microscopy, in which the magnetization patterns on the hard disk surface are made visible. However, it's generally accepted that 35 passes of overwriting is as secure as it gets. Of course, the more overwrites, the longer it takes.
Beware hidden copies
Unfortunately for those wishing to hide their tracks, copies of the deleted files may be hidden elsewhere on the hard disk such as the slack space between used disk sectors, or in Windows' swap files.
If you intend using so-called secure file deletion tools then be warned that they are not always as effective as they'd like to be. One that seems to do the job is East-Tec Eraser 2002. It clears swapfiles and for ease of use adds an 'Erase beyond recovery' option to the right-click menu from Windows Explorer. East-Tec Eraser 2002 is shareware so you can try before you buy. Download from http://www.east-tec.com/ If you like it, East-Tec Eraser will cost $39.95 to register.
There's a wealth of information on the subject of secure file deletion at the SANS Institute Information Security Reading Room http://rr.sans.org/incident/index.php
