Erasing Data from Your Hard Drive - Permanently
Published: Oct 03, 2003
By Stephen Elderkin
Law Enforcement Technology Magazine
There is no longer any doubt that your personal identity is now embedded in computer technology. The personal computer has become a mainstream household appliance in homes across the United States, almost as common as a microwave oven.
Every computer sold today facilitates easy access to the world's new www backbone of information. Online banking, bill paying, shopping, health insurance, flight booking - just about every transaction is possible via the Web. Ease of use and cost efficiency are driving forces behind this trend.
However, while the Internet has made life more convenient and efficient, the tools necessary to secure the wealth of personal information disseminated in online transactions lag behind.
Security has become the hot topic for individuals, companies and government agencies. With a single Internet connection, virtually anyone in any place using a computer can gain access to confidential and proprietary information. Even deleted files are not safe. As a result, companies are making significant security investments to safeguard themselves from uninvited outside connections to their machines.
According to International Data Corp. (IDC), corporate spending for IT security and business continuity solutions is projected to grow to $155 billion by 2006.
But within all the hype and marketing storms on security issues lies one generally overlooked security hole: retired PC's, a back door into personal privacy. According to the National Association of Investigative Specialists, it is estimated that identity theft is affecting 500,000 new victims per year at an estimated annual cost of anywhere from $700 million to $3 billion.
How Hard Is it to Steal and Use Someone's Personal Identity?
To illustrate, let us examine the simple scenario of John Doe. John works as an advertising director. He, like many of us, uses his personal computer to do online banking and keep track of his financial records.
The day finally came when John decided to donate his computer to a local charity and buy the laptop he had been saving for. To verify his data was gone, John reformatted his drive to erase personal and previously deleted files. John then charitably donated his old computer.
Two weeks later, John was at a lunch meeting with an important client when he learned that his credit card had been rejected. John promptly checked his account online and found that someone had purchased $3,000 worth of stereo equipment a week before.
John's story is not unique. What John did not know is that a couple of cyber criminals had become quite adept at purchasing old computers from local charities and mining them for data. With little effort, they searched and recovered John's deleted files and Internet history from his old PC.
John did password protect his financial file, but only to his demise. The perpetrators simply downloaded a password-breaking tool from the Internet and recovered the password John used to protect his data.
Unbeknownst to John, his Internet banking URL, along with login ID, were stored in an Internet cookie located on his hard drive, john used the same password to permit access to both his financial records and online banking account. John's personal identity was compromised. John's deleted files, credit card data, billing data and transaction history were now unprotected.
Armed with John's identity and purchase history, the criminals made an online purchase of $3,000 worth of stereo equipment from the same online store that John had purchased from a month ago. The equipment was delivered to a false address using next day shipping.
With their crime completed, the offenders disappeared from John's life, leaving him to clean up a sticky situation, since the burden of proof of fraudulent behavior now rested on him.
John had the responsibility of somehow proving that he did not make purchases a second time from the online electronics store. This presented quite a challenge because he had previously purchased similar equipment. John's integrity was called into question by the credit card company and a very long and costly settlement process began.
Unfortunately, John is not alone. According to the FBI, identity theft is the fastest growing crime in America. A study issued by the Federal trade Commission found that an identity theft is reported every 6 minutes.
It is ironic how much energy, time and money are being invested into safeguarding private data on a daily basis, considering valuable data is simply discarded in the trash for anyone to pick up of mistakenly sold off with a computer. The doors and windows are locked, grounds monitored and patrolled, property locked down, but in a back alley sits an old computer containing a copy of the same supposedly protected data waiting to be picked up by the local trash department of anyone else walking by.
Even more disturbing is the online auction having a fire sale on computers containing your valuable information. Why break into the office or house when profitable information can be found in the trash or purchased cheaply online?
Hard Disk Sanitizing - Get Rid of Your Deleted Files
In order to effectively plug this security hole that affects anyone owning a PC, you must realize the misconceptions of partitioning and formatting disks to erase deleted files. The first step to protecting yourself is to know which security precautions work and which do not.
Many people believe the misconception that repartitioning a disk will erase all deleted files stored on a hard drive. (Repartitioning is the process of changing the size and sequence of partitions on a disk to prepare the drive for formatting.) Repartitioning the drive only alters the partition tables stored on the disk. Further, deleting a partition only erases the few bytes of data that define the partition, leaving all file data on the hard drive intact.
In fact, there are even programs available that can restore a disk's integrity after a partition has been erased. Contrary to popular belief, repartitioning a drive makes it extremely easy to recover an entire hard drive, including previously deleted files.
Formatting a drive also does not permanently erase data. Formatting a drive has two purposes. First, it recreates the master file tables that keep track of where file contents are stored on the disk. And second, it verifies each sector is okay to read and write to.
Even though performing a low-level format is time-consuming, it does not actually erase the contents of files organized by the master file tables. After a format, all contents of the deleted files can be resurrected from their deleted state with minimal effort.
If Repartitioning and Formatting Disks Will Not Permanently Purge Deleted Files from Hard Drives, What Will?
The only way to guarantee all data has been erased from a hard drive is to overwrite all sectors on the disk with artificial information, such as overwriting configurations with random patterns of ones and zeros. Although this sounds complex, there is an easy way to do this.
Drives can be sanitized and made ready for sale, donation or disposal by using a disk sanitizing tool. The disk sanitizing tool talks directly to the drive and overwrites all contents on the disk, including the boot record, master file tables, deleted files and contents of all files. At the completion of this process, users can have confidence that all of their data has been erased, and the drive can then be safely sold, donated or disposed.
There are a variety of easy-to-use hard disk sanitizers on the market today that can perform complete hard disk sanitization. There are even solutions that are compliant with the U.S. Department of Defense's disk sanitizing standards, one of the most rigorous data deletion standards.
One such user-friendly solution approved by the U.S. Department of Defense is WipeDrive 3.0 from WhiteCanyon Software, Inc. in Orem, Utah.
Erase Your Deleted Files - Permanently
If you are concerned about file security on a daily basis, you should understand that deleting a file or folder, emptying the recycle bin, and defragging your hard drive, do not erase the contents of deleted files.
To demonstrate this point, try copying some larger files to a storage device like a diskette. You will see it takes a long time to copy. However, if you then select the copied files and delete them, you will see the operation happens instantly.
So, what accounts for this discrepancy in time?
The answer is straightforward: the operation system did not actually erase the contents of the deleted files as the user intended. Instead, it only erased the file's index in the Master File Table, leaving this information retrievable by anyone who has access to the disk.
This occurs because when a file or folder is stored on a computer, its data is stored in two places. Indexing details such as the file name, size and creation date are stored in a Master File Table, while the contents of the file are stored on the free space area of the disk or the file clusters.
So, in our example, when you copy a file to a diskette, the filename is first entered into the Master File Table and then clusters are set aside for storing the actual contents of the file. The process of copying the contents of a file to clusters is the time-intensive step of the file storage procedure.
In contrast, file deletion appears to occur almost instantaneously, because, in actuality, only a few bytes are altered in the Master File Index. This is why deleted files can easily be undeleted.
Deleted Files Will Stay on a Drive Permanently Unless Overwritten by Something Else.
When a file is deleted, the clusters or location on the disk are then marked in the Master File Table as being free. The total number of free clusters on a disk constitutes the free space of that disk.
The contents of deleted files reside in the free space until they are replaced with new files. If unreplaced, deleted files remain intact.
Besides the issue of deleted files, there is the added security risk that your private information is continually being stored without your knowledge in places that you never even knew existed. For example, both your operating system and the programs you use on a daily basis create temporary files that contain your data for purposes of protecting users from data loss resulting from improper shutdown of application. This phenomenon is called document migration.
To observe how document migration occurs, first, turn on the ability to see hidden system files in Windows by going to your computer's file explorer and selecting file options.
Next, create a Word document in an empty folder and browse the document folder while editing the document. You will find many additional files residing in the same folder as your newly created document. These hidden files contain all details of your document's information.
When you close your document, the application simply deletes these files, and as discussed previously, deleted files can easily be undeleted. Now your Word document has spread its contents to other areas of the disk without your knowledge.
What Measures Can Users Take to Ensure Their Deleted Files Are Permanently Gone and Prevent Document Migration?
To protect data in deleted files, users should employ a file deletion management system. There are a number of file deletion programs available specifically designed to identify and permanently purge your computer of previously deleted files. These solutions can be downloaded from the Internet, purchased online or at retail outlets.
One such solution, SecureClean 4.0, also available from WhiteCanyon Software, offers the first utility that actually scans a computer, identifying traces of previously deleted files and information and permanently erases discarded data including e-mail messages.
Sanitizing data requires more than dragging files to a trash bin, reformatting or partitioning a computer. To assure the protection of deleted information, users should completely overwrite all contents in deleted files or on a hard drive using a data sanitization utility.
Stephen Elderkin, an expert on forensic software, was the chief forensic scientist for AccessData Corp. Over the past eight years, he has worked with the Secret Service, CIA, FBI, and U.S. Customs developing forensic software tools. He now is president and CEO of WhiteCanyon Inc., a company that specializes in permanent deletion technologies.
data erasure, privacy protection, identity theft