Secrets of Digital Forensics – Revealed!

We may not all agree on whether robots have souls, but one fact is beyond doubt: your computer files have an afterlife.

Say you’re using Windows and you have a Word document saved on your hard drive. Recipe for sweet pickle casserole from your Aunt Mindy. You hate sweet pickles, and Aunt Mindy’s visit is over (finally!), so you decide to get rid of the document.

You select the icon and press Delete. Is it gone? Not yet, of course. It’s in the Recycle Bin.

Ok, you empty your Recycle Bin. Now is the file gone? Nope. You can’t access it anymore, but it’s still there.

See, Windows keeps a record of all the files on your system and where they’re located, and that record is separate from the file data itself. When you delete a file, it just removes the record of the file, changing the status of that space from “in use” to “available.” The actual data is still there, completely intact.

By the way, this isn’t some sinister plot hatched by Microsoft to immortalize sweet pickle casserole. Nearly all operating systems do something similar. It’s not about privacy, it’s about efficiency. Deleting only the records of the file is much quicker than deleting the file itself – and most people think their computers are slow enough as it is.

Time goes by. Since the recipe data is marked as gone, Windows may overwrite that data in the future. It may be gone just a few minutes later. Then again, it might not. How long could it last? Hours. Weeks. Decades. It all depends. And even if part of the file is overwritten, the fragments that remain can still be recovered, examined, and possibly reassembled.

Instead of just deleting that one file, let’s say you completely reformat your hard drive. Clean slate, everything gone. Right?

You can probably see where this is going. Even reformatting your hard drive is more of a bookkeeping exercise than anything else. It still doesn’t scrub clean the actual data.

This applies not just to hard drives, but to USB flash drives as well. So if you let your friend borrow your flash drive for the weekend, he could – theoretically, if he wanted to, if he knew how – he could look at not just the files you meant for him to see, but many of the files you’ve deleted from the device over the last few weeks, months, years. He could copy them onto his own computer, and you’d never even know.

How? There are lots of tools out there – many free, and many others cheap. Active@ File Recovery is one I’ve used myself with great success – the trial version is free, and the full version is something like $30. Of course, my own intentions were less nefarious. I was trying to recover data from one of my own hard drives that had died years ago. (I was very successful, too.) But it’s worth keeping in mind that such tools exist, in case you ever save any files with data more sensitive than a casserole recipe.

So how do you clear out those old, deleted files? One method (in Windows, at least) is to use the “cipher” command. Detailed documentation on “cipher” is here. I haven’t tried it myself yet, so if you go down that road, do it with caution. And even if you do completely delete the data, some information remains. The Windows Registry stores vast troves of metadata about your activities, including a list of recently accessed documents. That doesn’t apply to the flash drive scenario, but it’s still something to keep in mind.
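An added example, not from the original post: a constructed toy volume in Python that models what is described above, with file records kept separately from the data blocks. It shows that deleting removes only the record, that partial reuse leaves fragments behind, and that overwriting the free blocks is what actually removes the data. `ToyVolume`, its 32-byte blocks and the sample recipe bytes are assumptions made for illustration; no real filesystem is laid out this way.

```python
BLOCK = 32  # bytes per block in this constructed toy volume (not a real NTFS/FAT layout)

class ToyVolume:
    def __init__(self, blocks=8):
        self.disk = bytearray(BLOCK * blocks)   # raw data area
        self.table = {}                         # file records: name -> (blocks, length)
        self.free = set(range(blocks))          # blocks marked "available"

    def write(self, name, data):
        need = -(-len(data) // BLOCK)           # ceiling division
        used = sorted(self.free)[:need]         # lowest free blocks first
        if len(used) < need:
            raise OSError("volume full")
        for i, b in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.disk[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.free -= set(used)
        self.table[name] = (used, len(data))

    def read(self, name):
        blocks, length = self.table[name]
        return b"".join(self.disk[b * BLOCK:(b + 1) * BLOCK] for b in blocks)[:length]

    def delete(self, name):
        blocks, _ = self.table.pop(name)        # drop the record only
        self.free |= set(blocks)                # "in use" -> "available"; data untouched

    def unallocated(self):
        """Raw bytes of every free block, as a recovery tool would read them."""
        return b"".join(self.disk[b * BLOCK:(b + 1) * BLOCK] for b in sorted(self.free))

    def wipe_free(self):
        """One zero-fill pass over free blocks; slack inside allocated blocks is not touched."""
        for b in self.free:
            self.disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

def demo():
    vol = ToyVolume()
    recipe = (b"RECIPE: sweet pickle casserole. "      # constructed sample data, 3 blocks
              b"Layer pickles, add sugar, bake. "
              b"Serve to Aunt Mindy only. END")
    vol.write("casserole.doc", recipe)
    vol.delete("casserole.doc")
    after_delete = recipe in vol.unallocated()         # whole file still readable
    vol.write("todo.txt", b"buy milk")                 # reuses the first freed block
    after_reuse = vol.unallocated()                    # later fragments remain
    vol.wipe_free()
    return after_delete, after_reuse, vol.unallocated(), bytes(vol.disk)
```

The last return value shows a caveat of free-space wiping in this model: the bytes after the end of `todo.txt` inside its block still hold part of the old recipe, because that block is no longer free.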

Should you be worried about any of this? Eh. Not necessarily. Sure, people can violate your privacy with computers, but then people can do all kinds of terrible and complicated things. That’s just part of living in a society, and it’s been true for centuries. You trust some, you get burned occasionally, and life goes on. Nevertheless, I think it’s good to at least be aware that deleted files do not disappear.

I’m taking a digital forensics class right now, which is my source for a lot of what I’m telling you. If you have any questions about this, or any other digital forensics topic, ask me in the comments. I’m far from an expert, but I’ll do my best to answer.


  1. Interesting stuff! I never knew that my files lived on. Maybe I can even retrieve my files from my U.S.B. that just went kaboom (Not really. It was exposed to the technological menace known as water).

    So today I promised to also start looking at anomalies in Ancient Egypt. I’m thinking I’ll just share one anomaly a day, and I’ll be curious to see your own responses to my data. Also, I’ll post hyperlinks to the places I got my data from.

    And now I’ll also just start pasting directly from my notes.

    The pyramids of Giza are not completely made of limestone blocks. Although much of it is indeed blocks, there are also geopolymers at work here – essentially, a limestone based cement.

    “‘The most convincing argument is the presence of amorphous SiO2 (silica),’ Barsoum told Discovery News. ‘In sedimentary rocks, the SiO2 is almost always crystalline.’
    He also noted that some samples of calcite and dolomite taken from pyramid samples featured water molecules trapped inside — again, he said, this is not a phenomenon found in nature.
    The researchers believe that a limestone concrete, called a geopolymer, was used for, at most, 20 percent of the blocks — in the outer and inner casings and in the upper parts of the pyramids.
    Davidovits, himself, tested a limestone-based concrete recipe at the Geopolymer Institute at Saint-Quentin.
    He concluded that diatomaceous earth (a soil formed by the decay of tiny organisms called diatoms), dolomite and lime were mixed in water to produce a clay-like mixture. This was what the ancient Egyptians would have poured into wooden moulds at Giza to obtain concrete blocks in a few days.
    Indeed, with this recipe, Davidovits produced a large concrete limestone block in ten days.”

    Why does this matter? Concrete is a modern invention. How could the Egyptians possibly have had the technology to create a concrete made from limestone over 4,000 years ago?

    This answers many of the questions surrounding the pyramids, such as how the builders managed to use ramps to get up the sides of the pyramids, especially while carrying huge limestone bricks, or how the pyramids were constructed so precisely that each side sloped perfectly to hit the point at the top. The pyramids were poured.

    MLA citation

    P.S.: Looks like hyperlinks don’t like me. So if you want to look at my sources, I guess you’ll have to copy and paste them into your internet browser address. But that’s not too bad, is it?

    • This is also very interesting. But again, you have to consider that a cyclical view of progress (that is, technological progress being made and then lost) does not mean that no overall progress has occurred. Have you seen any evidence that older civilizations had the same level of technology we have today – electronic microprocessors, terabyte hard drives, etc.?

  2. Egyptian brain surgery. My IB mentor, Dr. Dr. Richy (I call her dr. dr. because she has 2 PhDs, as well as 5 other degrees) has just sent me 3 articles about Ancient Egyptians performing successful brain surgery, with the patients living for years after the surgery. There are other anomalies that I haven’t double checked yet, so I still need to research those too (So much research!). I will come back tomorrow and post what information I find from the articles.
    I will also note that we are still learning to do brain surgery today. So there’s a start for evidence.
    I’ll see if I can double check some of the other anomalies tonight and make sure they exist before I start posting my response. For now, I’ll leave you with nothing but the promise of an argument after I do more research, mostly because I just started this project and so I’m keeping you updated as I do research.
    Thank you for responding with well-thought-out questions! They are helping direct my research and informing me of any weak points in my arguments. I’ll be sure to keep you up to date on my project.

