With a little persistence and knowledge of how Windows works, you don't have to be a computer forensics expert to uncover all sorts of data, including sensitive data, "lying around" on the typical workstation. Web sites you've visited, files you've downloaded, old documents you thought you had deleted -- these are typically there for anyone who can access your system to find. And with sophisticated data recovery software, even data that you went out of the way to make sure was gone may still be lurking in bits and pieces that can be put back together.
Hidden Data and How to Find It
The typical home computer or business workstation is full of data of which its user is blissfully unaware. Even many IT pros don't realize how many virtual nooks and crannies there are where data hides out and can be recovered. You can gather a lot of information about a person by examining the "data trails" he's left on his system or on the various servers with which his computer has communicated. We'll start with the most obvious:
Previously Visited Web Sites
Everyone knows you can discover the Web sites a person has visited by checking the browser's history and temporary Internet (cache) files. If you want to cover your "Web tracks," you need to delete those files - a seemingly simple process on most browsers. However, just clicking a button to empty the folders isn't enough, as you'll see later in our discussion of "deleted" files. Additionally, not all files are deleted when you clear the history this way; the index.dat file may be left behind.
Clues to the Web sites you visit also lurk in often overlooked places. Your Favorites or Bookmarks folder can provide a lot of insight into where you frequently go on the Web. An examination of the Cookies folder can also indicate Web sites you've visited. What about those typed addresses that the browser "autocompletes" for you? A good investigator can type random letters to see what choices (from addresses you've typed into the address box, not clicked links pop up. As shown in Figure 1, they hang out in the following registry key:
You can delete one or more of these URLs directly from the registry to clear it from the list (right click and select Delete).
Clearing the history in IE also deletes the typed URL entries.
Additionally, your My Downloads folder and temp directories may show what files you've downloaded.
There are also software programs designed to make it easier to collect Web "evidence." An example is Web Cache Illuminator from Northstar, which displays Web page titles and other information not easily discernable from the raw cache list (http://www.nstarsolutions.com/wci/).
Note, too, that even if you manage to delete all traces of Web sites you've visited from your computer, if you are behind a firewall, in many cases the firewall (or Web proxy server) will maintain a list of Web sites visited and which users or computers accessed them.
Other Places Data Hides
People often just don't think about all the information that can be gained from the data stored on their computers. For example:
- Word processing programs and other applications create temporary files when you're working on them. These are not always automatically deleted when you close the program or even when you restart the computer. They may be stored in the same folder with the original document, or the application may create a special temp folder in the application's program files folder.
- The Windows and/or Office clipboard can reveal data that you've recently cut or copied from documents, even if you've deleted the document itself. The Microsoft Office clipboard may hold multiple items, not just the last material placed on it.
- Instant Messenger programs may be configured to log text conversations to a file on your hard disk. Client-server IM systems in which communications go through a central IM server may log conversations to the server. Your contact or "buddy" list indicates persons with whom you regularly chat.
- Your e-mail or personal planner software's contacts list will reveal information, including e-mail addresses, physical addresses and phone numbers, of people with whom you associate. Your calendar and task lists can reveal your past activities and those you have planned for the future.
- Your My Documents folder will show what documents you've recently worked on. Your Media Player's playlists and history can reveal the audio and video files you've listened to or viewed.
- Backup tapes, CDs, floppies and flash memory drives may still hold copies of documents and files that you have deleted from your computer.
- Information you've deleted may still remain in memory until you shut down the computer, or in virtual memory (the page or swap file on the hard disk).
Deleting a file doesn't erase it. For example, when you "delete" an e-mail message, it usually just goes into another folder (marked Deleted Items). When you empty that folder (manually or automatically when you close the e-mail program), the items go into the Recycle Bin by default.
Even when you empty the Recycle Bin, that's not the end of it. Files "deleted" by the operating system aren't erased from the disk. All that happens is that the pointers to that file are removed from the file system's table and the space where it is stored on disk is marked as reusable. The 1s and 0s that make up the data itself are still sitting there until new data is written to that location. And even when it is, because the drive heads don't always line up exactly the same every time, fragments of the old data may still be discoverable.
Even formatting the hard drive doesn't do away with the data.
How Forensics Examiners Collect and Preserve Digital Evidence
Computer forensics examiners use special data recovery programs to "get back" the data that has been "deleted" but still remains on the disk. Recovery can be a long and tedious task, and sophisticated commercial recovery software can be very expensive. There are, however, low cost and even freeware recovery programs that can often recover data that was supposedly "gone for good." Consumer versions include:
- File Scavenger (http://www.quetek.com/prod02.htm)
- GetDataBack (http://www.runtime.org/)
- Back2Life (http://www.grandutils.com/Back2Life/)
You can download some free data recovery tools here:
http://free-backup-software.net/data-recovery.htm. Most of these utilities are marketed for recovering data you have "accidentally" deleted, but they can be used by amateur forensics examiners to recover deleted "evidence," as well.
Examiners are, of course, aware of all the locations on the computer where data can hide, including inside "alternate data streams" within the NTFS file system. Computer forensics experts also know that people who are trying to hide files often store them in unlikely places in the directory structure, such as the system directories. A simple search for particular target file types (.jpg or .gif when looking for graphics files such as pornography, .doc, .txt, etc. when looking for documents) or large file sizes will often turn up these deliberately "hidden" files.
When a forensics expert is examining a computer for evidence in a criminal case, it's important to leave the original hard disk exactly as it was when it was seized. Any attempt to recover data introduces changes to the data itself. To solve this dilemma, forensics examiners make an exact bit-level duplicate of the disk and perform the actual examination on the duplicate disk. Disk imaging software designed for this purpose is used to make the copies.
If a computer is targeted before the fact, investigators can install "spyware" or hardware on it to collect information even more easily. This type of spyware is much more insidious than the advertising related spyware that gathers statistical data and calls home. Here we're talking about key loggers (which come in both hardware and software versions) that can record every keystroke typed, screen monitors that take screenshots of everything you see on your monitor as you work at your computer, and other monitoring and logging programs that record specific information, such as copies of your e-mail messages, and save them in a special folder or even send them to the investigator over the Internet without your knowledge.
The legalities of collecting digital information vary from state to state and country to country, and depend on who is doing the collection. Law enforcement officers may need a warrant to monitor your communications or examine the contents of your disks. Private persons such as employers who own the computer or spouses with whom you share ownership of the computer may be able to legally access whatever they wish without your knowledge or permission.
How to "Forensics-Proof" your System
There is a common principle in criminal investigation that says anyone who enters a crime scene inevitably leaves something of him/herself behind. Even when no crime is involved, it's difficult to use a computer - especially over a period of time - without leaving behind many bits and pieces of data that can identify you and your activities.
If you are concerned about someone recovering data from your computer, you can take certain precautions:
- Each time you sign on, be sure you empty the deleted items folder on your e-mail client, clear the browser history and cache, and delete all temp files.
- Be aware of what is in your downloads folder, which applications (such as IM) log information, and history lists in various applications.
- Set your system not to maintain a list of recent documents.
- Disable autocomplete in your browser and other applications.
- Clear the clipboard contents.
- Encrypt and/or password protect sensitive documents.
- Set strong passwords on your e-mail accounts and other protected applications.
- Shut down the computer to clear memory.
- Delete the page file before you shut down (it will be recreated when the computer is restarted).
If you will be giving away or selling your computer and you're worried about sensitive data remaining on the drive, just formatting it is not enough. Use an overwriting program to overwrite the disk multiple times. Examples of such programs include Cyberscrub (www.cyberscrub.com), WipeDrive (www.whitecanyon.com), DataGone (www.powerquest.com) and many others. Ultimately, the only way to completely guarantee the destruction of data is to physically destroy the drive itself. Government agencies leave nothing to chance; they pulverize, incinerate or use acid to destroy disks that have held extremely sensitive data.
Data hides in many places on your computer, and a good investigator can find out a lot about the user of a computer by examining that data. Whether you want to conduct a forensics examination yourself or whether you're worried about being the subject of one, it pays to know the most common ways data is recovered. In this article, we've discussed some (but by no means all) of the places where data may be hiding on your system.