4

I’ve recently got into a little trouble and need advice. It seems I may have inadvertently downloaded a illegal file from a p2p network (along with 100’s of other legal files). I was certainly not aware of this nor have I viewed anything like this (!). As a matter of course I always use Cyberscrub to delete files (7+ overwrite) and also I have run the wipe free space option (again 7+ overwrite). So the file (if it existed) will have been deleted this way. I am concerned the one file might have been stored somewhere else, or it can somehow be pieced back together. Also I am concerned where the file name may be stored and if the measures I took would delete it are enough. It was through p2p so I’m pretty sure I don’t have to worry about internet cache. But what about other caches? I also regularly use cccleaner for my internet activity, mostly secure banking etc Does this clean cache and what about thumbnails (??). I am most concerned about the recovery of the file via forensics, even though I don’t recall ever downloading and viewing such a file. Any information / advice would really be appreciated as I am worried sick !

Edit also I have been told by police that “they went to the date of the offence from information given and found a file name matching they one they were looking for”. It doesn’t look good ! Cyberscrub deletes the file and also changes the date of creation, changes the file size etc So if it’s true what they say how could this happen? Where did that information come from on my computer? I asked for the full name of the file and they said a long line terms that the file name supposedly contained. Where did they get this information? Am I being set up?

James009
  • 111
  • 1
  • 7
  • Blah, I cleaned up the formatting, but I guess you were still editing and overwrote it. [See the edit history](https://security.stackexchange.com/posts/191562/revisions). – Mike Ounsworth Aug 14 '18 at 19:32
  • 4
    I think the law enforcement / "Am I being set up" part of the question is out of scope for this site. We can answer the tech parts of the question though. – Mike Ounsworth Aug 14 '18 at 19:33
  • Sorry! And yes any help would really be appreciated on the tech side. The cache and thumbnails side is what’s worrying me at the moment although would welcome all or any info on the OP – James009 Aug 14 '18 at 19:41
  • I'm writing up an answer, sit tight. – Mike Ounsworth Aug 14 '18 at 19:47
  • Also what about information stored by the p2p software (I uninstalled it around 2 months ago as I now use torrent)? I believe the software was emule. Would search terms or downloads be recorded in the operating system for terms used in an installed program? Last question, if I had viewed the file (which I haven’t to my knowledge) would the fact I accessed it be available anywhere? I don’t use WMP I use MPC. Thanks for any help! – James009 Aug 14 '18 at 19:50
  • If you can remember which p2p software you used, you could look into how trackers work in that. I know in bit torrent for example, there are central servers that act as middle-men to direct people who want a given file to people who are offering it. These trackers may keep logs that the police could subpoena (if they are in a cooperative country, etc). – Mike Ounsworth Aug 14 '18 at 20:02
  • At first I thought it was Limewire but I’m prett sure it was emule. Will take a look many thanks! – James009 Aug 14 '18 at 20:17
  • Would the trackers keep logs of search terms? I’m sure the ones I used would be completely innocent. – James009 Aug 14 '18 at 20:24
  • It's technically possible. You'll need to do some digging to tell if they do or not. Also, everything was over SSL/TLS, right? If not, then you could have ISP / router logs to worry about too. Yuck, messy. – Mike Ounsworth Aug 14 '18 at 20:27
  • To be honest I’m more concerned about the file being recovered as they can’t charge me without the file according to my legal advice. – James009 Aug 14 '18 at 20:36
  • Although there was an interesting case in the news where someone’s router was forensically analysed and files were identified / found. I am unsure how that could even happen. I can post the link on request. – James009 Aug 14 '18 at 20:37
  • @James009 Yeah I'd be interested to see the news story. My guess is that the router kept detailed DNS history or something of that sort. – forest Aug 14 '18 at 22:08
  • https://sputniknews.com/europe/201703211051817486-doctor-child-porn-software/ so no files were found but the router stored them ?). I can’t see how that could work. – James009 Aug 15 '18 at 09:02

1 Answers1

6

There's a lot of questions rolled in there. I'll try to answer a few of them.

This became a bit of a ramble.

TL;DR Secure erase programs like the one you describe worked well on old magnetic disks, but SSD and hybrid HDD/SSD drives work today are more complex and while some drive manufacturers provide secure erase functionality, there are really only two reliable ways to securely delete a file:

1) Select "Full Disk Encryption" in your OS (ie before downloading any suspicious files), and then if you reformat your disk using a different encryption password, the original files will be unrecoverable encrypted blobs.

2) This:

Hard drive shredding

Unfortunately, I think you have a old notion of secure deletion. We need to take a detour into how hard drives work. For an even longer read, see wikipedia.

History of secure erasure

We're going back to the late '80's / early 90's: magnetic tapes and hard drives write data in bands (think vinyl record). As technology increased over time, these bands got closer together, but in the early 90's there was enough unused space between bands that high-precision magnetic equipment could read residual magnetic fields of data even after it had been written over. You'll see in that wikipedia article that in the 90's, NIST / DoD recommended 3, 7 or even 35 passes of zeros or random data to fully wash out all magnetic residue leaking out the sides of the band.

You'll also see that in the mid 2000's that dropped to 1 round. Why? Because hard drive manufacturers were packing bands so tightly that there was no unused space between the bands anymore and one pass of zeros was sufficient. Good news.

Then came SSDs Solid-state drives have a limited number of times each transistor can we written, so to increase drive lifetime, they do a thing called wear leveling which essentially means that each time you write to a file, it writes a new copy of it somewhere else on the disk and flags the old one as "unused space" so that each sector gets an even amount of use. This has the unfortunate side-effect of leaving many copies of each file scattered around the disk. Wear leveling is done at the hard drive firmware level, so even the OS can't do anything about it. As @James009 said in comments: "So basically if I wipe an SSD then it will start wiping the drive, but it will place the wiping data (the 1’s and 0’s) in places where there is less “wear” and not wipe through the drive."

This paper from 2011, titled "Reliably Erasing Data From Flash-Based Solid State Drives" says:

Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.

Whether that's still true 7 years later, I don't know.

Bottom line: I Don't think of SSDs the way you think of RAM or traditional hard disks -- concepts like "used space", "unused space", "overwriting a file in-place" etc. Instead think of an SSD drive like a database server with their own CPU that stores and returns (address, data) pairs and does all sorts of black magic optimizations about how that's physically stored on disk.

There are some techniques that are effective for sanitizing SSDs, but they usually rely on the drive having a secure erase command, or on other physical characteristics of the drive. The only method that's guaranteed across all manufacturers is to only ever put encrypted data on the drive.

Modern recommendation: cryptographic erasure.

Since 2014, NIST (in SP-800-88 Rev. 1) have deemed that zeroing out data is only applicable to magnetic media and recommends instead "cryptographic erasure", which is fancy speak for "use full-disk encryption, then you can safely destroy or format the disk simply by forgetting the encryption key!"

Unfortunately this means you needed to have disk encryption turned on before the file was written. Basically, make sure that every piece of data handed to the SSD is encrypted, because once it's there's a chance that it'll be there forever :(

Related questions

There are actually a pile of good answers to this question already. I should have searched before sinking my afternoon into writing an answer :(

P.S. I have never used any of the tools you mention (cccleaner, cyberscrub, so maybe somebody else can speak to those)

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • Thanks for the reply! I believe I purchased the computer around 5 years ago so I’m hoping it didn’t have an SSD drive (it was 1 Tb). I’ve read it is very difficult to erase files from an SSD drive. Assuming it’s not, in your experience would the file be recoverable? – James009 Aug 14 '18 at 20:21
  • 1
    Unfortunately I didn’t use encryption as I didn’t feel I had anything of value / risk to encrypt. Lesson learned! – James009 Aug 14 '18 at 20:22
  • I have no personal experience doing digital forensics, but my understanding is that if it's a proper magnetic disk (not a HDD / SSD hybrid, look up the specs for the model number), then your secure deletion program will probably do the trick. – Mike Ounsworth Aug 14 '18 at 20:22
  • @MikeOunsworth About SSD and wear leveling, I don't understand why if we completely rewrite the SSD it is still possible to retrieve documents. We know that each segment of the disk would have been rewritten one time. – Xavier59 Aug 14 '18 at 21:24
  • Just one final comment, I agree securely wiping a file on an SSD drive would be pretty pointless due to the way in which files are stored ie there would be some traces left. – James009 Aug 14 '18 at 21:34
  • 2
    @Xavier59 Because wear-leveling is more complex than you realize. I am not an expert, but my understanding is that A) if you write 128 gb of data to a 128 gb drive, the wear-leveling algorithm may shuffle things around while you're doing it so that some sectors never actually get overwritten – Mike Ounsworth Aug 14 '18 at 21:35
  • 2
    and B) _"A pool of reserve space can also be kept. When a block or sector does fail, future reads and writes to it can be redirected to a replacement in that pool."_ So the drive may actually be larger than advertized, so there is more physical memory than the OS can address and also blocks marked as "failed" will never be written to and will always retain their content. – Mike Ounsworth Aug 14 '18 at 21:36
  • But what would be the effect of wiping the free space of an SSD? I can’t seem to find a succinct answer to this. Some say it would allow all deleted data to be unrecoverable others say not, but they don’t give a reason why. They just say wiping a file wouldn’t work and wiping free space may damage the drive – James009 Aug 14 '18 at 21:36
  • @James009 See the comment I just posted to Xavier59. Don't think of SSDs the way you think of RAM. Instead think of them as standalone databases with their own CPUs that do black-magic voodoo optimizations in terms of how data is physically stored. A lot of it varies from manufacturer to manufacturer too, so it's hard to generalize. – Mike Ounsworth Aug 14 '18 at 21:39
  • 2
    So basically if I wipe an SSD then it will start wiping the drive, but it will place the wiping data (the 1’s and 0’s) in places where there is less “wear” and not wipe through the drive. Unless I misinterpret (?). Got to go, thanks for all your help, will check on any reply in the morning – James009 Aug 14 '18 at 21:46
  • 1
    Exactly! Well phrased. Some manufacturers support a Secure Erase instruction that the OS driver can call which will zero out everything, ignoring wear-leveling, but it still doesn't solve the problem that SSD sectors tend to fail in a way that they can still be read but not written to. The only real solution is to only ever hand the SSD encrypted data. – Mike Ounsworth Aug 14 '18 at 21:53
  • 1
    @MikeOunsworth This extra unused space is called the overprovisioning space. For an n GB drive, the extra space is often at least n GiB - n GB (where GB is 1000 MB and GiB is 1024 MiB). You can never securely erase an entire SSD just by writing to the block device (or writing over free space). You have to either destroy it, use TRIM, or use SED (modern encryption-based ATA Secure Delete). – forest Aug 14 '18 at 22:05
  • @MikeOunsworth That's not the "only solution". Many SSDs support self encryption, the reason is that it is a nearly "free" feature: the SSD needs to scramble the data to prevent difficult patterns causing problems like cell crosstalk, it is easy to just drop in AES as the scrambler. These drives can effectively wipe all data, even failed cells, by simply rotating the key. – user71659 Aug 15 '18 at 07:39
  • So if I had used encryption where would the (supposed) file be now? From the above I would have had to have known I had the file in the first place to destroy it. So in effect if someone inadvertently downloads something on an SSD drive, deletes it with other downloaded files, then carries on as normal then encryption doesn’t help. Even if someone knowingly downloaded files they would have to destroy the whole disc each time to be sure of deletion (?). – James009 Aug 15 '18 at 09:10
  • Also on the below thread a person states "Note that writing to all free space will defeat wear-leveling because then the micro-controller doesn't have blocks left to remap." ... https://security.stackexchange.com/questions/12503/can-wiped-ssd-data-be-recovered – James009 Aug 15 '18 at 11:35
  • Final comment. See below paper. They consider wiping free space and single file overwiting on SSD drives. Table 2 shows "In most cases, overwriting the entire disk twice was sufficient to sanitize the disk, regardless of the previous state of the drive. " The exception was drive A. Table 3 shows what data could be recovered from a single file overwrite. I personally always use gutmann or on occasion US DoD, the percentages are given. So it looks like it is possible (up to 5% probability) but unlikely that any data would be recovered if both wiping operations are performed. But possible (!). – James009 Aug 15 '18 at 13:28
  • https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf – James009 Aug 15 '18 at 13:28
  • @user71659 Good point. Is that not a subset of "Some manufacturers support a Secure Erase instruction", which has the problem that an arbitrary laptop's drive may or may not support that? – Mike Ounsworth Aug 15 '18 at 13:45
  • @James009 Thanks for the paper link. I think your understanding has caught up to mine! – Mike Ounsworth Aug 15 '18 at 13:49
  • From my understanding drive properties play a crucial role. Also note that the above paper talks about a full drive overwrite, where files are already on the computer and the free space was wiped there seems to be a very good chance of recovery. Strangely the single file overwrite, was quite effective apart from one of the drives. – James009 Aug 15 '18 at 15:58
  • Thanks Mike, at least this research has taken my mind off things for a while. I’m 80 % sure that my drive was a HDD but in the event it was an SSD some trace of the file may be found. Time will tell. I’ll (hopefully) update with the forensic results at some point in the future. Thanks again. – James009 Aug 15 '18 at 16:00