8

I am aware that to delete something completely we will have to use a program that overwrites the deleted file such that it is unrecoverable.

Is there any way to tell that this has happened? Or is the resultant state so random that no one can tell that it has just been "cleaned"?

Ok so we have a 100GB C:\drive and all of the data is "cleaned". After "cleaning", if someone tries to do a reversal and couldn't, he will suspect that it was "cleaned" before. So what I do is to copy "random files" and delete them such that if he does a reversal, he would get the "random files". Now the question is, if I simply have 50GB of "random files", will the remaining 50GB show evidence of "cleaning"? Do I need to fill all 100GB with "random files" (and delete them) to erase ALL traces of "cleaning"?

Pacerier

3 Answers

8

You are correct, in order for a file to be deleted the actual disk blocks it previously inhabited must be overwritten. This is generally done with random data; for example, the Windows tool 'cipher' overwrites unused (e.g., formerly used) disk space with 0s, then 1s, and then random data.

If a forensic investigator were to look at your computer's disk, and you had wiped deleted files in this manner, he would notice that the "slack space" on the disk was filled with random data, and that there were few or no deleted files. Let's say you deleted "readme.txt" and didn't wipe it; he'd find the contents of that former file, and say "Okay, here's a deleted text file." Therefore, if he can't find deleted files of any sort then he must conclude either a) you've never deleted a file or b) you've wiped your slack space to overwrite deleted files. Obviously b) is more likely than a).

To put it a different way: if the resultant state of the wipe is random, then that very randomness is what tells the investigator that the disk has been "cleaned".

Some tools, such as PGP shred, will overwrite the single file you specify rather than cleaning up all slack space on the disk. If sensitive files are shredded, and normal files are deleted as usual, then it would be harder for an investigator to prove that file wiping had occurred.

gowenfawr
    So for full deniability, the key is - after you've *wiped* the drive, copy some large, innocuous files onto it - then delete *them*. :) – John C Oct 02 '11 at 12:54
  • @JohnC this is actually my question. When I recopy files and delete them, that will be done let's say for 80% of the wiped space. So in the remaining 20% of the wiped space, is someone able to deduce that they were wiped before? – Pacerier Oct 02 '11 at 13:22
  • @Pacerier, that's information you might want to add to the actual Question, it wasn't obvious that was what you were already doing. – John C Oct 02 '11 at 15:19
  • @JohnC ok updated =D – Pacerier Oct 02 '11 at 23:06
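The signal gowenfawr describes (slack space full of high-entropy data, few or no recoverable remnants) is easy to measure. The following is an added example, not code from the answer or from any forensic tool: it scores each block of an unallocated-space image by Shannon entropy and counts how many look blank, like file remnants, or random. The thresholds and the sample image are assumptions constructed for the example; the "refilled" case models the question's scenario, where only part of the wiped space is later overwritten with innocuous files.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.
    0.0 for constant data, close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Triage one block of unallocated space. The thresholds are assumptions
    chosen for this example, not a published forensic standard."""
    h = shannon_entropy(block)
    if h < 0.5:
        return "blank"    # never written, or zero-filled
    if h < 6.5:
        return "remnant"  # structured content: text, code, file headers
    return "random"       # wipe pattern, but also encrypted or compressed data


def triage_image(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count block categories across an image of unallocated space."""
    counts = {"blank": 0, "remnant": 0, "random": 0}
    for off in range(0, len(image), block_size):
        counts[classify_block(image[off:off + block_size])] += 1
    return counts


def random_fraction(counts: dict) -> float:
    """Share of non-blank blocks that look random: the tell the answer describes.
    Near 1.0 means almost every formerly-used block was overwritten."""
    used = counts["remnant"] + counts["random"]
    return counts["random"] / used if used else 0.0


def build_sample_image(n_blank: int, n_remnant: int, n_random: int,
                       seed: int = 1) -> bytes:
    """Constructed sample image for the example, not a real disk capture."""
    rng = random.Random(seed)
    text = b"The quick brown fox jumps over the lazy dog. "
    blank = b"\x00" * BLOCK_SIZE
    remnant = (text * (BLOCK_SIZE // len(text) + 1))[:BLOCK_SIZE]
    chunks = [blank] * n_blank + [remnant] * n_remnant
    chunks += [rng.randbytes(BLOCK_SIZE) for _ in range(n_random)]
    rng.shuffle(chunks)
    return b"".join(chunks)


if __name__ == "__main__":
    # Whole free space wiped: every formerly-used block reads as random.
    wiped = triage_image(build_sample_image(0, 0, 64))
    # Half the wiped space later refilled with innocuous files and deleted:
    # the untouched half still reads as random.
    refilled = triage_image(build_sample_image(0, 32, 32))
    # Ordinary use, deletions never wiped: remnants and some blank blocks.
    normal = triage_image(build_sample_image(16, 48, 0))
    for name, c in (("wiped", wiped), ("refilled", refilled), ("normal", normal)):
        print(f"{name:9s} {c}  random fraction = {random_fraction(c):.2f}")
```

Two caveats when running this against a real image: compressed or encrypted files (archives, JPEGs, encrypted containers) also score near 8 bits per byte, so a high random fraction is a lead rather than proof of wiping, and a wipe tool that writes zeros (or, like the cipher pass described above, zeros and ones before random data) leaves blocks that score as "blank" rather than "random".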
4

What gowenfawr says is completely correct; however, I would like to add something to that.

Depending on the filesystem, there may be some remnants. On NTFS, indexes of files are not removed when wiping/deleting the file. So although you cannot recover the content of your file, there will always be traces of the file.

See this blogpost from sans forensics for more info

http://computer-forensics.sans.org/blog/2011/09/20/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files

Henri
2

In such a case, the easiest solution is to use TrueCrypt. It's legal to use, easy to justify the need for, and nobody can tell how much data you used to have, what files were there, etc.

Michał Šrajer