As the use of computer forensics in criminal investigations is now commonplace, news reports have made ordinary computer users aware that deleting a file via the Recycle Bin does not truly destroy it. Nevertheless, understanding among the public about what constitutes an effective method for permanently deleting data is still poor. This article looks at two of these methods – formatting the hard drive and using data wiping tools – and dispels some of the many myths surrounding their use.
Many people believe that the act of formatting a drive permanently wipes all the data contained on it. However, the purpose of formatting is to create a file system to manage data, and so all that is lost is the directory entries that index the data on the drive. While this renders data undiscoverable via the operating system, contrary to popular belief, it does not delete or overwrite it. For this reason, most data on a formatted drive can be recovered.
Computer forensic recovery of data after formatting usually relies on ‘data carving’, which involves searching the raw data for flags that suggest the start and end of a block of data. When a block is identified, analysts then attempt to reassemble the information in between the flags to make up a single file. Standard data structures can also be searched for.
If a computer forensic analyst had been asked to identify digital evidence of images on a formatted drive, for example, they might search for a string of code that is common in all image files to narrow down their search. Data carving, which is also used in recovery programs such as ‘Recuva’ and ‘Disk Drill’, can prove very successful – meaning that the majority of a drive’s contents can often be recovered.
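The header/footer search described above can be shown on a small scale. The following is an added example, not code from the original article or from any of the tools it names: it carves JPEG and PNG data out of a constructed in-memory buffer standing in for a formatted drive, then repeats the search after a single full overwrite. The function names and the sample buffer are assumptions made for the illustration.

```python
"""Header/footer carving over a raw buffer (constructed sample, not a real disk)."""

# Well-known start/end signatures ("flags") for two image formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up if no footer within 10 MiB of a header


def carve(raw, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return (kind, offset, data) for every header that has a matching footer."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                # Header with no footer: truncated or overwritten, skip it.
                pos = raw.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, raw[pos:end]))
            pos = raw.find(header, end)
    return sorted(found, key=lambda item: item[1])


def build_sample():
    """Constructed 'formatted drive': file bodies remain, no directory entries."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 20  # footer lost
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + truncated


def wipe_once(raw):
    """Simulate one full overwrite of the buffer (zeros used here)."""
    return bytes(len(raw))


if __name__ == "__main__":
    disk = build_sample()
    for kind, offset, data in carve(disk):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
    print("after one overwrite:", carve(wipe_once(disk)))
```

This simple form assumes each file is stored contiguously; fragmented files need the reassembly step mentioned above.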
Historically, it was widely believed that it was necessary for a hard drive to be written over repeatedly with random binary codes (ones and zeros) in order for the data to be permanently wiped. Now, however, it is accepted that fully writing over a drive just once can render all data completely unrecoverable.
The main reason why experts previously believed that multiple overwrites were necessary is that the head (the part of the hard drive that writes the information) is not always precisely positioned, and so it was feared that the information would not be overwritten precisely enough, byte for byte.
However, studies have shown that after a single overwrite, there is only a 0.5% chance of successfully recovering a single byte of data and even less chance of recovering more than this (Kleiman and Sudhar). Research has also shown that even if data recovery were possible, any previously deleted data could well be incomplete or corrupt once it has been retrieved (Cross and Shinder).
Given that a typical two-page Microsoft Word document has a file size of over 22,000 bytes, the danger of any significant data being recovered is quite negligible.
It seems, therefore, that it is not necessary to perform multiple wipes, providing that a sufficient method is used to overwrite the entire drive in the first instance (rather than simply formatting). This is great news of course for companies wishing to remove client sensitive data from computers before disposing of them, but is not such welcome news for law enforcement tackling increasingly computer-savvy criminals.