- Hiding incriminating evidence (either of your "leak" or of the actual malpractice, incompetence, corruption or other criminality which you are trying to draw public attention to) is not as simple as hitting the delete key on your computer keyboard.
At a simple level, some people forget that deleted files can be recovered from the "wastebasket", and that with a hex editor or recovery utilities many files can be "undeleted" simply by changing the first character of the deleted file name, provided that the file has not yet been overwritten.
- The popularity of Digital Cameras has led to the availability of lots of free or cheap Digital Photo file recovery tools which work in this way, e.g. Photorescue etc. These usually succeed very well in "un-deleting" photograph image files which have been accidentally "erased" on Flash Memory or other Smart Media, or which have become otherwise corrupted.
What works for (.jpg) image files also works for Microsoft Word (.doc) or Adobe (.pdf) whistleblower files etc.
- Remember to hide your personal details when Purchasing such software online, or Registering for a time- or use-limited "free" demonstration version of such software - obviously do not do this from work!
- Deliberately "erasing" the "whistleblower files" stored on USB memory sticks, Digital Camera or MP3 music player memory devices, may well be enough to let a whistleblower smuggle out copies of sensitive documents past cursory security checkpoints, which can then be recovered once the whistleblower is in a safe place.
- Deleting corporate emails, e.g. on Microsoft Exchange, is not a simple matter either. Very often deleted emails can simply be recovered from the "wastebasket" deleted folder. Anything that has remained on the system for more than a few hours is likely to have been backed up to other backup storage media, and so may also be recoverable during a "leak inquiry" investigation.
- Make sure that you delete the Browser History and Temporary Files (Tools / Internet Options / Delete Files / Delete all off-line content and Tools / Internet Options / Clear History in the Microsoft Internet Explorer web browser) - it is not just your internet browsing which is monitored, it is also your intranet web browsing, search engine queries and document downloads, which are potentially monitored.
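Why changing the first character of a deleted file name is enough to "undelete" a file, as mentioned above: on FAT16 / FAT32 formatted media, such as many camera cards and USB sticks, a delete only overwrites the first byte of the file's directory entry with the marker 0xE5. The Python sketch below is an added illustration, not part of the original guide; the directory entries in it are constructed sample data.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5   # "delete" overwrites only the first name byte with this marker
LFN_ATTR = 0x0F  # long-file-name helper entries, skipped here

def make_entry(name, ext, first_cluster, size):
    """Build a constructed 32-byte FAT short-name directory entry."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                            # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)      # cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)   # cluster, low word
    struct.pack_into("<I", raw, 28, size)                     # file size in bytes
    return raw

def mark_deleted(raw):
    """Apply what an ordinary delete does to the directory entry."""
    raw[0] = DELETED
    return raw

def parse_directory(region):
    """Return every short-name entry, including ones marked deleted."""
    found = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        if e[0] == 0x00:          # end-of-directory marker
            break
        if e[11] == LFN_ATTR:
            continue
        deleted = e[0] == DELETED
        stem = e[1:8].decode("ascii", "replace")
        first = "?" if deleted else chr(e[0])
        name = (first + stem).rstrip() + "." + e[8:11].decode("ascii", "replace").rstrip()
        cluster = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        found.append({"name": name, "deleted": deleted,
                      "first_cluster": cluster, "size": size})
    return found

# Constructed sample: one live file, one deleted photo, then end-of-directory.
SAMPLE_DIR = bytes(make_entry("REPORT", "DOC", 5, 20480)
                   + mark_deleted(make_entry("PHOTO01", "JPG", 42, 183402))
                   + bytearray(ENTRY_SIZE))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

The rest of the name, the start cluster and the file size all survive the delete, which is why recovery tools succeed until those clusters are reused for other data.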
Securely erasing Hard Disks
- Sometimes the actual source of "whistleblower leaks" and Security / Privacy breaches, is the incompetent (or penny pinching) attitude of government or corporate employees, who fail to securely dispose of old computers and hard disks etc. or who lose them or allow them to be stolen.
- "Secure" deletion utilities repeatedly write binary patterns over the deleted filespace several times, to try to frustrate even the more sophisticated magnetic disk surface reading equipment, which can pick up the "shadows" of previous patterns of zeros and ones. However this does take quite a long time to do thoroughly.
Even multiple deletion passes do not really obscure the magnetic track edge information, which can sometimes be used to re-construct the patterns of zeros and ones on a magnetic data storage hard disk.
- Magnetic de-gaussing of hard disks is also no longer guaranteed, especially if done in a hurry, as high density storage technologies such as perpendicular recording (i.e. vertically through the thickness of a magnetic coating, not just horizontally on the surface) or magneto-optical techniques, involving lasers to thermally temporarily lower the magnetic coercivity, come into use.
- There are also laptop / notebook / mobile phone computer hard disk drives which have large Flash Memory buffers which will contain a large amount of recent data and which will not be affected by magnetic de-gaussing.
- Even physical destruction of hard disks can leave traces of important data still readable, as the recording density of the technology keeps increasing. i.e. even a small fragment of a modern hard disk potentially now contains quite a lot of data.
- Many modern ATA / IDE hard disks (usually those with a capacity larger than 15 GB) do actually incorporate a Secure Erase function, called the ATA Security Feature Set, built into the hard disk electronics.
Some free software (HDDErase.exe) to use this feature, and plenty of other useful advice, is available from the Secure Erase project, originally sponsored by the US National Security Agency, headed by one of the pioneers of hard disk technology, Dr. Gordon F. Hughes, at the Center for Magnetic Recording Research (CMRR), at the University of California San Diego (UCSD).
- Whole Disk or at least Whole Volume Encryption (e.g. using TrueCrypt strong encryption software) is a viable option to frustrate data thieves, computer forensics investigators and whistleblowers, provided that the actual de-cryption pass phrases are held or stored securely e.g. not written down on a bit of paper kept in the same laptop computer bag as the hardware it is supposed to protect, so that they can both be lost or stolen together.
- Most Flash memory devices, e.g. USB thumb / pen drives, digital camera or mobile phone memory cards (e.g. SD or microSDHC etc.), the flash memory buffers found in conventional magnetic disk drives used in some laptop computers, or the Solid State Drives increasingly used for performance enhancement in desktop or server computers etc., are very hard to securely delete, due to the use of "wear levelling" algorithms.
c.f. this academic paper:
Reliably Erasing Data From Flash-Based Solid State Drives
Michael Wei∗, Laura M. Grupp∗, Frederick E. Spada†, Steven Swanson∗
∗Department of Computer Science and Engineering, University of California, San Diego
†Center for Magnetic Recording and Research, University of California, San Diego
Not all of the models of device tested by these researchers actually implemented the manufacturers' claimed secure delete functions correctly, leaving data which can be read forensically by cheap electronics which can bypass the Flash Translation Layer of the hardware controller.
Whole Disk encryption of the entire device using TrueCrypt will offer some reasonable degree of security on a fresh, previously unused flash memory stick or card, but if you ever need to change the encryption key, there is a risk that some or all of the previous key can be recovered forensically.
If the old TrueCrypt Volume password / keyfile is being changed because of a possible security breach, then you should really use a fresh USB memory card (they are getting to be quite cheap now) and physically destroy the old one (this needs quite a lot of physical force with a hammer etc. to grind it into dust).
If you are in a hurry, and need to hide the data on a USB flash memory drive / card from casual "recover my lost photos" software, then using TrueCrypt to overwrite it with an encrypted Volume which entirely fills up the available capacity of the device (less, of course, any spare blocks which have been reserved by the controller for wear levelling etc.) is a better-than-nothing option.
- Under both Windows and Macintosh operating systems, there is often a local Wastebasket for "deleted" files kept on the actual USB / flash memory device itself, which also needs to be cleared out.
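Why "wear levelling" makes overwriting unreliable on flash, and why filling the whole device is only a better-than-nothing option, as described above: the Python model below is an added illustration, not part of the original guide and not any real controller's algorithm. The class ToyFlash, its block counts and the sample data are all hypothetical.

```python
class ToyFlash:
    """Deliberately simplified flash translation layer (FTL) model.

    Assumption: every write goes to a fresh physical page and superseded pages
    are erased only when the free pool runs dry. Real controllers differ.
    """

    def __init__(self, logical_blocks, spare_blocks):
        self.logical_blocks = logical_blocks
        self.pages = [None] * (logical_blocks + spare_blocks)  # physical pages
        self.mapping = {}                       # logical block -> physical page
        self.free = list(range(len(self.pages)))
        self.stale = []                         # superseded, not yet erased

    def write(self, lba, data):
        if not 0 <= lba < self.logical_blocks:
            raise IndexError("logical block out of range")
        if not self.free:                       # garbage-collect only when forced
            for page in self.stale:
                self.pages[page] = None
            self.free, self.stale = self.stale, []
        page = self.free.pop(0)
        self.pages[page] = data
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])  # old copy unmapped, NOT erased
        self.mapping[lba] = page

    def read(self, lba):
        """What the host (and any overwrite utility) can see."""
        page = self.mapping.get(lba)
        return None if page is None else self.pages[page]

    def raw_dump(self):
        """What reading the chips directly, bypassing the FTL, would see."""
        return [p for p in self.pages if p is not None]

SECRET = b"OLD-KEY-MATERIAL"   # constructed sample data

def secret_remains(full_passes):
    """Overwrite the secret's block, then fill the whole device N times."""
    dev = ToyFlash(logical_blocks=4, spare_blocks=2)
    dev.write(0, SECRET)
    dev.write(0, b"\x00" * len(SECRET))          # targeted overwrite
    for _ in range(full_passes):
        for lba in range(dev.logical_blocks):
            dev.write(lba, b"\xff" * len(SECRET))
    return dev.read(0), SECRET in dev.raw_dump()
```

In this toy model the host reads back only the overwritten data, yet the old contents sit in a spare page after the targeted overwrite and even after one full fill; a second fill happens to clear them here, but a real device gives no such guarantee.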