File deletions

File deletions

  1. Hiding incriminating evidence (either of your "leak" or of the actual malpractice, incompetence, corruption or other criminality which you are trying to draw public attention to) is not as simple as hitting the delete key on your computer keyboard.

    At a simple level, some people forget that file deletions can be recovered from the "waste basket", and with a hex editor or recovery utilities, many files can be "undeleted", simply by changing the first character of the deleted file name, provided that it has not yet been overwritten.

  2. The popularity of Digital Cameras, has lead to the availability of lots of free or cheap Digital Photo file recovery tools which work in this way, which usually succeed very well in "un-deleting" photograph image files which have been accidentally "erased" on Flash Memory or other Smart Media or which have become otherwise corrupted e.g. Photorescue etc.

    What works for (,jpg) image files also works for Microsoft Word (.doc) or Adobe (.pdf) whistleblower files etc.

  3. Remember to hide your personal details when Purchasing such software online, or Registering for a time or use limited "free" demonstration version of such software - obviously do not do this from work !

  4. Deliberately "erasing" the "whistleblower files" stored on USB memory sticks, Digital Camera or MP3 music player memory devices, may well be enough to let a whistleblower smuggle out copies of sensitive documents past cursory security checkpoints, which can then be recovered once the whistleblower is in a safe place.

  5. Deleting corporate emails e.g. Microsoft Exchange is not a simple matter either. Very often deleted emails can be simply recovered from the "wastebasket" deleted folder. Anything that has remained on the system for more than a few hours, is likely to have been backed up to other backup storage media, and so may also be recoverable during a "leak inquiry" investigation.

  6. Make sure that you delete the Browser History and Temporary Files (Tools / Internet Options / Delete Files / Delete all off-line content and Tools / Internet Options / Clear History in the Microsoft Internet Explorer web browser) - it is not just your internet browsing which is monitored, it is also your intranet web browsing, search engine queries and document downloads, which are potentially monitored.

Securely erasing Hard Disks

  1. Sometimes the actual source of "whistleblower leaks" and Security / Privacy breaches, is the incompetent (or penny pinching) attitude of government or corporate employees, who fail to securely dispose of old computers and hard disks etc. or who lose them or allow them to be stolen.

  2. "Secure" deletion utilities repeatedly write binary patterns over the deleted filespace several times, to try to frustrate even the more sophisticated magnetic disk surface reading equipment, which can pick up the "shadows" of previous patterns of zeros and ones. However this does take quite a long time to do thoroughly.

    Even multiple deletion passes do not really obscure the magnetic track edge information, which can sometimes be used to re-construct the patterns of zeros and ones on a magnetic data storage hard disk.

  3. Magnetic de-gaussing of hard disks is also no longer guaranteed, especially if done in a hurry, as high density storage technologies such as perpendicular recording (i.e. vertically through the thickness of a magnetic coating, not just horizontally on the surface) or magneto-optical techniques, involving lasers to thermally temporarily lower the magnetic coercivity, come into use.

  4. There are also laptop / notebook / mobile phone computer hard disk drives which have large Flash Memory buffers which will contain a large amount of recent data and which will not be affected by magnetic de-gaussing.

  5. Even physical destruction of hard disks can leave traces of important data still readable, as the recording density of the technology keeps increasing. i.e. even a small fragment of a modern hard disk potentially now contains quite a lot of data.

  6. Many modern ATA / IDE hard disks (usually those with a capacity larger than 15 GB) do actually incorporate a Secure Erase function, called the ATA Security Feature Set, built into the hard disk electronics

    Some free software (HDDErase.exe) to use this feature, and plenty of other useful advice is available from the Secure Erase project, originally sponsored by the US National Security Agency, headed by one of the pioneers of hard disk technology, Dr. Gordon F. Hughes, at the Center for Magnetic Recording Research (CMRR), at the University of California San Diego (UCSD)..

  7. Whole Disk or at least Whole Volume Encryption (e.g. using TrueCrypt strong encryption software) is a viable option to frustrate data thieves, computer forensics investigators and whistleblowers, provided that the actual de-cryption pass phrases are held or stored securely e.g. not written down on a bit of paper kept in the same laptop computer bag as the hardware it is supposed to protect, so that they can both be lost or stolen together.

  8. Most Flash memory devices e.g. USB thumb/ pen drives, digital camera or mobile phone memory cards (e.g. SD or microSDHC etc.) or the flash memory buffers found in conventional magnetic disk drives used in some laptop computers, or the Solid State Drives increasingly used for performance enhancement in desktop or server computers etc. is very hard to securely delete, due to the use of "wear levelling" algorithms.

    c.f. this academic paper:

    Reliably Erasing Data From Flash-Based Solid State Drives
    Michael Wei∗, Laura M. Grupp∗, Frederick E. Spada†, Steven Swanson∗
    ∗Department of Computer Science and Engineering, University of California, San Diego
    †Center for Magnetic Recording and Research, University of California, San Diego

    Not all of the models of device tested by these researchers actually implemented the manufacturers claimed secure delete functions correctly, leaving data which can be read forensically by cheap electronics which can by pass the Flash Translation Layer of the hardware controller.

    Whole Disk encryption of the entire device using TrueCrypt will offer some reasonable degree of security, on a fresh, previously unused flash memory stick or card but if you ever need to change the encryption key, there is a risk that some or all of the previous key can be recovered forensically.


    If the old TrueCrypt Volume password / keyfile is being changed because of a possible security breach, then you should really use a fresh USB memory card (they are getting to be quite cheap now) and physically destroy the old one (needs quite a lot of physical force with a hammer etc. to grind it into dust)

    If you are in a hurry, and need to hide the data on a USB flash memory drive / card from casual "recover my lost photos" software, then using TrueCrypt to overwrite it with an encrypted Volume which entirely fills up the available capacity of the device (less , of course, any spare blocks which have been reserved by the controller for wear levelling etc.) is a better than nothing option.

  9. Under both Windows and Macintosh operating systems, there is often a local Wastebasket for "deleted" files kept on the actual USB / flash memory device itself, which also needs to be cleared out.

About this blog

We know that there are decent, honest, trustworthy individual politicians, civil servants, law enforcement, intelligence agency personnel and broadcast, print and internet journalists etc., who often feel powerless or trapped in the system. They need the assistance of external, detailed, informed, public scrutiny to help them to resist deliberate or unthinking policies, which erode our freedoms and liberties.

Some of these people will, in the public interest, act as whistleblowers, and may try to leak documents or information to the mainstream media, or to political blog websites etc.

Here are some Spy Blog "Hints and Tips", giving some basic preecautions, and some more obscure technical tips, which both whistleblowers, journalists, and bloggers need to be aware of, in order to help preserve the anonymity of whisteleblowing or other journalistic sources, especially in the United Kingdom, but applicable in other countries as well.

Whistleblower anonymity may not always be possible, or even necessary, forever into the future, but it is usuially crucial during at least the early stages of a "leak", whilst it is being evaluated by others, to see if it merits wider publication and publicity.

Email & PGP Contact

Please feel free to email your views about this blog, or news about the issues it tries to comment on.


Our PGP public encryption key is available for those correspondents who wish to send us news or information in confidence, and also for those of you who value your privacy, even if you have got nothing to hide.

You can download a free copy of the PGP encryption software from
(available for most of the common computer operating systems, and also in various Open Source versions like GPG).

We look forward to the day when UK Government Legislation, Press Releases and Emails etc. are Digitally Signed so that we can be assured that they are not fakes. Trusting that the digitally signed content makes any sense, is another matter entirely.


Tag Cloud

CryptoParty London

CryptoParty London

Most months there is a CryptoParty London event. where some of these Hints and Tips and other techniques are demonstrated and taught.

Usually at:

Juju's Bar and Stage 15 Hanbury St, E1 6QR, London

Follow on Twitter: @CryptoPartyLDN

Syndicate this site (XML):


Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign
UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card
NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.
Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid_150.jpg - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Petition to the European Commission and European Parliament against their vague Data Retention plans
Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Open Rights Group

renew for freedom - renew your passport in 2006
Renew For Freedom - renew your Passport in the Summer Autumn of 2006.

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network
Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Tor - the onion routing network
Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

Amnesty International's campaign

BlogSafer - wiki with multilingual guides to anonymous blogging

NGO in a box - Security Edition privacy and security software tools

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

wikileaks_logo_low.jpg - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.

Public Concern at Work - "(PCaW) is the independent authority on public interest whistleblowing. Established as a charity in 1993 following a series of scandals and disasters, PCaW has played a leading role in putting whistleblowing on the governance agenda and in developing legislation in the UK and abroad. All our work is informed by the free advice we offer to people with whistleblowing dilemmas and the professional support we provide to enlightened organisations."