Computer Forensics: What Valuable Information Do You Leave Behind?
Myra O. Santos | Dec 01, 2011
While on Facebook
It is probably safe to assume you have a Facebook profile, and let’s say you just received a friend request from someone you know. Nice, but not so fast. Unless you have taken the time to review all of Facebook’s privacy settings, I would not accept the friend request just yet. Protect yourself first.
For instance, if your privacy settings make your profile and posts visible to “Friends of Friends”, are you sure you know your friend’s friends? Similarly, when you allow people to ‘tag’ you in pictures, you are leaving your personal information unprotected, because each tag is basically a link to your Facebook profile. Other things to look out for include contact information you provide to friends – and, by extension, the third-party applications they use on their profiles – as well as information that is automatically public. As Facebook points out, “some things (like your name and profile picture) do not have sharing icons because they are always publicly available. As a general rule, you should assume that if you do not see a sharing icon, the information will be publicly available.”
The amount of personal information available on the internet is unbelievable. The worst part is, users don’t realize this at all. On Facebook alone, users tend to advertise where they have been, where they are currently at and what they are planning to do – today or tomorrow. Their profile contains their contacts, personal interests, birthdate, and the infamous “What’s on your mind” status. If an investigation is warranted, Facebook can be used as a “tool” to “profile” someone and track his or her whereabouts and activities. True, Facebook will require a subpoena before it turns over someone’s profile but, yes, it can be done. Facebook does share.
Temporary Internet Files
It is also good to check your computer browser settings. This is where your (Internet Explorer) browser keeps track of where you have been online. You will be surprised by what you find by simply viewing your Temporary Internet Files. This directory even includes date and timestamps for when you visited websites. You may find this helpful or not – it depends on the situation. Should you want to clean up your internet trail, is deleting really deleting?
Deleting files – really?
Getting rid of unwanted files is not as easy as you think it is. If you think that by hitting the delete key, data is gone forever, you are wrong. If you think that clicking on Empty Recycle Bin erases the files irretrievably, you are wrong again. How about if you go to the DOS prompt and issue a delete command? Will this do the trick? Nope, wrong again.
If you search online for “undelete files,” you will get more than 8 million hits on this topic. You will also find tons of software that will assist with undeleting files. They do work.
When a file is deleted from the Recycle Bin, depending on which operating system is installed on the computer, usually only the “pointer” to the location of the file on the hard drive is deleted or renamed. The actual data stays intact until that particular space on the drive is actually reused by another file. To restore the file, an undelete application simply scans the free space on the drive and then recreates the pointer or index.
This is why it is important that, as soon as you realize the need to restore a deleted file, you should not add any data to your laptop or desktop so as to reduce the risk of overwriting your deleted files before you can retrieve them. Remember that the data is retrievable if it has not been over-written by another file. This is true on any type of storage, i.e., USB external drives, those cute little thumb drives and the super-tiny SD cards in cell phones or cameras.
So, as soon as a computer is declared as evidence, all processing on it must be stopped to preserve the current state of the laptop and a computer forensic examiner must be contacted to handle the examination of the hard drive. The forensic examiner will scan the deleted files from a different computer or drive so as not to write over any free space on the evidence hard drive.
You may be tempted to purchase an undelete files application online and do this yourself. This is OK for personal use but my advice is to get a forensic examiner to do this if working with an evidence computer.
Securely wiping the contents of the hard drive media
Now, if your real intention is to completely delete a file, then I suggest you search online, this time for “secure wipe” or “disk wipe”. You should get about 2 million results. Why do you need this? Secure wipe applications will go through every bit of free space and over-write each bit with a 0 (depending on the application) to ensure that all free space is written over and no data is recoverable. This is a must before donating your old computer. Why? Yes, you are right this time. Simply reformatting your computer leaves your data behind, making it potentially accessible to strangers.
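The deletion and secure-wipe behaviour described in the two sections above can be seen in a small model. This is an added example, not code from the original article: `ToyDisk`, its 16-byte clusters and the sample file contents are constructed for illustration and do not correspond to any real file system or tool.

```python
CLUSTER = 16  # bytes per cluster in this toy model (constructed value)

class ToyDisk:
    """Constructed model: raw clusters plus an index of name -> cluster numbers."""
    def __init__(self, clusters=8):
        self.data = bytearray(CLUSTER * clusters)
        self.index = {}  # the "pointers": file name -> list of cluster numbers

    def _free(self):
        used = {c for chain in self.index.values() for c in chain}
        return [c for c in range(len(self.data) // CLUSTER) if c not in used]

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)  # ceiling division
        free = self._free()
        if need > len(free):
            raise OSError("disk full")
        for i, c in enumerate(free[:need]):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk
        self.index[name] = free[:need]

    def delete(self, name):
        del self.index[name]  # only the pointer is removed; the bytes stay put

    def scan_free_space(self):
        """What an undelete tool does: read unallocated clusters for leftovers."""
        blocks = (bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in self._free())
        return [b.rstrip(b"\0") for b in blocks if b.strip(b"\0")]

    def wipe_free_space(self):
        """What a secure-wipe tool does: overwrite every unallocated cluster with 0s."""
        for c in self._free():
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def demo():
    disk = ToyDisk()
    disk.write("notes.txt", b"meet at 9pm, dock 4")  # constructed sample content
    disk.write("keep.txt", b"grocery list")
    disk.delete("notes.txt")
    after_delete = b"".join(disk.scan_free_space())   # whole file still readable
    disk.write("new.txt", b"X" * CLUSTER)             # new data reuses a freed cluster
    after_reuse = b"".join(disk.scan_free_space())    # only a fragment survives
    disk.wipe_free_space()
    after_wipe = disk.scan_free_space()               # nothing left to recover
    return after_delete, after_reuse, after_wipe

if __name__ == "__main__":
    print(demo())
```

The three results show the full deleted file right after deletion, a partial fragment once new data has been written to the drive, and nothing after the free space is wiped, while the file still listed in the index is left untouched.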
Happy computing!
Myra O. Santos is the Information Security Professional & Certified Computer Examiner for e5. She is also a board member for The Law Center. The information contained is to ignite one’s curiosity regarding digital evidence and social media and is for educational purposes only.



