4 Replies Latest reply on Dec 20, 2013 8:58 AM by rmetzger

    Shredding previously deleted files

      I've been using the Shredder facility to shred my files recently but just wondered whether there's a way to shred files deleted in the past (deleted using the standard delete / empty bin option) before I learned about Shredder?

       

      Thanks,

       

      Rg.

        • 1. Re: Shredding previously deleted files
          Hayton

          Good question. That's a tricky one, and depends on how long ago the files were deleted. When you do a standard Windows 'Delete' and the files go to the Recycle Bin, all that happens is that Windows marks the files in its indexes as 'no longer needed'. That's why you can get them back easily if you change your mind - Windows just removes that flag from the file(s). When you empty the Recycle Bin, Windows just deletes the entries for those files from the indexes. The file contents are still there on disk, which is why criminal forensics often has no trouble in seeing 'deleted' content.

           

          As time goes by, of course, new files get created and may overwrite the 'deleted' files. The longer you leave it, the harder it is to get back all the information from the deleted files. If you do a disk defrag, the gaps where the deleted files used to be will be overwritten by the disk reorganisation.

           

          However, there is a program (at least one) which is free, intended for non-specialists, and is pretty effective. Recuva, from Piriform, will attempt to recover deleted files. The Deep Scan option can take several hours, and if that can't get a deleted file back then it's gone, as far as you're concerned. (The forensic specialists at the FBI/FSB/Shin Bet/MI5 have similar programs to find deleted information, but they're probably not going to publicise how they do it too much.)

           

          If you can get back a deleted file using Recuva, then you might, in certain circumstances, want to shred it thoroughly. Shredding is a misnomer. What 'Shred' does is to perform multiple overwrites of the disk space allocated to the file. The more overwrites, the more effectively the file contents are rendered unrecoverable. I believe the Gold Standard for file destruction used to be DoD 5220.22-M, but the DoD (and by implication the NSA, CIA, DHS and all the rest of the acronym-obsessed community) now insist that nothing less than degaussing or physical destruction will do. You might not want to go that far. Their point is that recent advances in recovery techniques make it impossible to guarantee that everything that should be deleted is totally gone forever.

           

          The usual algorithm used for secure shredding is still, I believe, the Gutmann method, which makes 35 passes over the data with a random pattern of overwrites on each pass. That method may not be as effective as it used to be, but is still pretty good. McAfee I believe allows up to 10 passes over the data to be deleted; the shredder in Glary Utilities likewise. Others may offer more. Be aware that the more overwrites, the longer the operation takes - an obvious point to make, but if you have many files to shred then it can be very noticeable. It all depends how fast your disk access and disk operations are.

           

          The best you're probably going to get is the file shredding offered by Recuva itself -

          http://www.piriform.com/recuva/features/securely-delete-files-you-want-to-erase-forever

           

          To make sure the 2009 budget is gone for good, run Recuva and search for documents on that drive. When Recuva finds the 2009BUDGET.xls file, right-click it and select SecureOverwrite.

           

          Recuva overwrites the portion of the hard drive where the ghost of 2009BUDGET.xls lives repeatedly until no recovery software (Recuva included) can ever get the file back.

           

          And don't forget that your disk's free space will probably contain some parts of deleted files, which may not be recoverable by standard (free) programs. Wiping free space is an extra safeguard, but make sure to defrag your free space first.  I once wiped free space and messed up a couple of hundred files which were scattered across it. And of course, temp copies of deleted files could be stored in your page file, and your hibernation file .... there are ways to get information back from those two areas.

           

          Further info (and there's lots of it out there, some of it very illuminating) :

          http://en.wikipedia.org/wiki/List_of_data_erasing_software

           

          http://en.wikipedia.org/wiki/Data_remanence

          http://www.pcmag.com/article2/0,2817,2387179,00.asp

           

          http://www.nber.org/sys-admin/overwritten-data-gutmann.html

           

           

          I hope that answers your question. Here's some extra reading, in case you wondered about what digital forensics can do ...

          http://www.magnetforensics.com/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/

          http://www.magnetforensics.com/part-2-oh-no-the-suspect-wiped-free-space-to-get-rid-of-the-digital-evidence/

          http://www.magnetforensics.com/how-private-is-internet-explorers-inprivate-browsing-first-define-private/

          • 2. Re: Shredding previously deleted files

            Wow - many thanks for the comprehensive response. Very useful and interesting too.

             

            Rg.

            • 3. Re: Shredding previously deleted files
              kooltay

              I have heard of it, I know nothing about it, Data Recovery is the one I see recommended the most. I had to use Data Recovery once many years ago on a family member's machine and recovered quite a bit, but it was a purchased version.

              Try the Data Recovery and see if it finds anything (what have you got to lose? as of now you have already lost data) I would try the trial version and see if it recovers anything before thinking about buying the full package. If it does not recover anything then I would not buy it. Maybe then you might try the Data Recovery trial and see if that recovers anything.

              • 4. Re: Shredding previously deleted files
                rmetzger

                rg001c7345 wrote:

                 

                Wow - many thanks for the comprehensive response. Very useful and interesting too.

                Agreed. Thank you Hayton.

                 

                Microsoft (via Sysinternals and Mark Russinovich) has a tool to help with such issues called SDelete.

                http://technet.microsoft.com/en-us/sysinternals/bb897443

                 

                The description of this problem is fairly interesting to security wonks like myself.

                 

                For your use try (from a cmd prompt):

                 

                SDelete -c C

                 

                which would clean the free space (-c parameter) on drive C: (C parameter). As Hayton said, try defragging the drive prior to using SDelete, to improve performance.

                 

                For VM cleaning, try:

                 

                SDelete -z V

                 

                which would zero out free space on the virtual drive space, on drive V: (presuming V: is the virtual drive letter assigned).

                 

                One area not discussed is 'Slack Space.' This is the area at the end of every file which does not end on the actual end of a cluster, which could and usually does contain other data from a previous file. So, if a file is 4093 bytes long, and a cluster allocates 8192 bytes (say), the remaining 4091 bytes of space at the end of the file but before the end of the cluster, is Slack Space. Unfortunately, some malware may use this space to hide code or data for their code. SDelete does not address slack space.

                 

                Additionally, SDelete does not clear Directory Entries, so it is still possible to find file names even if the file's content may be unrecoverable. (Still a data loss if the name of a file could be used.)

                 

                Good luck,

                Ron Metzger
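
The overwrite-then-delete idea discussed in this thread, as an added illustration that is not part of any post above and is not how McAfee Shredder, Recuva or SDelete are implemented. It handles only a file that still exists (not previously deleted files, free space, the page file or the hibernation file), pads each pass to a cluster boundary so the slack at the end of the last cluster is written too, and renames the file before removing it. The function names, `CLUSTER_SIZE` and the pass count are assumptions made for the example; whether an in-place write lands on the same physical sectors depends on the filesystem and the storage device.

```python
import os
import secrets
import tempfile

CLUSTER_SIZE = 4096  # assumption: look up the real cluster size of the volume


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the end of the file and the end of its last cluster."""
    return (-file_size) % cluster_size


def shred_file(path, passes=3, cluster_size=CLUSTER_SIZE):
    """Overwrite an existing file in place, then rename and delete it."""
    size = os.path.getsize(path)
    padded = size + slack_bytes(size, cluster_size)  # include the last cluster's slack
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = padded
            while remaining:
                chunk = min(remaining, 1 << 20)
                # Random data on every pass except the last, which writes zeros.
                fh.write(bytes(chunk) if n == passes - 1 else secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # force this pass to the device before the next
    # Best effort: rename so the name removed from the directory is a random one.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return padded  # bytes written per pass


def demo():
    """Constructed sample: a 4093-byte file on an assumed 8192-byte cluster."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"S" * 4093)
    written = shred_file(path, passes=3, cluster_size=8192)
    return slack_bytes(4093, 8192), written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```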