|Deleted computer files never truly gone
by Sarah McCaffrey
96th Air Base Wing Public Affairs
3/10/2005 - EGLIN AIR FORCE BASE, Fla. (AFPN) -- What you don’t know can hurt you, especially when it comes to deleting computer files.
A recent court-martial here involved an Airman who was convicted for possessing child pornography on his home computer. The Airman thought he was covering his tracks by deleting the incriminating computer files from his computer. He even tried to erase the information from the hard drive, said 96th Air Base Wing legal officials.
In this case, what the Airman didn’t know hurt him.
“Whenever you delete a file, you’re really not deleting the file,” said Georges Stokes, system administrator for Air Armament Center plans and programs office. “The data is still technically there.”
The information that people attempt to delete from their computers varies from user to user said Special Agent Robert Renko, Defense Computer Forensics Laboratory director of operations.
“People will sometimes try to delete things they that they think are the ‘smoking gun,’” he said. “For example, if we’re doing a computer forensic exam for a fraud investigation, we might find deleted documents, spreadsheets and e-mails. On the other hand, in a child pornography investigation, we see more deleted pictures, movies and Web pages.”
One of the most common ways people try to delete files from their computer is by moving a file to the recycling bin on their computer, Agent Renko said. Most users think this deletes all traces of the file, but there are other clues, like digital footprints, that can be traced back to the file.
Digital footprints are created in multiple places each time a person opens a file. When people delete files, they don’t often think to delete the many digital footprints left behind each time a document is opened, Mr. Stokes said. Although the user may not be able to retrieve the file once they have deleted it, the digital traces indicate the file did exist on the computer.
“Sometimes all that is needed for burden of proof is a file name,” Mr. Stokes said.
Digital footprints are not the only evidence forensics analysts can recover from supposedly deleted files. Analysts can restore files completely and even retrieve all of the information from a certain time period on a computer.
“Our forensics experts are able to recover some pretty amazing things,” Agent Renko said. “A Department of Defense investigator recently shipped us evidence where she wanted us to completely reconstruct a 48-hour time period on a suspect’s computer. We were able to do that showing every e-mail sent, every Web page viewed and every program that was run.”
The technology available to these analysts can help them recover data even if someone attempts to completely reformat or destroy his or her hard drive, Agent Renko said.
“We receive at least one hard drive a week that is damaged in some way,” Agent Renko said. “This week we’re working on a drive that the owner attempted to destroy by throwing (it) in a tank of home heating oil.”
Recovering information from a computer drive doused in heating oil may seem like a tedious and daunting task, but when the outcome is considered, it’s worth the work, Mr. Stokes said.
“It’s a time consuming process, but when you’re dealing with people’s indiscretions, time is not a factor,” Mr. Stokes said.