I know what you did on your PC last summer



COMMENTARY--The old cracker practice of "dumpster diving" is about to take a very sophisticated and scary turn. Deleting a file on a disk is not enough to keep someone with a little patience and the right software from sampling every file you've ever saved to that disk.

While such a scenario is still remote for average users, with more and more personal data being stored in applications on home and office computers, it's a good idea nonetheless to start "shredding" files before physically discarding your floppies and hard drives.

When you save a file in the DOS/Windows universe, an entry is made in your PC's File Allocation Table (FAT) to record the file name, its size, and where the data lives. When a file is deleted, the entry in the FAT is simply removed, which makes the space allotted to that file available once again. It's important to note that at this point, no data is erased or overwritten.

In fact, Windows safeguards deleted files, which are sent to the Recycle Bin until the bin is emptied. This second chance is sometimes helpful if you delete an important file by mistake. However, even if the file is "emptied" or erased from the Recycle Bin, it is still possible to "undelete" a file. Software such as Norton Utilities can reconstruct the FAT entry and allow the file to be accessed once again.

In a perfect world, you might ask Windows to write new data over deleted old data. Even if Windows allowed this, some applications in Windows litter the hard drive with temporary or intermediate backup files. Thus, when you delete a saved file, you've deleted only the last, final copy--all the backups and temp files still remain.

But that's not all. When files are first saved, they fill in pre-set clusters. That's fine, as long as every file fits perfectly. Typically, the end of a file falls short, meaning there's a gap between the end of the file and the pre-set end of that final cluster. This gap is known as "slack space." If the end of a file happens to occur over a previously "erased" cluster, it's also possible to read some of the previously written data.

Additionally, saved files may also contain random pieces of RAM data, called "RAM slack." If you consider how many files, saved backups, and temporary files you may have, there's a lot of slack space on, say, a typical 4GB drive, and a lot of old data hanging around.

Note that neither reformatting nor defragging the drive erases data. So even if you defrag, delete all the files at a command prompt, and then reformat your drive, in theory someone could still recover your data. For an illustration of how slack space, RAM slack, and deleted files can work against you, take a look at a software product called EnCase; it's used by legitimate forensic investigators to crack criminal cases.

Fortunately, programs such as File Shredder and Eraser 5.1 can help. What these programs do is delete a file by overwriting the clusters with junk data. The Department of Defense requires at least seven overwrites. These programs allow up to 100 overwrites.

Another program, Evidence Eliminator, scrubs bits of files that don't appear in the FAT, that exist only in the slack space, and could be reassembled to reveal information about you or your company, including Web sites you visited long ago.

There also are ways to read the magnetic 1 and 0 signatures found on the physical drive itself. Some government agencies worldwide require that old disks be sanded or dissolved with acid. The retrieval of such minute signatures, however, requires very expensive, specialised equipment.

It's highly unlikely that you or I are worth the time and effort for such extreme data recovery. Then again, just as carbons and discarded documents found in dumpsters once fueled pranks in the early days of computing, carelessness with magnetic media today could come back to haunt us tomorrow. It's yet one more thing to consider when saving your credit card or password information to your hard drive.

ZDnet Security
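
The delete, slack-space and overwrite behaviour described above, as an added example that is not part of the original post or the ZDNet article. It is a toy in-memory model of a FAT-style volume: the `ToyVolume` class, the 16-byte cluster size and the sample data are all constructed for illustration, and temp files and RAM slack are not modelled.

```python
CLUSTER = 16  # bytes per cluster; tiny on purpose (real clusters are kilobytes)

class ToyVolume:
    """Constructed toy model of a FAT-style volume, not a real filesystem driver."""

    def __init__(self, clusters=8):
        self.disk = bytearray(clusters * CLUSTER)  # raw bytes on the medium
        self.table = {}                            # name -> (cluster chain, size)
        self.free = list(range(clusters))

    def save(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))  # ceiling division
        chain = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(chain):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster keeps old data.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (chain, len(content))

    def delete(self, name):
        chain, _ = self.table.pop(name)        # drop the table entry only
        self.free = sorted(self.free + chain)  # clusters reusable, bytes untouched

    def shred(self, name, passes=3):
        chain, _ = self.table[name]
        for p in range(passes):                # overwrite whole clusters, slack included
            fill = bytes([(0x00, 0xFF, 0x55)[p % 3]]) * CLUSTER
            for c in chain:
                self.disk[c * CLUSTER:(c + 1) * CLUSTER] = fill
        self.delete(name)

    def slack(self, name):
        chain, size = self.table[name]
        used = size - (len(chain) - 1) * CLUSTER  # bytes used in the last cluster
        start = chain[-1] * CLUSTER
        return bytes(self.disk[start + used:start + CLUSTER])

def run(shred_first):
    vol = ToyVolume()
    vol.save("card.txt", b"SECRET-PIN-0000-SECRET-PIN-0000!")  # constructed sample data
    if shred_first:
        vol.shred("card.txt")
    else:
        vol.delete("card.txt")
    vol.save("note.txt", b"hello")             # reuses the first freed cluster
    return {"slack": vol.slack("note.txt"), "raw_hit": b"PIN-0000" in vol.disk}

if __name__ == "__main__":
    print("plain delete:", run(False))
    print("shredded    :", run(True))
```

After a plain delete, the old data shows up both in the new file's slack and in a raw scan of the medium; after shredding, neither contains it.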
