Thursday, May 1, 2008

Cleaning old data from your PC

Your PC and the United States government
The government now seems to be fixated upon finding out whether your computer contains pornographic material or other so-called contraband, such as information about making explosives. There have been many reported instances where personal computers have been seized and their contents investigated. In at least one case, a child was charged with being a sexual offender for something found on his computer. If you have a personal computer that uses the Windows operating system, it is important to understand that every file from every web-page you may have visited, by accident or design, remains on your computer’s hard disk unless you delete it. Deleting such files is difficult because they are hidden.

Deleting files does not remove the file data

Most PC users know that deleting some pictures or correspondence from their computer does not really make it go away. Only the directory entries are deleted, freeing up space for new files. If you really want to delete the data and make certain that it can never be recovered, you need to overwrite the disk space that was previously occupied by the files you want completely deleted.

I made a simple program that does just that. Its source-code and executable file are available from this link:

http://www.AbominableFirebug.com/Sources/Security.zip

After you delete anything you don’t want snoopers to see, just execute the program and it will create a file that is large enough to fill the whole disk. Then it deletes the file and creates another one with a different data pattern. After four different data patterns are written, the program deletes its work file a final time, freeing up the disk space that it used. The final result will be that all the unused space on your hard disk is now filled with a pattern that completely eliminates anything that may have been previously written in the old file space.
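
The fill-and-delete passes described above, written out as an added Python example; it is not the author's program from Security.zip. The four pattern bytes, the work-file name and the max_bytes cap are assumptions, since the page does not give them.

```python
import errno
import os

# Assumed pass patterns: the page says four patterns but does not name them.
PATTERNS = (b"\x00", b"\xff", b"\xaa", b"\x55")
CHUNK = 1 << 20  # write in 1 MiB blocks


def overwrite_free_space(directory, patterns=PATTERNS, max_bytes=None,
                         work_name="wipe.tmp"):
    """Fill the free space of the volume holding `directory` once per
    pattern, deleting the work file after every pass.

    Returns the number of bytes written in each pass. `max_bytes` and
    `work_name` are hypothetical knobs: the cap allows a trial run, and
    None means "write until the volume reports it is full".
    """
    path = os.path.join(directory, work_name)
    written_per_pass = []
    for pattern in patterns:
        block = pattern * CHUNK
        written, size = 0, CHUNK
        try:
            with open(path, "wb", buffering=0) as fh:
                while size and (max_bytes is None or written < max_bytes):
                    want = size if max_bytes is None else min(size, max_bytes - written)
                    try:
                        written += fh.write(block[:want])
                    except OSError as exc:
                        if exc.errno != errno.ENOSPC:
                            raise
                        size //= 2  # nearly full: retry with a smaller block
                # Force the pattern onto the device; without this the data
                # may only ever exist in the OS cache before the delete.
                os.fsync(fh.fileno())
        finally:
            if os.path.exists(path):
                os.remove(path)
        written_per_pass.append(written)
    return written_per_pass
```

Overwriting free space this way does not touch file slack, data still inside allocated files, or flash blocks held back by SSD wear levelling.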

Scare tactics
The local police departments may not like you to clean up unused file-space in your private PC. Be warned. I have already received the following Email message:
You have provided a software program whose primary function appears to be the deletion or overwriting of data which may be essential for the prosecution of criminal cases. As such, you may be in violation of the amendments to FRCP 16, 26, 33, 34, 37 and 45, relating to electronically stored data. Deliberately destroying data which may be useful as evidence in a criminal proceeding is a violation of law for which you may be prosecuted under several statutes.

Also note
If a computer whose old data has been removed is obtained during the investigation of a possible crime, the removal may be considered evidence that the computer previously contained contraband. As stupid as this may seem, it is not advised that you use this program on computers that don't belong to you, such as those owned by the company for whom you may work. Investigators expect to see a large amount of cached data in a hidden directory called “Local Settings.” If these unused hidden files have been removed, investigators may think that pornographic files or other contraband may have existed and then been deleted.

A command-script to delete these unused and possibly unwanted files can be written like this:

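@echo off
rem Run from the user's profile folder (the one that contains "Local Settings").
rem Every cd is checked: if a folder is missing the script stops, so del
rem never runs recursively in the wrong directory.

rem Clear the hidden, read-only and system attributes so del can see the files.
attrib -H -R -S /S /D

cd "Local Settings" || exit /b 1
cd Temp || exit /b 1
del /S /Q *.*
for /D %%d in (*) do rmdir /S /Q "%%d"
cd ..
cd "Temporary Internet Files" || exit /b 1
del /S /Q *.*
for /D %%d in (*) do rmdir /S /Q "%%d"
cd ..
cd History || exit /b 1
del /S /Q *.*
for /D %%d in (*) do rmdir /S /Q "%%d"
cd ..\..\Cookies || exit /b 1
del /S /Q *.*
cd ..\Recent || exit /b 1
del /S /Q *.*
cd ..\UserData || exit /b 1
del /S /Q *.*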

If a script such as this is run before the file security program, it is unlikely that any contraband would be found on the computer regardless of anything that it may have previously contained. This script does not delete any of the user's work nor anything that is necessary for the proper function of the computer programs. It simply deletes old junk that was retained when a user accessed Internet web pages.

Be warned
If a police investigator found such a spotless computer hard disk drive, he might be tempted to plant whatever evidence he expected to find.
