Erased Files Often Aren't

You've erased the disk with DOS commands, so why is your informant database still there?

by / December 31, 1996
The statement "now you see it, now you don't," might work just fine for a magician, but it sure doesn't fit when talking about the standard DOS deletion of computer files. Unfortunately, the file's data and most of the file name remain behind. To make matters worse, potentially sensitive information -- which is unrelated to the file -- may be dumped from the memory of the computer and may be left lurking on the computer hard disk.

That's right. The e-mail message joking about your boss may still be on your hard disk drive. It is also possible that data associated with previously erased files may contain your network password and logon information.

Such information can cause serious breaches of security, unless files are securely deleted using any number of programs that are available on the market. One such program, MICRO-ZAP, is available for free download for government use from Government Technology's Web site.

Desktop and notebook computers are wonderful tools. They allow us to perform tasks more quickly and more accurately than ever before. Word processing files and e-mail messages are created effortlessly and automated spell-checkers make life easy. Database files track all types of information and allow for sorting and retrieval of the information in almost any format desired. Electronic spreadsheets make quick work of financial analysis. Worldwide information on almost any topic is just a few keystrokes away via the Internet. All of this means more in productivity and cost savings.

However, it can also mean that sensitive information may fall into the wrong hands. It is important to understand that most computers were never designed with security in mind. However, the benefits far outweigh the security risks when proper security software is used.

War stories always seem to drive the point home when it comes to computer topics, and I have a great one to share. Sorry, no names here to protect the innocent. A few years ago I was asked to give a lecture to a small but elite group of executive managers for several state police agencies.

My primary topic was to deal with possible uses of computer artificial intelligence in the identification of financial crimes. A secondary topic was to include a brief discussion about computer-evidence issues and the related training associated with the needs of these agencies.

In preparation for the meeting, I asked the coordinators of the conference to provide me with several blank floppy diskettes for the purpose of sharing law enforcement software with the agencies involved. A few days later, I received several floppy diskettes in the mail and it was readily apparent that they had previously been used.

As you can surmise, curiosity killed the cat and I put on my forensic computer science hat and took a 'forensic peek' at the diskettes. That brief examination revealed the diskettes had been sanitized and the files on all of the diskettes had been "erased" using standard DOS commands.

The recovery of the erased files took just a few minutes and the content of the actual files dealt with information that would not be considered sensitive. However, my further examination of the diskettes revealed quite a bit of sensitive data which had been written to the file slack associated with the erased files.

Without going into great technical detail, file slack is the portion of the last cluster assigned to a file that lies between the end of the file's data and the end of that cluster. Because the operating system writes only the file's own bytes, whatever was already stored in that cluster stays there. This might sound complicated, but trust me, it really isn't.
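The following added example (not from the article or from MICRO-ZAP) models a tiny FAT-style disk with 16-byte clusters to show where file slack comes from, why a DOS-style delete leaves both the file data and the slack behind, and what an overwriting secure delete changes. The cluster size, disk contents and file names are constructed for illustration.

```python
# Constructed model of a FAT-style disk: fixed-size clusters, a directory
# of name -> (cluster chain, file size), and a free list. Real DOS clusters
# ranged from 512 bytes to 32 KB; 16 bytes keeps the demonstration readable.
CLUSTER = 16

def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Unused bytes at the end of the last cluster assigned to a file."""
    return 0 if file_size == 0 else (-file_size) % cluster

class Disk:
    def __init__(self, clusters: int = 8, cluster: int = CLUSTER):
        self.cluster = cluster
        # Stale contents left by earlier files (constructed sample data).
        self.data = bytearray(b"OLD-SECRET-DATA!" * clusters)
        self.free = list(range(clusters))
        self.dir = {}      # live directory entries
        self.deleted = {}  # entries DOS has marked deleted (first byte 0xE5 on a real disk)

    def write(self, name: str, payload: bytes) -> None:
        n = -(-len(payload) // self.cluster)            # clusters needed, rounded up
        chain = [self.free.pop(0) for _ in range(n)]
        for i, c in enumerate(chain):
            chunk = payload[i * self.cluster:(i + 1) * self.cluster]
            # Only the file's own bytes are written; the rest of the last cluster
            # keeps whatever was there before: this is the file slack.
            self.data[c * self.cluster:c * self.cluster + len(chunk)] = chunk
        self.dir[name] = (chain, len(payload))

    def dos_delete(self, name: str) -> None:
        """Standard delete: directory entry marked, clusters freed, data untouched."""
        entry = self.dir.pop(name)
        self.deleted[name] = entry
        self.free.extend(entry[0])

    def secure_delete(self, name: str) -> None:
        """Overwrite every cluster in the chain (data and slack) before freeing it."""
        chain, _ = self.dir.pop(name)
        for c in chain:
            self.data[c * self.cluster:(c + 1) * self.cluster] = b"\x00" * self.cluster
        self.free.extend(chain)

    def raw_cluster(self, c: int) -> bytes:
        """What a forensic examiner reading the disk directly would see."""
        return bytes(self.data[c * self.cluster:(c + 1) * self.cluster])

    def slack(self, name: str) -> bytes:
        """Bytes in the last cluster past the end of the file (live or deleted entry)."""
        chain, size = self.dir.get(name) or self.deleted[name]
        used = size - (len(chain) - 1) * self.cluster
        return self.raw_cluster(chain[-1])[used:]
```

Writing a 28-byte file leaves 4 bytes of slack carrying the previous cluster contents; after `dos_delete` the full file text is still readable cluster by cluster, while `secure_delete` zeroes both.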

My scheduled lecture followed lunch. As one might expect, a technical presentation on the topic of computer artificial intelligence following lunch didn't make the top 10 on the "Exciting Lectures List." However, when I deviated from the agenda and started talking about the obvious need for one of the agencies to adopt a more stringent security policy, the mood quickly changed.

Graphic computer projections of their informant database, personnel grievance memos and portions of Interpol communications tended to generate the most interest in the group. Needless to say, those agencies are now believers in computer security.

Has your agency adopted a computer security policy? If not, now is the time and the first step might be to deal with the secure deletion of computer files. One thing is for sure, the price is right -- the DOS version of MICRO-ZAP is yours for free downloading and use.

Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the field of forensic computer science and artificial intelligence. Anderson pioneered the development of training courses in the processing of computer evidence.

He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929, Gresham, OR 97030.