Figure 3. Deleted file recovery data: a parsed INFO2 file (file: info2) listing INDEX 17, DELETED TIME 03/07/2008 11:53:50, DRIVE NUMBER C, PATH C:\dumpster\Firefox Downloads\AdbeRdr812_en_US.exe, and SIZE for the one live entry, followed by an empty record whose zeroed timestamp renders as 12/31/1969 16:00:00.
retained includes path, file size, delete time/date, and unique recycle ID. Of course, one could recover this information with a hex editor, but it is much easier to parse it, as shown in Figure 3. In this case, I had emptied the recycle bin, sanitized it with Evidence Eliminator, and then deleted an Adobe Reader installer so that it was the only file the bin contained. Note that I can recover the original location of the file, the time and date it was deleted, its placement within the recycler (the record index, which also names the renamed copy, here Dc17.exe, that the recycler keeps), and other information from the data in the recycle bin. Until the recycle bin is emptied, this file is very much readable. Even after the bin is emptied, only this metadata is lost: the actual file data remains recoverable with a hex editor unless its clusters have been reallocated to another file, which is not all that likely on high-capacity drives (see my August 2006 column for additional details).
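The record layout that Figure 3 was parsed from is simple enough to walk by hand. The following parser is an added example written for this page, not a tool from the column or from Evidence Eliminator; it reads the Windows 2000/XP INFO2 format (a 20-byte header followed by 800-byte records, each holding the ASCII path, the record index, the drive number, a 64-bit FILETIME deletion stamp, the on-disk size, and a UTF-16 copy of the path). The INFO2 bytes it parses are constructed inline; the path and timestamp mirror Figure 3 but the record itself is synthetic, and the assumed deletion time is stored in UTC as FILETIME requires. Note that Vista and later replaced INFO2 with per-file $I records under $Recycle.Bin, so this parser applies to XP-era bins only.

```python
"""Parse a Windows 2000/XP INFO2 recycle-bin index (added example, not the column's code).

INFO2 record layout (800 bytes on the NT family):
  0x000  ASCII original path, 260 bytes, NUL-terminated
  0x104  record index (DWORD)          -> the N in the recycler's D<drive><N>.<ext> copy
  0x108  drive number (DWORD, 0 = A:)
  0x10C  deletion time (FILETIME, 100 ns ticks since 1601-01-01 UTC)
  0x114  physical size on disk (DWORD)
  0x118  UTF-16LE original path, 520 bytes
When a single entry is restored or removed, Windows nulls the first byte of the
ASCII path but leaves the Unicode path, so the record is still recoverable.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<5I"   # version, reserved, reserved, record size, total file size
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20
REC_SIZE = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME ticks -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (inverse of filetime_to_dt)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per record; cleared entries are flagged but still decoded."""
    _version, _, _, rec_size, _total = struct.unpack_from(HEADER_FMT, data, 0)
    if rec_size != REC_SIZE:
        raise ValueError(f"unsupported INFO2 record size {rec_size}")
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        letter = chr(ord("A") + drive)
        path = uni_path or ascii_path
        records.append({
            "index": index,
            "drive": letter,
            "path": path,
            "deleted": filetime_to_dt(ft),
            "size": size,
            # Name of the renamed copy inside the recycler, e.g. Dc17.exe.
            "recycled_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
            # First ASCII byte nulled: entry restored/removed, yet still carved here.
            "cleared": rec[0] == 0,
        })
    return records


# --- constructed sample data (not a real capture) -------------------------
def build_record(index, drive, path, deleted, size, clear_ascii=False):
    ascii_part = path.encode("latin-1").ljust(260, b"\x00")
    if clear_ascii:
        ascii_part = b"\x00" + ascii_part[1:]
    uni_part = path.encode("utf-16-le").ljust(520, b"\x00")
    return ascii_part + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted), size) + uni_part


def build_info2(records):
    body = b"".join(records)
    # Version 5 is what XP writes (assumption for the sample; the parser ignores it).
    return struct.pack(HEADER_FMT, 5, 0, 0, REC_SIZE, HEADER_LEN + len(body)) + body


SAMPLE_INFO2 = build_info2([
    build_record(17, 2, r"C:\dumpster\Firefox Downloads\AdbeRdr812_en_US.exe",
                 datetime(2008, 3, 7, 19, 53, 50, tzinfo=timezone.utc), 24_576),
    build_record(18, 2, r"C:\dumpster\secret.jpg",
                 datetime(2008, 3, 7, 20, 1, 0, tzinfo=timezone.utc), 4_096, clear_ascii=True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = "  [ASCII name cleared]" if r["cleared"] else ""
        print(f"{r['index']:>5} {r['deleted']:%Y-%m-%d %H:%M:%S} UTC {r['drive']}: "
              f"{r['size']:>8} {r['path']} -> {r['recycled_name']}{flag}")
```

Run against a real info2 file with `parse_info2(open(path, "rb").read())`; the FILETIME is converted to UTC, so shift it to the machine's local zone before comparing with a display such as Figure 3.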
Another interesting twist: even if image files have been deleted, the recycle bin emptied, and the registry and disk sanitized, thumbnails of those images may still be recoverable if Windows Explorer ever indexed their folder, because the thumbnail cache, Thumbs.db, stays behind in the folder.
CONCLUSION
It is important that computer users understand BRAP forensics because of its potential for invasion of privacy. Far from innocuous, browsers and application software may reveal more of our behavior than we expect. In terms of subtlety, BRAP forensics goes beyond the older, more traditional areas of computer activity mining. Where a computer log provides information that is relatively objective and impersonal, BRAP forensics provides information that is subjective and personal. Think of it this way: knowing that someone logged into a computer and used a word processor is far less invasive than knowing that someone created a document for a specific person, visited a sequence of Web sites, viewed certain image files, saved the document, and then copied it to a USB memory stick with a known unique ID. BRAP forensics drills down to this level of granularity. And the small form factor of today's removable storage media encourages the circulation of personal and private information.
What I find most objectionable is that the production of this data residue is counterintuitive. The bottom line is that this residue exists for the convenience of myopic software developers who believe their vision of computer use is so incontrovertible that there is no need to entertain other points of view, such as those that put a premium on safeguarding personal privacy. How difficult would it be to offer the user complete control over the backup of non-system files and metadata? Or to allow users the option of browsing the Web without recording tracking cookies or URL histories? Or to create a file system where "delete" actually means delete? To the typical user, learning of these developer excesses retroactively is akin to learning that all of the world's typewriters had been secretly producing invisible carbon copies for Interpol. Who would have imagined that anyone ever thought this was a good idea? While TPM-backed disk encryption systems like BitLocker are an improvement, software use of personal information should follow the "need-to-know" paradigm. Encrypting data residue is never as effective as not storing it in the first place.
HAL BERGHEL is associate dean of the Howard R. Hughes College of Engineering at the University of Nevada-Las Vegas, the director of the Center for Cybersecurity Research (ccr.i2.nscee.edu), and co-director of the Identity Theft and Financial Fraud Research and Operations Center (www.itffroc.org).