Digital Village
INFO2 File: info2
INDEX  DELETED TIME         DRIVE NUMBER  PATH                                                SIZE
17     03/07/2008 11:53:50  2             C:\dumpster\Firefox Downloads\AdbeRdr812_en_US.exe  0
0      12/31/1969 16:00:00  0             (empty)                                             0
Figure 3. Deleted file recovery data: the parsed INFO2 index of the recycle bin. Drive number 2 is C:, and index 17 is the number Windows gave the renamed copy in the recycler (Dc17.exe). The second, all-zero record is an empty slot; 12/31/1969 16:00:00 is the Unix epoch displayed in a UTC-8 time zone, not a real deletion time.
retained includes path, file size, delete time/date, and unique recycle ID. One could recover this information with a hex editor, but it is much easier to parse it, as shown in Figure 3. In this case, I had emptied the recycle bin, sanitized it with Evidence Eliminator, and then deleted an Adobe Reader installer so that it alone is the only contained file. Note that I can recover the location of the file, the time/date it was deleted, the placement of the file within the recycler, and other information from the data recovered in the recycle bin. Until the recycle bin is emptied, this file is very much readable. But even if the recycle bin is emptied, only this metadata is lost. The actual file data remains recoverable with a hex editor (unless the clusters have been reallocated to another file, which isn't all that likely on high-capacity drives; see my August 2006 column for additional details).
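The parse that Figure 3 shows can be done with a few dozen lines of code. The script below is an added example, not the column's own tool: it decodes the Windows 2000/XP INFO2 layout (a 20-byte header followed by 800-byte records holding the ANSI path, record index, drive number, FILETIME deletion stamp, size and Unicode path) and builds a constructed INFO2 image in memory modelled on Figure 3, one live record for the Adobe installer plus one all-zero slot. The file size in the sample is made up, the deletion time is treated as UTC (recycle-bin tools normally print it in local time), and the "removed from bin" status relies on the commonly documented behaviour that Explorer zeroes the first byte of a record when that one file is restored or deleted individually.

```python
"""Parse a Windows 2000/XP Recycler INFO2 index (added example, not the column's code).

INFO2 layout (version 5, Windows 2000/XP/2003):
  header, 20 bytes : version(4) | unknown(8) | record size(4) | total logical size(4)
  record, 800 bytes: ANSI original path(260) | index(4) | drive number(4) |
                     deletion time as FILETIME(8) | physical size(4) | UTF-16LE path(520)
The index N and drive letter X name the recycled copy DX<N>.<ext> (drive C:, index 17
-> Dc17.exe).  When one file is restored or deleted from the bin, the first byte of its
record (start of the ANSI path) is zeroed; the rest, including the Unicode copy of the
path, stays in INFO2 until the index is rebuilt.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I8sII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20
RECORD_FMT = "<260sIIQI520s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 800
INFO2_VERSION_2K_XP = 5
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values modelled on Figure 3 (the size is made up).
SAMPLE_PATH = r"C:\dumpster\Firefox Downloads\AdbeRdr812_en_US.exe"
SAMPLE_DELETED = datetime(2008, 3, 7, 11, 53, 50, tzinfo=timezone.utc)
SAMPLE_SIZE = 22_003_712


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for a timezone-aware datetime."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(raw, encoding):
    """Decode a NUL-padded fixed-width field up to its first NUL."""
    return raw.decode(encoding, errors="replace").split("\x00", 1)[0]


def parse_record(raw):
    """Decode one 800-byte INFO2 record into a dict."""
    ansi, index, drive, ft, size, uni = struct.unpack(RECORD_FMT, raw)
    unicode_path = _cstring(uni, "utf-16-le")
    path = unicode_path or _cstring(ansi, "cp1252")
    if index == 0 and ft == 0 and not path:
        status = "empty slot"          # all-zero record; most tools print it as epoch 0
    elif ansi[0] == 0:
        status = "removed from bin"    # first byte zeroed: restored or deleted singly
    else:
        status = "in bin"
    letter = chr(ord("A") + drive) if drive < 26 else "?"
    name = path.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return {
        "index": index,
        "drive": letter,
        "deleted": filetime_to_datetime(ft) if ft else None,
        "size": size,
        "path": path,
        "recycler_name": "D%s%d%s" % (letter.lower(), index, ext),
        "status": status,
    }


def parse_info2(data):
    """Parse a whole INFO2 file (bytes) into a list of record dicts."""
    version, _, rec_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if version != INFO2_VERSION_2K_XP or rec_size != RECORD_SIZE:
        raise ValueError("unsupported INFO2: version %d, record size %d" % (version, rec_size))
    return [parse_record(data[off:off + RECORD_SIZE])
            for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def make_record(path, index, drive, deleted, size):
    """Build an 800-byte record the way Explorer lays it out (used for the sample)."""
    return struct.pack(RECORD_FMT, path.encode("cp1252"), index, drive,
                       datetime_to_filetime(deleted), size, path.encode("utf-16-le"))


def build_sample_info2():
    """Constructed INFO2 image: one live record plus one empty slot, as in Figure 3."""
    header = struct.pack(HEADER_FMT, INFO2_VERSION_2K_XP, b"\0" * 8, RECORD_SIZE, SAMPLE_SIZE)
    return header + make_record(SAMPLE_PATH, 17, 2, SAMPLE_DELETED, SAMPLE_SIZE) + b"\0" * RECORD_SIZE


if __name__ == "__main__":
    import sys
    # Pass a real C:\RECYCLER\<SID>\INFO2 as argv[1]; with no argument the sample is parsed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_info2()
    for r in parse_info2(data):
        print("%-4d %-16s %s  %s  %10d  %s  %s" % (r["index"], r["status"], r["drive"],
              r["deleted"], r["size"], r["recycler_name"], r["path"]))
```

Two points worth noting when running this against a real index: the Unicode path survives a zeroed first byte, so a record an Explorer-based tool would skip is still attributable, and a Windows 95/98/ME INFO2 (version 4, 280-byte records without the Unicode path) is deliberately rejected rather than mis-parsed.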
Another interesting twist is that even if image files are deleted, the recycle bin has been emptied, and the registry and disk have been sanitized, thumbnails of those images might still be recoverable if they were ever indexed by Windows Explorer, because the image index, THUMBS.DB, stays behind in the folder as a hidden file. On Windows XP it is an OLE compound document holding a small JPEG for each image that was shown in thumbnail view, and deleting the images does not remove their entries. (Windows Vista and later keep thumbnails in a per-user cache under the user's profile instead, which changes where to look but not the exposure.)
CONCLUSION
It is important that the computer
user understand BRAP forensics
because of its potential for invasion
of privacy. Far from innocuous,
browsers and applications software
may reveal more of our behavior
than we expect. In terms of subtlety, BRAP forensics goes beyond
the older, more traditional areas of
computer activity mining. Where a
computer log provides information
that is relatively objective and
impersonal, BRAP forensics provides information that is subjective
and personal. Think of it this way:
knowing that someone logged into
a computer and used a word
processor is far less invasive than
knowing that someone created a
document for a specific person, visited a sequence of Web sites,
viewed certain image files, saved
the document, and then copied it
to a USB memory stick with a
known unique ID. BRAP forensics
drills down to this level of granularity. And the small form factor of
today’s removable storage media
encourages the circulation of personal and private information.
What I find most objectionable
is that the production of this data
residue is counterintuitive. The
bottom line is that this residue
exists for the convenience of
myopic software developers who
believe their vision of computer use
is so incontrovertible that there is
no need to entertain other points
of view, such as those that put a
premium on safeguarding personal
privacy. How difficult would it be
to offer the user complete control
over the backup of non-system files
and metadata? Or to allow users
the option of browsing the Web
without recording tracking cookies
or URL histories? Or to create a
file system where “delete” actually
means delete. To the typical user,
learning of these developer excesses
retroactively is akin to learning that
all of the world’s typewriters had
been secretly producing invisible
carbon copies for Interpol. Who
would have imagined that anyone
ever thought this was a good idea?
While hardware-based encryption
systems like BitLocker are an
improvement, software use of personal information should follow
the “need-to-know” paradigm.
Encrypting data residue is never as
effective as not storing it in the first
place. c
HAL BERGHEL is associate dean of the Howard R. Hughes College of Engineering at the University of Nevada-Las Vegas, the director of the Center for Cybersecurity Research (ccr.i2.nscee.edu), and co-director of the Identity Theft and Financial Fraud Research and Operations Center (www.itffroc.org).