Damon Hacker, Vestige President, is presenting to the SAME Mt. Tacoma Post & engineering students at the University of Washington-Tacoma on April 9.

Data Destruction (Part 4 of 4)

Articles

Data Destruction (Part 4 of 4)

Author photo
Vestige Digital Investigations, President, CEO and Founder
MBA, CISA, CSXF, CMMC-RP

Top 10 popular data destruction software programs

This blog is the last in our four-part series on Data Destruction.

Here are 10 popular Data Destruction Programs:

  1. BCWipe
  2. CCleaner
  3. Darik’s Boot & Nuke (DBAN)
  4. Disk Wipe
  5. Eraser
  6. Evidence Eliminator
  7. KillDisk
  8. Registry Mechanic
  9. White Canyon – WipeDrive
  10. Window Washer

Strengths & Weaknesses

Each of these data destruction programs has their own strengths and weaknesses. For example: some of these tools remove the actual data and some of them only remove references to the data but don’t actually touch the data itself, still others only scramble the metadata making it more difficult to locate the data – but again, leaving the data alone.

An analogy to help understand how data is stored and deleted is to think about a traditional library with books on the shelves and a card catalog.  Think of the card catalog containing metadata (similar to a Windows filesystem keeping filenames, dates of creation, modification, etc. in its Master File Table (MFT)).  Think of the shelves as the storage media (i.e. hard-drive) and the books on the shelves as being the actual file contents.  This library works a little different than the traditional, in the sense that patrons to the library are not allowed to go directly to the shelves or the card catalog; they must ask the librarian for assistance.  The librarian consults with the card catalog to determine the location of the book in question, retrieves the book and returns it to the patron.

But let’s say that at some point in time the librarian needs to “delete” a book.  For efficiency purposes, the librarian doesn’t go to the shelf and remove the book.  Instead, the librarian goes to the card catalog and simply “dog ears” the corner of the corresponding card – doesn’t even remove the card from the catalog because that takes too much energy.

That is similar to the process of deleting a file – the file itself is not removed, it is merely “marked for deletion” in the card catalog.  Now let’s pretend that another patron comes in to request that “deleted” book.  The librarian diligently refers to the card catalog and finds that the card has been dog-eared.  The patron is promptly notified that the book is no longer available, as it has been “deleted”.  Yet, the reality is that the book may still be on the shelf.  In fact, if the patron had access and the know-how, they could go to the shelf and find the book.  (They are now a forensic examiner).

One could imagine a scenario where the librarian needs additional space for a new book, at which point in time the librarian consults the card catalog and determines that the book is eligible for removal – at which point in time the book is physically removed.

In our scenario, you can imagine a time when both the card in the card catalog and the book on the shelf exist even though the book has been marked for deletion.  Both components could be recovered successfully.  You could also have a scenario where the book itself has been removed but the card in the card catalog still exists.  In that situation, the content itself is gone, but the card catalog provides proof of the file’s existence (along with other metadata such as date and time the library acquired the book (creation date), the last time it was checked out (accessed date), etc.).  Next, you could have a situation where the librarian needs space in the card catalog and removes the card but never touches the book on the shelf.  Therefore, in this case the content itself would be accessible even though the card catalog doesn’t show it in existence.  Finally – and this is the scenario that most people believe happens when they delete an item – is that BOTH the card in the card catalog and the book on the shelf are actually removed.  In that case the content itself is gone as well as evidence that the content once existed.

Data destruction programs work to remove one or both of these types of data (content and metadata) – but all are not created equal. Vestige has extensive experience reviewing, investigating and working with a wide range of these so-called “data destruction” applications. It is our experience that the effectiveness of each is all over the board. Some of the applications do a really good job of removing the information in the card catalog.  Some do a great job at removing the actual data but keep the metadata (card catalog). Others do a good job of removing all the content and then, believe it or not, there are some applications that don’t do a good job of removing either.

What’s important to know

When you’re using an application, whether it’s the ones mentioned above or others, to destroy data for the purpose of “security”, performing this kind of data destruction is a good thing.  After all, that’s what these data destruction programs are designed to do. But, it is important to understand whether the application actually removes the data in question or just “pretends” to do so.

Recognize from a forensic standpoint EVERY data destruction program leaves traces or artifacts behind that may have forensic evidential value.  That’s where forensic Experts like Vestige play a key role.  We specialize in uncovering not only digital content, but also the hidden artifacts that get left behind. (ie. when programs were downloaded, if they were used, how long they were used, how much data was deleted and much, much more).  It is also possible that the data isn’t completely removed because of the application that was used or that the evidence in question exists in multiple locations and missed by the destruction utility.  It’s with that in mind that I can’t underscore enough the importance of getting a forensic investigator involved early into your matter or investigation.

SERIES:

Data Destruction – Part 1: Is Data Really Gone from your Digital Device When Deleted?
Data Destruction – Part 2: Can you Permanently Delete Data on a Computer?
Data Destruction – Part 3: Can you wipe/overwrite data without using a data destruction program?
Data Destruction – Part 4: Top 10 Popular Data Destruction Programs (ABOVE)

By Damon S. Hacker, MBA, CCE, CISA, CSXF
President & CEO at Vestige Digital Investigations

For more information CONTACT US.