September 29th, 2005, 12:15 PM
Anyone think that Evidence Eliminator is not working
Anyone think that Evidence Eliminator is not working or does it not perform as thought?
This was an interesting article!
Can You Ever Really Erase a Computer File?
What if you use Evidence Eliminator?
By Daniel Engber
Posted Wednesday, June 29, 2005, at 3:24 PM PT
Robert Johnson, who used to be the publisher of Newsday, was indicted on Tuesday for possessing child pornography and for attempting to destroy evidence. A pair of incriminating movies were found on Johnson's office computer, even though he had apparently used a program called "Evidence Eliminator" to wipe 12,000 files from its hard drive. Can you ever really erase a computer file?
It's not easy. When you delete a file from a standard desktop computer, the file first gets moved to the "recycle bin" or the "trash," which means only that you've placed the intact data in a new directory. You erase the file when you empty your recycle bin. But even then, much of the information remains on the hard disk. Exactly how much depends on the type of computer you're using and which operating system you have.
Here's how it works: The information in each file you create gets stored on your computer's hard disk, where it's spread across multiple "data clusters," or chunks of space that each have a particular address. The computer keeps track of where to look for each file; pieces of a single document, for example, might be stored in clusters all over the disk. If possible, a computer will store files in contiguous clusters, so all the information is kept close together.
When you delete a file, all you've really done is tell the computer that it can reuse the clusters assigned to that file for something new. The data in those clusters remains intact, until the computer reassigns and overwrites those chunks of disk space with new files. Experts say that the original data can remain intact for weeks or months, depending on the particulars of the system.
To make things easier for computer-forensics specialists, standard Windows desktop machines even save basic information about the deleted file, like what it was called, how big it was, and which clusters it used. (Machines running Unix don't preserve quite as much information.) But even without every chunk of original data, specialists can scan for particular kinds of deleted files or pull bits of text from a deleted file that has been partially overwritten.
So, what do programs like Evidence Eliminator do? They first "delete" a file in the conventional sense, and then they overwrite it with zeroes, ones, or random data. Finally, they erase the record of where the original file was stored on the disk. More advanced programs might overwrite the original with something less conspicuous than a string of zeroes, like an ordinary text file.
But even if you do wipe your disk successfully—and overwrite each of your deleted files—traces of the original data remain. Writing to a magnetic disk is not as precise as one might think; when you overwrite a file, the new version doesn't completely cover up the old. The leftover data can be read out with certain imaging techniques, like magnetic-force microscopy and magnetic-force scanning tunneling microscopy. Computer forensics experts say it's possible to recover data beneath dozens of layers of overwriting, and privacy fanatics talk about wiping their disks up to 35 times over to be absolutely safe.
Explainer thanks Brian Carrier of Purdue University and John Mallery of BKD Consultants.
Daniel Engber is a writer in New York City and a featured member of cryingwhileeating.com.
September 29th, 2005, 12:41 PM
Maybe Robert Johnson can now sue the makers of Evidence Eliminator and claim lots of damages since the product clearly didn't do what it had promised.
September 29th, 2005, 12:55 PM
I was speaking with a forensics pro last week.
He didn't speak about privacy software per se, but he did say that overwriting data is sufficient to destroy it from a police-level investigation. Making sure that everything is overwritten, including slack space in sectors, is the trick. I would guess that Evidence Eliminator erases data and overwrites it but does not destroy the slack space.
Recovering data from multiply overwritten disks is one for the NSA or fiction rather than the police.
In this case it's more likely he had a couple of files he forgot to shred, and partial evidence of many more in slack space. Operator error.
Evidence eliminator will probably have a disclaimer covering most eventualities.
September 29th, 2005, 01:31 PM
So, basically this guy deleted most of the evidence but forgot to delete a couple of incriminating movies too. But then I'm wondering how they knew he had wiped over 12.000 from his computer. Even weirder, how do they know that those files were dirty images too? How did they even know he used EE?
Or maybe this guy just confessed under pressure.
On the other hand, the article mentions Johnson's office computer and not his private home computer. So no matter what he did with that system, all office traffic has probably been logged by the office servers and they most likely used that information against him.
So not only did he collect child porn, he was also looking at porn at work! Pretty dumb if you ask me. So while his system could have been cleaned afterwards, he did leave a lot of footsteps that proved what he had been trying to hide...
September 29th, 2005, 02:01 PM
Evidence erasers (any product) will keep your spouse from reading old emails, viewing browser history, etc. These (Windows) programs do two things.
One: The good ones clear temp files, index.dat files, media player history, browser history, cookies, and registry entries. They prevent browser hijacking and much more. After a typical week, I run a flavor of eraser (free one) and can recover anywhere from 3 to 15 MB of space. (A good thing)
Two: If, for some reason, the police are looking at your PC, when they see the eraser software you are immediately suspected of having something to hide. Which in most cases gives probable cause. So if you indeed have something illegal and the police ship the drives off to the pros, the eraser software didn't do what it promised.
September 29th, 2005, 02:03 PM
So, does anyone have any knowledge of what WILL destroy all the data? (And still keep the disk usable. I know people are going to try to throw high-powered magnets in there, 2 gallons of gas, a blowtorch and a sledgehammer.)
I've been using Eraser for some time now with the highest level set. It will clear unused disk space along with cluster tips. The default for that is 1 pass... I just change it.
I don't have much to erase though... maybe some projects I work on for work, or some financial info that might have been imported into an Excel spreadsheet... etc.
Anyone have something that is proven? I know we have several forensics gurus here.
September 29th, 2005, 02:21 PM
Phish, I think that if someone has information of such value or sensitivity that they are looking for 100% data destruction with no possibility of recovery, they would consider destroying the disk every time rather than take the risk of recovery.
If the value of the data asset is so great then an extreme measure like smashing the drive is acceptable.
They were probably able to recover fragments of files from slack space. EnCase etc. will show what it can find even if a whole file can't be recovered.
I'm wondering how they knew he had wiped over 12.000 from his computer.
Good point. They will have had filter logs maybe and proxy logs certainly. Possibly fragments or whole files of incriminating evidence in shares or backups.
he was also looking at porn at work!
September 29th, 2005, 02:33 PM
Here's what I know.
Mount an encrypted drive and store all sensitive data on that drive.
Delete the files on the encrypted drive (PGP wipe). Then delete the free space (again PGP).
Unmount the drive and erase the PGP drive itself.
You cannot recover the files that were on the PGP drive. And without a clean room and lots of really cool toys, you can only discover there was an encrypted drive.
In the clean room, you might be able to recreate the file structure, but you cannot get file content.
Again, if you are being investigated for a crime, the deleted encrypted drive is evidence that can be used against you.
So can you really delete? Yes. But remember, if you are being investigated, there's a reason. You've already done something to make someone suspect you.
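The procedure above ends by destroying the encrypted drive itself, and the claim is that an examiner can then see only that an encrypted volume existed. The following Python is an added example written for this thread (it is not PGP's code and does not reproduce PGP Disk's format); it uses a SHA-256 counter-mode keystream as a constructed stand-in for the volume cipher, and the names EncryptedVolume, crypto_erase and run_demo are assumptions made for the illustration. It shows that plaintext never reaches the container, that the container is indistinguishable from noise even while in use, and that once the key is destroyed the same bytes can no longer be turned back into files.

```python
import hashlib
import math
import os

KEY_BYTES = 32


def keystream(key, nbytes):
    """Counter-mode keystream derived with SHA-256.

    Constructed stand-in for the cipher a real volume product would use; the
    erase argument does not depend on which cipher it is.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(data, mask):
    return bytes(a ^ b for a, b in zip(data, mask))


def entropy_bits_per_byte(data):
    """Shannon entropy of a byte string; close to 8.0 means it looks like random noise."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptedVolume:
    """A container: random-looking bytes that only make sense together with the key."""

    def __init__(self, size):
        self.key = bytearray(os.urandom(KEY_BYTES))   # volume key, kept in a wipeable buffer
        self.blob = bytearray(os.urandom(size))       # a fresh container is already noise

    def store(self, offset, plaintext):
        ks = keystream(bytes(self.key), offset + len(plaintext))[offset:]
        self.blob[offset:offset + len(plaintext)] = xor_bytes(plaintext, ks)

    def read(self, offset, length):
        ks = keystream(bytes(self.key), offset + length)[offset:]
        return xor_bytes(bytes(self.blob[offset:offset + length]), ks)

    def crypto_erase(self):
        # The post's last step, reduced to its essence: destroy the key. The container's
        # bytes can still be found on disk, but nothing can decrypt them any more.
        self.key[:] = b"\x00" * KEY_BYTES


def run_demo():
    """Constructed walk-through; returns what an examiner could and could not get."""
    secret = b"quarterly numbers, not for the spouse"   # constructed sample data
    vol = EncryptedVolume(4096)
    vol.store(100, secret)
    readable = vol.read(100, len(secret)) == secret          # key present: files readable
    plaintext_on_disk = secret in bytes(vol.blob)            # plaintext never lands in the container
    looks_random = entropy_bits_per_byte(bytes(vol.blob)) > 7.5
    vol.crypto_erase()
    readable_after = vol.read(100, len(secret)) == secret    # same bytes, no key, no files
    return {
        "readable_with_key": readable,
        "plaintext_on_disk": plaintext_on_disk,
        "container_looks_random": looks_random,
        "readable_after_erase": readable_after,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:24s} {value}")
```

The entropy check is the "you can only discover there was an encrypted drive" point: a block of bytes at close to 8 bits per byte is visible as an encrypted container (or as wiped space filled with random data), which is exactly the kind of artefact the post warns can itself become evidence.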
September 29th, 2005, 02:56 PM
Evidence Eliminator keeps a log of everything it deletes by default, as far as I can remember (haven't used it since the days of Win98).
I'm wondering how they knew he had wiped over 12.000 from his computer.
Having run the application, though, and let it do its stuff, it in itself is still running; it can't erase the trail it leaves, especially in the swap file and in unallocated space.
September 29th, 2005, 03:42 PM
It sounds like Evidence Eliminator is just doing a simple delete, followed by a 0-bit overwrite. You have to follow the practices outlined in this government standard if you want to make sure your wiping program is really wiping data: DOD 5220.22-M.
This is probably overkill, but you should never be able to recover something deleted to this level. If you are wiping the slack space and the original file space, as well as clearing empty drive space, and doing 3 or 4 overwrites, like the following:
1) all 1's
2) all 0's
3) random 1's and 0's
4) random 1's and 0's
I would imagine that you will have a really hard time recovering the data.
As for how legal software that does this kind of wiping is: it is totally legal. Large corporations and the government require this type of wiping for extremely sensitive data. I think that there are far more good uses for secure wiping software than bad.
A quick Google search turns up this educational whitepaper. A good read on the issue, and it details the well-known algorithms for securely wiping data and known issues: http://www.lib.iup.edu/comscisec/SANSpapers/mallery.htm
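The article's description of clusters and deletion, the earlier remark that slack space is "the trick", and the four-pass list in the post above all come together in one simulation. The Python below is an added example constructed for this thread; it is not the code of Evidence Eliminator, Eraser, or any real tool, and ToyDisk, run_demo, the 16-byte cluster size and the sample file contents are assumptions made for the illustration. It walks the scenario the thread reconstructs: a file is deleted the ordinary way and forgotten, its clusters get reused, a free-space wipe removes most of it, and only a cluster-tip (slack) wipe removes the last fragment, while a live file that is securely deleted leaves nothing behind.

```python
import os

CLUSTER_SIZE = 16   # bytes per cluster; toy value (real clusters are 4 KiB or larger)
NUM_CLUSTERS = 8

# Overwrite passes as listed in the post: all 1s, all 0s, then random data twice.
# None means "fill with os.urandom".
FOUR_PASS = (b"\xff", b"\x00", None, None)


def _fill(pattern):
    return os.urandom(CLUSTER_SIZE) if pattern is None else pattern * CLUSTER_SIZE


class ToyDisk:
    """A flat array of clusters plus a directory that maps names to cluster lists."""

    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.directory = {}               # name -> (size_in_bytes, [cluster indices])
        self.free = list(range(NUM_CLUSTERS))

    def write_file(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)       # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        idxs = [self.free.pop(0) for _ in range(needed)]
        for n, idx in enumerate(idxs):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            # Only the file's own bytes are written; the unused tail of the last
            # cluster (the "cluster tip" or slack) keeps whatever it held before.
            self.clusters[idx][:len(chunk)] = chunk
        self.directory[name] = (len(data), idxs)

    def read_file(self, name):
        size, idxs = self.directory[name]
        return bytes(b"".join(self.clusters[i] for i in idxs)[:size])

    def delete_file(self, name):
        # Ordinary delete: drop the directory entry and mark the clusters free.
        # The bytes in the clusters are not touched at all.
        _, idxs = self.directory.pop(name)
        self.free = idxs + self.free      # freed clusters are handed out first

    def raw_bytes(self):
        # What a forensic image of the whole disk would contain.
        return b"".join(bytes(c) for c in self.clusters)

    def secure_delete(self, name, passes=FOUR_PASS):
        # Overwrite every cluster the file occupies (whole clusters, so slack too),
        # then drop the directory entry.
        _, idxs = self.directory[name]
        for pattern in passes:
            for idx in idxs:
                self.clusters[idx][:] = _fill(pattern)
        self.delete_file(name)

    def wipe_free_space(self, passes=FOUR_PASS):
        # Overwrite clusters no live file owns: where ordinarily deleted files linger.
        for pattern in passes:
            for idx in self.free:
                self.clusters[idx][:] = _fill(pattern)

    def wipe_slack(self, passes=FOUR_PASS):
        # Overwrite only the unused tail of each live file's last cluster,
        # leaving the file's own bytes intact.
        for size, idxs in self.directory.values():
            if not idxs:
                continue
            used = size - (len(idxs) - 1) * CLUSTER_SIZE
            for pattern in passes:
                self.clusters[idxs[-1]][used:] = _fill(pattern)[used:]


def run_demo():
    """Walk the thread's scenario; returns, per stage, whether the secret is still on disk."""
    secret = b"OLD SECRET"                                   # constructed sample data
    disk = ToyDisk()
    disk.write_file("old.txt", b"OLD SECRET " * 4)          # 44 bytes -> 3 clusters
    disk.delete_file("old.txt")                             # the file the user forgot to shred
    after_delete = secret in disk.raw_bytes()

    disk.write_file("new.txt", b"hello world new file")     # 20 bytes reuse clusters 0 and 1
    after_reuse = disk.raw_bytes()                          # survives in slack and a free cluster
    after_reuse = secret in after_reuse

    disk.wipe_free_space()
    after_free_wipe = secret in disk.raw_bytes()            # still in new.txt's cluster tip

    disk.wipe_slack()
    after_slack_wipe = secret in disk.raw_bytes()
    new_intact = disk.read_file("new.txt") == b"hello world new file"

    disk.write_file("live.txt", b"LIVE SECRET")
    disk.secure_delete("live.txt")                          # wiping a file you still have works
    after_secure_delete = b"LIVE SECRET" in disk.raw_bytes()

    return {
        "after_ordinary_delete": after_delete,
        "after_cluster_reuse": after_reuse,
        "after_free_space_wipe": after_free_wipe,
        "after_slack_wipe": after_slack_wipe,
        "new_file_intact": new_intact,
        "after_secure_delete": after_secure_delete,
    }


if __name__ == "__main__":
    for stage, exposed in run_demo().items():
        print(f"{stage:24s} secret exposed: {exposed}")
```

The stage that stays True after the free-space wipe is the one the forensics pro was talking about: the tail of a live file's last cluster belongs to no free cluster and to no file the wiper can be pointed at, so a tool that only wipes deleted files and free space leaves it behind. The simulation stops at the bit level; it says nothing about the residual-magnetism argument in the article, which no software overwrite pattern addresses.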