Learn about secure file deletion and recovery techniques to prevent data loss, avoid financial impacts, and safeguard sensitive information. Explore common causes of data loss and uncover hidden data recovery possibilities.
An Introduction to Secure File Deletion and Recovery Methods
Paul Godden
The Importance of Data
• Computers have changed the way people and businesses communicate and conduct business. What would happen to the productivity of an organization in the event of a system-wide data center failure? Data loss may be infrequent, but studies have shown that few business networks and fewer private PCs are sufficiently and reliably backed up. Consider the computers you use regularly: are you aware of the backup procedures (if any) that are in place for these machines?
Financial Loss
• Industry analysts estimated a loss of $11.8 billion in 1998
• These costs only include technical support, lost productivity, and the costs of permanent data loss.
• The above amount does not include the cost of revenue losses, damaged reputations, and the negative effects that result from extended computer down time.
Losing important files, or even just data from within files, can be very expensive – it can cost an entire business.
Common Causes of Data Loss
Some of the most common causes of data loss, as indicated by a survey of member organizations of the Confederation of British Industry (CBI; 1998).
DELETED FILES
• The average user believes that once a file is deleted it is gone forever.
• What really happens:
• The operating system deletes the first letter of the file
• Then replaces it with a hexadecimal value
• The file is still there, but the operating system no longer recognizes it
• The file or document may still be relatively easily recovered, until it is overwritten (multiple times – and even then, it may be possible to retrieve using advanced and costly techniques)
DELETED FILES
• If the file cannot be found or has been overwritten to the extent that data recovery is practicably impossible, the information it contained may still be recovered in files that users do not intentionally create:
• Slack space
• Unallocated space
• Swap files
• Temporary Files
• Printer Spool Files
• Metadata
• And even, under some circumstances, the contents of volatile Random Access Memory (RAM)
Slack Space
Files are stored in fixed-length blocks of data called clusters. Rarely do files exactly match the size of one or multiple clusters. The extra data storage space is called the file slack or slack space.
Slack Space
RAM Slack – Randomly selected data from memory
Includes: Information that may have been created, viewed, modified, downloaded or copied during work sessions since the computer was last booted.
Drive Slack – What was on the memory before, used to round out the block size for the last cluster
Includes: Previously deleted files
Hello+++++++++++++++++++|------------------------(EOF)
RAM Slack is indicated by "+"
Drive Slack is indicated by "-"
EOF – End Of File
Slack Space
• On large hard drives, file slack can contain many hundreds of megabytes of data
• Can include fragments of prior e-mail messages and word processing documents.
• Slack space may be recovered and viewed using tools such as NTI’s GetSlack and Guidance Software’s EnCase.
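The "Hello" diagram above as an added example, not part of the original slides. It simulates writing a 5-byte file into a reused cluster and then splits that cluster into file data, RAM slack and drive slack; the 512-byte sector, 4096-byte cluster, the padding-from-memory behaviour (taken from the slide's description) and all sample contents are assumptions constructed for illustration.

```python
SECTOR = 512     # assumed sector size
CLUSTER = 4096   # assumed cluster size (8 sectors)

# Constructed sample data: what the cluster held before, and what was in RAM.
OLD = b"From: alice@example.test Subject: Q3 figures "
OLD_CLUSTER = (OLD * (CLUSTER // len(OLD) + 1))[:CLUSTER]
MEMORY = b"draft: reset token for bob "

def write_file(cluster, data, memory):
    """Simulate writing `data` into a reused cluster in whole sectors.

    The tail of the last written sector is padded from `memory` (RAM slack);
    the remaining sectors are left untouched (drive slack)."""
    written = -(-len(data) // SECTOR) * SECTOR      # round up to whole sectors
    pad = written - len(data)
    fill = (memory * (pad // len(memory) + 1))[:pad]
    out = bytearray(cluster)
    out[:written] = data + fill                      # same length, so size is kept
    return bytes(out)

def split_slack(cluster, file_size):
    """Split a file's last cluster into (data, ram_slack, drive_slack)."""
    used = file_size % CLUSTER or (CLUSTER if file_size else 0)
    sector_end = -(-used // SECTOR) * SECTOR
    return cluster[:used], cluster[used:sector_end], cluster[sector_end:]

if __name__ == "__main__":
    cluster = write_file(OLD_CLUSTER, b"Hello", MEMORY)
    data, ram_slack, drive_slack = split_slack(cluster, 5)
    print(data, len(ram_slack), len(drive_slack))
    print(drive_slack[:60])   # remnant of the earlier, deleted content
```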
Unallocated Space
• Clusters that are not currently allocated by the operating system.
• Can potentially contain all of the intact files, remnants of files, and subdirectories and temporary files that were created and deleted, but not yet overwritten.
Swap Files
• In Windows 3.x, Windows 95, and Windows 98 called Swap Files
• In Windows NT, Windows 2000, XP, Vista and Windows 7 called Page Files
• Size of swap files can range from 20 megabytes to multiple gigabytes, depending on the amount of system RAM installed
• Can be temporary or permanent depending on the version of Windows
• Can be viewed using software such as Norton Commander or DiskEdit
Temporary Files
• A temporary file is a file that is created to temporarily store information in order to free memory for other purposes, or to act as a safety net to prevent data loss.
• Temporary files remain open as long as an application needs them. Once the application is shut down, the files are deleted… but not always.
• However, this information remains on the hard drive until it is overwritten.
• Microsoft states that Word 97, 2000, 2003 and 2007 can create between 15 and 20 temporary files during a single use – depending upon the number of open documents and what activities are performed.
• The information in temporary files remains on the hard drive, even if the original file is not saved to the drive.
Printer Spool Files
Microsoft Windows allows for print jobs to be “spooled”, so that printing finishes faster and control of the system is returned to the user in a more responsive manner. This means that an application sends the file to be printed to the hard drive first and then to the printer.
Meaning… The entire file is copied to the hard disk drive, and the data it contains will remain until it is overwritten, even if the file is never saved.
Metadata
• Information found in the printer spool can be read using forensic tools with a viewer that supports enhanced metafiles.
• Metadata is automatically stored by Microsoft Office
• Can contain information about you, your company, the network server, file properties, and document revisions.
Recovery
• Recycle Bin
• File Undelete Programs
• Hex Editors
• Disk Splicing
• Magnetic Force Microscopy
• Recovery from RAM
Prevention of Recovery
• File Shredders
• Disk Wiping
• Physical Destruction
Overwrite Data: BCWipe, Directory Snoop, With Out A Trace, M-Sweep, RMD
Techniques
• Single Pass – Data is overwritten once with 0s or 1s, or pseudorandom data
• DOD Method – Data is overwritten as many as 7 times with 3 alternations of 0s and 1s, followed by one pass of pseudorandom data.
• Gutmann Method – Data is overwritten 35 times using pseudorandom data
• Takes into account the different encoding algorithms used by various hard drive manufacturers.
Overwriting data only reduces the likelihood that it will be recovered.
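A file shredder in the sense of the overwrite techniques above, as an added example that is not part of the original slides or any of the listed tools. The function name, the `delete` flag and the two pass schedules are assumptions; the seven-pass schedule only follows the slide's wording (three alternations of 0s and 1s, then one pseudorandom pass) and is not taken from any official standard.

```python
import os

# Pass schedules: a byte value to repeat, or None for pseudorandom data.
SINGLE_PASS = (0x00,)
SEVEN_PASS = (0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, None)  # per the slide's description

def overwrite_file(path, passes=SINGLE_PASS, delete=True, chunk=64 * 1024):
    """Overwrite a file in place once per entry in `passes`.

    Returns the number of bytes written in each pass. With delete=True the
    file is removed afterwards."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: modify in place, do not truncate
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                block = os.urandom(n) if pattern is None else bytes([pattern]) * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push this pass to the device before the next
    if delete:
        os.remove(path)
    return size

if __name__ == "__main__":
    import tempfile
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SECRET payroll data\n" * 100)   # constructed sample content
    os.close(fd)
    print(overwrite_file(path, SEVEN_PASS), "bytes overwritten per pass")
```

An in-place overwrite only reaches the original blocks where the file system and device write updates to the same location; on SSDs and on journaling or copy-on-write file systems the old blocks can survive. It also does nothing about the copies in slack space, swap, temporary and spool files described earlier.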
Summary
• There is a lot of information stored electronically. Sometimes that data is personal information that you may not want saved.
• Businesses must decide to what extent they want to be able to recover data previously saved on their storage devices, and set up their computer systems accordingly.
• Next, determine how much time, effort, and money you or your business are willing to invest to ensure data recovery or to prevent data recovery.
• Proper disaster recovery planning may save you or your business.
• Remember, just because you delete a file doesn’t mean it’s gone.