Friday, April 8, 2011

Digging Digital Data

Today, I wanted to take a look at what happens when you delete something from your drive, whether it be a hard disk or flash drive and how to recover information that may be accidentally deleted. Everyone has heard the horror stories of a company surplussing equipment, only to find that the equipment had confidential data still on it, so we are going to take a look at the deletion and retrieval of data.

In order to have a fresh place to start, I'm going to wipe my media (in this case a flash drive) clean. It should come from the factory like this, but there have been reports in the news about malware, etc. on everything from flash drives to digital picture frames.

Starting from Zero
We are going to start with a clean slate, by using Active@ KillDisk to wipe the drive of any data. It does this by overwriting all of the addressable locations on the drive with zeros.

Disclaimer:  Yes, I realize that this was only one pass and was using zeros, but it will suffice for what we are doing. IF YOU ARE LOOKING FOR A VERY SECURE METHOD OF ERASING THE DISK IN QUESTION, PLEASE PURCHASE THE FULL VERSION. which will wipe the disk to US DoD 5220.22-M security standards.

After installing the program, select the drive and click the “Kill” button. This will bring up a summary screen which you can continue on by clicking start.  After committing, you are then asked to confirm by typing “ERASE-ALL-DATA” in a text box.

Verifying the Disk
Next, I used Disk Digger to look through the physical disk for files. I not only scanned for deleted files, but for traces of files, by selecting the “Dig Deeper” radio button, then “Next”

For the file type, I left the default of all files…

At the end of the scan, nothing was found on the flash drive…

Next, I am going to save some data on this “new” drive. In this instance, this post that I am writing and the associated images will be saved on the drive.

I saved a Microsoft Word document, a text file with a list of links, an HTML file and a folder with images
After that, I highlighted them all and simply deleted them. We'll look at "permanent deletion" in another post.

Digging Data 

After deleting the data and viewing that the disk was "empty" in Windows Explorer, I fired up Disk Digger again and scanned the flash drive for any contents. We are going to perform the same "Dig Deeper" scan that we performed earlier.

When Disk Digger finished, it displayed a list of pictures that it had found. I was not able to view a preview of any .png file but .jpgs were easily viewable.


I then clicked on the documents tab and was able to preview the Word document that I had deleted earlier.

OK, but what about the other files? I clicked "Back" a few times and selected a regular "Dig Deep" scan which will find files regardless of the file type.

Here, we can see that other files, including temporary MS Word files and text files are still on the disk

Restoring Files
When the list of available files appears, we can simply select and right-click on the files name, then select "Restore Selected Files" and choose a directory to put the files in, then click "OK" and the file is recovered. When selecting a place to recover the files to, it's best to choose a place that is NOT on the media on which you are digging for data, because it may overwrite the next file that you may be trying to recover.

I hope that this not only helps someone who is needing to recover some lost data, but also serves to raise the awareness of people when disposing of old or surplus equipment to make sure that your data, stays your data.

No comments:

Post a Comment