A question about computer forensics

James:
Anyone with knowledge of computers help me here? I have a bomber who wants to eradicate all traces of certain websites he has accessed on his computer. He doesn't want to wipe the memory clean - just those websites that may incriminate him. How would he go about this so that a forensic examination of his computer by the police shows nothing incriminating? Can it be done?

Lance Charnes:
It's hard to get rid of all traces everywhere -- if, for instance, he has to log in to a bulletin board (like this one), there will be a record at the server end. If he works from a computer with a fixed IP address (such as at work), he may be traceable if the site keeps records of accesses by IP. That's how SiteMeter and its ilk work.

On the client side, he can do something like the following:

* Clean the browser's cache (Tools --> Internet Options in IE V6, Safety --> Delete Browsing History in IE8), then...
* Run a program such as Eraser, which overwrites deleted files and unused space with random, repeated patterns of 1s and 0s. DoD uses Eraser-like tools to decommission magnetic media that held classified information. After a three- or seven-pass treatment with Eraser, any residual data is pretty much gone.
* If he's extremely paranoid, he can then run a defrag (Accessories --> System Tools --> Disk Defragmenter in WinXP), which rearranges the files on a drive so they occupy contiguous space. This ends up overwriting formerly unused areas on the disk (such as those occupied by deleted files) with live data.

Will this absolutely, positively get rid of every last scrap? Maybe. It will certainly force anyone who's interested to work really, really hard to find anything useful. Even then, they may not. If your malefactor is religious about this process, there may not be anything left to find. In that case, those interested parties will likely turn to the server and ISP end of the equation.

Lance Charnes:
I thought of another thing -- if your evildoer uses a modern browser (IE8 or the latest versions of Firefox or Opera), he'd use InPrivate browsing (IE8 name, don't know the name for the others). This creates a temporary cache for downloaded files, cookies, and so on, then deletes it at the end of the session. This eliminates step 1 in the list I posted before. The other steps are still valid.

wonderactivist:
I'm not so great with electronics myself, but my son is a complete whiz. Friends call him to fix their computers and he built our new computer for $250. It's more powerful than the one we paid over $800 for.

I'll ask him to review this tonight.

Lucie

wonderactivist:
According to my son, when you delete something, it's actually still there. The computer simply removes it from the file system, but the block of data is still there until it is overwritten. (In my own non-computer lingo that means it can re-use that spot on the disk.) The info is still there and experts at the FBI or some police departments could definitely get to it.

File shredders attempt to overwrite data but aren't particularly effective. If the CIA, FBI or a large-city police department gets into them, the stuff IS STILL THERE. The only way to get rid of it is to wipe the disc--reformatting it hundreds of times--to be certain.

Sam says, "the best way would be to take a hammer to the hard drive...after reformatting hundreds of times."

FUN!

Lucie
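A small illustration of the point made above about deletion (added here; it is not part of the thread and not code any poster wrote): a toy disk in Python with an invented directory structure. Deleting a file only drops its directory entry, so an examiner scanning the raw bytes still finds the URL; it disappears only when later writes reuse those blocks. The block size, file names and URL are all constructed for the demo.

```python
# Toy block device showing why "deleted" data survives until overwritten.
# Constructed illustration; the file system layout, block size and sample
# URL are invented for this demo and do not model any real OS.
import re

BLOCK = 16  # tiny block size so the example stays readable


class ToyDisk:
    """A flat byte array plus a directory mapping names to block numbers."""

    def __init__(self, nblocks=8):
        self.data = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))
        self.directory = {}  # name -> list of block numbers

    def write_file(self, name, payload):
        blocks = []
        for i in range(0, len(payload), BLOCK):
            b = self.free.pop(0)
            chunk = payload[i:i + BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        # Ordinary deletion: drop the directory entry and mark the blocks
        # free (here, first in line for reuse). The bytes are left untouched.
        self.free = self.directory.pop(name) + self.free

    def carve_urls(self):
        # What an examiner does: ignore the directory entirely and scan the
        # raw bytes, allocated or not, for recognisable patterns such as URLs.
        found = re.findall(rb"https?://[\w./-]+", bytes(self.data))
        return [m.decode() for m in found]


def demo():
    disk = ToyDisk()
    disk.write_file("history.txt", b"visited https://example.test/page")
    disk.delete_file("history.txt")
    after_delete = disk.carve_urls()  # still recoverable: blocks untouched
    # New live data landing on the freed blocks (what a defrag or any later
    # write can do) is what actually destroys the residue.
    disk.write_file("notes.txt", b"x" * 64)
    after_reuse = disk.carve_urls()
    return after_delete, after_reuse
```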
