Protecting Against Data RecoveryProblem DefinitionIf your laptop, computer, memory stick or PDA is sold, stolen or lost, hackers and identity thieves can easily recover thefiles that you think were deleted. These files are not necessarily erased from your computer despite the Recycle Binbeing empty. When your computer saves a file, it writes data on a disk (or memory stick) and takes note of the filelocation. When you delete the file, it is transferred to the Recycle Bin. When you empty the Recycle Bin, the computererases only the note about the previous file location, but file content is left intact on the disk until some other file iseventually written over it. The entire content of an erased file can remain untouched anywhere from a few seconds to afew years. Hackers can easily uncover and read it using public data recovery software.Many computer users trust the Recycle Bin. When they empty it, they think their files are completely removed from thecomputer. Some users, from individuals to international banks, have experienced the error of this common belief whentheir sensitive data was recovered by data thieves who had bought the old hard drive and easily recovered the "deleted"files.Most people would never throw a credit card into a public trashcan, but they do something similar with their computers.A 2003 study found that about 35% of the hard drives on the used market contained easily accessible confidentialinformation (see Garfinkel and Shelat).Emptying the Recycle Bin does not actually remove a files contents from the disc. When a computer saves a file it writesthe data on a disc (or memory stick) and makes a note of the files location. When you put the file in the Recycle Bin and"empty" it, the computer erases its note of the files location, freeing the disc space for the further use. The actual datais left intact on the disc until some other file is eventually written over it. On a large hard drive, it may be a long timebefore the space is used again, so a lot of data can accumulate on it over the years.A computer hard drive is like a library with a lazy librarian. When the director tells her to remove certain books, sheremoves them from the library catalogue but leaves the books on the shelves. Since her Director only checks thecatalogue, he never discovers the difference, but people with the patience to look through the shelves can read theofficially nonexistent books.There is a world market for used computers and hard drives. Discarded, donated and stolen computers are shipped todeveloping countries where they are stripped for reusable parts. Data thieves can cheaply buy large quantities of harddrives and examine them quickly. They use publicly available data recovery software that was designed to help peopleretrieve mistakenly deleted files or rescue data from damaged discs. Such software looks for old versions of the filecatalogues and scans the disc for file signatures. Unless new files have been saved on top of the old ones, the data canbe easily recovered. This is good if it was an important file that was accidentally deleted, but it is bad if it is confidentialinformation that could be used for fraud or blackmail.
Even files that have been overwritten by new files can be read with a machine called a magnetic force microscope. Usedby police, spies, and private security consultants, these instruments can detect the traces of previous data in the tinyspaces between the individual bits of the current data. The magnetic head that writes on the disc does not always lineup in exactly the same place, so small magnetized areas of the previously written data are visible at the edges of thenew, like the blurred edges of a poorly printed color picture. With specialized equipment and patience the original datacan be reconstructed.If you are selling or recycling an old computer you could protect your confidential information by removing the harddrive and physically destroying it. This is the safest method, but it substantially reduces the value of the computer.A better solution is to use data recovery prevention software. It is also a good idea to regularly clean laptop hard discsand memory sticks that could be lost or stolen.Discs cannot actually be erased. All the bits can be written as zeros, but traces of the files beneath will still be there.Cleaning a disc involves overwriting data on it several times, until no traces could be recovered. Usually alternatingsequences of numbers are used along with random numbers, instead of just zeros.Data recovery protection programs must figure out which parts of the disc must be overwritten and which parts must beleft alone, so the program does not damage current files. Two common methods exist. The first one, called low-levelaccess, scans the disc and examines everything it finds to see if it is current or inactive. The second method, called high-level access, uses Windows (or another operating systems) catalogue of files. High-level access has less risk of damagingexisting files because it uses the same index as the computer itself.How many overwrites are enough to make erased data unrecoverable? Security must be balanced with speed,practicality with paranoia. Overwriting a large hard drive can take hours, depending on the discs size, its connection tothe computer and the fragmentation of the file structure. On most of the hard drives made after 2000, 3 passes providescomplete protection against ordinary data recovery programs, and 5 passes is very good protection against magneticfield microscopes. One hundred percent security is of course unobtainable, but each additional pass adds a little more.In 1996 Peter Gutmann of the University of Auckland calculated that as many as 35 overwrites were needed to achieve ahigh level of security on older discs. But as discs have become smaller and faster, the surface area and depth used tostore each word of data has been reduced, so there is less area between bits for blurs of previously written data. Thismeans that modern hard drives need far fewer than 35 passes. US Department of Defense has published a standard of 7passes, which is more than enough for ordinary users.Ultimately, each user can decide how many passes are appropriate in his case. Good data recovery protection softwareshould give users the ability to customize the work and help them to make a correct choice.References 1. LAZgroup S.A. - IT Security Risks 2. "UK bank details sold in Nigeria" 2006 3. S. Garfinkel and A. Shelat "Remembrance of Data Passed: A Study of Disk Sanitization Practices" 2003 4. P. Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory" 1996
AuthorLAZgroup - Business and Technology Solutions. “LAZgroup S.A.” is software research and development companylocated in the city Geneva of Switzerland. Our primary focus is the creation of new algorithms and methods to improvevarious business processes, through the improvements in security, efficiency and speed.