Full Version: Questions Regarding File Transfers And Security
john2005
Hello everyone,

I would like to ask if anyone could please help me with the following questions.

If you have private information on an old computer, say a credit card number or whatever, and this information is erased using the standard Windows delete process, then overwritten by files that are not private or that you may wish to share (could be any file, Word, PDF, JPEG or whatever), and then this file is burned to a CD or flash drive, then installed onto a new computer, are there still remnants of the private information associated with the old files installed onto the new computer? When you copy a file, are you just copying the file or are you also copying everything that the file may have overwritten?

As I understand it, data is stored in clusters on the HD so perhaps the non-private data file would not be as large as the private data file and when the private data file is partially overwritten, then part of the private data would still be associated with the non-private file that could be recovered after the non-private file is transmitted to another computer. Or perhaps this is of no concern if only the file itself is being copied before the transfer and not also what the file has overwritten.

I would appreciate any help or feedback regarding these questions & concerns.

Thanks
John
HKEd
Hello, John...man, you sure come up with some killer questions!

I understand what you're saying, and it did get me thinking. I'm not sure I have an answer for you.

In essence, what you're asking is if a certain part of a hard disk containing sensitive information such as a password is overwritten by say a JPG, then the JPG is copied to another media, can the password be retrieved from the other media as it could be by a data recovery specialist from the hard drive. I'm inclined to say it's not possible. The Copy code only asks for all the ones and zeroes contained in the JPG to transfer to the new media. Any other code transfer would alter the code of the JPG.

But I think you would need a data recovery specialist to give you a definitive answer, and I'm not one.
Surfer
i don't mean to contradict hked. publicly available forensic software is so sophisticated and easy to use that simply overwriting a file with more data isn't sufficient and in a clean room lab nothing is secure to a data recovery specialist.

i'm of the opinion that the only way to secure a hard drive is to totally destroy it. in fact in 1999 i recovered hard drive contents that had been corrupted by power failure, formatted and windows 98se reinstalled by using a program named tiramisu.

the best that can be done is to use a disk wiping program

pay for
BCWipe
http://www.jetico.com/bcwipe3.htm

Paragon Disk Wipe
http://www.disk-wiper.com/

Quick wiper
http://www.quickwiper.com/solutions/quickwiper-vs-bcwipe.htm.

freeware
Darik's Boot and Nuke
http://dban.sourceforge.net/

Free Disk Wipe - Freeware
http://the-undelete.com/wipe_remove_delete_erase.php
Surfer
Darik's Boot and Nuke may be the answer to your boot cd problem. the file is an iso and 2 MB.
john2005
Hi everyone,

Thanks for your replies.

QUOTE
i don't mean to contradict hked. publicly available forensic software is so sophisticated and easy to use that simply overwriting a file with more data isn't sufficient and in a clean room lab nothing is secure to a data recovery specialist.


That may well be true, but with regards to my question, I think the issue is not whether overwritten data on a hard drive can be recovered, but whether the private data overwritten with non-private data on the hard drive can survive a transfer to a CD, DVD, or flash drive, and then to another computer. When a copy is being made, are you copying just the non-private information, or are you also copying the private overwritten information at the same time which would then survive the transfer?

HKEd, you seemed to understand my question exactly.

DBAN and similar programs are pretty good for wiping the whole drive, and I agree the only way to be 100% sure is to physically destroy the drive.

However, my question comes into play if you have good non-sensitive files on the old computer that you want to transfer and/or share, which have overwritten private data. I'm interested in learning if the overwritten private data will survive the transfer to a CD, flash drive, or DVD, and then finally to a new computer. I know using a program like Eraser http://www.heidi.ie/eraser/ to erase the private files in the first place should help, but I'm just curious to know the answer to the question as it pertains to a normal Windows delete.

Once many years ago, I had a hard drive with credit card, bank records, and private email messages that went bad and you could not even get into it to wipe the drive; it was noisy and had physical problems. I had to return the drive to the computer manufacturer to get an exchange (back when hard drives were more expensive). I put two fairly large magnets on each side of the drive overnight, then I moved the magnets back and forth on each side of the drive for a good while. You could feel the force of the magnets pushing away from each other with a few pounds of force so they were pretty strong. My thinking was that by moving the magnets I was rearranging the magnetic particles on the drive. I then put the HD in a microwave for a few seconds and the sparks were flying.

I don't know if it really wiped the drive, and the drive was so damaged they might not have been able to recover anything in the first place. I bet the people that examined the drive thought it got struck by lightning.

In any event, no unauthorized charges to my credit card were made, and as far as I know my identity, bank records, or social security # has not been stolen. If someone got the information they must have been honest.

The program at http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml is supposed to activate a feature already within some modern hard drives that will securely wipe them. If the feature is already within the hard drive I don't know why you need an outside program to activate it; they should just show a hot key on the BIOS screen with a couple of prompts for safety. This method is claimed to be better than DBAN and similar programs, but it does not directly pertain to my question.

Perhaps a data specialist will be able to shed some more light on the question. This guy http://cmrr.ucsd.edu/people/hughes/ probably knows the answer but I did not email him direct thinking it was probably more appropriate to post in a forum.

Thanks again guys,
John
Surfer
first i don't think there's any way to be sure that the data has been overwritten inside windows with another set of data. windows doesn't know where to write the data. the best practice is to delete private data files then run a disk wiper on the free space with at least 3 passes. then you can be relatively sure it'll not survive any transfer.

i won't answer if data can survive multiple transfers after deletion. only data recovery specialists can answer.
Dino
I have to agree with Ed that this is a killer question, and to find the answer you have to do some research on how the copy process works, how the files interact with clusters, and what’s the mechanism behind file transfer in different media among other things as there is no short answer for what you’re asking (sorry John, but you asked a fancy question and therefore you get a fancy answer).
Aside from that, securing a hard drive is not a major issue; you can erase it by using three passes, which is more than enough for the average user, using the Gutmann method which utilizes 35 passes to erase a hard drive, or a strong magnetic field like you mentioned before. Using these methods is more than enough to secure a hard drive and any recovery efforts after that will require very sophisticated methods that are not available to the regular user, not to mention the time involved.

What you really need to worry about is securing your hard drive while you are using it, as the possibility of getting a new one is not that high among regular users; once every few years which makes it ineffective for someone looking to steal your data. An easier way to steal your data is if someone puts a keylogger on your system, or a backdoor application that allows them to get into your system and do whatever they want. I even remember a few years back I was doing some online research on security, and I came across a website that allowed me to see the contents of my own clipboard, which showed me how vulnerable I could be on the Internet.

What you really need to concern yourself with is safe computing habits; having a good antivirus program, spyware detection, and avoiding certain websites are among the things that keep your computer safe. One last thing is that you mentioned viruses that cannot be erased using the format command, and I think that you’re referring to boot sector viruses; one simple method to get rid of them is to boot your computer using a Windows 98 startup disk, and then run the following command: fdisk /mbr; it’s that simple.
rknol
QUOTE(Dino @ Jul 8 2008, 06:19 PM) *

I have to agree with Ed that this is a killer question, and to find the answer you have to do some research on how the copy process works, how the files interact with clusters, and what’s the mechanism behind file transfer in different media among other things as there is no short answer for what you’re asking (sorry John, but you asked a fancy question and therefore you get a fancy answer).


The answer *is* simple. Copying a file from one medium (harddisk, floppy, USB etc) to another removes *all* traces of the previous content of the source medium.

The copy process reads disk sectors (or clusters, but more accurately filesystem blocks) and writes that data to the new medium. In that transaction (of writing to the new medium) no traces are left from the previous medium. It could not / cannot since otherwise there would not be a 1:1 copy.

The *only* caveat to this has to do with sector/cluster/filesystem block sizes.
If your cluster is 2048 bytes in size, and you copy a 2000 byte file, what happens with the "unused" 48 bytes? My belief is that the copy program will only read 2000 bytes, and write those 2000 bytes to the new medium. The new medium may have 48 bytes of 'previous data' but I do not believe that it will be the 48 bytes of the previous medium.

Hope this helps,

ronald.

Dino
QUOTE(rknol @ Jul 9 2008, 06:28 PM) *
If your cluster is 2048 bytes in size, and you copy a 2000 byte file, what happens with the "unused" 48 bytes? My belief is that the copy program will only read 2000 bytes, and write those 2000 bytes to the new medium. The new medium may have 48 bytes of 'previous data' but I do not believe that it will be the 48 bytes of the previous medium.
That’s the problem right here rknol, we need a *concrete* answer.
Angoid
Another non-expert data recovery non-specialist entereth the fray

I would have thought it depended on the way the copy mechanism works. Supposing a data block, sector, call it whatever you will is 2048 bytes long and a file is 2000 bytes long.

This means there are 48 bytes over in that particular sector which just might have contained a password at some time in the past.

A copy routine can have 2 basic ways of working:

1) Complete sector-by-sector copy. In this case, only entire sectors are copied and thus the password will be copied whenever the sector is copied.

2) Byte-for-byte copy. The copy algorithm would read the sector in containing the 2000 byte file and knows that there are unused bytes at the end. So it would grab a free sector from the target drive and copy only the required bytes. In this case, the password will not be copied.

The actual process is MUCH more complex than that. But a bit of searching has turned up this article here - very technical - but it may address some of the concerns.
rknol
QUOTE(Angoid @ Jul 10 2008, 12:45 AM) *

Another non-expert data recovery non-specialist entereth the fray


No offense Angoid, but you don't know me...

I have confirmed that (at least in Windows XP Command Prompt) the copy command reads *bytes* from the file. That is furthermore clear by all system calls that applications can do: the "read()" command (and their variants).

QUOTE

int _read( int handle, void *buffer, unsigned int count );

_read returns the number of bytes read, which may be less than count if there are fewer than count bytes left in the file ...


This said, and confirmed, any system call that copies a file can never read more bytes than the file contains. If the file contains 10 bytes, the application will only ever get 10 bytes of data back (no matter what the OS does with the filesystem in question).

Those 10 bytes are being written to the new file on the new medium.

Yes, it is likely that the remaining bytes in the sector/cluster/filesystem block on the new medium contain old information (that was on the new medium) that is retrievable.

However, that was never the question posed by John.

He asked if copying a file would leave remnants on the new medium that could be uncovered.

Maybe my interpretation is wrong, but I got the impression that "copying" would be done in the Operating System (Windows, Mac etc).

Angoid, you are correct in that you could use a sector copy application ("dd" in unix/linux) or clone application (Ghost/Acronis) in which case the copied data could indeed contain the remnants.

John, if you mean "copy" inside the OS using regular OS programs/functions (not a third party application) then there is no residual data on your destination.

There are other ways of copying data, and those *could* very well copy residual data over.

Cheers!

ronald.
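
Added example, not part of any post in this thread: a C simulation of the 2048-byte cluster holding a 2000-byte file, comparing a file-level copy (which, like `_read`, only ever sees the file's own bytes) with a sector-level clone of the kind dd or an imaging tool performs. The `volume` struct, the marker strings and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define CLUSTER 2048              /* cluster size used in the thread */

/* Constructed stand-in for a one-cluster volume: raw bytes plus the
   logical file length the filesystem records in its metadata. */
struct volume { unsigned char cluster[CLUSTER]; size_t file_len; };

/* Fill the whole cluster with a repeating pattern, as if a file once lived there. */
static void fill(struct volume *v, const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; i < CLUSTER; i++) v->cluster[i] = (unsigned char)pat[i % n];
    v->file_len = CLUSTER;
}

/* Normal delete, then a shorter file reuses the cluster: only len bytes change. */
static void overwrite(struct volume *v, unsigned char byte, size_t len) {
    memset(v->cluster, byte, len);
    v->file_len = len;
}

/* File-level copy: hands over at most file_len bytes, never the slack. */
static void file_copy(const struct volume *src, struct volume *dst) {
    memcpy(dst->cluster, src->cluster, src->file_len);
    dst->file_len = src->file_len;
}

/* Sector-level clone: copies the entire cluster, slack included. */
static void raw_clone(const struct volume *src, struct volume *dst) { *dst = *src; }

/* Return 1 if the marker occurs anywhere in the raw cluster. */
static int contains(const struct volume *v, const char *marker) {
    size_t n = strlen(marker);
    for (size_t i = 0; i + n <= CLUSTER; i++)
        if (memcmp(v->cluster + i, marker, n) == 0) return 1;
    return 0;
}

/* Bit 0 set: the source's old data reached the destination.
   Bit 1 set: the destination's own old data survives in its slack. */
static int scenario(int sector_level) {
    struct volume src, dst;
    fill(&src, "OLD-SECRET;");    /* private file, later deleted */
    overwrite(&src, 'J', 2000);   /* 2000-byte file reuses the cluster */
    fill(&dst, "USB-JUNK;");      /* destination has its own history */
    if (sector_level) raw_clone(&src, &dst); else file_copy(&src, &dst);
    return contains(&dst, "OLD-SECRET") | (contains(&dst, "USB-JUNK") << 1);
}

int main(void) { printf("file copy: %d, sector clone: %d\n", scenario(0), scenario(1)); return 0; }
```

After the file-level copy the destination's last 48 bytes hold only the destination's own earlier contents; only the sector-level clone carries the source's leftover bytes across.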

HKEd
QUOTE(rknol @ Jul 11 2008, 12:55 AM) *

No offense Angoid, but you don't know me...

I think he was referring to himself, Ronald.

QUOTE
John, if you mean "copy" inside the OS using regular OS programs/functions (not a third party application) then there is no residual data on your destination.


That was my thinking. But that was an educated guess on my part. Thanks for the clarification.
john2005
Thanks for the additional feedback guys and for your answer rknol / Ronald.

To clarify, I was only talking about using normal windows delete commands (no wiping programs) and normal windows copying methods (no special software).

The way I used the term "copy", I was mainly speaking of using a program like Nero (or the CD burning program that is part of windows) to transfer and/or "copy" the file from the original hard drive to a CD or DVD and from there onto another computer / hard drive.

Or, to use the standard windows copy and paste command, standard drop and drag, etc. to transfer the files from the original computer to a flash drive or any other portable storage media that allows copy & paste, and then onto a new computer.

The way I understood your answer rknol, there is no danger of the old overwritten data being recovered after the file is copied and/or transferred to the new storage mediums using the standard methods & storage mediums given above. I guess the type of portable storage medium being used is not important, since it's the way the file copy process works that keeps the original overwritten data from being copied along with the overlaying file that is being transferred to the portable media and onto a new computer.

Do I understand correctly?

Thanks
John
rknol
QUOTE(john2005 @ Jul 14 2008, 04:34 PM) *

Thanks for the additional feedback guys and for your answer rknol / Ronald.
<snip>
Do I understand correctly?


You're welcome John, and yes you do understand correctly.

Regards,

ronald.