By: Danny Bradbury
Financial Post
May 29, 2007
When you drag an important file to the waste paper basket, are you sure it's gone? In most cases, it will still be languishing on the hard drive, fully readable by those with a little expertise -- and that has significant implications for security and compliance.
"When files are deleted, and even once they are cleared from the recycle bin, that does not mean they are unrecoverable," explains Case Jones, senior technical specialist at IT services and data recovery company Transparen Canada. "Deleting a file merely 'unhooks' the file from the file system, in many popular operating systems, and does not actually overwrite the file's contents."
Popular computing operating systems such as Windows don't really erase a file when they delete it. Instead, the operating system merely deletes a pointer to the data that the file held, giving it future permission to store new files in the old location. But file data is often scattered across different parts of a computer's hard drive, meaning it could take months or years for that data to be overwritten with something else. In the meantime, significant parts of that file's data will still be there.
This ghost data can have implications for corporate security, warns Bill Margeson, chief executive of CBL Data Recovery Technologies, which makes its living recovering data for corporate clients. "Organizations should not ignore the risk and potential embarrassment that may result if a hard drive and its sensitive business data end up in the wrong hands," he says. Companies, driven by increasingly processor- and storage-hungry computer software, refresh their personal computers every three years or so on average. A variety of things can happen to those old PCs; they may be donated to charity, given to existing employees, left lying in warehouses or even sold on eBay. If sensitive data leaves with those hard drives, companies could find others rifling through their corporate secrets.
Data wiping software does exist to solve this problem, Mr. Margeson says. "To be sure a file is permanently erased, the area of the hard drive's platter where that file is stored must be completely rewritten with new data," he explains. The most foolproof way to do this involves using cheap, readily available software that overwrites all 'deleted' data on a hard drive with new data. However, such tools can take hours to complete the task, which is often unworkable for larger companies.
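The difference between deleting and wiping described in the two paragraphs above can be shown with a small simulation. This is an added illustration, not code from the article or from any vendor's product; the `ToyDisk` class, its block layout, its reuse order and the sample file contents are all constructed assumptions.

```python
# Toy model of a disk: fixed-size blocks plus a directory of "pointers".
# Constructed for illustration; real file systems are far more complex.
BLOCK = 16

class ToyDisk:
    def __init__(self, nblocks=16):
        self.raw = bytearray(BLOCK * nblocks)   # the "platter"
        self.free = list(range(nblocks))        # unallocated block numbers
        self.directory = {}                     # name -> (block list, length)

    def write_file(self, name, data):
        need = -(-len(data) // BLOCK)           # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        # Take every other free block first so the file ends up scattered.
        order = self.free[::2] + self.free[1::2]
        blocks = order[:need]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free.remove(b)
        self.directory[name] = (blocks, len(data))

    def delete(self, name):
        # Ordinary delete: drop the pointer, mark blocks reusable, touch no data.
        blocks, _ = self.directory.pop(name)
        self.free = blocks + self.free          # assumed: freed blocks reused first

    def wipe_free_space(self):
        # Wiping tool: rewrite every unallocated block with new data (zeros).
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def residue(self):
        # What a recovery tool sees: non-zero bytes left in unallocated blocks.
        out = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in sorted(self.free))
        return out.replace(b"\x00", b"")

def demo():
    disk = ToyDisk()
    secret = b"Q3 payroll: account 0000-CONSTRUCTED"   # constructed sample data
    disk.write_file("payroll.txt", secret)
    disk.delete("payroll.txt")
    after_delete = disk.residue()                       # whole file still on disk
    disk.write_file("notes.txt", b"lunch at noon")      # reuses one freed block
    after_reuse = disk.residue()                        # part of the file survives
    disk.wipe_free_space()
    return after_delete, after_reuse, disk.residue()    # nothing left after wiping
```

After the plain delete the entire file is still readable from unallocated blocks; after a new file reuses one block, most of it remains; only the wipe leaves nothing to recover.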
Some experts suggest taking hard drives out of computers altogether and taking a hammer to them to be absolutely sure data is unrecoverable. Hard drives are relatively cheap, so replacing them should not be too difficult.
The longevity of supposedly deleted data can be particularly useful when conducting forensic analysis in your company. Executives suspecting fraud can often find useful clues on employees' hard drives, says Jarrod Haggerty, a director in the forensic technical solutions division of PricewaterhouseCoopers' U.K. operation.
"Presuming that they have signed over the rights and we have the authority, I have done a lot of jobs where we go in at night and examine a PC's hard drive covertly," he says. "But that can be a risky thing. What we'll try to do more often is take an image of a hard drive covertly, through the company network."
Even if an employee knows an investigation is underway and tries to erase incriminating files, there are numerous ways to piece together information about what has been going on. "Almost anything you do on a computer is recorded in some way, either through logs, through meta data about files, or side effects from the actions taken," Mr. Jones says.
These side effects are many and varied. Very few employees fully understand the machinations of a networked computing infrastructure. The files they try to delete may still be on the drive, or copies of them may have been retained on a central company computer. Documents created by software applications often contain information about the author, others who have opened and changed the document, and the date of creation and modification. They can provide an audit trail leading to the perpetrator, especially if they have been emailed or copied to a server.
Often, the very act of deletion may create computer records that can be used as evidence. Mr. Haggerty often encourages his clients to let employees know that an investigation is underway, so he can, after a short wait, see what they have tried to erase from their hard drives.
While potentially incriminating for a fraudulent employee, this persistent data can be good news for employees who need to get data back. Often, when a power surge, flood, or simply an accidental deletion has apparently wiped out your data, firms such as CBL and Transparen can get it back. The best approach to recovering data is to simply pull the plug on a machine. Even shutting down the system and restarting it can create new files that may potentially overwrite your data, and restarting a damaged drive can cause more damage that could render your data unretrievable.
Hopefully, fire, flood or fraud will never force you to call in experts who will pick over the remnants of your data. But there are ways to minimize the risk, Mr. Jones says. "The only way to ensure data will not be lost, and that it will be available, is to maintain frequent backups and to ensure the backups contain all the information needed to get operations back on track," he says.
Techniques such as mapping employee computers to networked drives make it easier to control and back up data at a central point. They also lay the foundation for data archiving, which will help ensure information is retained for compliance purposes.