Go to Top

A rabbit hole full of data. And in it – a mole

Remember Alice in Wonderland? For most of us, the world of data is a wonderland — we don’t care how it works, we just want it to work. But I’m here to take you all the way down the rabbit hole of binary code to show you what’s hiding at the bottom. You’ll have to be vigilant — a mole could follow you down there when you aren’t looking. You make a mistake, he infiltrates your hard drive!

Who could be a mole?

Data thieves, IT investigators, forensic data experts – one thing they all have in common is that they’d follow exactly the same traces when going through your hard drive (I will describe these traces in this part of the course). All of these could be used either against you, or to your advantage (for example, if you accidentally lose your data, it would be retrieved in the same way). Only someone intent on hurting you, who would go behind your back and without your consent, would be considered a mole. Here are some sample situations that would call for your heightened interest in thoroughly erasing your data:

  • when you give away or sell your old hardware, including selling it through a middleman – as researchers at Kroll Ontrack have discovered, only 18% of those establishments use effective data removal procedures (80% of them only use the disk format tool, which isn’t effective at all)
  • when managing corporate hardware — each time a machine is passed on to a new staff member, sold off, put away or retired
  • safe data removal is also a natural phase in the life cycle of data and an important part of its maintenance, saving storage costs and preventing leaks

Naturally, having access to a functional computer grants you the most access to data stored therein. Never leave your computer unattended without logging out first. Even if you turn off your machine (clearing cached data and files used by the operating system), taking your hard drive apart and analysing it thoroughly could result in an information leak. This could happen even if you’ve deleted sensitive files beforehand. But let’s take it one step at a time.

All files that are created within your computers, smartphones and tablets — such as text files, spreadsheets, photos, videos, and system files (for example, logs of your browser sessions, logins and passwords) — exist physically within the data storage device. Those files are of course encrypted (you can read more about this in our Data Recovery ecourse at Ontrack Academy), but they’re also operating system-independent; this means that, given the right tools and know-how, they can be accessed without going through the operating system login and user account.

PLEASE NOTE: Open-source Linux distributions are some of the most popular hacking tools out there — they make a lot more things possible than even the most sophisticated professional tools for Windows.

Where can your data be stolen from?

Your hard drive surely contains tons of files, some of which you know to be sensitive or important. Of course, you can delete them whenever you wish. But each of those files might have been physically written several times into several different parts of your hard drive.

“Most users have no idea what types of data exists on their hard drives, and even less know where their data is physically stored. But it’s crucial to know that deleting a file doesn’t remove every trace of it from the hard drive — copies might still exist in different parts of it or within the processing memory”.

Robin England, Research and Development engineer at Kroll Ontrack

Here are some of the locations that could provide valuable info to a malicious hacker:

  1. Temporary files and system files that contain copies of recently used and updated files. Usually, those files are erased when you shut down the application that created them, but they’re saved when an error occurs (this happens so that those files can be later retrieved on relaunch). When those files don’t get deleted, they can potentially be used for data recovery — even when the original file has been deleted
  2. Virtual memory– aids processing memory when the amount of running processes and data becomes too much for it to handle. When virtual memory becomes engaged, a paging file (called pagefile.sys) is created on your hard drive (the hard drive is a mass memory storage unit, unlike the microprocessors of the mainframe which are faster to process data but that don’t permanently store it and have a lot less storage space). The pagefile.sys file contains data from the processing memory that can be processed more slowly. Paging files can be written into every partition and they can potentially contain some very interesting info, such as logins and passwords
  3. Similar types of data can be retrieved from the hiberfil.sys file, which is created when the machine hibernates – when your computer goes into the so called ‘sleep mode’. This file contains an image of the processing memory’s state at the moment the hibernation began
  4. Print spooler files– used for processing and queuing up of documents (such as text editor files, graphic files, spread sheets, etc.), these can be written into your hard drive and used to restore previously deleted files

Many users have little-to-no idea about how to wipe this data, so they just never do it. This is a serious and potentially perilous mistake. But it gets worse — deleting those files doesn’t really guarantee safety. Why? You’ll find out in the next part of the series.

See you soon!

P.S. If you want to share any questions, doubts or comments about this series you can do so in the comment box below.

, , , , , , , , ,