Cyber Security

Gone doesn’t mean forgotten

Mike Harris Mike Harris

If you are one of the many people who has lost important work when their computer has frozen, or if your computer has, without any obvious reason, decided that the long document you have saved is no longer legible, it may surprise you to know that computers are, in fact, really bad at deleting information. Of course, if you are someone, like a fraudster who wants information to be deleted, this is a significant problem.

Modern computers are designed to store data as quickly and reliably as possible. They are built to optimise speed and save data rather inefficiently. Computers are designed to ensure data is preserved, they are not good at getting rid of it when it is not needed any more. The reasons are quite complex, but in essence, if you delete something on your computer, it isn’t really gone. It takes too much time for the computer to erase data, so it usually does not do it.

Cyber security examples

Computers can store a lot of information. Think of a big bookshop – say Waterstones in Belfast - the data storage capacity of any of the cash registers in those stores is without doubt a multiple of what can be written in the books on every shelf of the shop. If you were to save every word in every one of the nearly 8 million books in Trinity College Library as Microsoft Word files, they would fill around 12,000 Gigabytes of storage – 12 Terabytes. Samsung now sell a 15.5 terabyte hard drive which is about the size of a packet of cigarettes.

Modern computers have so much storage they really do not need to “recycle” space by deleting data. This may be a problem for many people. It represents a potential threat to peoples’ security and privacy. However, it allows forensic investigators, like me, to do our jobs.

Do you use your computer to browse the Web? Well it will usually preserve or “cache” the contents of the websites you visit, even if you use private browsing. You might delete this cache - private browsing does it automatically – but the data isn’t really gone. It is still on the disk and it can be brought back. If you did a Google search on your computer three years ago, the chances are it is still in there somewhere. How about your Word documents? Even if you write a letter, print it and shut the computer down without saving it, the text can still reside on your computer. Windows preserves it in case the computer crashes unexpectedly.

Do you have a backup of your iPhone on your computer or on your iCloud? You may have one and simply not know about it. That backup does not just contain your songs, it also holds SMS messages, emails, WhatsApp messages, pho­­­tos and much more. The photo you took with your iPhone is not just a picture. It contains embedded information that can tell us when the photo was taken, the GPS location of where it was taken, what camera settings were used and much more. If you have used a USB stick on your computer recently, we can tell you the make model and serial number of the device, what files and folders were on it, when you used it and for how long.

Conclusion

As you might imagine, in an investigation all this material can be invaluable. IT forensics has become central to many criminal and civil investigations. 

Therefore, while you may see this inability to delete data as a problem, for us it often provides the solution, enabling us to quickly identify the key facts and issues so clients can make important decisions.