I downloaded some music from Rapidshare and when I unpacked the container files with Winrar, found that it wasn't music at all but illegal stuff. Wish I hadn't bothered now!
I'm in a quandary as to how to delete them properly. Windows Help says use Shift-Del to permanently delete files - well, I did that but I'm not satisfied that they've really gone. I'm guessing that maybe the only safe way would be to wipe the hard drive completely and reinstall everything.
That's going to be a massive job, so I wondered if anyone can please suggest an alternative?
Regards robbo
Because, IF it was music THEN it would have been legal? 😯
This should do, if it's a NTFS drive, and it is probable you have it already (it depends on the OS you are runnning)
http//
http//
cipher /W<drive>
or
cipher /W<path to directory>
(or use the script linked to on the somacon page)
Basically when you delete a file what you actually do is to only remove a pointer to the area where the file is stored.
This area then becomes "free", and usually if you do a defrag, it will be overwritten, this way you are sure that anything that is marked as "free" in the drive or directory you point the utility to is overwritten.
jaclaz
Thanks very much - that'll save me a lot of bother!
Oh the music, well, it was all classical stuff that many people post on there to share.
Thanks again and regards
There are two areas to watch when you delete a file. The data area becomes part of the disk free space. I may be overwritten by a defrag, or filling the disk with a dummy file.
The other area is the directory entry. These can be harder to overwrite, and you probably best looking at specific tools. Short files are actually stored in an NTFS directory.
However, the $logfile may still contain references for them. ie removing the data is easy, removing any signs of the data having been there is difficult.
Thanks mscotgrove.
Phew, its fraught with danger isn't it?
At least to an amateur like me.
Well, just out of curiosity, would it be possible for me, or any other casual user of the computer, to access these deleted files, that is (I'm learning fast) ones that have been sent to the unallocated area using the 'Shift-Del' method - I believe you call it data mining? Or would a person have to buy specialist software to do that?
A casual user would struggle to find it, However a professional with the correct software ie encase, ftk etc….. would be able to find it. you can download file shredding software that basically before moving the file to be re-written replaces it with a series of 0s and 1s.
If this file was genuinely accidentally downloaded and had been named something else I wouldn't worry about it. No one will be coming to get you )
Well, just out of curiosity, would it be possible for me, or any other casual user of the computer, to access these deleted files, that is (I'm learning fast) ones that have been sent to the unallocated area using the 'Shift-Del' method - I believe you call it data mining?
I thought data mining was the process of manipulating and examining data, normally in the form of a tabulated data set, to find patterns and trends in order to make predictive models to help with business decisions. Is that right or does data mining cover more than just that aspect?
Also, with the deletion thing, from programming most of the time you try to free up as much memory as possible, deleting as many unused variables as possible as they go out of scope, why does an OS maintain data that has, in the most likely case, been consciously deleted by a user. Furthermore why is the average user not informed that this data can be retrieved after you press delete. A large portion of private data could be accessed on an old computer thrown out as trash and most users would be none the wiser. Doesn't make sense to me? Has anyone got an idea about the motives behind this?
Sorry to throw so many questions in the one post.
The operating system does not 'maintain' deleted data, it just un-indexes it. It does not move it to an unallocated space, it just marks the space unallocated.
To find data in these areas, the normal; term is Data carving.
If the space was to be overwritten, then deleting a 4GB file could take a noticable time, rather than in an instance. Shredding software has to do this, and may take a considerable time to shred thousands of small files, or several very large files. For 99.99% of users, it does not matter that old documents, photos do still exist on the hard drive.
The operating system does not 'maintain' deleted data, it just un-indexes it. It does not move it to an unallocated space, it just marks the space unallocated.
To find data in these areas, the normal; term is Data carving.
To be even more "direct", as I see it, if all the fuss is about a file that has been deleted and you know what file it was, is not even "Data Carving", but simply an "UNdelete".
This may help to clear the issue
http//
In other words, in most cases you can "undelete" a file i.e. recover not only the file, but also most of it's name, I see it as a "special, easier" subset of data carving where one also looks at "fractions" and "fragments" of deleted files.
This may be of interest to you
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5150
(layman's analogies wink )
jaclaz
Thank you mscotgrove for the quick reply.
I get the idea behind it now and it makes sense that most users wouldn't care about old documents etc.