Robert Johnson, who used to be the publisher of Newsday, was indicted on Tuesday for possessing child pornography and for attempting to destroy evidence. A pair of incriminating movies were found on Johnson’s office computer, even though he had apparently used a program called “Evidence Eliminator” to wipe 12,000 files from its hard drive. Can you ever really erase a computer file?
It’s not easy. When you delete a file on a standard desktop computer, it first goes to the “recycle bin” or the “trash,” which only moves the intact file into a different folder. The file is actually deleted when you empty the recycle bin. But even then, much of the information remains on the hard disk. Exactly how much depends on the type of computer you’re using and which operating system, and file system, you have.
Here’s how it works: The information in each file you create gets stored on your computer’s hard disk, spread across multiple “data clusters,” fixed-size chunks of space that each have a particular address. The file system keeps an index (the file allocation table on FAT volumes, the master file table on NTFS) that records which clusters belong to each file; the pieces of a single document, for example, might be stored in clusters all over the disk. If possible, the file system stores a file in contiguous clusters, so all the information is kept close together.
When you delete a file, all you’ve really done is tell the computer that it can reuse the clusters assigned to that file for something new. The data in those clusters remains intact, until the computer reassigns and overwrites those chunks of disk space with new files. Experts say that the original data can remain intact for weeks or months, depending on the particulars of the system.
To make things easier for computer-forensics specialists, standard Windows desktop machines even keep basic information about the deleted file: its directory entry or master-file-table record, with the name, the size, and the list of clusters it used, is merely flagged as unused rather than cleared. (Unix-style systems don’t preserve quite as much. Linux’s ext3 file system, for instance, zeroes the list of data blocks in the file’s inode when the file is deleted, so an investigator can see that a file existed but has to go looking for its contents.) But even without every chunk of original data, specialists can scan the raw disk for the signatures of particular kinds of files, a technique called file carving, or pull bits of text from a deleted file that has been partially overwritten.
So, what do programs like Evidence Eliminator do? They overwrite the file’s clusters in place with zeroes, ones, or random data, sometimes in several passes, and only then “delete” it in the conventional sense. Finally, they scrub the record of where the original file was stored on the disk, so that neither the stale directory entry nor the old contents survive. More advanced programs might overwrite the original with something less conspicuous than a string of zeroes, like an ordinary text file, so that the wiping itself is harder to notice.
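To make the mechanics in the preceding paragraphs concrete, here is a small Python simulation written for this page. It is an added example, not code from Slate, from Brian Carrier or John Mallery, or from Evidence Eliminator or any real file system; ToyDisk, recover_by_metadata, carve and demo are invented names, and the 16-byte clusters and file contents are constructed. It models a first-fit cluster allocator, shows that an ordinary delete leaves both the data and (FAT/NTFS-style) the stale directory record in place, recovers the file from that record, lets a later file partially overwrite it, carves a signature out of the raw disk, and finally overwrites and unlinks a file the way a wiper does.

```python
"""Constructed toy model of a cluster-based disk (added example; not the
code of any real file system, forensic tool or wiping product)."""
import os

CLUSTER_SIZE = 16   # bytes per cluster, kept tiny so the layout is easy to read
CLUSTER_COUNT = 32  # a 512-byte "disk"


class ToyDisk:
    """A flat byte array split into fixed-size clusters, plus a directory
    recording which clusters each file occupies (the index that lets the
    computer find the pieces of a file)."""

    def __init__(self):
        self.blocks = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)
        self.free = list(range(CLUSTER_COUNT))  # first-fit: lowest free cluster first
        self.directory = {}      # name -> (clusters, size) for live files
        self.stale_entries = {}  # leftover metadata of deleted files (FAT/NTFS-style)

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER_SIZE))  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only the bytes actually written change; the unused tail of the
            # last cluster ("file slack") keeps whatever was there before.
            self.blocks[start:start + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def delete_file(self, name, keep_record=True):
        """Conventional delete: forget the name, mark the clusters reusable,
        leave the data bytes alone. keep_record=True mimics FAT/NTFS, which
        leave the old name, size and cluster list behind; False mimics ext3,
        which zeroes the block pointers on delete."""
        clusters, size = self.directory.pop(name)
        if keep_record:
            self.stale_entries[name] = (clusters, size)
        self.free = sorted(self.free + clusters)

    def wipe_file(self, name, passes=3):
        """Wiper-style erase: overwrite every cluster of the file in place
        (zeros, then ones, then random data), then delete it without leaving
        a stale directory record."""
        clusters, _ = self.directory[name]
        for n in range(passes):
            for c in clusters:
                start = c * CLUSTER_SIZE
                if n % 3 == 0:
                    fill = b"\x00" * CLUSTER_SIZE
                elif n % 3 == 1:
                    fill = b"\xff" * CLUSTER_SIZE
                else:
                    fill = os.urandom(CLUSTER_SIZE)
                self.blocks[start:start + CLUSTER_SIZE] = fill
        self.delete_file(name, keep_record=False)


def recover_by_metadata(disk, name):
    """Undelete from a stale directory entry: reassemble the listed clusters.
    Faithful only while none of those clusters has been reused."""
    clusters, size = disk.stale_entries[name]
    raw = b"".join(bytes(disk.blocks[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                   for c in clusters)
    return raw[:size]


def carve(disk, signature):
    """File carving: search the raw disk for a byte signature, ignoring the
    directory entirely. Returns every offset at which the signature occurs."""
    hits, pos = [], disk.blocks.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = disk.blocks.find(signature, pos + 1)
    return hits


def demo():
    """Delete -> recover -> partial overwrite by a new file -> proper wipe."""
    disk = ToyDisk()
    secret = b"MAGIC:the quick brown fox jumps over the lazy dog"  # 49 bytes, 4 clusters
    disk.write_file("secret.txt", secret)
    disk.delete_file("secret.txt")
    after_delete = recover_by_metadata(disk, "secret.txt")  # comes back intact
    # A new 19-byte file reuses the first two freed clusters: the front of the
    # secret is clobbered, its tail (and the slack of cluster 1) survives.
    disk.write_file("memo.txt", b"memo: lunch at noon")
    after_reuse = recover_by_metadata(disk, "secret.txt")
    # A second secret is wiped properly: no signature to carve, no stale record.
    disk.write_file("secret2.txt", b"MAGIC:plans for tuesday")
    hits_before_wipe = carve(disk, b"MAGIC:")
    disk.wipe_file("secret2.txt")
    hits_after_wipe = carve(disk, b"MAGIC:")
    return after_delete, after_reuse, hits_before_wipe, hits_after_wipe, disk


if __name__ == "__main__":
    after_delete, after_reuse, before, after, _ = demo()
    print("after delete :", after_delete)
    print("after reuse  :", after_reuse)
    print("MAGIC: found at", before, "before the wipe and at", after, "after it")
```

Run it and compare the two recoveries: the first returns the secret verbatim, the second returns the memo’s bytes followed by the untouched tail of the secret, which is exactly the sort of text fragment an examiner pulls out of a partially overwritten file. The keep_record flag is the Windows-versus-Unix difference described above: with it off, the undelete-by-metadata path is gone, but carve still finds the bytes, because only the overwrite in wipe_file actually destroys them.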
But even if you do wipe your disk successfully and overwrite each of your deleted files, traces of the original data may remain. Writing to a magnetic disk is not as precise as one might think; when you overwrite a file, the new version doesn’t perfectly cover up the old. In a widely cited 1996 paper, Peter Gutmann argued that the leftover signal could be read out with laboratory imaging techniques such as magnetic-force microscopy and scanning tunneling microscopy, and his 35-pass overwrite pattern is what privacy fanatics have in mind when they talk about wiping their disks 35 times over to be absolutely safe. Two caveats a practitioner would add: Gutmann himself has since said that the technique does not apply to modern high-density drives, and NIST’s media-sanitization guideline (Special Publication 800-88) treats a single full overwrite as sufficient for hard drives made after 2001; no published work has demonstrated recovery of overwritten data from such a drive. The more common failure in practice is that the wiper never touches every copy: fragments can survive in temporary files, the page file, backups, and unallocated space the program was never pointed at, and on flash-based (SSD) storage the drive’s wear-leveling may leave the old blocks in place while the overwrite lands elsewhere.
Explainer thanks Brian Carrier of Purdue University and John Mallery of BKD Consultants.