System Spy Test for you

Discussion in 'privacy problems' started by CloneRanger, Sep 30, 2010.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    @ the Cloneman

    I've already uninstalled DS. Have you/could you test BleachBit?? Do you know the shred settings BB uses??
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    :D

    Black entries are still normally visible files to anyone via the usual methods. The Red ones are the hidden ones that only special tools like DS can find.
    Why ?

    I have, that's why i've posted what i have about it :p Plus in here - https://www.wilderssecurity.com/showthread.php?t=283005&highlight=BleachBit

    I "believe" they are single pass overwrites !
     
  3. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    I downloaded the picture and wiped it with r-wipe and could not find it. So then I downloaded it again and just deleted it. I still could not find it.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ caspian

    No RED entries at all Anywhere in your comp with DS ?
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ caspian

    Yes i thought you must be able to see plenty of them, so thanks for looking again and posting some screenies. Obviously those are just a small sample of what's still lurking in there. I notice several go back as far as 2007 !

    Surprised you didn't find ANY remnants at all of "CanYouReadThis", but if ya didn't ya didn't ;)

    At least it goes to show people that they do have all manner of references of file names in their comps, that they probably thought they didn't, and had long ago been deleted :D

    :thumb:
     
  7. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    I am disappointed that I was unable to find it since I just deleted it and did not wipe it. I was hoping that the software would detect it, because it must be there, right?
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,624
    Location:
    USA
    Caspian, if you did not secure delete it then it should be in your recycling bin directory. Did you check it?
     
  9. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Caspian, I would imagine that if you run a program called Recuva (by Piriform) or Restoration (by Brian Kato) you would have no trouble at all finding and displaying the deleted file.
    Deleting a file simply removes the header information. The body of the file is left intact, but the space it occupies on the disk is available to be over-written.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,624
    Location:
    USA
    When you delete a file from the recycle bin it is only removed from the directory. There is a pointer at the beginning of your disk in the directory to tell the computer where the file is located on the disk. When the pointer in the directory is deleted your computer no longer knows the file is there. Instead it reads the file as free space. The file will then eventually be overwritten by data.
     
    Last edited: Oct 8, 2010
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Restoration did not work. But Recuva did!! I checked deep scan and it actually showed all of the pictures. You could actually see them, unlike the other two products.

    With the other two, I looked for the name and it just wasn't there. So with the software posted in this thread (can't remember the name) I used the filter to pull up all of the deleted files. Then I purged them to get rid of the names and content. Then I downloaded and deleted the gif again. Still no luck. So I ran all of my cleaners again and downloaded the gif, deleted it, and restarted my computer. The deep scan in Recuva takes a long time but I could actually see the gif! So I wiped the gif in Recuva and repeated those steps and used R-wipe to wipe the file. It was not recoverable. No name or picture could be found.

    Are these programs doing the same thing that Encase does? I have heard people talk about it.
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Okay then. So just because one of these programs doesn't see it doesn't mean that it is not still there on your hard drive. But as far as it being overwritten? What if you have a 650G hard drive and store everything on an external hard drive?
     
  13. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Firstly, don't get the terminologies "Deleted" and "Erased" (also known as secure deleted or shredded) mixed up, just in case you think they are one and the same. They absolutely are not. Deleted removes the header information, leaving the body intact, as stated by Cutting_Edgetech. Erasing actually overwrites the file in its entirety, one, three or more times, depending on the program used and the user preferences.

    Read/write operations are taking place frequently when the computer is on. Nevertheless, it could be some time before a deleted file is overwritten, and even then, my understanding is that there are certain computer forensics specialists that can extract a file even if it has been overwritten. (Most notably police forensics labs.)

    The success of such an operation probably rests on a number of factors, including how long the file sat there undisturbed before the overwrite. (I've read that a file that has sat undisturbed is more likely to be recoverable than one that has been erased immediately. I read it on the internet. Must be true. ;) )

    To eliminate a file from the hard drive it should really be erased, not deleted. Even a one pass overwrite (erasure) is going to make it, for the average user, impossible to recover. (I don't know about the forensics lab people. Maybe.) To eliminate files that have been deleted in the past is more of a turkey shoot, but using a "wipe free hard drive space" option in a program like Eraser should do it. It takes a lot longer, though, especially if you're going to be wiping free space on a 650G drive that is a long way from full up. A heck of a lot longer.

    A program like Recuva or Recovery (I've had success with the latter) will see files on the hard drive; if they don't, the file can probably be considered as gone.
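
The delete-versus-erase distinction described in posts 10 and 13, as an added example that is not part of any post in this thread: a simplified FAT-style volume modelled in memory, showing what a normal listing, a directory-entry viewer and a deep scan each see afterwards. `ToyVolume`, its methods and the sample file contents are constructed for illustration; the 0xE5 deleted-entry marker is the FAT convention, and other file systems record deletion differently.

```python
CLUSTER = 512
DELETED = 0xE5  # FAT flags a deleted directory entry by overwriting the first name byte

class ToyVolume:
    """Simplified FAT-like volume: a directory table plus raw data clusters (model only)."""
    def __init__(self, clusters=16):
        self.data = bytearray(CLUSTER * clusters)
        self.directory = []  # each entry holds a name, a start offset and a size
        self.next_free = 0

    def write(self, name, content):
        start = self.next_free
        self.data[start:start + len(content)] = content
        self.next_free += -(-len(content) // CLUSTER) * CLUSTER  # round up to whole clusters
        self.directory.append({"name": bytearray(name.encode()), "start": start, "size": len(content)})

    def _find(self, name):
        return next(e for e in self.directory if e["name"] == name.encode())

    def delete(self, name):
        """Ordinary delete: flag the entry; the rest of the name and all data stay on disk."""
        self._find(name)["name"][0] = DELETED

    def erase(self, name):
        """Single-pass erase: overwrite the content, then scrub the directory entry too."""
        e = self._find(name)
        self.data[e["start"]:e["start"] + e["size"]] = b"\x00" * e["size"]
        e["name"][:] = b"\x00" * len(e["name"])
        e["start"] = e["size"] = 0

    def listing(self):
        """What a normal file browser shows: live entries only."""
        return [bytes(e["name"]).decode() for e in self.directory if e["name"][0] not in (DELETED, 0)]

    def snoop(self):
        """What a directory-entry viewer shows: deleted entries and their residual names."""
        return [bytes(e["name"][1:]).decode() for e in self.directory if e["name"][0] == DELETED]

    def carve(self, magic):
        """Deep scan: search raw clusters for a file signature, ignoring the directory."""
        return self.data.find(magic) != -1

def demo():
    vol = ToyVolume()
    gif = b"GIF89a" + b"constructed sample pixels"        # constructed sample content
    vol.write("CanYouReadThis.gif", gif)                   # name from the thread, extension assumed
    vol.write("second.gif", gif.replace(b"89a", b"87a"))   # hypothetical second file
    vol.delete("CanYouReadThis.gif")
    vol.erase("second.gif")
    return vol.listing(), vol.snoop(), vol.carve(b"GIF89a"), vol.carve(b"GIF87a")
```

Neither file appears in the normal listing, but only the erased one is gone from both the directory entries and the raw clusters; the deleted one still yields most of its name and all of its content.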
     
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Yes I am aware that a file needs to be wiped. But I have heard that a computer can make extra copies or something like that. Recuva was pretty interesting when I enabled deep scan. Took a long time though. And I had to reinstall Returnil because it messed it up.

    I am not familiar with "Recovery". Do you have a link?
     
  15. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Oh I see. I think you meant to say "Restoration" instead of "Recovery". Thanks for the link.
     
  17. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Yes. Sorry, my bad, became confused.
     
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Occasionally I've done work for the Crown, the background work of gathering evidence to further build a case to go to court. R-Wipe&Clean is one of those on the 'proverbial list' of tools that hopefully is not found on a computer because it is so very thorough. CyberScrub is another which was mentioned, up to tools such as WinHex, Crypters and TrueCrypt like. Then occasionally it's luck due to user error, laziness or unfamiliarity with a program that helps. It's not just files that can be damning but file names, time or obfuscation with maybe some corroborative attestation.
    I deleted the gif then used R-Wipe&Clean and found nothing with Directory Snoop or WinHex.
     