Assessing Trace Evidence Left by Secure Deletion Programs

  • Paul Burke
  • Philip Craiger
Conference paper

DOI: 10.1007/0-387-36891-4_15

Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)
Cite this paper as:
Burke P., Craiger P. (2006) Assessing Trace Evidence Left by Secure Deletion Programs. In: Olivier M.S., Shenoi S. (eds) Advances in Digital Forensics II. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA

Abstract

Secure deletion programs purport to permanently erase files from digital media. These programs are used by businesses and individuals to remove sensitive information from media, and by criminals to remove evidence of the tools or fruits of illegal activities. This paper focuses on the trace evidence left by secure deletion programs. In particular, five Windows-based secure deletion programs are tested to determine if they leave identifiable signatures after deleting a file. The results show that the majority of the programs leave identifiable signatures. Moreover, some of the programs do not completely erase file metadata, which enables forensic investigators to extract the name, size, creation date and deletion date of the “deleted” files.

Keywords

Secure deletion trace evidence Windows XP FAT12 file system 

Copyright information

© IFIP Internatonal Federation for Information Processing 2006

Authors and Affiliations

  • Paul Burke
    • 1
  • Philip Craiger
    • 1
    • 2
  1. 1.National Center for Forensic ScienceUniversity of Central FloridaOrlandoUSA
  2. 2.University of Central FloridaOrlandoUSA

Personalised recommendations