Contribution to Book
Assessing Trace Evidence Left by Secure Deletion Programs
Advances in Digital Forensics II (2006)
  • Paul Burke, University of Central Florida
  • Philip Craiger, University of Central Florida
Abstract
Secure deletion programs purport to permanently erase files from digital media. These programs are used by businesses and individuals to remove sensitive information from media, and by criminals to remove evidence of the tools or fruits of illegal activities. This paper focuses on the trace evidence left by secure deletion programs. In particular, five Windows-based secure deletion programs are tested to determine if they leave identifiable signatures after deleting a file. The results show that the majority of the programs leave identifiable signatures. Moreover, some of the programs do not completely erase file metadata, which enables forensic investigators to extract the name, size, creation date and deletion date of the “deleted” files.
Keywords
  • secure deletion
  • trace evidence
  • Windows XP
  • FAT12 file system
Publication Date
January, 2006
Editor
Martin S. Olivier and Sujeet Shenoi
Publisher
Springer
Series
IFIP Advances in Information and Communication
ISBN
978-0-387-36890-0
DOI
https://doi.org/10.1007/0-387-36891-4_15
Publisher Statement
A paper from the 2nd IFIP International Conference on Digital Forensics, held at the National Center for Forensic Science, Orlando, Florida, January 29-February 1, 2006.
Citation Information
Paul Burke and Philip Craiger. "Assessing Trace Evidence Left by Secure Deletion Programs" New York, NY. Advances in Digital Forensics II Vol. 222 (2006) p. 185-195
Available at: http://works.bepress.com/john_craiger/33/