
How to Secure Delete Files from Computer

Protect your privacy by knowing how to secure delete files from your computer.


Learn how to permanently delete files on your computer without chance of recovery.

How Snoops Use Forensic Software

Adversaries determined to examine your device use specialized forensic software to thoroughly scan it for hidden trace information as well as long-deleted items on your storage media.

All devices, whether desktop computers, laptops, tablets, smartphones or removable storage media such as USB memory sticks, are routinely examined by forensic software experts hired for contractual, civil, employment or matrimonial disputes.

Sometimes the expert is hired to access your device after hours, acquiring a copy (image) of your storage media and examining it later off-site without you ever knowing.

Learning how forensic snooping software works will help you understand why a number of the techniques outlined on this site are so important, including clearing trace data, encryption and data wiping.



How Forensic Software Experts Find Digital Evidence

Generally speaking, the forensic software experts first create an exact physical duplicate of the device’s storage media, called a disk image or bitstream.

An exact physical duplicate means a bit-for-bit copy and therefore includes not only your original items and data files, but also all the trace data discussed earlier, including deleted files, Registry information, paging and hibernation files, memory dumps, temporary artifacts, hard drive indexes and even its file slack and bad clusters.

More About: Clusters – A cluster refers to the minimum amount of physical space on a storage media device allocated by an operating system. For example, a desktop computer’s hard drive has millions of clusters.

Typically, the forensic software packages are as expensive as they are sophisticated.

The packages most used by experts can cost in the thousands of dollars and require professional training on how to use them. The features of expert-level forensic software include disk image creation and the ability to perform powerful searches of internal, external and other storage media, and may also include capabilities such as file decryption, password cracking and steganography detection.


How to Snoop Your Own Computer

These are the leading forensic software applications on the market:

But they are super expensive!

If you wish to get a taste of what it is like to poke around your own desktop computer or laptop to see what can be detected and perhaps recovered, you can try the app Directory Snoop.

Directory Snoop may not be full-fledged forensic analysis software in the purist sense, but it is a powerful utility that lets you analyze your storage media at a detailed, technical level (right down to the cluster level).

Plus, it is affordable and allows you to find and examine lots of hidden and trace data.

Directory Snoop also gives you the ability to purge (delete) some of this trace data or recover it in the case of deleted items. This is a superb personal product. It is not free but you can use it free for a trial period before deciding whether to purchase a license.

To see how this tool can find sensitive trace information embedded in the clusters of hard drive storage media, see the following in-depth illustration.


Detailed Example of Permanently Deleting Files from Computer

Top Tip – This section is for advanced users, so if you find the materials a bit complicated, jump ahead to the Recap section at the end.

Using a practical example, this tutorial demonstrates how to permanently delete files and, in fact, to eliminate any trace the files existed at all.

For the demonstration, I saved a video clip named STRIPPED.WMV on a USB stick and then deleted it. This item could just as easily represent a document about a medical condition you have, your personal budget, a confidential report, your diary, items from your erotica stash or whatever else you consider private.

Below I use a file recovery (undelete) app to illustrate that the now deleted video is easily found and recovered. In other words, by deleting the file “normally” it could be easily undeleted.

I again saved the video clip to a USB stick, but this time I properly deleted the video with a wiping app. The video should now be wiped and beyond recovery by conventional undelete apps.  To check this, I use the same file recovery (undelete) app to confirm whether the wiping has truly worked.

However, it is important to understand that even wiped files still leave behind an empty directory entry (its file name) and sometimes old file names alone can be enough of a threat to your privacy.

With the wipe of the video clip now confirmed, to address the risk of empty directory entries, I then move on to purging its old file name (purge the empty directory entry) from the storage media’s master index so that no trace of it exists.

Finally, for ultimate privacy, I wipe the storage media’s free space using multiple passes so that there is no trace or risk of recovery even from sophisticated adversaries using the best forensic software that money can buy.

Let’s get started ….

* * *

Using a widely available and free data recovery (undelete) app, the deleted video is easily found (see screenshot). Depending on whether any new data has overwritten the space on the storage media previously occupied by the video, it may be fully recoverable. This is usually a function of how long ago the item was deleted and how large the storage media is.

Figure: The previously deleted video STRIPPED.WMV is easily found and recovered


As explained in the summary above, for the next steps, I again saved the video clip to a USB stick, but this time I properly deleted the video with a wiping app. This makes the video beyond recovery by conventional undelete apps.

However, even though the video is wiped, its old file name is left behind in the storage media’s master index. To address this risk, we need to purge its empty directory entry so that no trace of it exists.

Observe in the next series of screenshots as the relevant directory entry is purged using my recommended wiping app. The app easily locates the directory entry and, with a few selections, purges the directory entry.

Figure: The undelete app easily locates the directory entry (the file name of the deleted item)

Figures: Selecting the directory entry for purging and then confirming the purge

Figure: Confirming that the directory entry is now purged and emptied from the disk’s index


As you can see in the screenshot above, the name of the deleted item (the directory entry) is now purged from the drive’s index and replaced with a question mark (?).

Now let’s re-run the undelete app to see if it can reveal the existence of the deleted item.

Figure: The undelete utility fails to find the STRIPPED.WMV video when you do another search


Even with the widest search possible on the USB stick, the undelete app finds no trace of the deleted video; this is because the directory entry is now gone.

The undelete app can no longer find the record of the deleted item. This means that the deleted item is safe not only from discovery and recovery but also from detection by conventional undelete apps. However, until the drive’s free space is wiped, more powerful forensic software could probably detect the previous existence of the video and perhaps even recover it in part or in its entirety.

This is why, for sensitive items and data, you should always, in addition to wiping the specific items, also wipe your drive’s free space – demonstrated in detail further down – to ensure that the data is beyond recovery from powerful forensic software.
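The sequence demonstrated above (normal delete, then wipe, then purge), modelled on a constructed FAT16-style directory as an added example that is not part of the original article or of any app it mentions. The 32-byte entry layout and the 0xE5 deleted marker are standard FAT; the in-memory "volume", the contiguous file, the function names and the way `purge_entry` blanks the entry are assumptions made for illustration.

```python
import struct

ENTRY, CLUSTER, DELETED = 32, 512, 0xE5   # entry size, cluster size, deleted marker
ENTRY_FMT = "<8s3sB14xHI"                 # name, ext, attr, (skipped), first cluster, size

def make_entry(name, ext, cluster, size):
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, cluster, size)

def delete_entry(directory, index):
    """Normal delete: only the first byte of the name is replaced."""
    directory[index * ENTRY] = DELETED

def scan_deleted(directory):
    """Undelete-style scan: deleted entries that still carry a name and location."""
    found = []
    for off in range(0, len(directory), ENTRY):
        raw = bytes(directory[off:off + ENTRY])
        if raw[0] == 0x00:                     # 0x00 marks the end of the directory
            break
        if raw[0] != DELETED or not any(raw[1:]):
            continue                           # live entry, or already purged
        name, ext, _attr, cluster, size = struct.unpack(ENTRY_FMT, raw)
        label = "?" + name[1:].decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip()
        found.append((label, cluster, size))
    return found

def read_file(data, cluster, size):
    start = (cluster - 2) * CLUSTER            # FAT numbers data clusters from 2
    return bytes(data[start:start + size])

def wipe_file(data, cluster, size):
    """Wipe: one pass of zeros over whole clusters, so file slack is covered too."""
    start = (cluster - 2) * CLUSTER
    span = -(-size // CLUSTER) * CLUSTER       # round up to a cluster boundary
    data[start:start + span] = bytes(span)

def purge_entry(directory, index):
    """Purge: keep the deleted marker (later entries stay reachable), blank the rest."""
    off = index * ENTRY
    directory[off:off + ENTRY] = bytes([DELETED]) + bytes(ENTRY - 1)

def demo():
    content = b"constructed-sample-bytes" * 25  # constructed stand-in for the video
    directory = bytearray(make_entry("KEEP", "TXT", 2, 10)
                          + make_entry("STRIPPED", "WMV", 3, len(content))
                          + make_entry("OTHER", "DOC", 5, 10) + bytes(ENTRY))
    data = bytearray(4 * CLUSTER)
    data[CLUSTER:CLUSTER + len(content)] = content      # cluster 3 starts at offset 512
    delete_entry(directory, 1)
    after_delete = scan_deleted(directory)               # name, cluster and size survive
    recovered = read_file(data, 3, len(content)) == content
    wipe_file(data, 3, len(content))
    after_wipe = scan_deleted(directory)                 # content gone, name still listed
    content_left = any(read_file(data, 3, len(content)))
    purge_entry(directory, 1)
    return after_delete, recovered, after_wipe, content_left, scan_deleted(directory)

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The five values returned by `demo()` correspond to the stages in the walkthrough: the name is found and the content recovered after a normal delete, the name alone remains after the wipe, and the scan comes back empty after the purge.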

Purging All Your Empty Directory Entries

Good wiping apps, including those I recommend, make it easy to purge all empty directory entries from storage devices. This is illustrated in the next series of screenshots.

Figure: Select the drive from which you wish to purge directory entries (here G:)

Figure: Filter the results to display the directory entries of previously deleted items


Figure: Now select all the displayed empty directory entries you wish to purge


Figure: After confirming, all the selected empty directory entries will be purged from storage devices


After the mass purge of empty directory entries from the USB stick you can now use a file recovery (undelete) utility to confirm that no record remains of the deleted items or folders; that is, that all of the empty directory entries were in fact purged. This is shown in the next screenshot.

Figure: Confirm the purge was successful by re-running your file recovery (undelete) utility


Congratulations! All trace records of the names of deleted items and folders have been eliminated from the USB stick. Of course, you can and should apply these same techniques to as many storage devices as possible, especially computer hard drives, in order to keep your entire system clear of this hidden trace data risk.

Wiping Your Drive’s Free Space

It may be great that widely available undelete utilities may not be able to find and recover your previously deleted files and folders. But until the relevant drive’s free space is wiped, sophisticated forensic software probably could detect and perhaps recover (in part or in whole) your deleted items, even with these items’ empty directory entries purged.

Therefore, you should also take the extra step of wiping the free space on your storage media.

Wiping the free space of a storage device (the same USB memory stick as above) is shown in the next series of screenshots. If you are using a different app, the screens will look different but the same general steps and concepts will apply.

Figure: Now wipe the free space on the same drive that was just purged of empty directory entries


Figure: The more secure the wiping method you use (the number of overwriting passes you apply), the longer it will take


Once the wipe is complete, all traces of the former files and folders will be eliminated and beyond recovery, even with sophisticated forensic software.


Secure Delete Tools

The best and easiest way to eliminate the traces of your activities from devices is to use tools specifically built for this purpose.

Secure delete apps (sometimes called privacy cleaning, eraser, washing, wiping or scrubbing apps) are tools that eliminate all of this trace information left behind on your device, helping keep your privacy intact.

Many of these apps do the job at a single click. There are dozens of such apps to choose from for all devices, some of which are free.

If you don’t think you need a tool to eliminate trace data, think again! Perform the checks earlier in this post to see what trace information may be on your device for others to discover.

Ask yourself, if someone used those simple techniques what would they find?

With many free apps available for just about every device on the market there really is no excuse for not using a privacy cleaning app.

Whichever app you choose, free or premium, make sure that it is adequately supported and frequently updated. After installing the app, spend a minute to set it up, selecting the sources of history records you would like it to cleanse including from Windows, your web browser and other apps. Good choices are the apps you use most frequently for your sensitive activities and might include your video player and image viewer apps.

Perform an occasional privacy “audit” on your device (including those steps found in the links above) to see if any new sources of trace data are showing up. If so, update your settings accordingly. You can clean up after each sensitive session on your device or, if you like, schedule regular cleanings or have the app clean up automatically at every start-up and/or shut down.

Best Secure Delete Apps

Using a specially designed app is the easiest way to clear unwanted trace data from your devices. Most privacy cleaning apps provide lots of choice about what you can cleanse from your device.

CCleaner

CCleaner is the industry-leading (meaning over 1 billion downloads!) free tool with a premium counterpart. It allows you to quickly and easily clear history records from Windows and web browsers as well as popular Internet and multimedia apps.

It also includes drive wiping capabilities (free space or total drive wiping of 1, 3, 7 or 35 passes) but no file shredding features.


BleachBit

BleachBit (free) is a powerful yet simple app, appealing to novices and advanced users alike.

BleachBit enables you to secure delete unwanted trace data from the sources you would expect and from a wide range of apps. It is also available as a portable distribution, meaning a version you can run from a USB memory stick. It's the history clearing app that Bruce Schneier uses. Enough said.

Figure: Selecting options in BleachBit for cleaning sources of trace data

Privacy Eraser

Privacy Eraser Free and its premium counterpart Privacy Eraser Pro are some of the best privacy protection apps around. It has a clean and intuitive interface and has features to remove the trace data left behind by your web browser, operating system and hundreds of apps by virtue of dozens of plugins available.

Privacy Eraser also allows you to build and add your own custom items for cleaning, if needed. As a bonus, it has built-in file shredding and free space drive wiping capabilities, and other handy tools.

It also comes in a portable version that you can run from a USB memory stick.

Figure: Privacy Eraser makes it easy to get rid of trace data on your device

Privacy Eraser Free has a clean and intuitive interface with features to remove the trace data left behind by your web browser, operating system and hundreds of apps.

In one easy, intuitive interface you can clear all those pesky sources of trace data on your computer. It covers all the basics such as your browsing history, cache, search history, auto complete and any cookies you want cleared.

But it goes much further, clearing Windows recently used item records, temporary files, system artifacts and other sources of trace data on your computer that can reveal what you have been up to.

Privacy Eraser Free comes preloaded with a long list of default items you can select to clear including the traces left by a variety of popular apps used for playing videos, viewing images, sharing torrents, opening documents, etc. Further, it also allows you to build and add your own custom items for cleaning, if needed, so you never have to worry about not being able to clear a potential source of trace data.

In addition, PEF has built-in file shredding and drive wiping capabilities enabling you to secure delete (wipe) digital items, files and data on your disk drives and other storage media. The free version accommodates single-pass overwriting, while its premium version Privacy Eraser Pro (below) can accommodate wiping methods from 1 to 35 passes.

Figure: PEF's Drive Wipe

Privacy Eraser review bottom line: as you can see, PEF has a lot of powerful features for a free app, covering all your trace data removal needs and providing decent file shredding and drive wiping too.


The Pro version has all the same features as the free one (in a different, more traditional display).

However, if you need the added security of being able to permanently delete digital items beyond any chance of recovery, Privacy Eraser Pro lets you conduct file shredding and drive wipes of up to a whopping 35 passes.

Figure: Privacy Eraser Pro supports wiping up to 35 passes


Figure: Privacy Eraser Pro has zillions of plug-ins to clear all your apps


Even more so than PEP, PEF is fully customizable, offers the ability to schedule cleaning sessions, and its robust plug-in support means that a plug-in will almost certainly exist for all your apps, from the most popular to even the most obscure.

Privacy Eraser Pro is available for a free 30-day trial.



Wrap-Up: Recapping the Lessons Learned

The demonstrations above are head-spinning. Your hard drive leaves behind all kinds of traces that can come back to haunt you, even if you are deleting items and emptying your trash.

These materials covered why and how to delete data beyond recovery and to leave no trace that the files even existed in the first place. The concepts were reinforced with concrete, step-by-step demonstrations.

To recap, the best way to protect your devices from privacy breaches is a combination of the following:

  • wipe (rather than merely delete) any items you wish to secure delete permanently
  • purge empty directory entries from your storage media devices’ master indexes to get rid of the old names of items and folders that were deleted, moved, renamed or wiped
  • wipe the free space on your storage devices to permanently eliminate risks from empty directory entries as well as from file slack
  • in addition, you should also keep in mind:
    • the importance of using a history-clearing app to clear the most obvious sources of trace data from your device, such as the history and activity records kept by your web browser and other apps, and
    • the benefits of embracing on-the-fly full disk encryption and, ideally, saving your private items to encrypted media or even using a fully encrypted operating system

 
