Amateur Magicians at Work
In our line of work, we see plenty of would-be magicians trying to make incriminating data vanish. They hope to baffle us with off-the-shelf tricks and wipe away digital evidence. The reality is, there’s only one Houdini, and these folks shouldn’t quit their day jobs.
Most people misunderstand how and when data is truly deleted. It’s not like pouring out a bucket to get rid of the contents. Instead, it’s more like setting the bucket down empty until something else fills it. The old data sticks around until it’s overwritten by new data. That’s why simply deleting a file doesn’t mean it’s gone.
When a drive is wiped properly, its data is replaced, often by random characters or repeated symbols like “0.” Fun fact: when you buy a new hard drive, it isn’t actually blank. It’s filled with “0” characters. Something always occupies the space.
Tools That Clean and Leave Clues
Plenty of programs promise to tidy up your system or delete unwanted data. Tools like CCleaner or BleachBit are well known. Sometimes they’re used for simple maintenance, but in our cases, they often show up when someone is trying to erase traces of wrongdoing.
Typical files wiped by these programs include:
- Temporary internet files
- Browser history and cookies
- Recently opened documents lists
- Log files and miscellaneous system caches
But here’s the catch: these files may be deleted, yet not immediately overwritten. That means if we access the device soon afterward, we can often still recover them.
Even After the Cleanup, Evidence Remains
Even if we don’t get access right away, all is not lost. Running these tools often creates new evidence of their own. Installing and executing a cleanup program leaves traces that can be tied to a timeline, showing either long-term harmless use or suspicious timing.
For example, maybe the software was installed years ago and regularly updated. Or maybe it was downloaded and run the night before the computer was scheduled for forensic review. We’ve seen both scenarios. Needless to say, the latter usually points to deliberate cover-up attempts.
The Telltale Steps of Covering Tracks
Let’s break down what usually happens when someone tries to clean up data:
- They search for the program, leaving traces in browser history and cache.
- They download and install it, which creates download records, program folders, and registry entries.
- Shortcuts and supporting files appear throughout the system.
- They run the program, generating evidence of execution.
- Files are “cleaned up,” meaning they’re deleted but often not yet overwritten.
Many of these tools also have an explicit overwrite function. CCleaner, for example, can rename files it overwrites to something like ZZZZZZZZZZZ.ZZZ, turning spreadsheet.xls into a telltale string of Zs. This is a clear marker that wiping was performed.
Uninstalling Doesn’t Erase the Story
Sometimes the final move is to uninstall the program, hoping to erase all traces. While some evidence is lost, plenty remains. Those earlier steps leave behind a trail. By piecing together these digital artifacts, we can build a detailed timeline that often dismantles any claims of “we didn’t try to hide anything.”
Once we break down that story, it opens the door to obtain more evidence, which we’ll explore in our next post. That way, when the would-be magician tries to pull a rabbit out of their hat, you’ll already have the ace you need.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.