What the FBI and IRS don't want you to
Your hard disk is more incriminating than a diary if you fail to clean it regularly.
Updated October 22nd, 1998. Lee Adams. All rights reserved.
The authorities love your computer. Most people don't realize how easy it is to recover incriminating data from your computer. Even a local sheriff's department has software for snooping around your hard disk. Here's what they can
1. They can recover files you thought you erased.
2. They can recover files you thought were overwritten.
3. They can recover files created without your knowledge.
4. They can recover remnants of the Windows swap file.
5. They can recover names of Internet sites you visited.
6. They can recover your old email messages.
Temporary files. You probably didn't realize that every time you print a document, Windows writes a temporary copy to disk. It "erases" the file when it's finished, but an undelete utility can recover the file.
Swap file. Windows creates this file whenever memory gets tight. Investigators can often recover documents, data, personal information, and passwords from months ago. A binary sector editor can view the data in the swap file, often named win386.swp.
Many notebook and laptop computers use a hibernation file to save the contents
of RAM when the rechargeable battery runs low. You'll want to delete, shred, and
recreate this file. For example, if you're using an IBM ThinkPad, look
for a file named pm_hiber.bin, in addition to the Windows swap file.
See it for yourself. See for yourself what investigators can find on your computer. You can download a free demo copy of Expert Witness™, a forensic data acquisition program for Windows 95 at
This is the same software cops use. It's got a point-and-click interface that anyone can learn to use. It allows sector-by-sector viewing of your hard disk, including hidden files, previously "erased" files, the Windows swap file, unallocated disk space, and file slack (the space between the end of the file and the end of the cluster). The software provides a record of the chain of custody of the evidence (that's polite talk for the data on your computer). The software can even save your entire hard disk as evidence.
(Spy & CounterSpy is not affiliated with this product.)
Spy & CounterSpy recommends that you take a methodical approach to sanitizing your computer's hard disk. You may wish to consider downloading the following applications. Each is designed for use with Windows 95. Some of the names mentioned are trademarks. (NOTE: Spy & CounterSpy is not affiliated with any of these products.)
Shredder: Shredder is designed to run in
the background while you work with your personal computer. Shredder intercepts
all disk accesses and completely wipes a file before allowing an
overwrite. Shredder also wipes the Windows swap file at the end of each
work session. This secures your system against undelete utilities and sector
editors. You are safe from investigators who are using file slack recovery and
Windows swap file readers.
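To make the recovery list and the file-slack description concrete, here is a small Python model of a cluster-based volume. It is an added teaching example written for this page, not code from Expert Witness, Shredder or any other product named here; the ToyVolume class, its 16-byte clusters and the sample file contents are all constructed for the demonstration. It shows what a sector editor or carving tool finds after an ordinary delete, after a shorter file reuses the cluster (the old bytes survive in the slack), and after a file is overwritten before it is freed, which is the logical-layer behaviour a wiping tool like Shredder relies on.

```python
"""Toy cluster-based volume (FAT-style) showing what an examiner can carve
after a delete, after an overwrite by a shorter file, and after a wipe.
Constructed teaching model; not the code of any product on this page."""

CLUSTER = 16        # bytes per cluster, tiny so slack is easy to see
N_CLUSTERS = 8


class ToyVolume:
    def __init__(self):
        self.disk = bytearray(CLUSTER * N_CLUSTERS)  # raw sectors, start zeroed
        self.used = [False] * N_CLUSTERS             # allocation table
        self.dir = {}                                # name -> (clusters, size)

    def _alloc(self, n):
        free = [c for c, taken in enumerate(self.used) if not taken]
        if len(free) < n:
            raise OSError("disk full")
        return free[:n]

    def write(self, name, data):
        """Naive filesystem write: copy the data into clusters and nothing more.
        Bytes of the last cluster past the end of the data (file slack) keep
        whatever was there before."""
        clusters = self._alloc(max(1, -(-len(data) // CLUSTER)))
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.used[c] = True
        self.dir[name] = (clusters, len(data))

    def read(self, name):
        clusters, size = self.dir[name]
        raw = b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
        return bytes(raw[:size])

    def delete(self, name):
        """Ordinary delete: drop the directory entry and mark the clusters
        free. The bytes themselves are untouched."""
        clusters, _ = self.dir.pop(name)
        for c in clusters:
            self.used[c] = False

    def wipe(self, name, pattern=b"\x00"):
        """Sanitize: overwrite every cluster the file occupies, slack included,
        before releasing it."""
        clusters, _ = self.dir[name]
        fill = (pattern * CLUSTER)[:CLUSTER]
        for c in clusters:
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = fill
        self.delete(name)

    def hexdump(self, c):
        """Sector-editor view of one cluster: hex on the left, ASCII on the right."""
        raw = bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        return f"{c:02d}  {raw.hex(' ')}  {text}"

    def carve(self, needle):
        """Examiner's pass: search the raw bytes of every cluster and report
        whether each hit lies in a live file, in file slack, or in unallocated
        space. (Hits that straddle a cluster boundary are ignored in this toy.)"""
        slack_start = {}
        for clusters, size in self.dir.values():
            slack_start[clusters[-1]] = size - (len(clusters) - 1) * CLUSTER
        hits = []
        for c in range(N_CLUSTERS):
            pos = bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]).find(needle)
            if pos < 0:
                continue
            if not self.used[c]:
                region = "unallocated"
            elif c in slack_start and pos >= slack_start[c]:
                region = "slack"
            else:
                region = "live"
            hits.append((c, region))
        return hits


def demo():
    v = ToyVolume()
    # Constructed sample contents, chosen so the first cluster is exactly full.
    v.write("secret.txt", b"PASSWORD=hunter2 SECRET-MEMO")
    v.delete("secret.txt")                     # what the user believes is "erased"
    after_delete = v.carve(b"hunter2")         # [(0, 'unallocated')]
    v.write("note.txt", b"hello")              # reuses cluster 0, but only 5 bytes of it
    after_reuse = v.carve(b"hunter2")          # [(0, 'slack')]: survives in file slack
    memo = v.carve(b"SECRET-MEMO")             # [(1, 'unallocated')]: never touched
    v.write("card.txt", b"CARD=4111-TEST")
    v.wipe("card.txt")                         # overwrite first, then free
    after_wipe = v.carve(b"4111-TEST")         # []
    return after_delete, after_reuse, memo, after_wipe


if __name__ == "__main__":
    print(demo())
```

Run the file and demo() returns the four carve results. The model covers only the logical layer: it says nothing about magnetic remanence on the platter, about journaling or copy-on-write filesystems, or about flash media with wear levelling, where an in-place overwrite is not guaranteed to reach the sectors that held the original data; for such media a device-level erase or encryption at rest with key destruction is the usual sanitization route.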
NOTE: It takes a much stronger magnetic charge to completely overwrite and
obliterate a pre-existing charge. This is a polite way of saying that
overwriting a file still leaves subtle magnetic traces of the previous data.
Intelligence agencies and security services use magnetic force scanning
tunneling microscopes to detect these traces. Shredder can protect against this
threat. It can also protect you against investigators using an electronic
microscope with spin detectors.
A useful feature is Shredder's panic mode. If you're at your computer when the
goons kick the door in, simply press your secret keystroke combination and
Shredder instantly shreds a preselected list of sensitive files. Shredder will
also get rid of any so-called history lists that your browser makes, as well as
old email. You can download a free demo copy of Shredder from
HEdit: This hex file-editor is useful for
inspecting the files on your hard disk. You can check both the hexadecimal and
ASCII contents of any file, including the Windows swap file (named win386.swp on
most systems). You can also use HEdit to alter the contents of any file on a
byte-by-byte basis. To download a free trial version of HEdit, set your browser
File Vault: This freeware program is ideal for encrypting groups of files on your hard
disk. It can also be used to create standalone self-decrypting message files
that you can send to correspondents by email. File Vault uses the Blowfish
encryption algorithm, which is resistant to NSA attack. Included with File Vault
are the DiskWipe and FileWipe utilities. DiskWipe scrubs the free space on your
hard disk. FileWipe permanently erases a file so it cannot be read with either
an undelete utility or a sector editor. To download File Vault, set your browser
to http://www.alcuf.ca/fv.htm. You can
also download an encryption-enabled text editor called VGP from
PGP: Pretty Good Privacy is a public-key encryption program that uses a
combination of prime numbers and one-way math functions. When used correctly,
it provides strong protection for your confidential documents and email
messages. You can use it to encrypt files on your computer. You can use it to
send encrypted email to recipients you've never met. Or you can use it to
digitally sign your email so recipients can tell if it's been tampered with. PGP
is available in a variety of freeware and commercial versions in standalone
configurations or as plug-ins for various email programs and word-processors.
The US government restricts the export of this and other encryption software
outside the USA and Canada. If you're in the USA or Canada, you can download the
freeware version of PGP version 5.0 from
The commercial version of PGP version 5.5 is available at
http://www.pgp.com. The online user's manual
tells you everything you need to know. PGP's international download site is
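The signing half of the PGP paragraph in working code, as an added example for this page rather than PGP's own implementation. It builds a keypair from two random primes, signs a SHA-256 digest with the private exponent and verifies it with the public one, so a recipient can tell when either the message or the signature has been altered. The key size, the sample message and the function names are choices made for the example, and the scheme is textbook RSA without the padding real signatures use, so treat it as an illustration of the mathematics, not as a drop-in signing routine.

```python
"""Hash-then-sign with textbook RSA: large random primes plus a one-way
function (modular exponentiation with a secret exponent).  Constructed
teaching example; omits the PKCS#1 / PSS padding real implementations use."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with a little trial division up front."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Returns (public, private) as ((n, e), (n, d)); bits is the size of n."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:                          # e must be invertible mod phi
            continue
        d = pow(e, -1, phi)                       # trapdoor: easy only with p and q known
        return (p * q, e), (p * q, d)


def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    n, d = private
    return pow(_digest(message), d, n)            # only the holder of d can produce this


def verify(public, message, signature):
    n, e = public
    return 0 < signature < n and pow(signature, e, n) == _digest(message)


def demo():
    pub, priv = generate_keypair()
    msg = b"Meet at the usual place, 9pm."        # constructed sample email body
    sig = sign(priv, msg)
    genuine = verify(pub, msg, sig)                                   # True
    tampered = verify(pub, b"Meet at the usual place, 8pm.", sig)     # False
    forged = verify(pub, msg, sig ^ 1)                                # False
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())
```

The digest is 256 bits and n is 512 bits, so the hash fits under the modulus without reduction; a real implementation also needs padding and constant-time arithmetic, which is why the paragraph's advice to use a mature program such as PGP rather than roll your own stands.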
Sam Spade: This freeware program is for
all intents and purposes a hacking toolkit. Its powerful features
give you the power to trace the source of spam email (and others who may have
forged the header of the email message). You can also ping every server in a
domain, sweep for IP addresses, and track down server ports. Some of these
functions are considered to be a crack attack by the server
administrators. You can download a copy of this hacker's dream-tool from
RPK InvisiMail: This shareware program
provides hands-free email encryption. It sits between your email
software and your ISP. The software automatically exchanges public keys with any
of your correspondents who are also using InvisiMail. Otherwise, it sends out
your email as plaintext. Invented by an American cryptographer, RPK was
developed in New Zealand, outside the prying eyes of the FBI et al. Hence RPK is
not subject to any heavy-handed export restrictions (or forced inclusion of trap
doors for use by US Government spooks). InvisiMail is based on the RPK
mixture generator, whose exponentiation math is as strong as PGP's. The
patent-protected algorithm is available for inspection. (They're offering a
US$10,000 reward to anyone who can crack RPK.) You can download a free-trial
version of InvisiMail from http://www.invisimail.com
BCWipe: This is a freeware program that does three things. First, you can use it
to permanently erase files so they can't be recovered by so-called undelete
utilities. Second, you can use BCWipe to clean the free space on your hard disk.
And, third, you can use it to wipe the Windows swap file on your hard disk.
Wiping the swap file is important. Personal data and passwords from three months
ago can still be sitting there. The FBI and IRS routinely recover a significant
amount of evidence from suspects' swap files. To download BCWipe, set your
Simply run the downloaded .exe file to install the software.