Piriform Community Forums
benben

LAW ENFORCEMENT & CCLEANER


A quick message for all CCLEANER users - have just had my personal computer (along with a bunch of others belonging to other folk that were taken from the office we all work in) returned to me by law enforcement.

And guess what?

CCLEANER was obviously no probs for them to overcome - a lot of docs deleted with CCLEANER over the preceding 6 - 2 months prior to confiscation, and which had therefore been cleaned out (or so I thought) by CCLEANER repeatedly, time and time again, had been recreated - and accidentally left in a forensics folder. As this had happened on a number of personal computers, not only mine, we suspect that the forensic examiner made a mess of things, i.e. doubt very much they deliberately put files back on the HD that had been deleted a long time back.

While admittedly CCLEANER makes no claim about being able to defeat forensic examination by cops, I thought it might interest folk - been there, done that - it may stop the wife and nosy colleagues from recovering docs/files/folders etc etc ... it won't stop the cops!


With the tools they have it's of no real surprise to me. Short of completely destroying a hard disk by incineration there's just about always the possibility of recovering files.


Were you using the secure file deletion method? If you only use fast delete then files can easily be recovered.


Sometimes those types of recoverable data may just be very useful so unless you are not giving it away, I think there is a reason why they should remain in there.


I'm not too sure what to make of this post. Forensic examination under a microscope is seriously expensive. Which means if you were destroying sensitive data of that significance for the police forensics to get your hard drive under a microscope, for whatever reason they have taken your data away, then what possibly would be going through your mind to use ccleaner???

A good friend of mine trained with a company called Vogon (data retrieval), which uses hardware for recovery, and during his training they were told about some of the higher profile crimes/forensic data recovery cases they had dealt with in the past.

He was told that, due to the way hard drives write data to disk, software-based utilities can never fully clean a hard drive. They can however make it extremely difficult and expensive, Charged 100k for a medium sized job.

Criminal forensic data recovery cases done in a lab/clean room can produce a conviction on overwritten data. This is because when hard drives write magnetic data there's normally overspill of data either side of the data track; by either formatting or using software to erase the data track you are still left with this overspill, from which in their lab they could recover enough data to use in court and win cases.

That level of data recovery is incredibly expensive though.

And in his words, I don't mean any offence in this statement but it will get the point across about when they will use a microscope.

"cases he told us about were business crimes/fraud etc. involving lots of money not some nonce abusing the internet."

Bottom line is the only completely safe way of disposing of data is completely destroying the magnetic platters in the hard drive.


Strange, Vogon/Ontrack actually sell a software data eraser tool. And on their website is this.....

'Physically destroying the hard drive is the best way to make sure the data is gone for good. Fortunately, there are other safe ways to ensure data is securely erased. Data-erasing software products will overwrite data, with a single pass usually being sufficient. Military norms, however, require that a drive be overwritten several times. In these circumstances, even Ontrack's data recovery engineers would be unable to recover useful data. The cost to attempt such a recovery would also be tremendous.'

There's nothing I can find on Vogon's site that indicates that they can recover data from overwritten sectors at any cost.

The O/P's post is stating nothing new, as he says CC isn't, and has never claimed to be, a secure data eraser.


It's just my crappy writing of the sentence.

"They can however make it extremely difficult and expensive, Charged 100k for a medium sized job."

was aimed at under a microscope, which he was told as part of his training.

Nothing to do with themselves, sorry.


If the police raided without warning there was no time to disable and delete all System Restore Points, and this could provide evidence without "forensic" tools.

The police are unlikely to confiscate all the computers in a company unless :-

1. they suspected serious crime; and

2. they hoped to obtain a conviction.

I may have been watching too much television, but I have the opinions that :-

The computer would be shut down and NOT be rebooted,

The drive(s) would NEVER be written to, but disconnected, cloned, and only the clones would be searched for evidence.

If evidence is found on the clones, it COULD be argued that this was caused by the examination, and then the original preserved drive is available for independent expert witness examination.

There is no possibility that the police would pollute the integrity of the prime evidence by writing on the disc.

Additionally, regardless of any requirement for a conviction, if a new folder is created on the original drive and "deleted" files are recovered and copied to the new folder, these copies will be using up the "free space" from which they were being retrieved, so every file that is retrieved will have a good chance of over-writing the clusters and preventing recovery of more deleted files.

I believe this all started as a hoax.

Either BenBen is pulling our leg, or perhaps a policeman was playing an April Fool's day joke on the office.

Alan


"The computer would be shut down and NOT be rebooted,

The drive(s) would NEVER be written to, but disconnected, cloned, and only the clones would be searched for evidence."

My first comment at what to make of this post is summed up perfectly above.

I seriously think this is just a wind up.


"While admittedly CCLEANER makes no claim about being able to defeat forensic examination by cops, I thought it might interest folk - been there, done that - it may stop the wife and nosy colleagues from recovering docs/files/folders etc etc ... it won't stop the cops!"

There are too many unknowns here...

- Windows version + Service Pack #?
- Single Hard Drive or RAID? Or are they Trim SSD Drives that the Trim command wasn't used, or Non-Trim SSD Drives?
- Did you have System Restore enabled?
- Did you run quick erase, or secure? If secure, # of passes?
- Did you set CCleaner to secure wipe the free space? And if you did set it to, did you then enable it? You have to set it to AND enable it in CCleaner...
- Did you enable the right options in CCleaner? I.e., auto complete entries, etc, erase "everything"?
- Perhaps they were able to use the registry to check for certain things. Did you note if you have programs that use the registry to store data?
- Version of CCleaner used? I.e., 1.41? 2.08? What version?
- Do you use any drive state programs such as Microsoft Steady State, or alternate "system protection" programs similar to Sys Restore in functionality?
- Do you use any folder locker/encryption programs that you tried to "hide" files in?
- Did you try to wipe the C: drive, or all the drive(s) involved? What drive(s) were the data on?
- Hard drives can mark sectors bad that start failing to produce good read or write patterns. Law enforcement may be able to still read from these areas if they are not completely "dead".

CCleaner will NOT erase secret stashes of files that you hid somewhere on the drive because it cannot tell what is what. It only knows the areas that Internet trash accumulates & regular standard areas that may cause problems.

Arrrr! This is a headache! Could you please provide more information? It is so hard to try to understand what could have gone wrong with just a simple "CCleaner did not work!" I just want to know if it was CCleaner or if it was some other overlooked problem.

Help us help you, man, provide us more information, please!

Regards,

Don


I know I linked you to this thread to read my opinion on forensic data removal but was it necessary to bump a 4 month old thread that was started by a blatant troll who never came back?


MrDon. Hahahaha :D

A bit late don't you think?

Maybe... I sometimes forget to check the date of someone's post.

Idea... If the forum can automatically change the color somehow of posts that are over 2 weeks old with no replies, for example, then this would provide a very good visual alert.

Or alert a user when they click the Reply button "Hey, this post has not been responded to in over 2 weeks. Are you sure you want to proceed"?

Just an idea... May help stop a lot of "mistakes" up here.


If you wanted a discussion on secure file deletion why not just start your own thread? I assume you could post paragraphs as long as you like then since it's your own thread. People's own choice to read it or not :)
