I recently had a chance to talk with an FBI agent who works with computer evidence. Here are some of the things I took away from the conversation. A lot of his job is fairly easy because most criminals have no idea how a computer works. I asked if he ran into any type of encryption very often and he said it was very rare. There was only one case where someone was using encryption, and he said it was pure luck that they were able to catch him, because he hadn't chosen a very good password.
Now I’m not telling you this so you can go out and start a life of crime. But the things that make Mr. FBI Agent’s life easier also make the life of identity thieves a lot easier.
So what do criminals not know about computers?
What happens when you delete a file?
When you hit the delete key on your computer to make a file go away, it doesn't actually go away. On most operating systems it is just moved to the trash, and you can get it back from there. So if you empty your trash it's gone, right? Nope. When a file is deleted from a hard drive, its contents are not erased. The operating system only removes the directory entry and marks the blocks that held the file as free space; those blocks still contain every byte they held before. Over time that space will be reused by other data, but the old contents can stick around for a very long time, and often only part of a block gets overwritten, leaving fragments behind. Reading what is left in this unallocated space is trivial for anyone with a disk image and a file-carving tool. Solid-state drives with TRIM and filesystems that keep journals or snapshots change the details, but the safe assumption is that deleted data is still on the disk until it is deliberately overwritten.
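The following is an added example, not code from the original post: a toy block device that shows what "deleting" really does, how a forensic carver finds the file afterwards, why a later write only partially overwrites it, and why only an explicit overwrite removes the data. The block size, block count, file names, the "%TXT" signature and the sample contents are all constructed for the demo.

```python
# Added example (not from the original post): a toy block device showing why
# "emptying the trash" leaves a file's bytes in unallocated space. Block size,
# block count, file names and the sample contents are constructed for the demo.

BLOCK_SIZE = 64
BLOCK_COUNT = 32


class ToyDisk:
    """Flat filesystem: a directory mapping name -> block list, plus a free set.
    Deleting a file forgets the name and frees its blocks; nothing is erased."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)   # the raw "platter"
        self.free = set(range(BLOCK_COUNT))
        self.directory = {}

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        blocks = []
        for chunk in chunks:
            b = min(self.free)               # lowest free block, like a simple allocator
            self.free.remove(b)
            start = b * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name):
        """What 'Empty Trash' really does: drop the entry and mark the blocks free."""
        for b in self.directory.pop(name):
            self.free.add(b)

    def zero_free_space(self):
        """Deliberately overwrite every unallocated block; only now is the data gone."""
        for b in self.free:
            start = b * BLOCK_SIZE
            self.image[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(disk, magic):
    """Forensic-style carving: ignore the directory and scan the raw image for a
    known file signature, returning each record up to its first NUL byte."""
    raw = bytes(disk.image)
    found = []
    pos = raw.find(magic)
    while pos != -1:
        end = raw.find(b"\x00", pos)
        found.append(raw[pos:end if end != -1 else len(raw)])
        pos = raw.find(magic, pos + 1)
    return found


# Constructed sample file in a made-up "%TXT" format (60 bytes, fits one block).
SECRET = b"%TXT login=alice password=correct-horse (constructed sample)"


def demo_deleted_file():
    """What a carver sees at each stage of a file's life on the toy disk."""
    disk = ToyDisk()
    disk.write("notes.txt", SECRET)
    out = {"before": carve(disk, b"%TXT")}

    disk.delete("notes.txt")                         # "empty trash"
    out["listed_after_delete"] = "notes.txt" in disk.directory
    out["after_delete"] = carve(disk, b"%TXT")       # bytes untouched, still carvable

    # Over time other data lands on the freed blocks. A short new file overwrites
    # only the start of the old one; the tail survives as a fragment.
    disk.write("report.txt", b"%RPT Q3 notes")
    out["after_reuse"] = carve(disk, b"%TXT")
    out["fragment_after_reuse"] = carve(disk, b"password=")

    # Only explicit overwriting of the free space removes what is left.
    disk.delete("report.txt")
    disk.zero_free_space()
    out["after_wipe"] = carve(disk, b"password=")
    return out


if __name__ == "__main__":
    for stage, result in demo_deleted_file().items():
        print(stage, result)
```

Real filesystems add journals, metadata copies and block sizes of 4 KiB or more, so the fragments left behind are usually larger than this toy suggests, not smaller.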
Where do emails reside?
Normally when you send an email it resides in at least four places: your computer, your outgoing mail server, the recipient's mail server and the recipient's computer. For investigators this is ideal, because chances are it can be recovered from one of those places without doing anything difficult. Add cell phones and multiple computers per person and it may reside in twice as many places.
Keep in mind that any email you send might turn up as evidence in a court case if there is a lawsuit involving the recipient. Recent lawsuits have given the public a much better idea of the inner workings of some large companies like Microsoft.
What is a cache file?
When you view a web page, the page is downloaded and "cached", or temporarily stored, on your computer, and it doesn't disappear as soon as you are finished with it. Webmail messages and search result pages are web pages too, so they land in the same cache. The FBI agent showed several examples where he was able to read emails sent via webmail and reconstruct search history just by looking at these cached files.
Using the same password is stupid.
The FBI agent gave the example of a case that he had solved by finding a cached email that came from a dating site. The email contained the password for the site. He found that the same password was used for all kinds of other things, which dramatically opened up what he was able to find on the computer.
He made the point that you should be very suspicious of any site that turns around and emails you your password in clear text. A site that can do that has stored your password in a readable form rather than as a one-way hash, so anyone who breaks into that site, reads your mail, or finds the message in your browser cache gets the password too. At the very least make sure such a site isn't getting the same password you use for your banking accounts.
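The contrast the agent is drawing can be shown in code. What follows is an added example, not something from the original post: a "site" that stores passwords readably (and so can answer a reminder request with the password itself) next to one that stores only a salted PBKDF2 verifier, and the reuse scenario in which the password leaked by the first site is tried against the second. The site names, user names, passwords and the work factor are all made up for the demo.

```python
# Added example, not part of the original post. The "sites", users, passwords
# and the PBKDF2 work factor are constructed for the demo.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; production values are tuned to the hardware


def make_verifier(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest. The site can check a login later but has
    no way to turn the stored record back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def check_login(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time compare


class PlaintextSite:
    """The kind of site the agent warned about: it can answer 'forgot password'
    with the password itself, which means it is stored in readable form."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def password_reminder_email(self, user):
        return f"Your password is: {self.users[user]}"


class HashedSite:
    """Stores verifiers only. A reminder email is impossible; the best it can
    offer is a reset link."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = make_verifier(password)

    def login(self, user, attempt):
        rec = self.users.get(user)
        return rec is not None and check_login(rec, attempt)


def demo_password_reuse():
    """Alice reuses her dating-site password at the bank; Bob uses a unique one.
    The bank did everything right, but that only protects Bob."""
    dating = PlaintextSite()
    bank = HashedSite()
    dating.register("alice", "Tr0ub4dor&3")
    bank.register("alice", "Tr0ub4dor&3")            # same password reused
    dating.register("bob", "Tr0ub4dor&3")
    bank.register("bob", "xk9-Lmq2-wRt7-pA4c")        # unique password at the bank

    # The reminder email, cached or intercepted, hands over the password.
    leaked = dating.password_reminder_email("alice").split(": ", 1)[1]
    return {
        "leaked_password": leaked,
        "alice_bank_login_with_leak": bank.login("alice", leaked),
        "bob_bank_login_with_leak": bank.login("bob", leaked),
        "login_with_wrong_password": bank.login("alice", "Tr0ub4dor&4"),
    }


if __name__ == "__main__":
    print(demo_password_reuse())
```

The hashed site's database, if stolen, yields only salts and digests; an attacker must guess each password separately at the cost of ITERATIONS hash computations per guess. The plaintext site's database, or a single cached reminder email, yields the password directly, and password reuse turns that into access everywhere.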
Thanks for the information. It is very useful. Computer security 101
Craig Thomas says
Good post. Information people should know. With passwords, I tend to have the same core password with increasing versions of difficulty (added numbers/caps in random places, etc.), so that the importance of whatever I use the password for corresponds to the password I use. That way I can remember the password pretty easily too.
Thanks. This is highly informative. I always thought once you deleted them from your trash, they’re gone forever. So question, if you clear your cache, could they still recover your browser history?
I know we shouldn't be using the same password on all our accounts, but it just makes things easier to remember. Even if I jumble up the words, numbers, etc. like Craig suggested, unfortunately, I'd still screw that up.
Mark Shead says
There are pieces of software that will create and remember unique random passwords for each site you visit. You use one password to secure all of them. This is generally a pretty safe way of creating passwords because it ensures that each site has only one password, and knowing it won't let them get into one of your other accounts.
Yes even after you clear your cache, the information from that cache can easily be recovered until the computer writes over it. OS X has a feature where you can write over the blank space on the hard drive with a bunch of 0’s. That should make it pretty hard to recover–as long as you actually get everything deleted. Many operating systems keep things in multiple places. Also OS X has a “Secure Empty Trash” that should delete things AND overwrite them. You can get this by Command right clicking on the trash can.
Richard | RichardShelmerdine.com says
I’ve always known that a file never fully disappears when you delete it. There are certain software packages you can get though that wipe data forever, or so they claim.
Regarding emails, what if you spoof/hide your IP address, can they still trace you? I don’t like my IP address being known when I send out emails, is there any free way of spoofing/hiding my IP address that you know of?
Mark Shead says
If you send a message through Gmail using a local client (Apple Mail, Eudora, Outlook, etc.) the headers will show your IP address. If you log into http://www.gmail.com and send the email from there, it will not show the IP address of your computer in the headers.
So generally if you don’t want to show your computer’s IP address, webmail is the way to go. You may be able to cover it up by using a special mail server that won’t pass on your IP address, but I’m not sure where to point you in that regard.
Thanks for your reply.
So if I create a new account, log on and send an email from http://www.gmail.com, there’ll be no way to trace it back to me? Also my IP address won’t be stored in the four places mentioned in the above article?
Mark Shead says
Well there is a pretty good chance that Google will have a copy of your IP address and they could be forced to turn it over under a court order. But as far as I’ve been able to see in testing, your IP address will not be part of the email headers if you send it from your Gmail account using the web interface.
The IP address for Google’s Gmail service would be stored in those four places instead of the one for your personal computer. Your IP address will still show up in Google’s logs, but those aren’t easily accessible to the average person.
If you are concerned about this, the best thing to do is to send yourself a message and look at the “raw source” of the email to see what all comes through.
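The "look at the raw source" check above can be automated. The following is an added example, not code from the post or from any of the commenters: it parses the Received: headers of a raw message and reports the hops, earliest first, so the originating address stands out. The two sample messages are constructed with documentation IP ranges; they are not real Gmail headers, and the relay host names are made up. One caveat a practitioner should keep in mind: only the Received: lines added by servers you trust are reliable, since a sender can put fake ones in the message before handing it off.

```python
# Added example, not from the original post or comments. The two raw messages
# below are constructed samples using documentation IP ranges.
import email
import re

# Bracketed IPv4 literal that MTAs put in Received: lines, e.g. "[192.0.2.44]".
IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Sent from a desktop client that submitted the mail to its provider's relay.
# The bottom Received: line was added by that relay and names the submitting
# machine; the top line was added by the recipient's server.
CLIENT_SUBMITTED = b"""Received: from smtp-out.example.net (smtp-out.example.net [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTPS id 4F3A1C
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.44] (dsl-44.isp.example [192.0.2.44])
\tby smtp-out.example.net with ESMTPSA id 9B2E77
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:01 +0000
From: Alice <alice@example.net>
To: bob@recipient.example
Subject: sent from a desktop mail client

hello
"""

# Sent through a webmail interface: the first visible hop is the provider's own
# outbound server, and the user's browser address never appears.
WEBMAIL = b"""Received: from webmail-out.example.net (webmail-out.example.net [203.0.113.25])
\tby mx.recipient.example (Postfix) with ESMTPS id 7D10AA
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:05:00 +0000
From: Alice <alice@example.net>
To: bob@recipient.example
Subject: sent from the browser

hello
"""


def received_hops(raw):
    """IPv4 addresses from the Received: headers, earliest hop first. Each relay
    prepends its own line, so the header order has to be reversed."""
    msg = email.message_from_bytes(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = IPV4_LITERAL.search(line)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw):
    """Address of the first hop: the submitting machine for a desktop client,
    the provider's relay for webmail. Treat it as a claim, not a fact, unless
    the line that names it was written by a server you trust."""
    hops = received_hops(raw)
    return hops[0] if hops else None


if __name__ == "__main__":
    for label, sample in (("desktop client", CLIENT_SUBMITTED), ("webmail", WEBMAIL)):
        print(label, received_hops(sample), "originates from", originating_ip(sample))
```

To use this on a real message, save it with full headers ("show original" or "raw source" in most clients) and pass the bytes to received_hops; the line your own mail server added is the last element, and everything before it came from outside.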
Proxies don't necessarily hide you. All anybody (hacker or otherwise) has to do is exploit your browser in ways that your real IP address is sent to them and your proxy bypassed.
(there are ways to protect yourself against browser exploitation however).
Alex | Folienfaq says
Many thanks for this information. I always wondered what (really) happens when I delete files.
Megan Zuniga says
These have all been highly informative, how safe is this software that remembers the password? What if someone has access to it?
Mark Shead says
1Password encrypts the passwords using a master password. As long as no one has your master password, they can’t get to your other passwords.