Digital Security and Privacy for Human Rights Defenders

2.3 Information Backup, Destruction and Recovery

Abstract

A backup strategy should include: the files to be archived, the frequency of updating the archive, location and storage of the archive. Simply deleting data from your computer is not sufficient to make it unrecoverable. Sensitive information needs to be wiped from your computer.
It is good practice to wipe temporary files, Internet cache and free space on your computer.
Take good care of your computer’s physical environment.
If you lose a document, do a thorough search of your computer using the Windows search function and analyse your hard disk with data recovery software.

Two important issues to consider when working with information are how to duplicate it and how to destroy it. Computers allow these two processes to be performed quickly and efficiently, and it is, once again, human error and carelessness that are the commonest causes of malfunction of systems. This chapter will explore the theory behind replicating your computer-held information, restoring lost data and erasing unnecessary or sensitive information without the possibility of recovery. It will also describe good practice in this area.

Information Backup

Important documents are usually duplicated. The American Declaration of Independence was originally produced in 251 copes. People make photocopies of their passports, tax returns and driving licences. Manuscripts are copied before being sent to the publisher. These are all precautions against the loss of documents and information in them. Computers make duplication a very easy and rapid procedure. Numerous programs will create an identical copy of the original information base and store it in the location of your preference. Gone are the days when the loss of your little address book resulted in painstaking search for the forgotten phone numbers, and that, as you will see, is both a blessing and a curse.

The need to create a backup copy of your computer files is often superseded by the belief that ‘nothing will go wrong’. We rely on ourselves and our computers not to forget, lose or damage the information.

Information loss occurs on a micro and macro levels. You can lose just one document through a program malfunction or a virus. You can also lose the entire contents of your computer through a hardware malfunction or a malicious damage. Always have a backup strategy for all scenarios.

Backup strategies

Consider the type, quantity and frequency of backup for your information. You may wish to carry around a USB memory stick with a copy of all your documents. If your computer has a CD-writer, you can backup a lot of documents, photos and audio files on a weekly basis and keep a copy at a separate location. If you have a server computer in your office, it requires a periodic backup not only of the documents users store on it, but also of the software and system settings.

Frequent access files

This file type refers to the working documents you need to have access to at all times. These files are constantly updated and you need to have the latest version available.

The most applicable device here would be a USB memory stick. It is small, has no moving parts (therefore less prone to damage than a floppy disk) and usually provides sufficient storage space for many documents. You should be able to synchronise the content of a folder on your home/office computer to the USB memory stick²².

Backup frequency: daily.

Non-frequent access files

This is a collection of your entire document archive, built up over time. Files are infrequently created and updated. It may not be necessary to keep the latest versions of every file, but a backup is still essential.

The most efficient device to use as a backup medium in this scenario would be a re-writeable CD-ROM drive (CD-RW). It will allow for up to 800MB of storage space and you can overwrite the previous archive with the current one, only having to look after one or two CDs at a time²³.

Backup frequency: weekly.

System

To prevent a long process of restoration in the event of a computer crash or malfunction, you should periodically make a copy (image) of your entire computer. This is an advanced option, probably suited for your systems administrator or someone who looks after your computer. A system backup includes all the installed programs (and their licences), system registry, device drivers, etc. It could take days, sometimes even weeks, and cost a lot of money to restore your computer.

One way to perform this backup would be with a tape drive. These are quite expensive and usually do not come as standard with your computer purchase. The other option is to buy a removable hard drive and perform the backup onto it. A full system backup usually requires specialised software, known as disk imaging. It can be also done by using the Windows built-in backup functionality that you can access by going to Start > Programs > Accessories > System Tools > Backup. In case of fire or other disaster, it is essential to keep a copy of the system backup away from the computer premises.

Backup frequency: monthly.

For the sake of security, do not create too many backup copies. If you cannot overwrite a CD on a weekly basis, make sure you properly destroy the outdated versions. This way, your backup files would be harder for an attacker to find, and you won’t get confused as to which CD contains the latest copy of your documents.

Information Destruction

It is virtually impossible to completely erase all information stored on your computer without resorting to cutting, burning or breaking into tiny pieces the data- carrying device. Whilst you may think that Windows has emptied your ‘Recycle Bin’, this is not true. We must take necessary precautions to make sure that the data no longer wanted on our machines is properly deleted.

Between 2000 and 2002, researchers Simson Garfinkel and Abhi Shelat of MIT purchased a large number of second-hand hard disks from various dealers through the online auction house eBay and examined these for any residual information they contained. They found an alarming quantity of data, for example: - internal company memos relating to personnel
- lots of credit card numbers
- medical information
- e-mails
and many-many more.²⁴

Data recovery is a growing industry, and many firms and government agencies have become incredibly advanced at salvaging lost and damaged data. Another element of our information security is the need for human rights organisations not only to keep sensitive information safe, but to destroy it properly as well. This section will examine the process of permanently deleting unwanted information from your computer.

Data deletion

There is no computer function that can delete information. Strictly speaking, computers can only write new information to the hard drive. When you choose to delete a file in Windows, you are simply telling the computer that this space is now available to be overwritten with new data (we will call it unallocated space). Windows removes the file icon and the name reference from your screen, thereby making you believe the file is no longer there. It does not remove the actual data from the hard drive. You can compare this to removing the label from a filing cabinet, but leaving the files still in the drawer. Until you have overwritten the exact physical space on the hard drive with new data, the information is still there and is easily visible with the help of simple software.

Multiple copies of your document are created
every time you edit it

Let’s imagine that you are writing a large report. It takes you a week of work, several hours each day. Every time you press ‘save’ before shutting down your computer and leaving for the day, Windows creates a different copy of this document and stores it on the hard drive. After a week of editing, you will have several versions at different stages of completion on your hard drive. Windows does not look for the exact physical location of the original file and overwrite it every time. It simply puts the latest version in unallocated space on your hard drive. This can, of course, lead to problems when you need to erase all traces of this document from your computer.

Removable Devices

It is not only hard drives that store our digital information. Floppy disks, CDs and USB memory sticks are used frequently for file storage and movement between different computers. These are also susceptible to holding on to information that we have previously deleted. CDs have been known to contain recoverable information even after they were cut into pieces.

It seems that, apart from burning the device to ashes, the data can still be recovered. Some system administrators are given the task of destroying old company’s hard drivers with a hammer. Others tried to erase the contents of CDs by putting them in a microwave for several seconds. There are, however, certain tools that can prevent the majority of intruders from retrieving our deleted information, without resorting to heavy machinery and kitchen appliances. These, mind you, do not make the recovery process totally impossible, yet in most cases they will make the task prohibitively expensive.

Another Windows feature that - unbeknownst to you - stores your personal documents is the swap file (also known as paging file). Windows uses the swap file for the ease of operation. At its simplest, it is a part of the hard drive Windows assigns to itself to handle all your current operations. When you switch the computer off, the swap file retains all the information previously on it. Even if you are using encryption software, your files will not be stored encrypted in the swap file. It is advisable to disable this feature (you should have at least 256MB of RAM in your computer to replace the swap file’s functionality) or to use a wiping tool to securely delete information on the swap file before shutting down the computer25. To disable the swap file on Windows 2000 and XP:

Select: Start > Settings > Control Panel > System
Click: Advanced tab
Click: Performance
Click: Virtual memory (advanced > virtual memory for XP)
De-select: the swap file option or set it to ‘0’.

If your computer is a laptop, disable the hibernation feature. It may take you 30 seconds but will greatly decrease the risks of access to information on your laptop.

Select: Start > Settings > Control Panel > Power Options
Click: Hibernation tab
De-select: Enable Hibernate

Wiping

The non-violent solution to destroying old data on our hard drives is overwriting it with other random data. This method is known as wiping. You can wipe a single file (and all its previous instances) or you can wipe the ‘empty’ space on your hard drive. The latter action will find all presently unallocated space (or space not used by current files) and overwrite it with random data. Experts agree that at least one random pass is necessary to prevent recovery of your information. You must be aware that it is not only your documents that should be wiped, but also other files used by Windows and collected whilst you use the computer and browse the Internet. This should include your Windows swap file (if you haven’t disabled it yet). Make sure to wipe the following file types from your computer (some wiping software will do this automatically for you – see footnote on previous page):

Temporary Windows files	Favourites
Temporary Internet files	Swap file
Internet log files	Temp files
Cookies	Recent documents
History

Wiping guidelines

If you decided to erase all traces of previous and temporary files from your computer, you can perform the following steps, using one of the wiping software programs provided in the Digital Security Toolkit project, or by sourcing it yourself.

Make sure you have a backup of all your user documents, licence files and Windows registry.
Close down all unnecessary programs and disconnect from the Internet.
Wipe the temporary folders of all content
Delete all unnecessary user files and empty the ‘Recycle Bin’
Wipe all the free space on your computer (could be done overnight)
Get into the habit of wiping all the temporary files (and swap file) before shutting down your computer.
Perform a free space wipe on your USB memory card or floppy disks.

Wiping software such as BCWipe and Eraser can integrate with Windows and allow you to wipe files or the ‘Recycle Bin’ with two simple mouse clicks. They can also wipe temporary files and free space on your computer or USB memory stick.

Information Recovery

Files that have not been wiped can be recovered. Some tools at our disposal can perform searches of our hard drive or other media device for lost, damaged or corrupted files. In the worst case, there are many organisations that have sophisticated techniques for recovering lost data. Simply search the Internet using the keywords ‘Data Recovery’.

Prevention

Keeping your system from crashing and losing your documents will require a careful approach to its environment and stability. First of all, consider physical damage. Do not drink or eat, or perform any number of other functions that could potentially cause physical damage around your computer space. Due to the complex nature of electric circuity, computers do not react well to water or magnets. Keep your computer away from the ground, lest heavy footsteps or jumping should shake it. Secure your computer from electricity surges either with stabilisers or with fused sockets. You may consider purchasing an alternate battery supply (UPS). It is best to ask an expert in a computer shop for a more detailed description of the above items and how they can prevent your computer from being damaged.

On the software side, apart from maintaining a backup procedure, make sure your operating system is properly installed and updated. The same applies to your virus cleaner and firewall. Keep in mind that every time you install a new piece of software you stand a slight risk of destabilising your system. Some software programs conflict with each other and could make your system unstable.

Recovery

As a first step, you should carefully search your computer for the missing/lost file. It may not be deleted, but simply misplaced by you or by a program error. You can use the Windows search function to search the entire hard drive(s) for the file name. Perform a search on all recently modified files (e.g. files modified in the last day). Sometimes, a program crash causes the file name to become corrupted and unrecognisable. The ‘modified date’ stamp (and size of file) could be your hint to recovering it.26

The Windows search function can be launched from Start Menu > Search > Files & Folders

Next, you should set the criteria for the search including file name, size of document, date modified, etc. If your original document cannot be found by its name, you could look into automatically created ‘temp’ files, judging by the date the file was last accessed and its size.

Some software can recover lost files²⁷ by taking advantage of the inability of computers to delete data (as mentioned above). The recovery program performs an exhaustive search through all the hard drive sectors, looking for files and parts of files that are salvageable. If you cannot recover the necessary data with this technique, you may wish to consider paying for a professional service. These services have considerable skill in salvaging lost information, but they are expensive. Yet, most people only realise the value of their information once it has been lost.

22
Use a program like Allwaysync (http://www.allwaysync.com) to perform synchronisation

23
Use a combination of the archiving program Freebyte (http://www.freebyte.com) and a CD burning program DeepBurner Pro (http://www.deepburner.com). Both can be found on the Digital Security Toolkit CD

24
Remembrance of Data Passed: A Study of Disk Sanitization Practices, Published in IEEE Security & Privacy, vol. 1, no. 1, 2003 By Simson L. Garfinkel and Abhi Shelat, Massachusetts Institute of Technology

25
See wiping tools Eraser (http://www.heidi.ie/eraser) or BCWipe (http://www.jetico.com/bcwipe.htm) that can also be found on the Digital Security Toolkit CD

26
Also see Graham Mayor’s guide on What to do when Word crashes http://www.gmayor.com/what_to_do_when_word_crashes.htm

27
Handy Recovery http://www.handyrecovery.com/ also available on the Digital Security Toolkit CD;
also see http://www.officerecovery.com/freeundelete/

top of this page

Front Line 2007. Please contact Front Line with any comments or suggestions.