PC for sale? Don’t leave a trail !

PC for sale? Don’t leave a trail!

Ever since World Wide Web dropped into our lives in 1991, rapid growth has taken place in the personal, professional, and CRIMINAL use of computers/digital devices. Considering our current society, interaction with electronic devices is inevitable. Most of us interact with them hundreds or may be thousands, of times a day. And most of these devices are “smart” enough to retain information about who you are, and where you were, when you interacted. In essence, the article will discuss about ‘footprints’ that these smart devices leave.

Looking at the share of Operating System (OS) used in entire world, Microsoft Windows contributes a major share of 90.6% and hence we would be predominantly eyeing windows systems. Every footprint that the OS leaves would be a great asset/evidence to the examiner to correlate the actions of any person. OS usually keeps a track of the activities that you do. For example when you are trying to edit a Microsoft word document, there is another hidden copy of it created in the same location and this file may or may not get deleted upon closing the original document. Similarly there are many areas where an investigator can find the activity of any user on the system.

It is essential for users to know that valuable pieces of sensitive and confidential information is stored in Windows Artifacts. Windows artifacts can include Windows file systems, registry, shortcut files, hibernation files, prefetch files, event logs, Windows executables, metadata, recycle bin, print spooling, thumbnail images etc.  These artifacts can be used to recreate and restore the account history of a particular user. For instance, let’s think of what happens when you delete a file? Do you think the files gets erased and the data is lost? No, actually the files just gets delinked but the data along with its metadata still remains in the media, which is a treasure trove to the investigator. Similarly windows keeps a track of many critical details such as File system info, OS info, Startup Items, Time zone Information, User accounts, deleted files, formatted partitions, Network share drives, Browsing history, USB devices connected, applications installed and uninstalled along with their license keys, email ids and passwords etc with or without user’s knowledge.

It can be concluded that Windows users leave a lot of tracks on their machine when they perform their daily tasks. These tracks can be mined by forensic analysts and used as evidence. Lastly, it can be inferred from the context of our discussions that even people who sell their second-hand computers on online websites should be watchful because sensitive information can easily be leaked to curious shoppers.

Views by Venella Reddy

Rate this article: 
Average: 5 (1 vote)
Article category: 


Good article and eye opener for all those using Microsoft OS. Think twice before you dispose your system under "Buy-back Scheme". The industry accepted best way of destroying the data (sanitization) is using wiper/evidence eliminator/ shredder tools, which satisfy the Departmrnt of Defence (DoD) standard  5220.22-M method (can we rely on this standard?). In my view (Law-Enforcement standard) the best way is crushing the drive to fine granular size, beyond Scanning Electron Microscope detection capability. By using SEM, one can read the magnetic particle orientation.