CERBERUS SYSTEMS, INC.
Windows®-compatible encryption

DATA PRIVACY WITH YOUR WINDOWS® OPEN

Windows® PCs are like most of our homes - customizable to our tastes, yet offering the cost benefits of mass production. Unfortunately, the architecture of both makes it fundamentally impossible for add-on products to transform either one into a secure system that automatically protects its contents. You can buy strong safes to secure your valuables; and strong encryption can secure your data, unless it's bypassed.

Original equipment door locks are easily defeated, like the "encryption" options in non-export-controlled software. You can add high-security locks, but skilled intruders will bypass them by removing the hinges, crushing your door jamb or just cutting through the wall. You can also buy software to encrypt your data with strong ciphers, but many programs you use to work with that data (and Windows®, itself) will leave un-encrypted copies on your hard disk, and intruders will bypass the encryption.

Such "temporary" copies of your sensitive data may have been deleted and so are invisible to Windows® (and to DOS), but they can be recovered with forensic software, whether or not you use "access control" software on your PC. (Your disk is "accessed" through a connector that matches the plug on any PC's drive controller cable, not just yours.)


Forensic software was developed for computer evidence recovery by law enforcement organizations. It is designed to

(1) extract an "image" of an entire hard disk into an evidence file;
(2) allow query-based searching of that evidence file; and
(3) provide an evidentiary custody trail that will withstand court challenges of discovered evidence.

These three capabilities are also necessary for electronic discovery in civil litigation. Organizations being sued can use such software themselves to control the discovery process: when ordered to turn over relevant computer evidence to a plaintiff, they can offer an independently certified evidence file instead of giving outsiders access to their systems.

NOTE: Commercially available examples of such forensic software are DRIVESPY from Digital Intelligence, EnCase from Guidance Software and Expert Witness from ASR Data. Recommended procedural standards for the application of forensic software in law enforcement are published by the International Association of Computer Investigative Specialists (IACIS). An overview of the process of lawful Electronic Discovery for civil litigation is available at the U. Buffalo School of Law's Computers and Law web site.

The evidentiary custody trail capabilities are of less interest to criminals, but can be useful in proving to clients the authenticity of the fruits of contracted espionage.

Some versions include a capture utility on a diskette, run on the seized computer from the DOS prompt, that uses the same kinds of sector-level disk reading functions found in disk utility software. Others are integrated Windows packages designed to avoid possible "booby traps" on the seized machine by running on a separate evidence computer that is connected to the disk controller connector of the seized computer's disk.

Any professional-quality forensic software will include the capability to gather into the evidence file sensitive plaintext from

(1) disk slack (unallocated clusters of sectors previously allocated to deleted files, such as TEMP files, and not yet overwritten by new files);
(2) file slack (the tail of the last cluster occupied by a file too short to have overwritten all the sensitive data left there by a previous file);
(3) the swapfile used by Windows® virtual memory management;
(4) boot sector slack (the tail of sector zero, the boot sector); and
(5) partition slack (the remainder of track zero beyond sector zero).

The latter two areas are unused by DOS or Windows® applications, but are sometimes considered a clever hiding place by naive hackers.
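To make items (1) and (2) concrete, here is an added example (not code from this page or from Cerberus Systems): a toy cluster-allocated disk, with constructed file names and contents, in which a deleted TEMP file's plaintext survives in file slack and in an unallocated cluster until free space and slack are overwritten.

```python
import re
CLUSTER = 64  # constructed: tiny cluster size so the toy image stays small

class ToyDisk:
    """Toy cluster-allocated disk (constructed). As on FAT-era DOS/Windows,
    deleting a file only frees its clusters; the bytes stay until overwritten."""
    def __init__(self, clusters):
        self.image = bytearray(CLUSTER * clusters)
        self.files = {}  # name -> (ascending cluster chain, byte length)
        self.free = list(range(clusters))
    def write(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division: clusters needed
        chain, self.free = self.free[:need], self.free[need:]
        for i, cl in enumerate(chain):  # only the file's own bytes are written;
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]  # the unused tail of its
            self.image[cl * CLUSTER:cl * CLUSTER + len(chunk)] = chunk  # last cluster is not
        self.files[name] = (chain, len(data))
    def delete(self, name):  # frees the clusters without overwriting, like DOS DEL
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)
    def slack(self, name):  # image offsets [start, end) of NAME's file slack
        chain, length = self.files[name]
        start = chain[-1] * CLUSTER + length - (len(chain) - 1) * CLUSTER
        return start, (chain[-1] + 1) * CLUSTER
    def residue(self, needle):  # audit: where does NEEDLE survive outside live data?
        hits = []
        for m in re.finditer(re.escape(needle), bytes(self.image)):
            cl = m.start() // CLUSTER
            owner = next((n for n, (ch, _) in self.files.items() if cl in ch), None)
            if owner is None:
                hits.append(("unallocated", cl))
            elif self.slack(owner)[0] <= m.start() < self.slack(owner)[1]:
                hits.append(("file slack", owner))
        return hits
    def wipe_free_space(self):  # countermeasure: zero free clusters and file slack
        for cl in self.free:  # (one pass; multi-pass schemes repeat with other patterns)
            self.image[cl * CLUSTER:(cl + 1) * CLUSTER] = bytes(CLUSTER)
        for name in self.files:
            start, end = self.slack(name)
            self.image[start:end] = bytes(end - start)

def demo():
    """Constructed scenario: a deleted TEMP copy of the plaintext, then a short file reusing its first cluster."""
    d = ToyDisk(8)
    d.write("~DOC1.TMP", b"SECRET: merger price is 42 per share" * 3)  # 108 B, clusters 0-1
    d.delete("~DOC1.TMP")
    d.write("README.TXT", b"hello")  # takes cluster 0, leaving 59 bytes of slack
    before = d.residue(b"SECRET:")
    d.wipe_free_space()
    return before, d.residue(b"SECRET:")
```

Running `demo()` returns the hits found before wiping (one in README.TXT's file slack, one in unallocated cluster 1) and an empty list afterwards; the same scan run over a real image of your own disk is the check that your encryption is not being bypassed by leftover plaintext.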

Some also include the capability to search the slack space in the compound files of applications such as MS Word® and MS Excel®, although simple text editors such as Notepad® can directly read any sensitive text from deleted files that has been scavenged into such OLE container slack.


Commercially available forensic software has spread far beyond the law enforcement community. Consequently, specific countermeasures against software-based disk data recovery attacks are essential to the cryptographic protection of data stored on Windows® PCs and laptops. Misapplying e-mail encryption software in an attempt at file storage security is far worse than no encryption at all - it's an INFOSEC placebo.

Whether the combination of strong encryption and forensic software countermeasures is necessary and sufficient for the protection of your data depends on your particular INFOSEC threat profile.


Cerberus Systems, Inc. develops, manufactures and markets
software cryptosystems designed to level 1 of FIPS PUB 140-1
with DOD 5220.22-M disk data recovery countermeasures.


The Cerberus logo and the ...Security Manager product names are trademarks of Cerberus Systems, Inc.
© Copyright 1997-99, all rights reserved.