http://ow.ly/6FCBC
An article by Craig Ball, Esq. on his blog Ball in Your Court.
This article discusses the fact that deleted data on a hard drive is sometimes recoverable. As the author writes, "“You can get anything back from a computer, can’t you? Even the deleted stuff!”
I get that that a lot, and tend to respond, “Pretty much.” My lawyer side wants to add, “but it depends.”"
The article discusses a recent development by Microsoft, "Microsoft has been gradually integrating a feature called Volume Snapshot Service (a/k/a Volume Shadow Copy Service) into Windows since version XP".
The article goes on to state, "Volume shadow copies are old news to my digital forensics colleagues, but I suspect they are largely unknown to the e-discovery community. Though a boon to forensics, volume shadow copies may prove a headache in e-discovery because their contents represent reasonably accessible ESI; that is, much more potentially probative evidence that you can’t simply ignore. So, for heaven’s sake, don’t tell anybody."
The author goes on to point out, "What you need to know now is that much of what you might believe about file deletion, wiping and even encryption goes out the window when a system runs any version of Windows 7 or Vista Business, Enterprise or Ultimate editions. Volume Shadow Copies keep everything, and Windows keeps up to 64 volume shadow copies, each made at (roughly) one week intervals for Windows 7 or daily for Windows Vista. These aren’t just system restore points: volume shadow copies hold user work product, too."
P.S. Deleted often doesn't mean "gone".
No comments:
Post a Comment