I got a Jury Duty summons.

Started by tnu, February 02, 2014, 02:43:27 PM

Quote from: dallen68 on February 03, 2014, 11:28:13 PM
The way to make sure you get caught? Use one of those file shredder programs to get rid of the evidence - all it does is move it to a hidden partition on the hard drive, which is accessed by a passkey the FBI already has. The most common name coming up in this? Sony Entertainment.

I call bullshit on this. Eraser, the most commonly-used one, is open-source and if it did ANYTHING like that it'd show up plainly in the source code and people would have hit the roof LONG before now. Plus, the program would have to somehow create its own partition on the disk, which it wouldn't be able to do if the disk is already fully partitioned (as most are). I wouldn't put it past the FBI and prosecutors to lie about this the way the Copyright Enforcement Group lies to people's ISPs about the files they (haven't) downloaded (one time they accused a network printer of downloading a movie illegally; someone else tested it with a custom BitTorrent client which was completely incapable of doing anything other than connecting to the tracker, and he got a notice).

Quote from: MrBogosity on February 04, 2014, 06:26:34 AM
I call bullshit on this. Eraser, the most commonly-used one, is open-source and if it did ANYTHING like that it'd show up plainly in the source code and people would have hit the roof LONG before now. Plus, the program would have to somehow create its own partition on the disk, which it wouldn't be able to do if the disk is already fully partitioned (as most are). I wouldn't put it past the FBI and prosecutors to lie about this the way the Copyright Enforcement Group lies to people's ISPs about the files they (haven't) downloaded (one time they accused a network printer of downloading a movie illegally; someone else tested it with a custom BitTorrent client which was completely incapable of doing anything other than connecting to the tracker, and he got a notice).

Interestingly enough, there is a way to hide a file system on the disk, such that most programs cannot overwrite it. It is called the Host Protected Area. However, there are severe limitations on it. For example, you only get one and most OEM computers have one set already for diagnostic and theft purposes. But as I said, most programs cannot read it, but there are ones that can and most are open source. The biggest sign you suddenly had one created or overwritten is if the OEM diagnostics didn't work or your hard drive suddenly shrank in size. And if you are truly paranoid, you could get a live CD and check it yourself (but be careful because writing changes can make your computer unbootable).

What the people probably meant is the technical definition of the file existing.  A file exists as long as the data is physically there or a file system reference to them, it "exists" on the hard drive.  So, if you use one of those erasing programs and it doesn't get (or you forget to get) the MRUs, thumbnail caches, trim your SSD, a directory entry or hard link, the journal, your backups and a few more places, they can get away with saying that it is still on your disk.
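
The read-only check mentioned in the post above can be done from a Linux live CD with `hdparm -N`, which prints the visible and native sector counts of a drive. The following is an added example, not part of the original posts: the function name `hpa_report`, the sample output and the 512-byte sector size are assumptions made for illustration, and the function only parses text, it never writes to a disk.

```shell
#!/bin/sh
# Added example: read `hdparm -N` output and report whether a Host Protected
# Area (HPA) is hiding sectors from the OS. Sample text below is constructed.

# Assumption: 512-byte logical sectors unless SECTOR_SIZE is set.
# Input (stdin): output of `hdparm -N /dev/sdX` for one or more devices.
# Output: <device> <visible> <native> <hidden_sectors> <hidden_MiB> <verdict>
hpa_report() {
    awk -v ss="${SECTOR_SIZE:-512}" '
        /^\/dev\// { dev = $1; sub(/:$/, "", dev) }
        /max sectors/ {
            # The value after "=" has the form visible/native, then a comma.
            split($0, parts, "=")
            val = parts[2]
            sub(/^[ \t]+/, "", val)
            sub(/,.*/, "", val)
            n = split(val, nums, "/")
            if (n != 2 || nums[1] !~ /^[0-9]+$/ || nums[2] !~ /^[0-9]+$/) {
                printf "%s - - - - UNPARSEABLE\n", dev
                next
            }
            # Judge by the numbers, not by the trailing status text.
            hidden = nums[2] - nums[1]
            verdict = (hidden > 0) ? "HPA_PRESENT" : "NO_HPA"
            printf "%s %s %s %d %d %s\n", dev, nums[1], nums[2], hidden, int(hidden * ss / 1048576), verdict
        }
    '
}

# Constructed samples: one drive with roughly 10 GB hidden, one with none.
SAMPLE_HPA='/dev/sda:
 max sectors   = 956301312/976773168, HPA is enabled'
SAMPLE_CLEAN='/dev/sdb:
 max sectors   = 976773168/976773168, HPA is disabled'

printf '%s\n' "$SAMPLE_HPA" | hpa_report
printf '%s\n' "$SAMPLE_CLEAN" | hpa_report
```

On a real system the input would come from `hdparm -N /dev/sdX | hpa_report`, run as root; a nonzero hidden count means the drive reports fewer sectors to the OS than it physically has.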

Quote from: BogosityForumUser on February 04, 2014, 01:19:19 PM
What the people probably meant is the technical definition of the file existing.  A file exists as long as the data is physically there or a file system reference to them, it "exists" on the hard drive.  So, if you use one of those erasing programs and it doesn't get (or you forget to get) the MRUs, thumbnail caches, trim your SSD, a directory entry or hard link, the journal, your backups and a few more places, they can get away with saying that it is still on your disk.

There are several ways some or even all of the file's data blocks could be left behind after shredding. You mentioned SSDs; most of them use wear-leveling which makes it almost impossible to overwrite specific blocks. Even absent that, you have shadow files and earlier versions left behind, and they might be using blocks the shredder doesn't know about; even erasing your free space might not get all of those since the OS might still consider them to be in use.

Then there are issues like .torrent files being left behind even if you erase the downloaded files themselves; I'm not sure of the rules of evidence on this issue, but they might use them as evidence you'd downloaded them in the past.

But really, we're talking about people getting the physical computer or drive and scouring it for whatever they can find. That's entirely different from what they can see from outside on the Internet. The idea that these shredder programs put it on some sooper-seekrit place on the disk that the FBI can access remotely just smacks of the kind of paranoia they like to instill to make you afraid to try it.

February 04, 2014, 09:12:42 PM #18 Last Edit: February 04, 2014, 09:37:33 PM by dallen68
Quote from: MrBogosity on February 04, 2014, 01:29:03 PM
There are several ways some or even all of the file's data blocks could be left behind after shredding. You mentioned SSDs; most of them use wear-leveling which makes it almost impossible to overwrite specific blocks. Even absent that, you have shadow files and earlier versions left behind, and they might be using blocks the shredder doesn't know about; even erasing your free space might not get all of those since the OS might still consider them to be in use.

Then there are issues like .torrent files being left behind even if you erase the downloaded files themselves; I'm not sure of the rules of evidence on this issue, but they might use them as evidence you'd downloaded them in the past.

But really, we're talking about people getting the physical computer or drive and scouring it for whatever they can find. That's entirely different from what they can see from outside on the Internet. The idea that these shredder programs put it on some sooper-seekrit place on the disk that the FBI can access remotely just smacks of the kind of paranoia they like to instill to make you afraid to try it.

Oh, no sorry. I didn't intend to say they could access it remotely. They have to have physical possession of the device. From what I gathered, they remove the media from the device and mount it on their hardware...and then whatever software they have pulls up all the deleted files, logins, keystrokes, and a few other diagnostic things I don't recall at the moment. The one drawback they mentioned is if the user remembered to defrag the drive after, then there's a chance of the data being overwritten with new data.

As far as what you've downloaded in the past, they can just ask your ISP for that information. And then of course, there's varying levels of co-operation on that. But as far as evidence goes, it's actually of limited value, because all it says is that someone on your IP address accessed the file.