Sec. Hillary Clinton, the FBI, BleachBit and your Data
By Pete James, Managing Director, Computer Forensics at Precision Discovery, Inc.
It’s not often that computer forensics enters the discourse of presidential politics, but if you’ve been paying attention to the race, you may have heard mention of BleachBit, a tool that reportedly was used to delete email files from Hillary Clinton’s email server. Several of our clients wanted to know what BleachBit does. So we took a dive into the BleachBit tool and here’s what we found.
BleachBit is one of a class of data-wiping tools designed to delete files from a computer and – ostensibly – remove all traces that the files ever existed. The BleachBit website states you can use it to “Clean Your System and Free Disk Space.” In our test, we set out to use BleachBit to do just that: delete files and free up disk space.
We then wanted to see how effective BleachBit is at removing all traces of the files. So we used our computer forensic tools to see if we could find any evidence of the deleted data after we used BleachBit.
So what did we find?
We found traces of files even after deletion using BleachBit.
Even after deleting a file with BleachBit and the file gone from view, we wanted to see whether any metadata related to the file remained. To do this, we first deleted a picture file using BleachBit. Next, we created a forensic image of the drive that contained the deleted file. Then, we used digital forensic software to analyze the drive image.
Even though the picture file was deleted using BleachBit, we were still able to see some of the exchangeable image file format (EXIF) information about the deleted file, including: (1) the name of the camera that took the photo, (2) the name of an image manipulation software program used and (3) the date/time and geographical location of when the picture was taken. We compared this information to the original file and verified that the information was accurate – it described the original picture file that we deleted using BleachBit. Even though the file was indeed deleted, this trace evidence of that photo still remained on the hard drive. Below is a screenshot of a computer forensic software program showing some of this information.
What else can we find out about the file?
Next, we wanted to see how BleachBit affected the Master File Table (MFT). The MFT and the related LogFile are large files on your computer that track the name and details of every file that was created, moved, renamed and deleted from that drive.* Often, even if a file is completely deleted, evidence of the file’s existence may still be on the computer within the MFT.
To test this, we created some files on our subject computer. Below is a screenshot of the LogFile’s “file created” listing showing the locations of the files we created and the date and time they were created.**
We then ran BleachBit to delete these files. We discovered that the “file created” listing remained.
Below is a screenshot of the MFT file listing showing the files after we deleted them using BleachBit. As you can see, the filename was changed to generic characters, but the MFT still recorded the date and time the files were deleted. So it appears here that BleachBit does a good job of removing the name of the file within the MFT, but still leaves a telltale trace that some files were deleted.
Does BleachBit leave any trace to show it was used?
You may also be wondering how the FBI knew that BleachBit was used. The answer is that BleachBit itself leaves traces. In our forensic analysis, we saw that BleachBit left evidence that it was installed, executed and used to delete data. Below is a screenshot showing the folder where BleachBit was installed, along with the date and time BleachBit was installed.
Even if someone deletes the Bleachbit application or other type of data-wiping software, information contained on the computer’s hard drive may show that such software had been used.
What if you want to find out more information about the deleted files?
As we’ve seen, BleachBit does a pretty good job of deleting files. But what if you want to recover data deleted by BleachBit or other data wiping software? Do you have any options? That’s where a computer forensic expert can help.
Finding the deleted files
Even where a program like BleachBit does a good job of deleting or “wiping” the data from the hard drive, a full computer forensic analysis can often locate a copy of the file.
Just because a file is deleted doesn’t necessarily mean that all copies of that file were deleted, too. It is entirely possible to find a copy of the file somewhere else. For example, a forensic examination can determine whether the file was saved during a prior backup. The examiner can also determine whether the file was emailed, saved to an external hard drive, uploaded to cloud storage or downloaded remotely.
The computer forensic examiner may be able to find evidence of these instances and piece the puzzle back together and find the actual deleted file.
Files today are not static. They are dynamic in the sense that users want them available instantly from anywhere and on any number of devices. With this convenience comes the difficulty of permanently and truly deleting all copies of a file.
Finding programs run
A computer forensic expert will examine the registry, MFT and other artifacts and be able to tell you details about the programs that were run and possibly provide you with more information about the specific files you are interested in.
Where the data is legally obligated to be preserved, such as a litigation hold or compliance, evidence showing the application of data wiping software such as BleachBit may be just the evidence you need to prove data spoliation.
BleachBit is not the only software available for wiping data from your computer, nor is its purpose necessarily nefarious. The reason why a person is using wiping software is an entirely different question and something that computer forensic experts take into consideration during their investigation. These applications have been available for many years and serve the need to securely wipe confidential files from computers.
I hope that this article is helpful in showing not only what BleachBit can do, but also how computer forensics can help your case. If we identify that data-wiping software was used on a computer, that isn’t the end of the investigation – it’s only the beginning.
*The Master File Table (MFT) and related LogFile and UsnJrnl files are present on every drive formatted NTFS. NTFS is a very common file structure and has been in use since the mid-1990s. These files contain metadata related to every single file on the drive. The MFT is neither easily accessible nor easy to manipulate.
**Created date/time refers to the first time a file appears on a volume.