Depending on the seriousness of the crime and the skill of the criminal, computer forensics experts generally rely on four basic tools when searching for incriminating data: file undeleting programs, hex editors, magnetic sensors, and electron microscopes.

File undeleting programs

File undeleting programs, readily available in utility programs like Norton Utilities, are often sufficient to catch novices or people unfamiliar with the way computers work. As described previously, they work by renaming undeleted files (if they have not yet been overwritten by your system) so that your system will recognize them again. These programs only work if the files have not been overwritten on your hard disk, so undeleting programs are a relatively weak forensics tool.

Hex editors

If the suspect has deleted files and has overwritten them on his or her hard disk, you can always use a hex editor to view any data stored in (or deleted from) both files and disk sectors. A hex editor allows you to peek at the physical contents stored on a disk, regardless of the boundaries of files, directories, or partitions. Hex editors are often used to crack copy-protected software, study how computer viruses work, or in the case of forensics, identify and retrieve information that can't normally be accessed by the operating system.

To understand how hex editors can work, you need to know that all information saved on a hard disk gets recorded in tracks, which are concentric rings on the surface of each hard disk platter, like the rings in a tree trunk. Each track is subdivided into sectors, which typically holds 512 bytes of data. These disk sectors are particularly important because they store the keyboard buffer. Figure 19-4 shows a hex editor at work. Hex editors read this physical medium directly and don't rely on operating system services to read "files."

Click To expand Figure 19-4: A hex editor like VEDIT can display the hidden contents of any disk sector or file.

For some great online information about how computers work, visit Charles Kozierok's "The PC Guide" at

Forensics experts generally use a hex editor to search for evidence in specific parts of a disk—trying to use a hex editor to examine an entire hard disk would be like scouring the inside of a skyscraper for fingerprints. Still, hex editors can often recover some or all of the data in a deleted file that you might not otherwise be able to access. To see what a hex editor can find on your hard disk, download and try one of the following:

Hex Workshop



Magnetic sensors and electron microscopes

Every file you save leaves magnetic traces on the disk it was saved on. By measuring the changes in magnetic fields on a disk, forensics experts using magnetic sensors can reconstruct part or even all of a deleted file—or they can use an electron microscope (expensive, but available to many governments).

Electron microscopes can measure tiny changes in magnetic fields that not even overwriting a file can completely obliterate. Because each time the computer overwrites a file the disk heads may not be aligned directly over the file, fragments of the deleted and overwritten file may remain, which an electron microscope can detect.

Disk splicing

No matter how many times you overwrite a file, or format and partition a hard disk, traces of your original data may still remain. File shredders simply make it progressively more expensive and difficult to retrieve data, but not impossible.

Under the illusion that they'll have complete protection, many people burn floppy or hard disks, crush and mangle them, cut them into pieces, pour acid on them, and otherwise physically manhandle them so that there's no possible way they could ever be used by another computer again. Unfortunately, physical destruction of floppy and hard disks still can't guarantee that your data will be safe, since government agencies such as the FBI and CIA practice a specialized technique known as disk splicing.

With disk splicing, someone physically rearranges the pieces of a floppy or hard disk so that it is as close as possible to its original condition. Then they use magnetic sensors or electron microscopes to scan for traces of information still stored on the disk surface.

Obviously, disk splicing is a time-consuming and expensive procedure, so don't expect that your local police force will have the knowledge, skill, or equipment to do it. But if you've destroyed evidence that involves national government agencies such as the NSA, CIA, or FBI, don't expect a mangled disk to hide your secrets from the prying electronic eyes of rich and powerful government agencies either. In fact, the American government even has a special laboratory called Computer Forensics Laboratory (, located in Linthicum, Maryland, that specializes in retrieving information from computers, no matter what condition the hardware or disks may be in.

The ultimate lesson is that if you don't want to risk having certain information retrieved from your hard or floppy disk no matter what precautions you may have taken, don't store that information on a computer.