How Can an Employer Recover Information I’ve Erased?

Question: I just saw this article where a company did a forensic investigation of one of their employee’s computers. How do they find searches and network activity if one clears their cookies and uses CCleaner?

There’s so much more to your computer, as well as your activity history, than just cookies and whatever tools like CCleaner can clean.

So much more.

I’ll review a few of the more obvious ways employers can recover or collect information about your activity. Realize, though, it’s not with the intent that you be able to hide what you’re doing, but to illustrate the futility of even trying.

Cookies and CCleaner

Cookies are, effectively, small data files left on your computer by some of the websites you visit. As you might imagine, while the contents of the files might not be useful (they’re specific to each site), the fact that there exists a cookie from a specific site means your web browser has at some point fetched a page from that site. In other words, it’s one way to see where you’ve been.

Tools like CCleaner can easily and quickly clear cookies.

In addition, such tools also clear other traces of activity, like your explicit browser history, temporary files, the contents of your browser’s cache, and much more. I’ll refer to them as an interesting first step to removing some traces of your activity.

But they’re in no way complete or foolproof.

Resurrecting data

The easiest thing to overlook is the fact that deleting a file doesn’t delete its contents. Unless the data is actually overwritten by subsequent writes to the disk, there’s a possibility it can be recovered and restored. This is what “undelete” is all about — the attempt to recover files that have been deleted.

Simply clearing your cookies or history or whatever else data-cleaning tools might remove does nothing more than delete the file(s) containing the information. There’s a chance the files could still be recovered with an undelete tool.

The only way to avoid this is to ensure that the data is overwritten after it’s been deleted. CCleaner and similar tools have something called a “free space wipe” which does exactly that: it overwrites all the free space on your hard drive with random data, rendering what was there practically [1] unrecoverable.
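To make the difference between deleting and overwriting concrete, here is an added illustration (not code from the original article). It uses a toy in-memory disk with hypothetical names `ToyDisk` and `carve_urls` and constructed sample data, and shows that an ordinary delete leaves URLs recoverable from unallocated blocks, while a free space wipe removes them.

```python
import os
import re

BLOCK = 64  # bytes per block on this toy disk (constructed model, not a real filesystem)

class ToyDisk:
    """Raw blocks plus a file table; 'deleting' only edits the table."""
    def __init__(self, nblocks=16):
        self.raw = bytearray(nblocks * BLOCK)
        self.table = {}                    # name -> list of allocated block numbers
        self.free = list(range(nblocks))   # unallocated block numbers

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        # Ordinary delete: the entry goes away, the bytes stay where they were.
        self.free.extend(self.table.pop(name))

    def wipe_free_space(self):
        # Free space wipe: overwrite every unallocated block with random data.
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

def carve_urls(raw):
    """Examiner's view: search the raw bytes for URLs, ignoring the file table."""
    return [m.decode() for m in re.findall(rb"https?://[\x21-\x7e]+", bytes(raw))]

def demo():
    disk = ToyDisk()
    disk.write("report.txt", b"quarterly numbers\n")
    # Constructed sample data standing in for a browser history file.
    disk.write("history.db", b"https://example.test/search?q=new+job\n"
                             b"https://example.test/webmail/inbox\n")
    disk.delete("history.db")
    after_delete = carve_urls(disk.raw)   # both URLs still carved from "free" blocks
    disk.wipe_free_space()
    after_wipe = carve_urls(disk.raw)     # nothing left to carve
    return after_delete, after_wipe, bytes(disk.raw[:18])

if __name__ == "__main__":
    print(demo())
```

The file that was never deleted (`report.txt`) is untouched by the wipe, which is why a wipe only addresses data that has already been deleted.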

That may still not be enough to erase all of your tracks, however.

Data you’re unaware of

Windows is an incredibly complex operating system, as are many of the applications that run on it, including web browsers. It stores information in places you might not know about, or in places you know about — like the registry — but have no way to remove. Even so-called registry cleaners only remove or correct certain types of information, and are more about the health of your system than removing evidence of your activities.

Even the paging or hibernation files could be analyzed by someone knowledgeable to collect or infer information about what the computer was used for, where you visited, or what you did.

There’s simply no way to know that there isn’t some amount of evidence of your activities left somewhere.

So, honestly, the only way to truly remove all evidence of your activity from your computer is to erase it completely. There are two approaches: use a tool like DBAN to literally erase the hard disk, or reinstall Windows from scratch, ensuring you reformat the hard disk as part of the process and run a free space wipe when the install is complete.

Both of those things are likely to trigger warning signs from an employer.

Besides, they may still not be enough.

Your computer isn’t needed to keep tabs on you

When we think about tracking and evidence of our activities, we immediately think of all the data that’s stored on our device.

While I’m sure your company would love it if you left all your tracks on the machine, it’s very possible that they don’t need ’em.

Remember, they provide you with your internet connectivity and local networking. That means they can monitor where you go, what you do, and what you access from another computer, such as their internet gateway.

[Image: Corporate Network Internet Access]

They don’t need access to your machine; all they need do is monitor your online activity through the devices they control.

And it’s not your computer, to boot

Finally, it’s important to realize that when you use a computer provided to you by your workplace, it’s not your computer. In most jurisdictions [2], you don’t have a right to privacy on workplace-provided equipment.

The most obvious implication is that your employer has a right to snoop on what you’re doing by examining your computer or monitoring your internet traffic.

More concerningly, though, your employer could install spyware on your machine, or interfere with the “privacy” implied by https secure web sites. That means that even if you completely erase what’s on your computer, they may have already collected information about your activity and sent it to their own servers for storage and analysis.

Trust. It’s complicated.

Honestly, it really all boils down to trust.

You may or may not trust your employer not to spy on you, but it’s important to realize that they can. Much of how you use their equipment could be recovered forensically.

Similarly, they may or may not trust you to use their equipment according to their rules and guidelines. Once again, it’s important to realize that they have ways of verifying their trust in you.

I can’t say how much invasive spying or forensic analysis is common, and I certainly can’t say how much is ethical or justified. What I can say, though, is that it’s possible, and that if you have any concerns at all, you should act as if your employer can monitor every little thing you do with their equipment. It’s by far the safest thing to do.


Footnotes & references

1: Sadly, there are no absolutes. For example, there’s a very small chance that data overwritten on magnetic material could still be recovered through extensive (and expensive) forensic analysis.

2: Remember, I’m not a lawyer, and none of this is legal advice. If you need legal advice, get an attorney.

25 comments on “How Can an Employer Recover Information I’ve Erased?”

  1. “Even so-called registry cleaners …..and are more about the health of your system” – Perhaps the word “allegedly” should be used somewhere in that sentence :P

  2. More concerningly, though, your employer could install spyware on your machine, or interfere with the “privacy” implied by https secure web sites. That means that even if you completely erase what’s on your computer, they may have already collected information about your activity and sent it to their own servers for storage and analysis.

    That statement is pretty much the bottom line. Some companies install key-loggers which is apparently legal for them to do. With those, every keystroke including deletions and corrections, and more such as screen-shots, are recorded and sent on to them. So there’s absolutely nothing you can do after the fact because they may already have all of the data.

    • As they are the owners of the computer you use, they have the right to install any application they want to, including key-loggers and any other monitoring application or devices.

      • …but… they should also inform every employee of the fact.

        Forewarned is forearmed to the employee.

        The upshot is, unless stupidity reigns supreme with an employee, less problems and less to see by the employer (usually the IT team though)

        I call that a win/win. Employee is less likely to go to sites they shouldn’t (but remember there ain’t no cure for stupidity) therefore less chance of pernicious malware on the system. Employer therefore has less issues to deal with and time savings is $ savings.

    • Can you please tell me why the word “through” was thrown into the sentence: “More concerningly, through, your employer…”? It doesn’t seem to fit the intent of the sentence.

  3. My employer tracks what I do on my computer … and they make it known. As you log in to Windows, they put up a message box to tell you. But then, my employer has a lot of information that should not be disclosed, either on purpose or accidentally.

    I appreciate my employer making it known that they monitor my actions. While they do have the right, I don’t think employers should do it surreptitiously.

    • And remember that this applies to the USofA. Other jurisdictions, i.e. countries, will have different laws. Some better, some worse, some totally diabolical.

  4. Don’t forget automated backups.
    If your employer is serious about safety, he should have automated backup at least on a daily schedule.
    Add all the logs kept on each computer as well as router logs and server logs.
    Your activity traces are not only on the computer that you use, they are all over the company’s systems.

  5. Our company for a time used Spector CNE, now called something different, but I dropped the practice due to little or no enforcement after breaches of policy and sometimes law. We commenced using it due to a few staff stealing critical information. It’s an interesting dilemma. The software recorded EVERYTHING: screenshots every 30 seconds, keystrokes, sites visited, Facebook and other chat systems all recorded. We used to put up a warning message as you logged in to the workstation or laptop that informed the user that everything was recorded; I even showed people what we could see and capture. Yet still people would download porn, set up drug deals, spend the day on gambling sites. Unbelievable but sadly true. As I said, we stopped using it: costly and little benefit with no enforcement.

  6. I have read that even if you ‘delete’ a file and then overwrite it with another file or random data, the original file can still be recovered by forensic analysis. I find this a little hard to believe but am just curious (nothing to hide) about how true this is?

    • When data is written to an HDD, it doesn’t write it in exactly the same location. It can be off by a tiny offset. Sometimes forensic analysis can find those tiny traces and determine what has been overwritten. That’s why some wiping programs overwrite up to 30 times. SSDs can’t be retrieved that way but that’s not saying someone won’t come up with a method to retrieve overwritten data in some other way.

  7. Hi Leo or Mark,
    Leo I hope you are feeling better! Rest and get better!!! And get the 2 pneumonia vaccines recommended by the CDC!! And Mark you have been a great help also!!!! Note: This is my PC. I’m retired so no employer!
    What do you do when your PC can’t see the printer driver?
    Running Windows 7 Home Premium 64 bit on a Dell XPS 8500 Tower PC
    I have the correct printer driver on my Desktop.
    Listed below are the steps that I took to update the printer driver:
    > Control Panel
    > Device Manager
    > US Bus Controllers
    > Right click “USB Printing Support” and select “Update Driver Software”
    > A new Window Pops up – Select “Browse My Computer for Software”
    > click “Browse” and select “Desktop”
    > Scroll down and the driver does not show.
    Now I even put it into a folder – the folder does show but then the driver in the folder does not show. So how can you install this driver?
    Your Friend,
    Mike Wilhelm :-)

  8. Boot Linux from a flash drive and you don’t have to worry about deleted files or key loggers. Router logs could still be a gotcha.

    • Many companies use hardware keyloggers which can’t be bypassed that way. And standard company security usually blocks booting from anything but the installed OS. Use your phone and access the internet via your mobile carrier. Don’t go through the company’s network to access the internet and you should be safe.

  9. You can also be blamed for your computer usage while you are away from your computer. Never ever leave your computer while you are logged in. Entering a password after every break is easier than finding a new job.

  10. As far as the ability of the employer to do something like this, it’s a sad commentary. In my working life, I always had one rule when I hired someone: ‘If you don’t trust the people you hire, hire people you CAN trust.’
