Did You Know Deleted Data is Not Really Deleted?

Many of you have heard or seen what has got to be one of the biggest court trial to hit the media since OJ Simpson’s. Casey Anthony (whose known as “Tot Mom” in the media) is on trial for the murder of her 3-year old baby daughter, Caylee Anthony. I haven’t followed the case all that much in the past but now that the trial has officially started (about to end as I write this), I have been hooked since midway through the prosecution witnesses took stand. Anyways, I thought the trial wouldn’t involve any technical details such as bringing in digital forensic evidence and whatnot but boy was I wrong! Computer forensic evidence basically played one of the biggest parts of this trial and so many viewers get to see first hand what happens when someone thinks they’ve outsmarted their computer and the law!

Here is a very vague explanation of what happened without going into the boring details:

  1. The Anthony’s home HP desktop computer was seized by local law enforcement to be searched and examined.
  2. Search terms for “Chlorophyll”, “How to make Chloroform”, “Neck breaking”, and other terms for products on how to put together a home-made chloroform solution was found on the computer. Cindy Anthony (Casey’s mom) claimed that she deleted some of the Internet search history. This is significant because chloroform samples were found in the trunk of Casey’s car, which was supposedly used to dispose her daughter’s body in the woods.
  3. Cindy Anthony took to the witness stand and stated under oath that she was the one who typed in those search terms on the computer at those given dates and time. She was a nurse at that time and had reasons to look up those medical terms.
  4. Cindy declared that she left work early that day, even though she said her time card reflected differently as she could work from home, and performed those searches.

Perjury is a No NO

On Friday of July 1st 2011, the state prosecutors bought in two employees of Gentiva (former workplace of Cindy) along with two computer forensic specialist who did work on the Anthony’s HP computer.

CindyFirst, we’re going to focus on the chief compliant officer (CCO) of Gentiva. Think of this guy as the one responsible for making sure that a company is following all the rules and if a legal matter arises (such as this one), he’s the one to contact. The CCO brought work records with him proving that Cindy Anthony was indeed at work during the times those searches were made on the HP computer. Cindy had thought and said to the court that the computer records were most likely deleted by the company and no longer available. She even dared the prosecutors to “check them if they want”. Well, they called her bluff and they can now charge her with perjury (lying under oath) if they decide to go that far. Here’s a couple of interesting things:

  1. Cindy must have been really ignorant to challenge the prosecutors to obtain records and challenge her testimony. The search terms made on the computer is one of the biggest evidence against Casey Anthony. She would have been crazy to think that the prosecutors would not call her bluff. The search terms can prove premeditation (not being an accident) in the murder.
  2. Believing that your work history would have been deleted only after 2-3 years within leaving the company is pure ignorant, especially if you work in the medical field. A professional company retains huge amounts of work data conducted by their employees for years, just in case something like this occurs. You can be sure that once Gentiva heard of Cindy Anthony’s involvement in this trial way back in 2008, they made sure to have her records on hand in case they are called upon by the court. Gentiva would have committed reputation suicide if they could not produce the records needed to prove that Cindy was or was not at work on any given day.
  3. The CCO stated that Gentiva workstations would auto-lock after a period of 15 minutes if there is no user input or interaction. In my opinion, this is not very secure. If a user walks away from his/her workstation and forgets to lock their workstation, there is a 15 minute time window for anyone to use that workstation under the same user account and perform malicious acts. In highly secured environments, this time window should be less than 5 minutes. Group policy should take care of it!

The second witness called to the stand was Cindy’s former supervisor at Gentiva. She clearly testified that it was illegal for anyone to mark down on their time sheet/card hours they were working at Gentiva but was actually not. Cindy testified that although the records show that she was at work, it was okay for her to be elsewhere such as being at home because she was on a salaried pay. The second mistake Cindy made was claiming to be allowed to work at home on her own computer. Her supervisor cleared this up by rebutting that statement. Cindy Anthony had no way to VPN (virtual private network) into Gentiva’s network nor could she have logged on to Gentiva’s website to conduct her work. Why in the world did Cindy thought she could get away with this? Did she honestly believe that no one from her work place could prove her wrong?

The third and fourth expert witness brought to the stand were the juiciest of them all. They are the “geeks”, if you will, that examined the HP desktop computer. Basically, they testified that they found no search terms of “Chlorophyll” was ever found from the “supposedly” deleted Internet history. This counters what Cindy initially said when her searching for the term lead to the searches for “chloroform”. Another huge blow was the fact that Cindy claimed that the “neck-breaking” searches were not manually typed into a Google search but was the result of a Youtube popup video of a skateboarder breaking his neck. Well, that proved to be a lie as well. The expert stated that after looking at the deleted data, he found a specific search string for those two terms and that only a human could have entered those search terms in Google. Interesting facts:

  1. When Cindy was initially asked which browser she used to enter those search terms, she could not give a specific answer. It sounded as if she had no idea what a browser even is. We are then led to believe that she somehow had the ability to delete the Internet history. Doesn’t something seem completely off here?
  2. Cindy thought that she could get away with lying since if you deleted something from a computer, it’s completely gone and could never be recovered. Wrong. The expert witness did a pretty good job explaining how deleted data could be recovered without giving too much technical details to confuse the jury.
  3. How the results for the neck breaking search terms was recovered in my opinion was due to how the computer was rarely used by the Anthony’s. Casey was always out and about partying no doubt, the brother didn’t live there and both Casey’s mother and father didn’t do much on it anyways for times they did use it. One of the main methods of making deleted data unrecoverable is to overwrite it with new data. Because the computer was rarely used, not enough new data had been entered or saved to overwrite the deleted history space on the hard drive.

What’s the Point of All This?

There’s two reasons why I wrote this article:

PerjuryThe first is my pure anger at how no perjury charges will likely be brought against Cindy Anthony. A lot of people say  rarely do the court go after perjury charges because it’s a huge waste of time, money and resources and the fact that it’s really hard to nail someone with that charge. Really? Then why the heck do we have to swear an oath prior to testifying? If all a person have to do is throw in a few “if’s” and “maybe’s” to get away with perjury, what does that say about our judicial system? In this case, I strongly feel that Cindy damn well knew whether she made those searches or not on the computer. With such a big event going on in your life, there is no way in seven hells that you “may have” made those searches. Because of her lying, the prosecution have to bring in more witnesses and waste more time and money in rebutting her testimony. Can that really go unpunished? Some people even go as far as showing sympathy for Cindy and defend her lying because she is a “grieving” mother. If her false testimony got her daughter set free and she was indeed the murderer of her three year old daughter, would you then grieve for her because a baby-killer is let loose? How does this look in the future for witnesses who take the stand? They would not be scared to lie because nothing will be done about it. It honestly makes me sick to the stomach and causes me to lose faith in our judicial system.


The second reason is due to me wanting to remind everyone, once again, that our data is not truly deleted from our hard drive! Because this trial is followed closely by millions of people worldwide, exposing Cindy for the liar she is about her computer searches allows these people to learn about how a computer doesn’t really delete data like how they would like to think. One have to ask why this would concern a law-abiding citizen. In many scenarios, if you didn’t do anything bad or have anything to hide on your computer, why the worry? Well, that certainly is true but have you ever thought about what would happen if a stranger got a hold of your laptop or desktop computer? The amount of information recovered from your deleted history might surprise you. In fact, I’m sure there are people out there right now buying used hard drives off eBay and running file recovery tools on them in hopes to find something valuable. I remember there was a guy who once recovered top secret military blueprints using the exact same method. Luckily, he wasn’t a malicious user and reported his findings. Anyways, I’ve already written articles in the past regarding this matter so I hope you’ll take the time to read them if this subject matter interests you. Sorry Cindy, you should have read them as well because then you would have learned on how to securely delete your data. Oh wait, I’m not sorry at all!

How to Securely Delete Data on your Computer

Prevent Deleted Files from Being Recovered

How to Securely Wipe your Hard Drive

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)


  1. Wow this article is amazing. I learned something new after reading it. Speaking of deleted files being recovered, I read an interesting article about this on this website http://www.techyv.com/article/brief-guide-about-delete-and-recovery-files
    I just would like to share this for all. Thanks!

Speak Your Mind


(humans only, please) *