Advice

If you are arrested simply for possession of extreme pornography featuring consenting adults, we want to hear from you and see how we can support you, contact us.

For advice about what to do if you are arrested, see here. http://www.backlash-uk.org.uk/rights.html

CLEANING YOUR DISKS – START HERE

A number of concerned experts collaborated to produce advice about electronic images that might fall under this untested law.

BACKGROUND

Anyone who possesses material that is classed as ‘extreme pornography‘ after January 26th 2009 will be committing a crime. In the (probably unlikely) event that the police investigate you, they will take your computer and any other computer data storage and investigate it for signs of illegal material. After that date, it is perfectly legal to have once had such images, but you must not own them any more, or have searched for or downloaded them since then.

It is clear that, for any material that will be illegal in January but isn’t now, it’s enough to have made an honest effort to delete it. If you can’t yourself, with your knowledge and your software, retrieve it, that counts as deletion, even if someone else with special software could retrieve it.

This is a bit of a Catch-22, because if you look like you know how to do more, you’ll be expected to do it. Also, we must all find and delete all our images that would break the law. If the police find more than one or two that you’ve missed you could be in trouble. And software that can find traces of deleted images can also (in theory) be used to retrieve them, thus allowing you to ‘possess’ them again. Don’t panic, just keep reading.

Before we weigh in, this is aimed at Windows users. We don’t have the expertise to help Mac users but will try to find it, and welcome serious offers of help. UPDATE Here’s a good article on secure erasing on a Mac.

If you run Linux, your job is much easier. We don’t have ready-made Linux pages but are happy to advise you if you contact us at Backlash.

NOTICE

Deleting risky images before January 26th is legal and responsible. These pages aim to show you how to do this. They are NOT intended to help you cover traces of potentially illegal browsing and downloading after the 26th, nor to hide data after it becomes illegal. Nothing here is intended to do this, or is likely to be much use for it. We can’t and won’t advise on illegal techniques.

ABOUT THESE PAGES

The pages linked here were created by IT and forensics professionals and user reviewers. The contents are free to copy and host elsewhere in materially unaltered form. They are a work in progress and subject to minor changes, so please check back for the latest version.

Do contact backlash-uk if you spot a mistake or can suggest improvement or clarification, and especially if you can provide information on other Windows versions or other operating systems.

IF YOU HAVE GIGABYTES OF IMAGES,

many of which are likely to be illegal, it might be best to start from scratch with a new computer or at least a new hard disk. Maybe you can save your non-risky personal and data files to backup (to CDs/DVDs or a flash drive/memory stick) and completely wipe your hard drive with special software. You will then need to reinstall everything. You will need the CDs that came with your computer and by following their instructions you can restore it to its state when you got it. You then need to reinstall and configure all software that you had put on it since. This is easier said than done, a tedious job and an expensive one if you need to buy new software, but is the safest way of having a clean PC. If you need to do this and you’re not tied to Windows, you could consider moving to Linux.

If you’d rather find and delete all risky images, read on.

TECHNOPHOBES

Whether you yourself can retrieve deleted files depends on your level of computer knowledge. If you’re someone who just uses a PC or laptop for basic tasks, without any special knowledge, you would be expected to know how to use the normal Delete function and to empty the Recycle Bin. For some people, this may be the best option. You could follow complicated instructions for running deletion software, but having such software might make a court believe that you are more of a computer expert than you are. If the prosecution find material that you’ve missed or you’ve failed to remove well enough, they might possibly believe that you intended to hide and retrieve it.

CONFIDENT COMPUTER USERS

For people who are happy finding and installing new software, and who probably already use some system software, it will probably be obvious to a police investigation that you might know how to hide files in a way that you could retrieve. In such cases, it might be wise to remove images in a way that police forensic software won’t be able to recover. We will recommend a couple of simple and free software tools to do this. As this is file erasing software it might be taken as evidence that you have something to hide, but if you might have had ‘extreme pornography’ and you ran it before January 26th, you have a perfectly valid excuse. It isn’t file recovery software, which might be taken as evidence of an attempt to hide and retrieve files.

TECHIES

If you feel thoroughly at home with computer principles, we will suggest software that can do some of the forensic recovery tasks that the police would run. This will show if you have any retrievable image files anywhere. If you can’t find them*, nor can they. This obviously leaves you open to to suggestions that you have it to recover ‘deleted’ files, so it would be wise to end by deleting the software.

*Don’t be scared by the stories of files still retrievable after many overwrites. This just doesn’t happen in practice. Even if these experimental and theoretical techniques were available, the police don’t have the equipment to do them.

EVERYBODY

But whatever level of expertise you have, everyone needs to have tried their best to delete illegal images, so we all must start by searching for anything that might be illegal on all our data storage.

START HERE

Here and in linked pages, we will show keyboard keys like this Ctrl. When there is an exception, something to note, or something that applies just to some people, we show it like this TECHIES. When we give text or options as shown on Windows Explorer or program windows, it appears like this.

TECHIES If you’re a confident computer user or an out-and-out techy, look at the Eraser page and decide if you want to download and install Eraser. If you do, install it now and come back here. There are a few places in other pages here where you’ll see the TECHIES sign and here you’ll use Eraser instead of a normal delete.

EVERYBODY Whether you installed Eraser or not, now is the time for the big search for image files. For Windows XP and older, go here to learn how. For Vista, go here.

Now if you do all the steps on the search page, this will delete or erase image files themselves, and a few other things like thumbnails and internet cache and history. Those people who don’t know a lot about computers will have done all that could be reasonably expected of them to get rid of files that weren’t illegal before January 26th, and can stop here.

The rest of this page is therefore just for TECHIES

Ccleaner

If you’ve downloaded files from P2P or newsgroups, the programs you use to do it are likely to leave traces of what you downloaded. For “extreme porn”, so long as you did this before January 26th, this should not be a problem. But if you’d rather try to remove everything you can that might make the police interested, you’ll need to do more. Ccleaner is another free program that removes many types of file and registry entry. Details are here

Checking using data recovery

Lastly, there could always be image files that an application has cached and failed to delete, or images embedded in other files, or something that you’ve just missed or for whatever reason has failed to be wiped. If you want to look for all image data, in live files or deleted, you can install a program that does ‘data carving’. These are written with two purposes, for individuals to recover files that have been deleted in error, and for computer forensic purposes. Both can serve our purpose well.

Of course, if you install a program that can recover lost data, you are open to suggestions that you’re using it to retrieve data that you can claim was deleted. In practice, nobody in their right mind would do this, as much data would not be correctly recovered if at all, and what was usable would be under constant threat of being made unreadable if you ever wrote to that partition again. But in court it would be your expert witness’s word against theirs. So it’s one to install, run before the 26th, and then erase. If you want to use this method, you need to create a spare partition large enough for the recovered files, and will then need to wipe it or destroy the storage medium when you’ve finished. If you’re OK with this, brief details are here.

Anything else?

There may be other places where some trace of your having accessed images might remain. Ccleaner is wise to many sorts of application data, but there are more. If you’ve used a photo editor it may have saved image data in its native format. Newsreaders may cache messages in the form they were received in, b64, UU- or yEnc encoded, and these won’t show up in standard data recovery tests but might do in the police’s tests (which tend to use EnCase which has some extra tests and is far from free to buy). In these cases you need to be aware of any programs you’ve opened risky image files with, and look at its application data. To take the case of XP and older Windows, make sure ‘view hidden files’ is enabled (in any Windows Explorer window’s Tools/Folder Options/View tab) and check in the install folder e.g. under C:Program Files[your-program] and in C:Documents and Settings[your-user]Application Data[your-program].

If you want you can uninstall the program. You could wipe the install and application data folders but this wouldn’t remove any registry data, so using the program’s recommended uninstall method is best (usually Control Panel’s Add or Remove Programs). But this of course will do a simple delete, so you must be sure to do a final unused space wipe at the end.

Then again, when you understand the principles there are always more ways to do what’s needed. You might want to take a look at your Registry for any incriminating keys. To do this in XP and older Windows, from the Start menu select Run…, type regedit in the Open: box and Enter. In the regedit panel, Ctrl f will give you a search box which will work at any level you’re at, from My Computer downwards. You can use this to search for any string, such as .jpg. Use F3 to step through the entries, which will find in this case file associations to applications and .jpg in any recent file lists. Right-clicking gives you a Delete option. Closing regedit appears to apply any changes, but it’s a bit risky to make changes. You can seriously screw up Windows by corrupting your registry, and we’re not sure if regedit doesn’t save previous versions somewhere – which might give you the option of rolling back, but rather defeats the aim of deleting the data. All in all, maybe it’s best to use this to find anything dodgy, and use other means (e.g. uninstall and reinstall the relevant application) to remove it.

Lastly

Did we say this before? Yes we did, but we’ll say it again. The last thing of all that you do is to check that you haven’t created any new thumbnail cache files, and then erase unused file space.

Comments are closed.