Part III: Beyond the Abstractions

In the final part of the book we move beyond abstractions, leaving the notions of files and processes behind while delving into the longevity and decay of data in the file system and in memory.

Users certainly contribute to the decline of deleted data by running programs and by saving and creating files. But computers also have the power to destroy. In the background, processes are steadily eating away at the prior state of the computer. Despite this, we found that deleted information can be surprisingly resilient against destruction: while everyone knows it's easy to lose data that you want to keep, it is less well known that data can be quite hard to destroy completely. Behind the scenes, systems produce multiple copies as they move information through a variety of locations.

In chapter 7, "Persistence of deleted file information", we show that large amounts of deleted file content and metadata can survive intact for extended periods of time, and provide a roughly estimated half-life for deleted data on file systems.

Chapter 8, "Beyond processes", shows examples of persistence of information in main memory. Different classes of data survive in very different ways, including decrypted content of encrypted files. Hardware platforms and operating systems can create important differences in persistence, and we finish the book discussing the tenacity of memory and the difficulty of clearing it through software.

This is perhaps the most challenging and unusual part of the book. The experiments often took several months before we had enough data to draw any conclusions. In particular, the experiments with main memory might be the most impractical, if not challenging, to use in investigations. The results, however, are of general importance, for they provide a deeper insight into the complexity that is inherent in what might seem like a simple investigative situation.