Detecting if someone used a disk wipe / secure erase program

I was recently on a tech call to try and recover some missing files from a small office that had a laptop returned to them from an employee that recently left, but apparently deleted all of their work files. I was unable to find any ms office documents and was wondering if there were any programs that can detect if a disk wiper was used? As this is a small office, they won't be sending the drive away for any expensive file recovery services (they'll live without the files), but they were curious to see if the employee had used a disk wipe program.

Any ideas?
Who is Participating?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
No, most wipe utilities do a combination of things, all 1's all 0's alternating 1's and 0's and random... so you couldn't tell one from the other. Windows also has it's own wipe utility, cipher.exe which will over-write once with random data. You can run it as much as you like to get multiple wipes. Doesn't matter if they did really, you could never actually tell, maybe they just hit the delete button, and then defrag'd the HD, that would likely over-write the empty places those files used to be, especially if the HD was very fragmented. You can run recovery software, but you should never boot or install programs to the drive you want to recover data from, things will get overwritten that way. Take the HD out, use something like: that adapter to read the HD. use a program like: to scan the HD to see if you can recover the data.
Again, unless as stated above, you find the utility they used using software like I linked to, you will never know if they used a utility or if they simply hit shift+delete (by passes recycle bin) and then defragged the HD.
Lee W, MVPTechnology and Business Process AdvisorCommented:
I can not imagine a situation where you would know unless you could find the actual disk wipe program installed.  
Lee W, MVPTechnology and Business Process AdvisorCommented:
I suppose you can "guess" based on the configuration of the laptop when it was returned... but there are plenty of programs that can do a "file wipe"
Although you could use a tool like FTK, it appears you are looking for a quick fix. I would suggest removing the drive, loading it onto another machine as an external drive, then run a tool like PC Inspector File Recovery. That app in particular can recover "lost files" and you can see deleted applications.

IF they used a wipe program that they installed, like cCleaner for example, they had to uninstall it and therefore couldn't wipe it, which would leave it potentially available for recovery.

You could perform this inside an hour and get an answer to your client.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.