SEARCH FOR IMAGES

1. Look out all your recordable media

Any Flash drives, memory cards and sticks, CD-Roms and DVD-Roms, internal and card memory from digital cameras and mobile phones, backup tapes and disks, old unused computers and old hard disks that came out of them. Anything that contains digital storage. It's pointless cleaning up your main hard drive in your computer if you have files elsewhere that you've forgotten about.

If you're ABSOLUTELY sure there can be nothing suspect on something you can ignore it. If not, you need to go through the sections 4 and 5 below for each of themIf you have enough space on your main hard disk it makes life easier to copy them (or restore backups) onto it. Create new directories or folders and copy them into them. If you copy them all to your hard drive, you can search through all files in one go - much quicker. Though at the end you will need to bulk-wipe or physically destroy these media if they had anything risky on them.

The alternative to copying them all over is to connect them one at a time and repeat sections 4 and 5. At steps 4.6 and 5.6, select the drive as described there.

2. Encrypted data, hidden data, data not in partitions

If you have ever deliberately hidden images or encrypted images, this makes things harder. This page doesn't cover these situations, and we'd assume that if you have done this you know how to undo it. Delete them if they're not safe, and make everything visible that might possibly be unsafe and check them as in sections 4 and 5 below.

3. Compressed files

Every PC contains compressed files that contain many other files. Many of them come with Windows and with other software, but you can also download other sorts from usenet news and file-sharing, and these might contain something suspect. Files with the suffix .cab are almost certainly OK. Ones with the suffix .zip and particularly .rar may be files you've saved or downloaded and will need checking if you don't know what they are. Ones you've downloaded are likely to be somewhere under the My Documents directory, unless you have ever deliberately chosen to save to other directories. To find these, in section 5 below, include *.zip *.rar in the list in step 5.12.

As with encypted data, ignore them if you're absolutely sure they're innocuous. If you're not sure, either delete them or decompress and check them. If you decompress, make sure that you delete the original compressed file if there's anything risky in it.

4. HOW TO FIND ALL IMAGE FILES

Note This applies to Windows XP. Older versions of Windows may be close enough for this to be useful.
Windows Vista is quite different. Instructions for Vista are here.

1. Double-click on the My Computer icon on your desktop
2. Double-click on Local Disk (C:) (or the disk you are checking)


3. Press Ctrl and f together


4. click on Pictures, Music, or Video

Note Older versions of Windows don't have this option. If so, skip the rest of this section and do step 5.10 when you do the next section.

5. click on Pictures and Photos, and Video. These boxes should be ticked and the Music one empty.


6. click on Use advanced search options


7. click on More advanced options

More items appear. You may need to scroll down to see them all.

8. Click the boxes for Search hidden files and folders and Search tape backup
9. Now the boxes Search system folders, Search hidden files, search subfolders and search tape backup should be ticked, and Case sensitive should be empty. Click the boxes to change them if not.


10. Now look at the toolbar with icons and the words Back, Search, Folders in it. The right hand icon looks like a tiny folder. Click it

a drop-down box appears, with options starting with Thumbnails


11. click on Thumbnails
12. Go back to the left-hand panel. Click the Search button at the bottom right
13. ...and wait

Thumbnails will start to appear. Even on a new little-used machine there will be thousands. Most will be buttons and sample files for programs. You need to scroll down through the whole lot checking .........

Some images won't display a thumbnail but only an icon for the file type. These are in compressed folders. If you've followed the instructions in 3. above they can be ignored. You can check the titles to make sure, they'll give a good clue to whether they are innocuous or might need checking.

Any images which you feel are risky you should select and delete as in section 6 below

5. HOW TO FIND NAMED FILES

Note This applies to Windows XP. See the Note in section 4 above for other Windows versions.

1. Double-click on My Computer
2. Double-click on Local Disk (C:) (or the disk you are checking)


3. Press Ctrl and f together


4. click on All files and folders
5. click on Use advanced search options


6. click on More advanced options

More items appear. You may need to scroll down to see them all.


7. Click the boxes for Search hidden files and folders and Search tape backup
8. Now the boxes Search system folders, Search hidden files, search subfolders and search tape backup should be ticked, and Case sensitive should be empty. Click the boxes to change them if not.
9. Now enter any files you want to find in the box under All or part of the file name
10. If you're running an older version of Windows and couldn't search for image files above, you need to include all the filetypes that you need. The main types are
    *.jpg *.jpe *.jpeg *.gif *.png *.tif *.avi *.mov *.mpg *.mpeg *.mp4 *.wmf *.asf *.flv
    Copy and paste these into the box as a single line. Then do steps 4.10 and 4.11 above.
    If you were able to search for images in section 4, you only need to search for thumbnail cache files as described below.
11. Click the Search button at the bottom right
12. ...and wait

Files will start to appear. When finished, the left hand panel will say how many it found.

13. Any images which you feel are risky you should select and delete as in section 6 below

You need to check for one other type of file, which holds cached thumbnail cache files. These are created whenever you explore a folder that has images in.
Do the steps in section 5 again, but in place of the image files in 5.10, paste in
Thumbs.db ehthumbs.db Thumbcache*

Select all of these using Ctrl and a, and delete as in section 6 below.

6. GETTING RID OF FILES

You need to select the files in Windows Explorer that you want to delete.
Make sure the Explorer panel has focus by clicking on its top bar.
To select a file, left-click it once.
To add another file, hold Ctrl and left-click it
To add a set of files, Ctrl and left-click the top one, and Ctrl Shift and left-click the bottom one.
To unselect a selected file, Ctrl and left-click it again.
To unselect all, left-click any file without holding Ctrl. This drops all the selected files. If the file you last clicked is now selected, click it again to unselect it.
To select all the files in the panel, hit Ctrl and a. You can Ctrl left-click to unselect any you want to exclude. When all the files you want are selected, you can delete them. Simply press Shift and Delete (or Shift and Del) and the files will be deleted without going into the Recycle Bin.
In practice you'll have a lot of files to check, so you'll select and delete one or a few at a time. You don't need to select all of them at once.

TECHIES: Instead of Shift-Delete, if you installed Eraser, right-click on any of the files selected and select Erase from the context menu that pops up. Also on the Eraser page there are instructions on how to erase thumbnail cache files.

7. EMPTY THE RECYCLE BIN

Double-click the Recycle Bin icon on your desktop. It will open in an Explorer panel.
Click on File in the bar at the top left, then select Empty Recycle Bin.

TECHIES: if you installed Eraser, instead of Empty Recycle Bin, right-click the Recycle Bin Desktop icon and select one of the options - either Pseudorandom Data 1-pass or any of the 3-pass or 7-pass options if you prefer.

8. DELETING INTERNET TRACES

TECHIES: if you installed Eraser, go to the Eraser page to erase them instead. The Ccleaner program (instructions here) also gives a way to clear internet data and much more. For others, read on.

If you use Internet Explorer, there is an option to delete various types of internet records. This varies in different versions, but all can be found under the taskbar that starts File Edit. Click on Tools, then Delete Browsing History if it exists, or if not on Tools.

You'll probably get the option to delete Temporary Internet Files, Cookies, History and Form data. Click on the delete button for each. It's probably best not to click on Delete passwords unless you are very security conscious and you have saved all your passwords elsewhere.

The Firefox browser's Tools option is called Clear Private Data but is otherwise very similar.

back to the main forensics page

© Copyleft backlash 2009
www.backlash-uk.org.uk/fr_search.html .

backlash Uphold the Human Rights Act

Shooting the Messenger

The internet is a convenient scapegoat for society's ills.

The UK government is to legislate how best to imprison potentially many people for viewing content on the internet.

How should governments regulate the details of our personal lives and control individual expression ?

Preserve Individual Freedoms

Backlash campaigns to ensure the right remedies are applied to the right problems.

Whilst doing so we preserve hard won individual rights and liberties.

See no evil.

The government doesn't want you to view certain images. And will send you to prison if you possess them. Even in the privacy of your own home.

• Home
• Legal advice
•     Your Rights if arrested
•     What the law says
•     What constitues "extreme"
•     What is "possession"
•     Government advice
•     Police advice
•     CJIA case monitor
•     Other cited cases
•     How to clean a computer
• The legislation
• News & Rapid Rebuttals
• Media coverage
• Opposing this law
•     A QC's Legal Opinion
• How you can help
•     Donating
• F A Q
• About Us
• Contact Us
• Site Map