Most Mac users can tell you that you have two options when deleting files: a simple delete or Secure Erase. The default in 10.7+ is a simple delete, whereby the deleted file is placed into the User’s Trash. From there the file may be rescued by way of the “Put Back” option or deleted from the Trash, also known as a double delete, which kicks the file out into unallocated space. Most of the time this is what you encounter during an exam. However, a User may change the settings so that files are automatically securely erased when deleted. Secure Erase, by the way, is just what it sounds like – the file is overwritten.
To change the default delete setting, a User only needs to open “Preferences”, found in the Finder drop-down menu.
Next, the User chooses the “Advanced” tab and Secure Erase is a check box away! Checking “Empty Trash Securely” enables it. For now this option is unchecked by default in OS 10.10.
During a forensic exam on OS 10.10 you may check this setting by going to:
<User> | Library | Preferences | com.apple.finder.plist
If you have Xcode installed, you can open the plist in a format that is easy to view. Xcode is a free download from the App Store.
Check the “EmptyTrashSecurely” value. If the value is set to YES then automatic Secure Erase is enabled.
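If Xcode is not available on the exam workstation, the same check can be scripted. The Python below is an added example, not part of the original write-up: it reads each user's com.apple.finder.plist (binary or XML) and reports the “EmptyTrashSecurely” value. It assumes you point it at the Users folder of a read-only mounted image; the function names and the sample users alice, bob and carol are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Relative path from the article: <User> | Library | Preferences | com.apple.finder.plist
FINDER_PLIST = Path("Library") / "Preferences" / "com.apple.finder.plist"
KEY = "EmptyTrashSecurely"

def secure_erase_state(plist_path):
    """Classify one Finder plist by its EmptyTrashSecurely value."""
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)  # accepts both binary and XML plists
    except Exception:  # truncated or corrupt file: report it and keep scanning
        return "unreadable"
    if not isinstance(prefs, dict) or KEY not in prefs:
        return "not set"  # key absent: the option is unchecked by default
    value = prefs[KEY]
    if not isinstance(value, bool):
        return "unexpected value"  # flag for manual review rather than guess
    return "enabled" if value else "disabled"  # YES in Xcode is True here

def scan_homes(users_dir):
    """Map each home folder under users_dir (assumed: the image's Users folder) to a state."""
    results = {}
    for home in sorted(Path(users_dir).iterdir()):
        plist_path = home / FINDER_PLIST
        if home.is_dir() and plist_path.exists():
            results[home.name] = secure_erase_state(plist_path)
    return results

def build_constructed_users(users_dir):
    """Write constructed sample plists (not real evidence) for three made-up users."""
    samples = {
        "alice": plistlib.dumps({KEY: True, "ShowStatusBar": False}, fmt=plistlib.FMT_BINARY),
        "bob": plistlib.dumps({"ShowStatusBar": True}, fmt=plistlib.FMT_XML),
        "carol": b"bplist00 truncated",
    }
    for user, data in samples.items():
        target = Path(users_dir) / user / FINDER_PLIST
        target.parent.mkdir(parents=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_users(tmp)
        for user, state in scan_homes(tmp).items():
            print(f"{user}: {KEY} {state}")
```

A result of “not set” means the key is absent from the plist, which is different from a key that is present and set to NO; record which of the two you found.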