RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

From: Troy Larson (ntevidence_at_attbi.com)
Date: 06/27/03

    To: "'Robinson, Sonja'" <SRobinson@HIPUSA.com>, "'NC Agent'" <NC_Agent@kueppers-familie.de>, <security-basics@securityfocus.com>
    Date: Fri, 27 Jun 2003 12:42:19 -0700
    
    

    Sonja,

    I would be very interested (actually, surprised) if any software tool could
    recover any data after only one overwrite. It is my understanding that
    software is limited to the capability of the drive--and the hard drive
    itself isn't going to see data once it is overwritten. The overwritten data
    is noise to filter out to prevent data corruption.

    I am familiar with the research that you mentioned (we must run with the
    same crowd). My only point was that unless you needed to worry about
    someone spending money for an expensive, hardware-based data recovery, one
    pass should be sufficient. (I don't want to do 7-31 passes on a 160GB drive
    unless I really, really have to.)

    Thanks for the excellent points.

    Troy

    > -----Original Message-----
    > From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    > Sent: Friday, June 27, 2003 6:23 AM
    > To: 'Troy Larson'; 'NC Agent'; security-basics@securityfocus.com
    > Subject: RE: Digital Evidence Question - What is an effective
    > Windows hard -disk search tool?
    >
    >
    > According to information I received at an HTCIA meeting about
    > 3 months ago, as well as some reading that I have done, 31
    > times is now what is recommended. I can't locate my notes
    > that had the speaker's name in the piles on my desk but he
    > was from NY State Dept. of Health I believe and in charge of
    > info security. They had performed a number of tests on a
    > number of different wiping utilities (30 or so). They
    > specifically stated that although their tests were obviously
    > not exhaustive since there are a myriad of tools out there,
    > that s/w such as Maresware DeClafy and a few others
    > (somewhere in my notes) were the best because not only did
    > they wipe the drive completely, but it did the MBRs and even
    > did past the EOF flag at the end of the drive. They also
    > spoke about shredders, magnets, etc. and the pros and cons of
    > each. It was a very good training session and brought up a
    > lot of interesting points and dialog. 7x was the de facto
    > standard for DoD. I am not sure if they have adjusted their
    > requirements. 7x was recommended to ensure that the full
    > clusters and sectors were completely overwritten. I agree in
    > many instances 1 wipe is sufficient depending upon what data
    > you are trying to conceal, i.e. confidentiality, and depending
    > upon whether you are reissuing the drive or selling/disposing
    > of it. I also agree with you that MOST tools will not
    > recover past one wipe; however, there have been arguments
    > stated in this thread that it is recoverable and
    > theoretically it IS possible, although you are correct it is
    > generally more difficult. I wipe mine to the original DoD
    > specs currently, 7x. I will be testing FTK, Encase, R-Studio
    > and some other generally available tools over the next two
    > weeks or so, as time permits. I will be testing against a
    > regular format, gdisk, and BCWipe and perhaps some others. I
    > will post a summary of the results when I have them.
    >
    > Sonja Robinson, CISA
    > Network Security Analyst
    > HIP Health Plans
    > Office: 212-806-4125
    > Pager: 8884238615

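Added example (not code from either poster): a small Python simulation of the points argued above. It builds a constructed in-memory "disk image" (512-byte sectors assumed) with a fake MBR, a file, and stale data past the filesystem's end, then shows what a software search tool sees before and after a whole-device overwrite of N passes with a read-back verification.

```python
import os

SECTOR = 512  # sector size assumed for the constructed image


def make_sample_image(sectors=64):
    """Constructed disk image (not a real drive): a fake MBR in sector 0,
    a 'file' in sector 10, and stale data in the last sector, past the
    filesystem's logical end (the 'past the EOF flag' region)."""
    img = bytearray(os.urandom(sectors * SECTOR))
    img[0:14] = b"FAKE-MBR-BYTES"
    img[10 * SECTOR:10 * SECTOR + 26] = b"CONFIDENTIAL RECORD 000123"
    img[63 * SECTOR:63 * SECTOR + 20] = b"STALE-DATA-PAST-EOF!"
    return img


def find_residue(img, needles):
    """What a software search tool can see: a byte-pattern search over every
    sector the drive returns, MBR and slack included. Returns needles found."""
    return [n for n in needles if img.find(n) != -1]


def wipe_image(img, passes=1):
    """Overwrite the whole image sector by sector, `passes` times. Earlier
    passes write random data; the final pass writes zeros so a read-back
    verification has a known expected value. Returns the number of sectors
    whose read-back did not match the final pattern (0 means verified)."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    n = len(img) // SECTOR
    for p in range(passes):
        for s in range(n):
            pattern = bytes(SECTOR) if p == passes - 1 else os.urandom(SECTOR)
            img[s * SECTOR:(s + 1) * SECTOR] = pattern
    # Verification: read every sector back and compare with the final pattern
    return sum(1 for s in range(n)
               if img[s * SECTOR:(s + 1) * SECTOR] != bytes(SECTOR))


if __name__ == "__main__":
    needles = [b"FAKE-MBR-BYTES", b"CONFIDENTIAL RECORD 000123",
               b"STALE-DATA-PAST-EOF!"]
    disk = make_sample_image()
    print("before wipe, found:", find_residue(disk, needles))
    print("unverified sectors after 1 pass:", wipe_image(disk, passes=1))
    print("after wipe, found:", find_residue(disk, needles))
```

On a real device the same logic applies to a file handle opened on the block device; the point is that once the drive's own read-back shows only the final pattern, a software search has nothing left to find, which is why extra passes only address hardware-level recovery.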
