RE: Hard Drive Forensics Question



> Which is more likely to appear on a normal hard drive that has not
> been tampered with or set up: Entire blocks of 0s, or random malformed
> data?

In the case of the OP, I get the feeling that if someone examined the drive
they could easily draw the conclusion that the drive had been 'tampered'
with either way. Whether there were 0s or randoms on it.
It still doesn't matter which method you use. No-one is going to get any
data from it but I just wanted to see why you said random data were better.
I don't agree that your reason makes it 'better'.
As Ansgar pointed out, finding a credible report on data recovery from a
zeroed (if that is a verb) drive is impossible.
You can always take the challenge if you believe otherwise:

http://16systems.com/zero/index.html


And I still don't understand why you said:

> Delete it so as to be able to write over it again. Multiple write-overs
> ensure that no data may be recovered.

My lack of understanding may be because I'm not seeing what benefit you are
trying to gain from the 'deleting'. I thought that you could overwrite
something without the need for first deleting it but perhaps you know
something that I don't.









-----Original Message-----
From: Razi Shaban [mailto:razishaban@xxxxxxxxx]
Sent: Monday, October 06, 2008 11:25 PM
To: Murda Mcloud
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Hard Drive Forensics Question

On Mon, Oct 6, 2008 at 7:00 AM, Murda Mcloud <murdamcloud@xxxxxxxxxxx>

I won't reply to the first part, as I feel that it doesn't really need
much more elaboration.

And why do you feel that random is better?

If it is actual files that are copied, they may be recovered.
Depending on the nature of those files, opinions could be made either
way. If it's random data, nothing can be retrieved and they are left
with nothing to work with. If they are accusing him of wrong-doing
that he is innocent of, he should leave them with as little as
possible to work with, in my opinion.

Maybe I should have asked, "Why do you feel that random is better than
something else eg 0's?"

I don't think it matters whether it's random or not-overwrite something
and it's overwritten. Which means it's unrecoverable. Some apps will
overwrite with random numbers. Eg DBAN
If someone sees a pattern in the hard drive after I do
dd if=/dev/zero of=/dev/hdax
because it's not random they would be right. It's not random. However,
can they see any files I had on there before? No.


Which is more likely to appear on a normal hard drive that has not
been tampered with or set up: Entire blocks of 0s, or random malformed
data?

--
Razi
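
The zeros-versus-random question in this thread can be looked at from the examiner's side. The following Python sketch is an added example, not part of either message: it classifies each block of a raw image as zero-filled, random-like or structured and compares a constructed in-memory sample drive with its zero-filled and random-filled overwrites. The 4096-byte block size, the 7.5 bits/byte threshold and all function names are assumptions.

```python
import math
import os
from collections import Counter

BLOCK = 4096  # assumed scan block size

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if block.count(0) == len(block):
        return "zero"
    # 4096 random bytes measure about 7.95 bits/byte; text and most
    # file-system metadata sit well below the assumed 7.5 threshold.
    return "random-like" if entropy(block) > 7.5 else "structured"

def survey(image: bytes, block_size: int = BLOCK) -> dict:
    """Count block classes across a raw image held in memory."""
    counts = Counter()
    for off in range(0, len(image), block_size):
        counts[classify(image[off:off + block_size])] += 1
    return dict(counts)

def overwrite(image: bytes, random_fill: bool) -> bytes:
    """Same-length overwrite, as dd would do from /dev/zero or /dev/urandom."""
    return os.urandom(len(image)) if random_fill else bytes(len(image))

def sample_drive() -> bytes:
    """Constructed sample: 6 text blocks, 2 compressed-looking, 4 never written."""
    line = b"Quarterly report draft (constructed sample data)\n"
    text = (line * 100)[:BLOCK]
    return text * 6 + os.urandom(BLOCK * 2) + bytes(BLOCK * 4)

if __name__ == "__main__":
    drive = sample_drive()
    print("in use      :", survey(drive))
    print("zero wipe   :", survey(overwrite(drive, False)))
    print("random wipe :", survey(overwrite(drive, True)))
```

Either overwrite leaves none of the sample's original bytes, and each produces a single uniform block class, while the constructed in-use sample shows a mix of all three.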


