Re: Hard Drive Forensics Question

On 2008-10-08 J. Oquendo wrote:
> On Wed, 08 Oct 2008, Ansgar Wiechers wrote:
>> Of course if you'd want to avoid any risk, you'd feed the disk to a
>> furnace and get rid of the problem once and for all.
>
> And that would do?
> http://www.ontrackdatarecovery.co.uk/columbia-drive-recovery/

I don't think so. How was that disk wiped?

> Appropriately a degausser would solve the problem, but it would also
> make the drive useless. I won't get into counterforensics, but most
> so-called wiping tools aren't worth the programming it took to make
> them.
>
> http://www.first.org/conference/2006/papers/geiger-matthew-papers.pdf

Looks interesting, although the test scenario differs from what I had
outlined (single-pass wipe of the entire disk with zeroes). Too bad that
SysInternals' SDelete wasn't included in this evaluation. I'm rather
curious how it would have performed in the "free space" and "targeted
files" tests.

I only took a glimpse now, but will read it thoroughly as soon as I have
a little more time.

> There are plenty of ways to securely wipe data, but from my
> perspective, it involves creativity and a very good understanding of
> the system going right down to the metadata levels. This includes
> pre-fetch info, etc., etc.

If we're talking about removing traces from a system that shouldn't be
touched otherwise: yes, most certainly.

> However, at the same time, more and more forensics experts could
> recoup evidence of counterforensics tools being used, which 1) may
> make it easier for us to rebuild, 2) may on its own give weight to
> wrongdoing.
>
> To understand what I mean about wrongdoing, you'd have to understand
> scenarios... Scenario: Defendant is on trial for stashing corporate
> secrets. His attorneys cry foul. Defendant was a salesman... What
> exactly was he doing with Evidence Eliminator again?
>
> You have to understand the mechanisms of fighting a war. Just the
> mention of it alone, whether he had it for good reasons, is enough to
> raise suspicion in the eyes of ANY juror. Not to mention the idiotic
> names for some of these programs: "Evidence Eliminator" why not call
> it "ForensicExpertsShouldCheckMeFirst" or "Hey look I potentially have
> something to hide 1.0"

I see your point, but I'd still have to disagree. Having a
counterforensics tool installed is no proof whatsoever that the defendant
actually did what he's charged with. Presumption of innocence is one of
the most basic principles of our legal system. And that's for a reason.

> As for feeding it to a furnace, better be hot enough to turn it to
> liquid metal.

Going well above the material's Curie point should suffice, AFAICS.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
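The thread turns on two questions: whether a single-pass zero wipe of the whole disk was actually performed, and how one would know. The script below is an added example written for this page; it is not code from the thread nor from any tool it mentions (SDelete, Evidence Eliminator). It assumes a path to a regular file, a raw disk image, or a block device that the caller may open read-write, uses only the Python standard library, and does two things: a single-pass overwrite with zeros that flushes to the device, and an independent read-back audit that reports every byte range which still holds non-zero data. The sample content in `demo_on_temp_file` is constructed for the demonstration.

```python
import io
import os
from typing import BinaryIO, Dict, List, Tuple

CHUNK = 1 << 20  # 1 MiB per read/write; keeps the all-zero fast path cheap


def zero_wipe(path: str, chunk: int = CHUNK) -> int:
    """Overwrite everything at `path` with zeros in one pass; return bytes written.

    Flushes and fsyncs so the zeros reach the device rather than the page cache.
    """
    zeros = bytes(chunk)
    written = 0
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()  # works for regular files, images and block devices
        f.seek(0)
        while written < size:
            n = min(chunk, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def nonzero_runs_from_bytes(data: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Half-open [start, end) offsets of each run of non-zero bytes in `data`."""
    runs: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(data):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((base + start, base + i))
            start = None
    if start is not None:
        runs.append((base + start, base + len(data)))
    return runs


def scan_stream(stream: BinaryIO, chunk: int = CHUNK) -> Tuple[int, List[Tuple[int, int]]]:
    """Read `stream` to the end; return (bytes_scanned, merged non-zero runs).

    All-zero chunks are skipped with one count(); runs straddling a chunk
    boundary are merged so the offsets describe the whole image or device.
    """
    runs: List[Tuple[int, int]] = []
    offset = 0
    while True:
        data = stream.read(chunk)
        if not data:
            break
        if data.count(0) != len(data):
            for s, e in nonzero_runs_from_bytes(data, offset):
                if runs and runs[-1][1] == s:
                    runs[-1] = (runs[-1][0], e)
                else:
                    runs.append((s, e))
        offset += len(data)
    return offset, runs


def scan_bytes(data: bytes, chunk: int = CHUNK) -> Tuple[int, List[Tuple[int, int]]]:
    """Same audit over in-memory data (handy for constructed samples)."""
    return scan_stream(io.BytesIO(data), chunk)


def verify_zero_wipe(path: str, chunk: int = CHUNK) -> Dict[str, object]:
    """Audit a claimed zero wipe by reading everything back from `path`."""
    with open(path, "rb") as f:
        total, runs = scan_stream(f, chunk)
    residual = sum(e - s for s, e in runs)
    return {"bytes_scanned": total, "residual_bytes": residual,
            "runs": runs, "wiped": residual == 0}


def demo_on_temp_file() -> Dict[str, object]:
    """End-to-end run on a constructed temp file: audit, wipe, audit again."""
    import tempfile
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"corporate secret\n" * 1000)  # constructed sample content
    try:
        before = verify_zero_wipe(path)
        written = zero_wipe(path)
        after = verify_zero_wipe(path)
    finally:
        os.unlink(path)
    return {"before_wiped": before["wiped"], "written": written,
            "after_wiped": after["wiped"], "after_runs": after["runs"]}
```

Run `verify_zero_wipe` against the device node or image, not against a file inside a mounted filesystem: wiping a file in place only covers its current allocation, while slack space, free space and remapped sectors stay untouched, which is exactly the distinction the "free space" and "targeted files" tests in the cited paper draw and the reason the reply asks how the disk was wiped rather than whether a tool was run.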