Exam Drive & Wiping Question

17 Posts
9 Users
0 Likes
1,400 Views
TMD22
(@tmd22)
Posts: 41
Eminent Member
Topic starter
 

I have been instructed in a forensics class to "wipe" my examination drive after each case, and restore a copy from another HDD to ensure no data from a previous case can contaminate the new data, nor can a legal challenge be mounted that the exam HDD contained data from a previous case.

Does anyone practice this? And if so, would it not be fine to delete the data from the old case, virus scan the entire drive and then process the new case/data without wiping the drive clean?

I know this extra step is great in theory, but is it really necessary as it takes valuable time from wiping, checksum, FDisk & restoring clone copy of exam drive.

Any input welcome.

Thanks
Mark

 
Posted : 04/11/2005 4:27 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

It is a fundamental practice to sterilize the media that is going to be used for acquisition.

If you skip this part, your case or forensic examination has disaster written all over it. In the court of law, the evidence will not be admissible.

I would highly recommend that you sterilize the media by forensic wiping before you start your acquisition.

A free application to sterilize your media.

http://www.cybersecurityinstitute.biz/software/

 
Posted : 04/11/2005 7:19 am
matt3x166
(@matt3x166)
Posts: 26
Eminent Member
 

Absolutely, every single time. Actually, I now have multiple system drives available, so when one case is over, I put in a new drive, take out my old and wipe it. If you just delete it, you should know that the data is still there. While it may not be that important to you, I want to be able to sit on the witness stand and testify truthfully that this was a fresh, updated system disk, that has never contained evidence from another case since it was wiped and the OS installed (or the ghost image blown out to it). Remember, the ultimate goal of computer forensics is to find evidence to be used in court. Cross contamination of evidence is a serious issue and all reasonable steps should be taken in order to prevent this contamination.

Matt

 
Posted : 04/11/2005 7:27 am
 samr
(@samr)
Posts: 119
Estimable Member
 

When you say that you have deleted everything, how can you be sure that this includes everything that was present in unallocated space and file slack?

The only way you can be sure that the drive is 'clean' is to wipe it completely and verify that the disk is wiped. If the disk originally contained sensitive material then it may even be wise to use a brand new hard disk (of course wiping that too) so that you can be sure that no cross contamination is present or that remnants of previously present data cannot be retrieved.

 
Posted : 04/11/2005 5:37 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

After you wipe the drive with 00 hex, for instance, do a grep search on the physical drive for any character other than 00 (the expression is [^\x00]). You should get 0 hits. You don't need to do this every time, just enough to validate your wipe process.

 
Posted : 04/11/2005 7:09 pm
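A streaming version of the validation gmarshall139 describes (zero-fill, then scan the whole device for any byte other than 0x00), added here as an example and not code from the thread; `find_nonzero`, `zero_fill` and the temporary sample image are my own construction, and on a real exam drive you would point `find_nonzero` at the block device path instead.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # stream the drive or image 1 MiB at a time


def find_nonzero(path, chunk_size=CHUNK):
    # Offset of the first byte that is not 0x00, or None if the whole device
    # is zero-filled: the same check as grep '[^\x00]' on the physical drive,
    # but streamed so it works on a disk far larger than RAM.
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            if chunk.count(0) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)
    return None  # "0 hits": the wipe is validated


def zero_fill(path, chunk_size=CHUNK):
    # Overwrite every byte of an existing file or block device with 0x00.
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()  # os.path.getsize() reports 0 for a block device
        f.seek(0)
        while size > 0:
            n = min(chunk_size, size)
            f.write(bytes(n))
            size -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros reach the media


def demo():
    # Constructed sample: a 3 MiB image of random bytes standing in for a used
    # exam drive. Wipe it, validate, then plant one stray byte to show the
    # check catches an incomplete wipe.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(3 * 1024 * 1024))
        path = tmp.name
    try:
        before = find_nonzero(path)   # some offset: the drive is dirty
        zero_fill(path)
        after = find_nonzero(path)    # None
        with open(path, "r+b") as f:
            f.seek(1_500_000)
            f.write(b"\x41")          # a byte the wipe supposedly missed
        missed = find_nonzero(path)   # 1500000
    finally:
        os.unlink(path)
    return before, after, missed
```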
Matt67
(@matt67)
Posts: 7
Active Member
 

Being very new to computer forensics I can only guess that "just deleting the previous case file" is definitely going to contaminate your next case file and would be inadmissible. However, coming from a data recovery background I can tell you that after each recovery, the image drive I use is wiped running a random character pattern and then two rounds of 00. Once that is done I use a hex editor to check the drive and confirm there is no residual data left.

 
Posted : 04/11/2005 8:48 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Being very new to computer forensics I can only guess that "just deleting the previous case file" is definitely going to contaminate your next case file and would be inadmissible.

This isn't true at all. Depending on what evidence file format you are dealing with I would put it at next to impossible. You've got your authentication procedure that you will use regardless. This will show that the evidence files are not contaminated. The practice of wiping storage drives is probably unnecessary, but it may save you from explaining all the above on the stand some day. It's one of those things we do to prevent questions, even though those questions can be dealt with.

 
Posted : 04/11/2005 9:23 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

I am a little confused. Are you meaning a disk that contains a data copy of the original or a disk that contains the imaged file? And are you talking about a full overwriting delete or just a simple delete? Sorry if the answers seem obvious.

 
Posted : 04/11/2005 9:36 pm
Matt67
(@matt67)
Posts: 7
Active Member
 

Thanks for the info, I'll keep that in mind. Like I said, being "very new" it was only a guess.

 
Posted : 04/11/2005 10:50 pm
m7esec
(@m7esec)
Posts: 45
Eminent Member
 

I believe that this gentleman is talking about wiping the examination drive (for example, the HDD that contains his forensics tools such as EnCase, FTK, etc.) with a known "clean" OS, tool installation, etc. I do not believe he is talking about the drive used to duplicate the original evidence. If this is the case, yes, this is a good practice, and it is what I do every time on my non-networked examination PC. Will it be an issue that would arise in court? Probably only if it is suspected to have a virus or other malware that can be used to modify your findings, somehow. It also shows that you are interested in "due diligence" in protecting the investigation and that no outside influences could have had any effect on your results.

Yes, it is a pain, but after a while, when you have all the bugs worked out, you and your client will be glad you did.

 
Posted : 05/11/2005 12:19 am