Problems wiping drives

(@murdocha)
Posts: 9
Active Member
Topic starter
 

I seem to be having a few problems wiping down a HDD.

I'm using Encase 6.7
USB2->IDE device (Writeable)
and obviously a HDD (Jumpers set to master)

I have swapped out the hardware including the forensics machine.

The verification report being returned from Encase at the end of drive wiping is coming back with no errors.

All of the sectors in the Unused disk Area appear to contain 00 values as I would expect. If I go to disk view this area of the drive shows up as Case 1\1\Unused Disk Area(PS 1 SO 00 FO 0 LE 1).

However in the graphic of disk locations highlighted is the top row second from the left.

If I click on the graphic and go back one (Case 1\1 (PS 1 SO 00 FO 0 LE 1). I see data which includes the text "Invalid partition table Error loading operating system Missing operating system"

Is this normal or should this drive be totally free of everything?

Thanks in Advance

 
Posted : 24/10/2007 4:49 pm
(@Anonymous)
Posts: 0
Guest
 

All of the sectors in the Unused disk Area….
I see data which includes the text "Invalid partition table Error loading operating system Missing operating system"

Are you certain as to whether you are wiping the drive or the partition? Your comments, which I've quoted above, lead me to think you are only getting a partition. Check your wiping settings.

Also, you may wish to add Darik's Boot and Nuke (DBAN) to your toolkit. It fits on floppy (remember those?), CD, mini-CD or USB stick. Very small, very configurable, v-e-r-y effective. I use it to forensically wipe drives between cases. I have DD'd the results and get absolutely clean drives (or partitions) every time.

Oh, and DBAN is free! 8)

 
Posted : 24/10/2007 5:21 pm
(@murdocha)
Posts: 9
Active Member
Topic starter
 

Thanks AWTLPI

I have a copy of DBAN, but not with me. Going to burn the ISO to a CD in a bit.

The first thing I thought about when I saw the data in 0 was that I had wiped the partition. But I've checked and double checked and have wiped the physical drive.

The only other thing that I can think of is that when I power the drive on to check that it is wiped maybe windows is writing the data to the disk.

Before I go and try DBAN, I'm going to do the following
1) Start wipe using current hardware.
2) Power off drive partway through the wipe process.
3) Connect the drive via a tableau blocker.
4) Inspect the contents of the drive.

Presuming EnCase wipes from the start of the drive, I see no reason why this won't work.

Any further comments on this problem, or on my methodology are appreciated.

 
Posted : 24/10/2007 5:59 pm
(@Anonymous)
Posts: 0
Guest
 

Is your target HDD in an external USB enclosure? If so, Windows may indeed "automagically" write an MBR to the drive which it perceives as "new."

I had thought of your same test methodology: wipe enough to ensure that the first few sectors are zeroed, power-down, install a write-blocker between the drive and PC, then power-up and see what EnCase finds. Then… cycle power, remove the write-block and see what happens at next boot.

Please let us know!

 
Posted : 24/10/2007 6:49 pm
(@murdocha)
Posts: 9
Active Member
Topic starter
 

After a wipe with a tableau in between no data appears.

The first time the drive is plugged in without the tableau (i.e. with a USB -> IDE converter (writeable)) I get 3 characters of text appearing.

On the second power up I receive what appears to be a boot record.

I suppose that just about proves the case.

If anyone can give a concrete answer on this it would put my mind at rest.

 
Posted : 24/10/2007 6:57 pm
(@Anonymous)
Posts: 0
Guest
 

Interesting! Which version of Windows are you running on this box? Did you previously install any third-party USB drivers/tools? Any commercial partition tools?

 
Posted : 24/10/2007 7:06 pm
(@murdocha)
Posts: 9
Active Member
Topic starter
 

XP Pro
As far as I am aware there are no third party partitioning or USB driver tools installed on the machine. But I am not 100% as it's not 'my' lab machine.

 
Posted : 26/10/2007 1:08 pm
(@Anonymous)
Posts: 0
Guest
 

murdocha,
I have confirmed this behavior on my XP Home system, as well. I wiped a 16mb USB stick with the latest DBAN Beta, which now supports wiping of USB media. Booting into Helix allowed me to confirm that the stick had been cleared. Insert into XP and a new VBR is written.

A Wiki article on "Volume Boot Record" says that "some dual boot systems, such as NTLDR, take copies of the bootstrap code that individual operating systems install into a single partition's VBR and store them in disc files, loading the relevant VBR content from file after the boot loader has asked the user which operating system to bootstrap." This is all well and fine, except when we wish to forensically examine a USB device.

Google-search "USB write block" to see several post-wiping options. You would boot DBAN, shutdown system, remove USB media, insert write-block, then reinstall USB device and boot into XP. Re-image the USB media and check for non-zeros.

 
Posted : 26/10/2007 8:33 pm
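
Added example, not part of the original thread: the "check for non-zeros" step from the last post, written as a Python scan of a raw image taken through a write-blocker. It lists every non-zero sector by LBA and flags those ending in the 0x55AA boot signature, which is how a boot record written after the wipe would show up. The image file names, the 512-byte sector size and the sample images are assumptions constructed for the demonstration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def nonzero_sectors(image_path, chunk_sectors=2048):
    """Return [(lba, has_boot_signature)] for each sector that is not all zeros."""
    hits, lba = [], 0
    with open(image_path, "rb") as f:
        while chunk := f.read(SECTOR * chunk_sectors):
            # Walk sector by sector only when the chunk holds a non-zero byte.
            if chunk.count(0) != len(chunk):
                for off in range(0, len(chunk), SECTOR):
                    sector = chunk[off:off + SECTOR]
                    if sector.count(0) != len(sector):
                        # 0x55 0xAA at offset 510 is the MBR/VBR boot signature.
                        hits.append((lba + off // SECTOR, sector[510:512] == b"\x55\xaa"))
            lba += len(chunk) // SECTOR
    return hits


def build_sample_image(path, sectors=64, rewritten=False):
    """Constructed image: zeros, optionally with a fake boot sector at LBA 0."""
    data = bytearray(sectors * SECTOR)
    if rewritten:
        data[0x100:0x118] = b"Missing operating system"
        data[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Compare a constructed clean image with one rewritten at LBA 0."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "after_wipe.dd")
        dirty = os.path.join(d, "after_writable_mount.dd")
        build_sample_image(clean)
        build_sample_image(dirty, rewritten=True)
        return nonzero_sectors(clean), nonzero_sectors(dirty)


if __name__ == "__main__":
    clean_hits, dirty_hits = demo()
    print("after wipe:", clean_hits)
    print("after writable mount:", dirty_hits)
```

An empty list for the image taken straight after the wipe, and a hit at LBA 0 for the image taken after a writable connection, matches what the thread observed.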