±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34298
New Yesterday: 0 Visitors: 192

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Problems wiping drives

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Problems wiping drives

Post Posted: Wed Oct 24, 2007 10:49 am

I seem to be having a few problems wiping down a HDD.

I'm using Encase 6.7
USB2->IDE device (Writeable)
and obviously a HDD (Jumpers set to master)

I have swapped out the hardware including the forensics machine.

The verificatoin report being returned from Encase at the end of drive wiping is coming back with no errors.

All of the sectors in the Unused disk Area appear to contain 00 vlaues as I would expect. If I go to disk view this area of the drive shows up as Case 1\1\Unused Disk Area(PS 1 SO 00 FO 0 LE 1).

However in the graphic of disk locations highlighted is the top row second from the left.

If I click on the graphic and go back one (Case 1\1 (PS 1 SO 00 FO 0 LE 1). I see data which includes the text "Invalid partition table Error loading operating system Missing operating system"

Is this normal or should this drive be totaly free of everything?

Thanks in Advance  

murdocha
Member
 
 
  

Re: Problems wiping drives

Post Posted: Wed Oct 24, 2007 11:21 am

All of the sectors in the Unused disk Area....
I see data which includes the text "Invalid partition table Error loading operating system Missing operating system"


Are you certain as to whether you are wiping the drive or the partition? Your comments, which I've quoted above, lead me to think you are only getting a partition. Check your wiping settings.

Also, you may wish to add Darik's Boot and Nuke (DBAN) to your toolkit. It fits on floppy (remember those?), CD, mini-CD or USB stick. Very small, very configurable, v-e-r-y effective. I use it to forensically wipe drives between cases. I have DD'd the results and get absolutely clean drives (or partitions) every time.

Oh, and DBAN is free! Cool
_________________
MSc, CISSP 

AWTLPI
Senior Member
 
 
  

Re: Problems wiping drives

Post Posted: Wed Oct 24, 2007 11:59 am

Thanks AWTLPI

I have a copy of DBAN, but not with me. Going to burn the ISO to a CD in a bit.

The first thing I thought about when I saw the data in 0 was that I had wiped the partition. But I've checked and double checked and have wiped the physical drive.

The only other thing that I can think of is that when I power the drive on to check that it is wiped maybe windows is writing the data to the disk.

Before I go and try DBAN, I'm going to do the following:
1) Start wipe using current hardware.
2) Power off drive partway through the wipe process.
3) Connect the drive via a tableau blocker.
4) Inspect the contents of the drive.

Pressuming EnCase wipes from the start of the drive, I see no reason why this won't work.

Any further comments on this problem, or on my methodolgy are appreciated.  

murdocha
Member
 
 
  

Re: Problems wiping drives

Post Posted: Wed Oct 24, 2007 12:49 pm

Is your target HDD in an external USB enclosure? If so, Windows may indeed "automagically" write an MBR to the drive which it perceives as "new.".

I had thought of your same test methodology: Wipe enough to ensure that the first few sectors are zeroed, power-down, install a write-blocker between the drive and PC, then power-up and see what EnCase finds. Then... cycle power, remove the write-block and see what happens at next boot.

Please let us know!
_________________
MSc, CISSP 

AWTLPI
Senior Member
 
 
  

Re: Problems wiping drives

Post Posted: Wed Oct 24, 2007 12:57 pm

After a wipe with a tableau inbetween no data appears.

The first time the drive is plugged in without the tableau (i.e with a USB -> IDE converter (writeable)) I get 3 characters of text appearing.

One the second power up I receive what appears to be a boot record.

I suppose that just about proves the case.

If anyone can give a concrete answer on this it would put my mind at rest.  

murdocha
Member
 
 
  

Re: Problems wiping drives

Post Posted: Wed Oct 24, 2007 1:06 pm

Interesting! Which version of Windows are you running on this box? Did you previously install any third-party USB drivers/tools? Any commercial partition tools?
_________________
MSc, CISSP 

AWTLPI
Senior Member
 
 
  

Re: Problems wiping drives

Post Posted: Fri Oct 26, 2007 7:08 am

XP Pro
As far as I am aware there are no third party partitioning or USB driver tools installed on the machine. But I am not 100% as its not 'my' lab machine.  

murdocha
Member
 
 

Page 1 of 2
Go to page 1, 2  Next