Wiping practices


andy1500mac
Senior Member
 

Wiping practices

Post Posted: May 22, 05 16:29

Hi All,

Is it common practice to ALWAYS wipe the destination media before making an image? I ask this as someone just getting his feet wet in the field. I am curious because although wiping makes perfect sense to me (to get rid of any residual data), should it really make a difference if I've verified hashes of original media and destination image to be the same?

As a beginner I am testing software and practices at home by creating images of small second-hand HDDs (2-4 GB) to an 80 GB USB drive and analyzing them using different tools. Should I be wiping this drive for every new image I create or, seeing as I am working with small test drive sizes, is it acceptable to partition the larger drive into, let's say, 5-6 volumes and wipe them individually when needed?

Thanks for any input.

Andrew.  
 
  

Andy
Senior Member
 

Re: Wiping practices

Post Posted: May 22, 05 17:13

Andy, current best practice guidelines are that a repository drive should be wiped forensically before being copied to. The argument for wiping each time is mainly in case of cross contamination of evidence/data.
If you are imaging directly to a file server on a network, as many are doing/starting to do (we practice this, and image directly to a large capacity RAID), then wiping that repository for each case is not feasible.

If you are not using images of drives, and perhaps simply making a direct copy of the data of one drive to another - then examining that data in its native environment - yes, wiping that repository drive should be done to ensure nothing remains in unallocated, etc.

Andy  

Last edited by Andy on Aug 04, 05 01:04; edited 1 time in total
 
  

andy1500mac
Senior Member
 

Re: Wiping practices

Post Posted: May 22, 05 17:25

Thanks Andy...

That's what I assumed but I don't want to be assuming too much at this point...

The prompt and informative reply is once again much appreciated.

Andrew-  
 
  

rofmoc
Newbie
 

Re: Wiping practices

Post Posted: May 22, 05 17:31

Hi Andy,

This is an interesting topic. If you make an image of a hard drive using EnCase or practically any other forensic software, it should not make any difference whatsoever whether the target drive was wiped or not.

Since the imaging software makes an identical copy and checks, using hash algorithms, to make sure the copy is identical, there is no real need for wiping from a technical point of view.

The only reason I can see for wiping is that it is easier to explain to anyone questioning the process if you just say "Yes, I wiped the target drive seven using this approved software... Bla bla... thus I can guarantee that the image has not been affected by what may have been on the drive before imaging...".

The fact that the only thing guaranteeing the integrity of the image is the way you make the image and that the image (using EnCase) is a file that cannot easily be manipulated is something you ought to be able to explain and explain in a way that even an amateur would understand (many clients, courts, lawyers etc are amateurs when it comes to computer forensics).

Correct me if I am wrong...

And yes, I DO wipe the target drive, but just once, because there is no way anything overwritten once could affect anything written to the drive after the wiping...
_________________
Videre non videri.
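
Added example, not part of any post in this thread: a Python sketch of the two points made above, that a hash over the copied region verifies whether or not the destination was wiped, while a direct drive-to-drive copy onto an unwiped, larger destination leaves the earlier case's data past the end of the copy. The in-memory buffers stand in for drives; all function names and sample data are constructed for illustration.

```python
import hashlib

SECTOR = 512

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def wipe(drive: bytearray) -> None:
    """Single-pass zero fill of the whole destination."""
    drive[:] = bytes(len(drive))

def dirty_sectors(drive: bytes, start: int = 0) -> list[int]:
    """Sector numbers at or after byte offset `start` holding any non-zero byte."""
    zero = bytes(SECTOR)
    return [off // SECTOR for off in range(start, len(drive), SECTOR)
            if drive[off:off + SECTOR] != zero]

def clone(source: bytes, drive: bytearray) -> None:
    """Direct sector copy onto the start of the destination (dd-style clone)."""
    drive[:len(source)] = source

def demo() -> dict:
    # Constructed sample data: a 4-sector "evidence" disk and an 8-sector
    # destination that still holds data from an earlier, unrelated case.
    source = b"CASE-B evidence ".ljust(SECTOR, b"\x42") * 4
    old_case = b"CASE-A leftover ".ljust(SECTOR, b"\x41") * 8

    # 1. Clone without wiping: the copied region verifies against the source,
    #    yet the sectors past the copy still carry the old case's data.
    unwiped = bytearray(old_case)
    clone(source, unwiped)
    match_unwiped = sha256(bytes(unwiped[:len(source)])) == sha256(source)
    residue_unwiped = dirty_sectors(unwiped, start=len(source))

    # 2. Wipe, verify the wipe, then clone: same hash result, no residue.
    wiped = bytearray(old_case)
    wipe(wiped)
    wipe_verified = dirty_sectors(wiped) == []
    clone(source, wiped)
    match_wiped = sha256(bytes(wiped[:len(source)])) == sha256(source)
    residue_wiped = dirty_sectors(wiped, start=len(source))

    return {"match_unwiped": match_unwiped, "residue_unwiped": residue_unwiped,
            "wipe_verified": wipe_verified, "match_wiped": match_wiped,
            "residue_wiped": residue_wiped}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
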
 
 
  

rofmoc
Newbie
 

Re: Wiping practices

Post Posted: May 22, 05 17:38

Ah... And I thought I was fast :D

Well, Andy (both of you), the reason I wipe is just to be able to say I've done it...

When you use any kind of server storage solution this no longer works, as Andy pointed out... And where I worked before that was the case and we never really had difficulties explaining the procedure.

Cross contamination just cannot happen using forensically sound methods.
_________________
Videre non videri.
 
 
  

andy1500mac
Senior Member
 

Re: Wiping practices

Post Posted: May 22, 05 18:03

rofmoc,

Thanks also...this was the thought process that led to me questioning whether an image (hash verified) would be sufficient...someone cross examining me as to wiping/disk integrity etc...

quote:

[The only reason I can see for wiping is that it is easier to explain to anyone questioning the process if you just say "Yes, I wiped the target drive seven using this approved software... Bla bla... thus I can guarantee that the image has not been affected by what may have been on the drive before imaging...". ]

Andrew-  
 
