Exam Drive & Wiping Question

TMD22
Member

Exam Drive & Wiping Question

Posted: Nov 04, 05 05:27

I have been instructed in a forensics class to "wipe" my examination drive after each case, and restore a copy from another HDD to ensure no data from a previous case can contaminate the new data, nor can a legal challenge be mounted that the exam HDD contained data from a previous case.

Does anyone practice this? And if so, would it not be fine to delete the data from the old case, virus scan the entire drive and then process the new case/data without wiping the drive clean?

I know this extra step is great in theory, but is it really necessary, as it takes valuable time for wiping, checksum, FDisk & restoring a clone copy of the exam drive?

Any input welcome.

Thanks
Mark

arashiryu
Senior Member

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 08:19

It is a fundamental practice to sterilize the media that is going to be used for acquisition.

If you skip this part, your case or forensic examination has disaster written all over it. In a court of law, the evidence will not be admissible.

I would highly recommend that you sterilize the media by forensic wiping before you start your acquisition.

A free application to sterilize your media:

www.cybersecurityinsti.../software/

matt3x166
Member

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 08:27

Absolutely, every single time. Actually, I now have multiple system drives available, so when one case is over, I put in a new drive, take out my old and wipe it. If you just delete it, you should know that the data is still there. While it may not be that important to you, I want to be able to sit on the witness stand and testify truthfully that this was a fresh, updated system disk, that has never contained evidence from another case since it was wiped and the OS installed (or the ghost image blown out to it). Remember, the ultimate goal of computer forensics is to find evidence to be used in court. Cross contamination of evidence is a serious issue and all reasonable steps should be taken in order to prevent this contamination.

Matt

samr
Senior Member

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 18:37

When you say that you have deleted everything, how can you be sure that this includes everything that was present in unallocated space and file slack?

The only way you can be sure that the drive is 'clean' is to wipe it completely and verify that the disk is wiped. If the disk originally contained sensitive material then it may even be wise to use a brand new hard disk (of course wiping that too) so that you can be sure that no cross contamination is present or that remnants of previously present data cannot be retrieved.

gmarshall139
Senior Member

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 20:09

After you wipe the drive with 00 hex, for instance, do a grep search on the physical drive for any character other than 00 (the expression is [^\x00]). You should get 0 hits. You don't need to do this every time, just enough to validate your wipe process.
_________________
Greg Marshall, EnCE 
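One way to script the post-wipe check described in the post above, as an added example rather than anything from the thread: it streams a drive image or raw device in chunks and reports whether every byte equals the fill value (0x00 by default), where the first stray byte sits, and how many there are, which is the "0 hits" the grep search should give. The helper that builds the sample images, and the file names and stray byte it uses, are constructed for the demonstration.

```python
import os
import tempfile


def verify_wipe(path, fill=0x00, chunk_size=1 << 20):
    """Check that every byte of `path` equals `fill`.

    Returns (is_clean, first_bad_offset, bad_byte_count). Reads in
    fixed-size chunks so a large device is never loaded into memory,
    and only inspects a chunk byte-by-byte when it fails the fast
    whole-chunk comparison. Works on a forensic image or on a raw
    device opened read-only (the latter needs the usual privileges).
    """
    fill_byte = bytes([fill])
    fill_chunk = fill_byte * chunk_size
    first_bad = None
    bad_count = 0
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            data = f.read(chunk_size)  # raw reads may be short; use len(data)
            if not data:
                break
            if data != fill_chunk[: len(data)]:
                # lstrip(fill_byte) drops leading fill bytes, so the length
                # difference is the index of the first differing byte.
                if first_bad is None:
                    first_bad = offset + len(data) - len(data.lstrip(fill_byte))
                bad_count += len(data) - data.count(fill_byte)
            offset += len(data)
    return first_bad is None, first_bad, bad_count


def make_sample_image(size=3 * 1024 * 1024, stray=None):
    """Constructed sample: a sparse all-zero image, optionally with one
    stray (offset, value) byte left behind to simulate an incomplete wipe."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)  # sparse file, reads back as zeros
        if stray is not None:
            f.seek(stray[0])
            f.write(bytes([stray[1]]))
    return path


if __name__ == "__main__":
    clean, dirty = make_sample_image(), make_sample_image(stray=(1_500_000, 0x41))
    print(verify_wipe(clean))  # (True, None, 0)
    print(verify_wipe(dirty))  # (False, 1500000, 1)
    os.remove(clean)
    os.remove(dirty)
```

A non-zero count means the wipe did not reach every sector the OS can read, so the drive should be wiped again before the next case image is restored to it.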
Matt67
Newbie

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 21:48

Being very new to computer forensics I can only guess that "just deleting the previous case file" is definitely going to contaminate your next case file and would be inadmissible. However, coming from a data recovery background, I can tell you that after each recovery the image drive I use is wiped running a random character pattern and then two rounds of 00. Once that is done I use a hex editor to check the drive and confirm there is no residual data left.

gmarshall139
Senior Member

Re: Exam Drive & Wiping Question

Posted: Nov 04, 05 22:23

- Matt67:
Being very new to computer forensics I can only guess that "just deleting the previous case file" is definitely going to contaminate your next case file and would be inadmissible.
This isn't true at all. Depending on what evidence file format you are dealing with I would put it at next to impossible. You've got your authentication procedure that you will use regardless. This will show that the evidence files are not contaminated. The practice of wiping storage drives is probably unnecessary, but it may save you from explaining all the above on the stand some day. It's one of those things we do to prevent questions, even though those questions can be dealt with.
_________________
Greg Marshall, EnCE 
Page 1 of 3